1 /** 2 * \file hmac_drbg.h 3 * 4 * \brief The HMAC_DRBG pseudorandom generator. 5 * 6 * This module implements the HMAC_DRBG pseudorandom generator described 7 * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using 8 * Deterministic Random Bit Generators</em>. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 13 * 14 * Licensed under the Apache License, Version 2.0 (the "License"); you may 15 * not use this file except in compliance with the License. 16 * You may obtain a copy of the License at 17 * 18 * http://www.apache.org/licenses/LICENSE-2.0 19 * 20 * Unless required by applicable law or agreed to in writing, software 21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 * See the License for the specific language governing permissions and 24 * limitations under the License. 25 */ 26 #ifndef MBEDTLS_HMAC_DRBG_H 27 #define MBEDTLS_HMAC_DRBG_H 28 #include "mbedtls/private_access.h" 29 30 #include "mbedtls/build_info.h" 31 32 #include "mbedtls/md.h" 33 34 #if defined(MBEDTLS_THREADING_C) 35 #include "mbedtls/threading.h" 36 #endif 37 38 /* 39 * Error codes 40 */ 41 /** Too many random requested in single call. */ 42 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 43 /** Input too large (Entropy + additional). */ 44 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 45 /** Read/write error in file. */ 46 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 47 /** The entropy source failed. */ 48 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 49 50 /** 51 * \name SECTION: Module settings 52 * 53 * The configuration options you can set for this module are in this section. 54 * Either change them in mbedtls_config.h or define them on the compiler command line. 55 * \{ 56 */ 57 58 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL) 59 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 60 #endif 61 62 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT) 63 #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 64 #endif 65 66 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST) 67 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 68 #endif 69 70 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) 71 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 72 #endif 73 74 /** \} name SECTION: Module settings */ 75 76 #define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ 77 #define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ 78 79 #ifdef __cplusplus 80 extern "C" { 81 #endif 82 83 /** 84 * HMAC_DRBG context. 85 */ 86 typedef struct mbedtls_hmac_drbg_context 87 { 88 /* Working state: the key K is not stored explicitly, 89 * but is implied by the HMAC context */ 90 mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx); /*!< HMAC context (inc. K) */ 91 unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ 92 int MBEDTLS_PRIVATE(reseed_counter); /*!< reseed counter */ 93 94 /* Administrative state */ 95 size_t MBEDTLS_PRIVATE(entropy_len); /*!< entropy bytes grabbed on each (re)seed */ 96 int MBEDTLS_PRIVATE(prediction_resistance); /*!< enable prediction resistance (Automatic 97 reseed before every random generation) */ 98 int MBEDTLS_PRIVATE(reseed_interval); /*!< reseed interval */ 99 100 /* Callbacks */ 101 int (*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */ 102 void *MBEDTLS_PRIVATE(p_entropy); /*!< context for the entropy function */ 103 104 #if defined(MBEDTLS_THREADING_C) 105 /* Invariant: the mutex is initialized if and only if 106 * md_ctx->md_info != NULL. This means that the mutex is initialized 107 * during the initial seeding in mbedtls_hmac_drbg_seed() or 108 * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free(). 109 * 110 * Note that this invariant may change without notice. Do not rely on it 111 * and do not access the mutex directly in application code. 112 */ 113 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); 114 #endif 115 } mbedtls_hmac_drbg_context; 116 117 /** 118 * \brief HMAC_DRBG context initialization. 119 * 120 * This function makes the context ready for mbedtls_hmac_drbg_seed(), 121 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free(). 122 * 123 * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 124 * by default. Override this value by calling 125 * mbedtls_hmac_drbg_set_reseed_interval(). 126 * 127 * \param ctx HMAC_DRBG context to be initialized. 128 */ 129 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx ); 130 131 /** 132 * \brief HMAC_DRBG initial seeding. 133 * 134 * Set the initial seed and set up the entropy source for future reseeds. 135 * 136 * A typical choice for the \p f_entropy and \p p_entropy parameters is 137 * to use the entropy module: 138 * - \p f_entropy is mbedtls_entropy_func(); 139 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized 140 * with mbedtls_entropy_init() (which registers the platform's default 141 * entropy sources). 142 * 143 * You can provide a personalization string in addition to the 144 * entropy source, to make this instantiation as unique as possible. 145 * 146 * \note By default, the security strength as defined by NIST is: 147 * - 128 bits if \p md_info is SHA-1; 148 * - 192 bits if \p md_info is SHA-224; 149 * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512. 150 * Note that SHA-256 is just as efficient as SHA-224. 151 * The security strength can be reduced if a smaller 152 * entropy length is set with 153 * mbedtls_hmac_drbg_set_entropy_len(). 154 * 155 * \note The default entropy length is the security strength 156 * (converted from bits to bytes). You can override 157 * it by calling mbedtls_hmac_drbg_set_entropy_len(). 158 * 159 * \note During the initial seeding, this function calls 160 * the entropy source to obtain a nonce 161 * whose length is half the entropy length. 