1 /** 2 * \file hmac_drbg.h 3 * 4 * \brief The HMAC_DRBG pseudorandom generator. 5 * 6 * This module implements the HMAC_DRBG pseudorandom generator described 7 * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using 8 * Deterministic Random Bit Generators</em>. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 13 * 14 * Licensed under the Apache License, Version 2.0 (the "License"); you may 15 * not use this file except in compliance with the License. 16 * You may obtain a copy of the License at 17 * 18 * http://www.apache.org/licenses/LICENSE-2.0 19 * 20 * Unless required by applicable law or agreed to in writing, software 21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 * See the License for the specific language governing permissions and 24 * limitations under the License. 25 */ 26 #ifndef MBEDTLS_HMAC_DRBG_H 27 #define MBEDTLS_HMAC_DRBG_H 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "mbedtls/config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #include "mbedtls/md.h" 36 37 #if defined(MBEDTLS_THREADING_C) 38 #include "mbedtls/threading.h" 39 #endif 40 41 /* 42 * Error codes 43 */ 44 /** Too many random requested in single call. */ 45 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 46 /** Input too large (Entropy + additional). */ 47 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 48 /** Read/write error in file. */ 49 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 50 /** The entropy source failed. */ 51 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 52 53 /** 54 * \name SECTION: Module settings 55 * 56 * The configuration options you can set for this module are in this section. 57 * Either change them in config.h or define them on the compiler command line. 58 * \{ 59 */ 60 61 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL) 62 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 63 #endif 64 65 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT) 66 #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 67 #endif 68 69 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST) 70 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 71 #endif 72 73 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) 74 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 75 #endif 76 77 /* \} name SECTION: Module settings */ 78 79 #define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ 80 #define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ 81 82 #ifdef __cplusplus 83 extern "C" { 84 #endif 85 86 /** 87 * HMAC_DRBG context. 88 */ 89 typedef struct mbedtls_hmac_drbg_context 90 { 91 /* Working state: the key K is not stored explicitly, 92 * but is implied by the HMAC context */ 93 mbedtls_md_context_t md_ctx; /*!< HMAC context (inc. K) */ 94 unsigned char V[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ 95 int reseed_counter; /*!< reseed counter */ 96 97 /* Administrative state */ 98 size_t entropy_len; /*!< entropy bytes grabbed on each (re)seed */ 99 int prediction_resistance; /*!< enable prediction resistance (Automatic 100 reseed before every random generation) */ 101 int reseed_interval; /*!< reseed interval */ 102 103 /* Callbacks */ 104 int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */ 105 void *p_entropy; /*!< context for the entropy function */ 106 107 #if defined(MBEDTLS_THREADING_C) 108 /* Invariant: the mutex is initialized if and only if 109 * md_ctx->md_info != NULL. This means that the mutex is initialized 110 * during the initial seeding in mbedtls_hmac_drbg_seed() or 111 * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free(). 112 * 113 * Note that this invariant may change without notice. Do not rely on it 114 * and do not access the mutex directly in application code. 115 */ 116 mbedtls_threading_mutex_t mutex; 117 #endif 118 } mbedtls_hmac_drbg_context; 119 120 /** 121 * \brief HMAC_DRBG context initialization. 122 * 123 * This function makes the context ready for mbedtls_hmac_drbg_seed(), 124 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free(). 125 * 126 * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 127 * by default. Override this value by calling 128 * mbedtls_hmac_drbg_set_reseed_interval(). 129 * 130 * \param ctx HMAC_DRBG context to be initialized. 131 */ 132 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx ); 133 134 /** 135 * \brief HMAC_DRBG initial seeding. 136 * 137 * Set the initial seed and set up the entropy source for future reseeds. 138 * 139 * A typical choice for the \p f_entropy and \p p_entropy parameters is 140 * to use the entropy module: 141 * - \p f_entropy is mbedtls_entropy_func(); 142 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized 143 * with mbedtls_entropy_init() (which registers the platform's default 144 * entropy sources). 145 * 146 * You can provide a personalization string in addition to the 147 * entropy source, to make this instantiation as unique as possible. 148 * 149 * \note By default, the security strength as defined by NIST is: 150 * - 128 bits if \p md_info is SHA-1; 151 * - 192 bits if \p md_info is SHA-224; 152 * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512. 153 * Note that SHA-256 is just as efficient as SHA-224. 154 * The security strength can be reduced if a smaller 155 * entropy length is set with 156 * mbedtls_hmac_drbg_set_entropy_len(). 157 * 158 * \note The default entropy length is the security strength 159 * (converted from bits to bytes). You can override 160 * it by calling mbedtls_hmac_drbg_set_entropy_len(). 161 * 162 * \note During the initial seeding, this function calls 163 * the entropy source to obtain a nonce 164 * whose length is half the entropy length. 