1 /**
2  * \file hmac_drbg.h
3  *
4  * \brief The HMAC_DRBG pseudorandom generator.
5  *
6  * This module implements the HMAC_DRBG pseudorandom generator described
7  * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
8  * Deterministic Random Bit Generators</em>.
9  */
10 /*
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 #ifndef MBEDTLS_HMAC_DRBG_H
27 #define MBEDTLS_HMAC_DRBG_H
28 #include "mbedtls/private_access.h"
29 
30 #include "mbedtls/build_info.h"
31 
32 #include "mbedtls/md.h"
33 
34 #if defined(MBEDTLS_THREADING_C)
35 #include "mbedtls/threading.h"
36 #endif
37 
38 /*
39  * Error codes
40  */
41 /** Too many random requested in single call. */
42 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003
43 /** Input too large (Entropy + additional). */
44 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005
45 /** Read/write error in file. */
46 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007
47 /** The entropy source failed. */
48 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009
49 
50 /**
51  * \name SECTION: Module settings
52  *
53  * The configuration options you can set for this module are in this section.
54  * Either change them in mbedtls_config.h or define them on the compiler command line.
55  * \{
56  */
57 
58 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
59 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
60 #endif
61 
62 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
63 #define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
64 #endif
65 
66 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
67 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
68 #endif
69 
70 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
71 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
72 #endif
73 
74 /** \} name SECTION: Module settings */
75 
76 #define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
77 #define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
78 
79 #ifdef __cplusplus
80 extern "C" {
81 #endif
82 
83 /**
84  * HMAC_DRBG context.
85  */
86 typedef struct mbedtls_hmac_drbg_context
87 {
88     /* Working state: the key K is not stored explicitly,
89      * but is implied by the HMAC context */
90     mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx);                    /*!< HMAC context (inc. K)  */
91     unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
92     int MBEDTLS_PRIVATE(reseed_counter);                     /*!< reseed counter         */
93 
94     /* Administrative state */
95     size_t MBEDTLS_PRIVATE(entropy_len);         /*!< entropy bytes grabbed on each (re)seed */
96     int MBEDTLS_PRIVATE(prediction_resistance);  /*!< enable prediction resistance (Automatic
97                                      reseed before every random generation) */
98     int MBEDTLS_PRIVATE(reseed_interval);        /*!< reseed interval   */
99 
100     /* Callbacks */
101     int (*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */
102     void *MBEDTLS_PRIVATE(p_entropy);            /*!< context for the entropy function        */
103 
104 #if defined(MBEDTLS_THREADING_C)
105     /* Invariant: the mutex is initialized if and only if
106      * md_ctx->md_info != NULL. This means that the mutex is initialized
107      * during the initial seeding in mbedtls_hmac_drbg_seed() or
108      * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
109      *
110      * Note that this invariant may change without notice. Do not rely on it
111      * and do not access the mutex directly in application code.
112      */
113     mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
114 #endif
115 } mbedtls_hmac_drbg_context;
116 
117 /**
118  * \brief               HMAC_DRBG context initialization.
119  *
120  * This function makes the context ready for mbedtls_hmac_drbg_seed(),
121  * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
122  *
123  * \note                The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
124  *                      by default. Override this value by calling
125  *                      mbedtls_hmac_drbg_set_reseed_interval().
126  *
127  * \param ctx           HMAC_DRBG context to be initialized.
128  */
129 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
130 
131 /**
132  * \brief               HMAC_DRBG initial seeding.
133  *
134  * Set the initial seed and set up the entropy source for future reseeds.
135  *
136  * A typical choice for the \p f_entropy and \p p_entropy parameters is
137  * to use the entropy module:
138  * - \p f_entropy is mbedtls_entropy_func();
139  * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
140  *   with mbedtls_entropy_init() (which registers the platform's default
141  *   entropy sources).
142  *
143  * You can provide a personalization string in addition to the
144  * entropy source, to make this instantiation as unique as possible.
145  *
146  * \note                By default, the security strength as defined by NIST is:
147  *                      - 128 bits if \p md_info is SHA-1;
148  *                      - 192 bits if \p md_info is SHA-224;
149  *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
150  *                      Note that SHA-256 is just as efficient as SHA-224.
151  *                      The security strength can be reduced if a smaller
152  *                      entropy length is set with
153  *                      mbedtls_hmac_drbg_set_entropy_len().
154  *
155  * \note                The default entropy length is the security strength
156  *                      (converted from bits to bytes). You can override
157  *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
158  *
159  * \note                During the initial seeding, this function calls
160  *                      the entropy source to obtain a nonce
161  *                      whose length is half the entropy length.
