1 /** 2 * \file hmac_drbg.h 3 * 4 * \brief The HMAC_DRBG pseudorandom generator. 5 * 6 * This module implements the HMAC_DRBG pseudorandom generator described 7 * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using 8 * Deterministic Random Bit Generators</em>. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 13 * 14 * Licensed under the Apache License, Version 2.0 (the "License"); you may 15 * not use this file except in compliance with the License. 16 * You may obtain a copy of the License at 17 * 18 * http://www.apache.org/licenses/LICENSE-2.0 19 * 20 * Unless required by applicable law or agreed to in writing, software 21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 * See the License for the specific language governing permissions and 24 * limitations under the License. 25 */ 26 #ifndef MBEDTLS_HMAC_DRBG_H 27 #define MBEDTLS_HMAC_DRBG_H 28 29 #if !defined(MBEDTLS_CONFIG_FILE) 30 #include "mbedtls/config.h" 31 #else 32 #include MBEDTLS_CONFIG_FILE 33 #endif 34 35 #include "mbedtls/md.h" 36 37 #if defined(MBEDTLS_THREADING_C) 38 #include "mbedtls/threading.h" 39 #endif 40 41 /* 42 * Error codes 43 */ 44 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 /**< Too many random requested in single call. */ 45 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 /**< Input too large (Entropy + additional). */ 46 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 /**< Read/write error in file. */ 47 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 /**< The entropy source failed. */ 48 49 /** 50 * \name SECTION: Module settings 51 * 52 * The configuration options you can set for this module are in this section. 53 * Either change them in config.h or define them on the compiler command line. 54 * \{ 55 */ 56 57 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL) 58 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 59 #endif 60 61 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT) 62 #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 63 #endif 64 65 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST) 66 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 67 #endif 68 69 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) 70 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 71 #endif 72 73 /* \} name SECTION: Module settings */ 74 75 #define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ 76 #define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ 77 78 #ifdef __cplusplus 79 extern "C" { 80 #endif 81 82 /** 83 * HMAC_DRBG context. 84 */ 85 typedef struct mbedtls_hmac_drbg_context 86 { 87 /* Working state: the key K is not stored explicitly, 88 * but is implied by the HMAC context */ 89 mbedtls_md_context_t md_ctx; /*!< HMAC context (inc. K) */ 90 unsigned char V[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ 91 int reseed_counter; /*!< reseed counter */ 92 93 /* Administrative state */ 94 size_t entropy_len; /*!< entropy bytes grabbed on each (re)seed */ 95 int prediction_resistance; /*!< enable prediction resistance (Automatic 96 reseed before every random generation) */ 97 int reseed_interval; /*!< reseed interval */ 98 99 /* Callbacks */ 100 int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */ 101 void *p_entropy; /*!< context for the entropy function */ 102 103 #if defined(MBEDTLS_THREADING_C) 104 mbedtls_threading_mutex_t mutex; 105 #endif 106 } mbedtls_hmac_drbg_context; 107 108 /** 109 * \brief HMAC_DRBG context initialization. 110 * 111 * This function makes the context ready for mbedtls_hmac_drbg_seed(), 112 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free(). 113 * 114 * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 115 * by default. Override this value by calling 116 * mbedtls_hmac_drbg_set_reseed_interval(). 117 * 118 * \param ctx HMAC_DRBG context to be initialized. 119 */ 120 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx ); 121 122 /** 123 * \brief HMAC_DRBG initial seeding. 124 * 125 * Set the initial seed and set up the entropy source for future reseeds. 126 * 127 * A typical choice for the \p f_entropy and \p p_entropy parameters is 128 * to use the entropy module: 129 * - \p f_entropy is mbedtls_entropy_func(); 130 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized 131 * with mbedtls_entropy_init() (which registers the platform's default 132 * entropy sources). 133 * 134 * You can provide a personalization string in addition to the 135 * entropy source, to make this instantiation as unique as possible. 136 * 137 * \note By default, the security strength as defined by NIST is: 138 * - 128 bits if \p md_info is SHA-1; 139 * - 192 bits if \p md_info is SHA-224; 140 * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512. 141 * Note that SHA-256 is just as efficient as SHA-224. 142 * The security strength can be reduced if a smaller 143 * entropy length is set with 144 * mbedtls_hmac_drbg_set_entropy_len(). 