165 */ 166 #if defined(MBEDTLS_THREADING_C) 167 /** 168 * \note When Mbed TLS is built with threading support, 169 * after this function returns successfully, 170 * it is safe to call mbedtls_hmac_drbg_random() 171 * from multiple threads. Other operations, including 172 * reseeding, are not thread-safe. 173 */ 174 #endif /* MBEDTLS_THREADING_C */ 175 /** 176 * \param ctx HMAC_DRBG context to be seeded. 177 * \param md_info MD algorithm to use for HMAC_DRBG. 178 * \param f_entropy The entropy callback, taking as arguments the 179 * \p p_entropy context, the buffer to fill, and the 180 * length of the buffer. 181 * \p f_entropy is always called with a length that is 182 * less than or equal to the entropy length. 183 * \param p_entropy The entropy context to pass to \p f_entropy. 184 * \param custom The personalization string. 185 * This can be \c NULL, in which case the personalization 186 * string is empty regardless of the value of \p len. 187 * \param len The length of the personalization string. 188 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 189 * and also at most 190 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 191 * where \p entropy_len is the entropy length 192 * described above. 193 * 194 * \return \c 0 if successful. 195 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 196 * invalid. 197 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 198 * memory to allocate context data. 199 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 200 * if the call to \p f_entropy failed. 201 */ 202 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, 203 const mbedtls_md_info_t * md_info, 204 int (*f_entropy)(void *, unsigned char *, size_t), 205 void *p_entropy, 206 const unsigned char *custom, 207 size_t len ); 208 209 /** 210 * \brief Initilisation of simpified HMAC_DRBG (never reseeds). 211 * 212 * This function is meant for use in algorithms that need a pseudorandom 213 * input such as deterministic ECDSA. 214 */ 215 #if defined(MBEDTLS_THREADING_C) 216 /** 217 * \note When Mbed TLS is built with threading support, 218 * after this function returns successfully, 219 * it is safe to call mbedtls_hmac_drbg_random() 220 * from multiple threads. Other operations, including 221 * reseeding, are not thread-safe. 222 */ 223 #endif /* MBEDTLS_THREADING_C */ 224 /** 225 * \param ctx HMAC_DRBG context to be initialised. 226 * \param md_info MD algorithm to use for HMAC_DRBG. 227 * \param data Concatenation of the initial entropy string and 228 * the additional data. 229 * \param data_len Length of \p data in bytes. 230 * 231 * \return \c 0 if successful. or 232 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 233 * invalid. 234 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 235 * memory to allocate context data. 236 */ 237 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, 238 const mbedtls_md_info_t * md_info, 239 const unsigned char *data, size_t data_len ); 240 241 /** 242 * \brief This function turns prediction resistance on or off. 243 * The default value is off. 244 * 245 * \note If enabled, entropy is gathered at the beginning of 246 * every call to mbedtls_hmac_drbg_random_with_add() 247 * or mbedtls_hmac_drbg_random(). 248 * Only use this if your entropy source has sufficient 249 * throughput. 250 * 251 * \param ctx The HMAC_DRBG context. 252 * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF. 253 */ 254 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx, 255 int resistance ); 256 257 /** 258 * \brief This function sets the amount of entropy grabbed on each 259 * seed or reseed. 260 * 261 * See the documentation of mbedtls_hmac_drbg_seed() for the default value. 262 * 263 * \param ctx The HMAC_DRBG context. 264 * \param len The amount of entropy to grab, in bytes. 265 */ 266 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, 267 size_t len ); 268 269 /** 270 * \brief Set the reseed interval. 271 * 272 * The reseed interval is the number of calls to mbedtls_hmac_drbg_random() 273 * or mbedtls_hmac_drbg_random_with_add() after which the entropy function 274 * is called again. 275 * 276 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL. 277 * 278 * \param ctx The HMAC_DRBG context. 279 * \param interval The reseed interval. 280 */ 281 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, 282 int interval ); 283 284 /** 285 * \brief This function updates the state of the HMAC_DRBG context. 286 * 287 * \note This function is not thread-safe. It is not safe 288 * to call this function if another thread might be 289 * concurrently obtaining random numbers from the same 290 * context or updating or reseeding the same context. 291 * 292 * \param ctx The HMAC_DRBG context. 293 * \param additional The data to update the state with. 294 * If this is \c NULL, there is no additional data. 295 * \param add_len Length of \p additional in bytes. 296 * Unused if \p additional is \c NULL. 297 * 298 * \return \c 0 on success, or an error from the underlying 299 * hash calculation. 300 */ 301 int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx, 302 const unsigned char *additional, size_t add_len ); 303 304 /** 305 * \brief This function reseeds the HMAC_DRBG context, that is 306 * extracts data from the entropy source. 307 * 308 * \note This function is not thread-safe. It is not safe 309 * to call this function if another thread might be 310 * concurrently obtaining random numbers from the same 311 * context or updating or reseeding the same context. 312 * 313 * \param ctx The HMAC_DRBG context. 314 * \param additional Additional data to add to the state. 315 * If this is \c NULL, there is no additional data 316 * and \p len should be \c 0. 