162  */
163 #if defined(MBEDTLS_THREADING_C)
164 /**
165  * \note                When Mbed TLS is built with threading support,
166  *                      after this function returns successfully,
167  *                      it is safe to call mbedtls_hmac_drbg_random()
168  *                      from multiple threads. Other operations, including
169  *                      reseeding, are not thread-safe.
170  */
171 #endif /* MBEDTLS_THREADING_C */
172 /**
173  * \param ctx           HMAC_DRBG context to be seeded.
174  * \param md_info       MD algorithm to use for HMAC_DRBG.
175  * \param f_entropy     The entropy callback, taking as arguments the
176  *                      \p p_entropy context, the buffer to fill, and the
177  *                      length of the buffer.
178  *                      \p f_entropy is always called with a length that is
179  *                      less than or equal to the entropy length.
180  * \param p_entropy     The entropy context to pass to \p f_entropy.
181  * \param custom        The personalization string.
182  *                      This can be \c NULL, in which case the personalization
183  *                      string is empty regardless of the value of \p len.
184  * \param len           The length of the personalization string.
185  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
186  *                      and also at most
187  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
188  *                      where \p entropy_len is the entropy length
189  *                      described above.
190  *
191  * \return              \c 0 if successful.
192  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
193  *                      invalid.
194  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
195  *                      memory to allocate context data.
196  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
197  *                      if the call to \p f_entropy failed.
198  */
199 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
200                     const mbedtls_md_info_t * md_info,
201                     int (*f_entropy)(void *, unsigned char *, size_t),
202                     void *p_entropy,
203                     const unsigned char *custom,
204                     size_t len );
205 
206 /**
207  * \brief               Initialisation of simplified HMAC_DRBG (never reseeds).
208  *
209  * This function is meant for use in algorithms that need a pseudorandom
210  * input such as deterministic ECDSA.
211  */
212 #if defined(MBEDTLS_THREADING_C)
213 /**
214  * \note                When Mbed TLS is built with threading support,
215  *                      after this function returns successfully,
216  *                      it is safe to call mbedtls_hmac_drbg_random()
217  *                      from multiple threads. Other operations, including
218  *                      reseeding, are not thread-safe.
219  */
220 #endif /* MBEDTLS_THREADING_C */
221 /**
222  * \param ctx           HMAC_DRBG context to be initialised.
223  * \param md_info       MD algorithm to use for HMAC_DRBG.
224  * \param data          Concatenation of the initial entropy string and
225  *                      the additional data.
226  * \param data_len      Length of \p data in bytes.
227  *
228  * \return              \c 0 if successful. or
229  * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
230  *                      invalid.
231  * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
232  *                      memory to allocate context data.
233  */
234 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
235                         const mbedtls_md_info_t * md_info,
236                         const unsigned char *data, size_t data_len );
237 
238 /**
239  * \brief               This function turns prediction resistance on or off.
240  *                      The default value is off.
241  *
242  * \note                If enabled, entropy is gathered at the beginning of
243  *                      every call to mbedtls_hmac_drbg_random_with_add()
244  *                      or mbedtls_hmac_drbg_random().
245  *                      Only use this if your entropy source has sufficient
246  *                      throughput.
247  *
248  * \param ctx           The HMAC_DRBG context.
249  * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
250  */
251 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
252                                           int resistance );
253 
254 /**
255  * \brief               This function sets the amount of entropy grabbed on each
256  *                      seed or reseed.
257  *
258  * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
259  *
260  * \param ctx           The HMAC_DRBG context.
261  * \param len           The amount of entropy to grab, in bytes.
262  */
263 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
264                                 size_t len );
265 
266 /**
267  * \brief               Set the reseed interval.
268  *
269  * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
270  * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
271  * is called again.
272  *
273  * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
274  *
275  * \param ctx           The HMAC_DRBG context.
276  * \param interval      The reseed interval.
277  */
278 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
279                                     int interval );
280 
281 /**
282  * \brief               This function updates the state of the HMAC_DRBG context.
283  *
284  * \note                This function is not thread-safe. It is not safe
285  *                      to call this function if another thread might be
286  *                      concurrently obtaining random numbers from the same
287  *                      context or updating or reseeding the same context.
288  *
289  * \param ctx           The HMAC_DRBG context.
290  * \param additional    The data to update the state with.
291  *                      If this is \c NULL, there is no additional data.
292  * \param add_len       Length of \p additional in bytes.
293  *                      Unused if \p additional is \c NULL.
294  *
295  * \return              \c 0 on success, or an error from the underlying
296  *                      hash calculation.