145 * 146 * \note The default entropy length is the security strength 147 * (converted from bits to bytes). You can override 148 * it by calling mbedtls_hmac_drbg_set_entropy_len(). 149 * 150 * \note During the initial seeding, this function calls 151 * the entropy source to obtain a nonce 152 * whose length is half the entropy length. 153 * 154 * \param ctx HMAC_DRBG context to be seeded. 155 * \param md_info MD algorithm to use for HMAC_DRBG. 156 * \param f_entropy The entropy callback, taking as arguments the 157 * \p p_entropy context, the buffer to fill, and the 158 * length of the buffer. 159 * \p f_entropy is always called with a length that is 160 * less than or equal to the entropy length. 161 * \param p_entropy The entropy context to pass to \p f_entropy. 162 * \param custom The personalization string. 163 * This can be \c NULL, in which case the personalization 164 * string is empty regardless of the value of \p len. 165 * \param len The length of the personalization string. 166 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 167 * and also at most 168 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 169 * where \p entropy_len is the entropy length 170 * described above. 171 * 172 * \return \c 0 if successful. 173 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 174 * invalid. 175 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 176 * memory to allocate context data. 177 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 178 * if the call to \p f_entropy failed. 179 */ 180 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, 181 const mbedtls_md_info_t * md_info, 182 int (*f_entropy)(void *, unsigned char *, size_t), 183 void *p_entropy, 184 const unsigned char *custom, 185 size_t len ); 186 187 /** 188 * \brief Initilisation of simpified HMAC_DRBG (never reseeds). 189 * 190 * This function is meant for use in algorithms that need a pseudorandom 191 * input such as deterministic ECDSA. 192 * 193 * \param ctx HMAC_DRBG context to be initialised. 194 * \param md_info MD algorithm to use for HMAC_DRBG. 195 * \param data Concatenation of the initial entropy string and 196 * the additional data. 197 * \param data_len Length of \p data in bytes. 198 * 199 * \return \c 0 if successful. or 200 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 201 * invalid. 202 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 203 * memory to allocate context data. 204 */ 205 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, 206 const mbedtls_md_info_t * md_info, 207 const unsigned char *data, size_t data_len ); 208 209 /** 210 * \brief This function turns prediction resistance on or off. 211 * The default value is off. 212 * 213 * \note If enabled, entropy is gathered at the beginning of 214 * every call to mbedtls_hmac_drbg_random_with_add() 215 * or mbedtls_hmac_drbg_random(). 216 * Only use this if your entropy source has sufficient 217 * throughput. 218 * 219 * \param ctx The HMAC_DRBG context. 220 * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF. 221 */ 222 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx, 223 int resistance ); 224 225 /** 226 * \brief This function sets the amount of entropy grabbed on each 227 * seed or reseed. 228 * 229 * See the documentation of mbedtls_hmac_drbg_seed() for the default value. 230 * 231 * \param ctx The HMAC_DRBG context. 232 * \param len The amount of entropy to grab, in bytes. 233 */ 234 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, 235 size_t len ); 236 237 /** 238 * \brief Set the reseed interval. 239 * 240 * The reseed interval is the number of calls to mbedtls_hmac_drbg_random() 241 * or mbedtls_hmac_drbg_random_with_add() after which the entropy function 242 * is called again. 243 * 244 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL. 245 * 246 * \param ctx The HMAC_DRBG context. 247 * \param interval The reseed interval. 248 */ 249 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, 250 int interval ); 251 252 /** 253 * \brief This function updates the state of the HMAC_DRBG context. 254 * 255 * \param ctx The HMAC_DRBG context. 256 * \param additional The data to update the state with. 257 * If this is \c NULL, there is no additional data. 258 * \param add_len Length of \p additional in bytes. 259 * Unused if \p additional is \c NULL. 260 * 261 * \return \c 0 on success, or an error from the underlying 262 * hash calculation. 263 */ 264 int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx, 265 const unsigned char *additional, size_t add_len ); 266 267 /** 268 * \brief This function reseeds the HMAC_DRBG context, that is 269 * extracts data from the entropy source. 270 * 271 * \param ctx The HMAC_DRBG context. 272 * \param additional Additional data to add to the state. 273 * If this is \c NULL, there is no additional data 274 * and \p len should be \c 0. 275 * \param len The length of the additional data. 276 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 277 * and also at most 278 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len 279 * where \p entropy_len is the entropy length 280 * (see mbedtls_hmac_drbg_set_entropy_len()). 