317 * \param len The length of the additional data. 318 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 319 * and also at most 320 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len 321 * where \p entropy_len is the entropy length 322 * (see mbedtls_hmac_drbg_set_entropy_len()). 323 * 324 * \return \c 0 if successful. 325 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 326 * if a call to the entropy function failed. 327 */ 328 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx, 329 const unsigned char *additional, size_t len ); 330 331 /** 332 * \brief This function updates an HMAC_DRBG instance with additional 333 * data and uses it to generate random data. 334 * 335 * This function automatically reseeds if the reseed counter is exceeded 336 * or prediction resistance is enabled. 337 * 338 * \note This function is not thread-safe. It is not safe 339 * to call this function if another thread might be 340 * concurrently obtaining random numbers from the same 341 * context or updating or reseeding the same context. 342 * 343 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 344 * #mbedtls_hmac_drbg_context structure. 345 * \param output The buffer to fill. 346 * \param output_len The length of the buffer in bytes. 347 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 348 * \param additional Additional data to update with. 349 * If this is \c NULL, there is no additional data 350 * and \p add_len should be \c 0. 351 * \param add_len The length of the additional data. 352 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT. 353 * 354 * \return \c 0 if successful. 355 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 356 * if a call to the entropy source failed. 357 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 358 * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 359 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if 360 * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT. 361 */ 362 int mbedtls_hmac_drbg_random_with_add( void *p_rng, 363 unsigned char *output, size_t output_len, 364 const unsigned char *additional, 365 size_t add_len ); 366 367 /** 368 * \brief This function uses HMAC_DRBG to generate random data. 369 * 370 * This function automatically reseeds if the reseed counter is exceeded 371 * or prediction resistance is enabled. 372 */ 373 #if defined(MBEDTLS_THREADING_C) 374 /** 375 * \note When Mbed TLS is built with threading support, 376 * it is safe to call mbedtls_ctr_drbg_random() 377 * from multiple threads. Other operations, including 378 * reseeding, are not thread-safe. 379 */ 380 #endif /* MBEDTLS_THREADING_C */ 381 /** 382 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 383 * #mbedtls_hmac_drbg_context structure. 384 * \param output The buffer to fill. 385 * \param out_len The length of the buffer in bytes. 386 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 387 * 388 * \return \c 0 if successful. 389 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 390 * if a call to the entropy source failed. 391 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 392 * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 393 */ 394 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ); 395 396 /** 397 * \brief This function resets HMAC_DRBG context to the state immediately 398 * after initial call of mbedtls_hmac_drbg_init(). 399 * 400 * \param ctx The HMAC_DRBG context to free. 401 */ 402 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx ); 403 404 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 405 #if defined(MBEDTLS_DEPRECATED_WARNING) 406 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 407 #else 408 #define MBEDTLS_DEPRECATED 409 #endif 410 /** 411 * \brief This function updates the state of the HMAC_DRBG context. 412 * 413 * \deprecated Superseded by mbedtls_hmac_drbg_update_ret() 414 * in 2.16.0. 415 * 416 * \param ctx The HMAC_DRBG context. 417 * \param additional The data to update the state with. 418 * If this is \c NULL, there is no additional data. 419 * \param add_len Length of \p additional in bytes. 420 * Unused if \p additional is \c NULL. 421 */ 422 MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update( 423 mbedtls_hmac_drbg_context *ctx, 424 const unsigned char *additional, size_t add_len ); 425 #undef MBEDTLS_DEPRECATED 426 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 427 428 #if defined(MBEDTLS_FS_IO) 429 /** 430 * \brief This function writes a seed file. 431 * 432 * \param ctx The HMAC_DRBG context. 433 * \param path The name of the file. 434 * 435 * \return \c 0 on success. 436 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 437 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed 438 * failure. 439 */ 440 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 441 442 /** 443 * \brief This function reads and updates a seed file. The seed 444 * is added to this instance. 445 * 446 * \param ctx The HMAC_DRBG context. 447 * \param path The name of the file. 448 * 449 * \return \c 0 on success. 450 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 451 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on 452 * reseed failure. 453 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing 454 * seed file is too large. 455 */ 456 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 457 #endif /* MBEDTLS_FS_IO */ 458 459 460 #if defined(MBEDTLS_SELF_TEST) 461 /** 462 * \brief The HMAC_DRBG Checkup routine. 463 * 464 * \return \c 0 if successful. 465 * \return \c 1 if the test failed. 466 */ 467 int mbedtls_hmac_drbg_self_test( int verbose ); 468 #endif 469 470 #ifdef __cplusplus 471 } 472 #endif 473 474 #endif /* hmac_drbg.h */ 475