297  */
298 int mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
299                               const unsigned char *additional, size_t add_len );
300 
301 /**
302  * \brief               This function reseeds the HMAC_DRBG context, that is
303  *                      extracts data from the entropy source.
304  *
305  * \note                This function is not thread-safe. It is not safe
306  *                      to call this function if another thread might be
307  *                      concurrently obtaining random numbers from the same
308  *                      context or updating or reseeding the same context.
309  *
310  * \param ctx           The HMAC_DRBG context.
311  * \param additional    Additional data to add to the state.
312  *                      If this is \c NULL, there is no additional data
313  *                      and \p len should be \c 0.
314  * \param len           The length of the additional data.
315  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
316  *                      and also at most
317  *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
318  *                      where \p entropy_len is the entropy length
319  *                      (see mbedtls_hmac_drbg_set_entropy_len()).
320  *
321  * \return              \c 0 if successful.
322  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
323  *                      if a call to the entropy function failed.
324  */
325 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
326                       const unsigned char *additional, size_t len );
327 
328 /**
329  * \brief   This function updates an HMAC_DRBG instance with additional
330  *          data and uses it to generate random data.
331  *
332  * This function automatically reseeds if the reseed counter is exceeded
333  * or prediction resistance is enabled.
334  *
335  * \note                This function is not thread-safe. It is not safe
336  *                      to call this function if another thread might be
337  *                      concurrently obtaining random numbers from the same
338  *                      context or updating or reseeding the same context.
339  *
340  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
341  *                      #mbedtls_hmac_drbg_context structure.
342  * \param output        The buffer to fill.
343  * \param output_len    The length of the buffer in bytes.
344  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
345  * \param additional    Additional data to update with.
346  *                      If this is \c NULL, there is no additional data
347  *                      and \p add_len should be \c 0.
348  * \param add_len       The length of the additional data.
349  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
350  *
351  * \return              \c 0 if successful.
352  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
353  *                      if a call to the entropy source failed.
354  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
355  *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
356  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
357  *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
358  */
359 int mbedtls_hmac_drbg_random_with_add( void *p_rng,
360                                unsigned char *output, size_t output_len,
361                                const unsigned char *additional,
362                                size_t add_len );
363 
364 /**
365  * \brief   This function uses HMAC_DRBG to generate random data.
366  *
367  * This function automatically reseeds if the reseed counter is exceeded
368  * or prediction resistance is enabled.
369  */
370 #if defined(MBEDTLS_THREADING_C)
371 /**
372  * \note                When Mbed TLS is built with threading support,
373  *                      it is safe to call mbedtls_ctr_drbg_random()
374  *                      from multiple threads. Other operations, including
375  *                      reseeding, are not thread-safe.
376  */
377 #endif /* MBEDTLS_THREADING_C */
378 /**
379  * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
380  *                      #mbedtls_hmac_drbg_context structure.
381  * \param output        The buffer to fill.
382  * \param out_len       The length of the buffer in bytes.
383  *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
384  *
385  * \return              \c 0 if successful.
386  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
387  *                      if a call to the entropy source failed.
388  * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
389  *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
390  */
391 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
392 
393 /**
394  * \brief               This function resets HMAC_DRBG context to the state immediately
395  *                      after initial call of mbedtls_hmac_drbg_init().
396  *
397  * \param ctx           The HMAC_DRBG context to free.
398  */
399 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
400 
401 #if defined(MBEDTLS_FS_IO)
402 /**
403  * \brief               This function writes a seed file.
404  *
405  * \param ctx           The HMAC_DRBG context.
406  * \param path          The name of the file.
407  *
408  * \return              \c 0 on success.
409  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
410  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
411  *                      failure.
412  */
413 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
414 
415 /**
416  * \brief               This function reads and updates a seed file. The seed
417  *                      is added to this instance.
418  *
419  * \param ctx           The HMAC_DRBG context.
420  * \param path          The name of the file.
421  *
422  * \return              \c 0 on success.
423  * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
424  * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
425  *                      reseed failure.
426  * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
427  *                      seed file is too large.
428  */
429 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
430 #endif /* MBEDTLS_FS_IO */
431 
432 
433 #if defined(MBEDTLS_SELF_TEST)
434 /**
435  * \brief               The HMAC_DRBG Checkup routine.
436  *
437  * \return              \c 0 if successful.
438  * \return              \c 1 if the test failed.
439  */
440 int mbedtls_hmac_drbg_self_test( int verbose );
441 #endif
442 
443 #ifdef __cplusplus
444 }
445 #endif
446 
447 #endif /* hmac_drbg.h */
448