281 * 282 * \return \c 0 if successful. 283 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 284 * if a call to the entropy function failed. 285 */ 286 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx, 287 const unsigned char *additional, size_t len ); 288 289 /** 290 * \brief This function updates an HMAC_DRBG instance with additional 291 * data and uses it to generate random data. 292 * 293 * This function automatically reseeds if the reseed counter is exceeded 294 * or prediction resistance is enabled. 295 * 296 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 297 * #mbedtls_hmac_drbg_context structure. 298 * \param output The buffer to fill. 299 * \param output_len The length of the buffer in bytes. 300 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 301 * \param additional Additional data to update with. 302 * If this is \c NULL, there is no additional data 303 * and \p add_len should be \c 0. 304 * \param add_len The length of the additional data. 305 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT. 306 * 307 * \return \c 0 if successful. 308 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 309 * if a call to the entropy source failed. 310 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 311 * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 312 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if 313 * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT. 314 */ 315 int mbedtls_hmac_drbg_random_with_add( void *p_rng, 316 unsigned char *output, size_t output_len, 317 const unsigned char *additional, 318 size_t add_len ); 319 320 /** 321 * \brief This function uses HMAC_DRBG to generate random data. 322 * 323 * This function automatically reseeds if the reseed counter is exceeded 324 * or prediction resistance is enabled. 325 * 326 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 327 * #mbedtls_hmac_drbg_context structure. 328 * \param output The buffer to fill. 329 * \param out_len The length of the buffer in bytes. 330 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 331 * 332 * \return \c 0 if successful. 333 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 334 * if a call to the entropy source failed. 335 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 336 * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 337 */ 338 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ); 339 340 /** 341 * \brief This function resets HMAC_DRBG context to the state immediately 342 * after initial call of mbedtls_hmac_drbg_init(). 343 * 344 * \param ctx The HMAC_DRBG context to free. 345 */ 346 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx ); 347 348 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 349 #if defined(MBEDTLS_DEPRECATED_WARNING) 350 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 351 #else 352 #define MBEDTLS_DEPRECATED 353 #endif 354 /** 355 * \brief This function updates the state of the HMAC_DRBG context. 356 * 357 * \deprecated Superseded by mbedtls_hmac_drbg_update_ret() 358 * in 2.16.0. 359 * 360 * \param ctx The HMAC_DRBG context. 361 * \param additional The data to update the state with. 362 * If this is \c NULL, there is no additional data. 363 * \param add_len Length of \p additional in bytes. 364 * Unused if \p additional is \c NULL. 365 */ 366 MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update( 367 mbedtls_hmac_drbg_context *ctx, 368 const unsigned char *additional, size_t add_len ); 369 #undef MBEDTLS_DEPRECATED 370 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 371 372 #if defined(MBEDTLS_FS_IO) 373 /** 374 * \brief This function writes a seed file. 375 * 376 * \param ctx The HMAC_DRBG context. 377 * \param path The name of the file. 378 * 379 * \return \c 0 on success. 380 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 381 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed 382 * failure. 383 */ 384 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 385 386 /** 387 * \brief This function reads and updates a seed file. The seed 388 * is added to this instance. 389 * 390 * \param ctx The HMAC_DRBG context. 391 * \param path The name of the file. 392 * 393 * \return \c 0 on success. 394 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 395 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on 396 * reseed failure. 397 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing 398 * seed file is too large. 399 */ 400 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 401 #endif /* MBEDTLS_FS_IO */ 402 403 404 #if defined(MBEDTLS_SELF_TEST) 405 /** 406 * \brief The HMAC_DRBG Checkup routine. 407 * 408 * \return \c 0 if successful. 409 * \return \c 1 if the test failed. 410 */ 411 int mbedtls_hmac_drbg_self_test( int verbose ); 412 #endif 413 414 #ifdef __cplusplus 415 } 416 #endif 417 418 #endif /* hmac_drbg.h */ 419