162 */ 163 #if defined(MBEDTLS_THREADING_C) 164 /** 165 * \note When Mbed TLS is built with threading support, 166 * after this function returns successfully, 167 * it is safe to call mbedtls_hmac_drbg_random() 168 * from multiple threads. Other operations, including 169 * reseeding, are not thread-safe. 170 */ 171 #endif /* MBEDTLS_THREADING_C */ 172 /** 173 * \param ctx HMAC_DRBG context to be seeded. 174 * \param md_info MD algorithm to use for HMAC_DRBG. 175 * \param f_entropy The entropy callback, taking as arguments the 176 * \p p_entropy context, the buffer to fill, and the 177 * length of the buffer. 178 * \p f_entropy is always called with a length that is 179 * less than or equal to the entropy length. 180 * \param p_entropy The entropy context to pass to \p f_entropy. 181 * \param custom The personalization string. 182 * This can be \c NULL, in which case the personalization 183 * string is empty regardless of the value of \p len. 184 * \param len The length of the personalization string. 185 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 186 * and also at most 187 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 188 * where \p entropy_len is the entropy length 189 * described above. 190 * 191 * \return \c 0 if successful. 192 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 193 * invalid. 194 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 195 * memory to allocate context data. 196 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 197 * if the call to \p f_entropy failed. 198 */ 199 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, 200 const mbedtls_md_info_t * md_info, 201 int (*f_entropy)(void *, unsigned char *, size_t), 202 void *p_entropy, 203 const unsigned char *custom, 204 size_t len ); 205 206 /** 207 * \brief Initialisation of simplified HMAC_DRBG (never reseeds). 208 * 209 * This function is meant for use in algorithms that need a pseudorandom 210 * input such as deterministic ECDSA. 211 */ 212 #if defined(MBEDTLS_THREADING_C) 213 /** 214 * \note When Mbed TLS is built with threading support, 215 * after this function returns successfully, 216 * it is safe to call mbedtls_hmac_drbg_random() 217 * from multiple threads. Other operations, including 218 * reseeding, are not thread-safe. 219 */ 220 #endif /* MBEDTLS_THREADING_C */ 221 /** 222 * \param ctx HMAC_DRBG context to be initialised. 223 * \param md_info MD algorithm to use for HMAC_DRBG. 224 * \param data Concatenation of the initial entropy string and 225 * the additional data. 226 * \param data_len Length of \p data in bytes. 227 * 228 * \return \c 0 if successful. or 229 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 230 * invalid. 231 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 232 * memory to allocate context data. 233 */ 234 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, 235 const mbedtls_md_info_t * md_info, 236 const unsigned char *data, size_t data_len ); 237 238 /** 239 * \brief This function turns prediction resistance on or off. 240 * The default value is off. 241 * 242 * \note If enabled, entropy is gathered at the beginning of 243 * every call to mbedtls_hmac_drbg_random_with_add() 244 * or mbedtls_hmac_drbg_random(). 245 * Only use this if your entropy source has sufficient 246 * throughput. 247 * 248 * \param ctx The HMAC_DRBG context. 249 * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF. 250 */ 251 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx, 252 int resistance ); 253 254 /** 255 * \brief This function sets the amount of entropy grabbed on each 256 * seed or reseed. 257 * 258 * See the documentation of mbedtls_hmac_drbg_seed() for the default value. 259 * 260 * \param ctx The HMAC_DRBG context. 261 * \param len The amount of entropy to grab, in bytes. 262 */ 263 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, 264 size_t len ); 265 266 /** 267 * \brief Set the reseed interval. 268 * 269 * The reseed interval is the number of calls to mbedtls_hmac_drbg_random() 270 * or mbedtls_hmac_drbg_random_with_add() after which the entropy function 271 * is called again. 272 * 273 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL. 274 * 275 * \param ctx The HMAC_DRBG context. 276 * \param interval The reseed interval. 277 */ 278 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, 279 int interval ); 280 281 /** 282 * \brief This function updates the state of the HMAC_DRBG context. 283 * 284 * \note This function is not thread-safe. It is not safe 285 * to call this function if another thread might be 286 * concurrently obtaining random numbers from the same 287 * context or updating or reseeding the same context. 288 * 289 * \param ctx The HMAC_DRBG context. 290 * \param additional The data to update the state with. 291 * If this is \c NULL, there is no additional data. 292 * \param add_len Length of \p additional in bytes. 293 * Unused if \p additional is \c NULL. 294 * 295 * \return \c 0 on success, or an error from the underlying 296 * hash calculation. 297 */ 298 int mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx, 299 const unsigned char *additional, size_t add_len ); 300 301 /** 302 * \brief This function reseeds the HMAC_DRBG context, that is 303 * extracts data from the entropy source. 304 * 305 * \note This function is not thread-safe. It is not safe 306 * to call this function if another thread might be 307 * concurrently obtaining random numbers from the same 308 * context or updating or reseeding the same context. 309 * 310 * \param ctx The HMAC_DRBG context. 311 * \param additional Additional data to add to the state. 312 * If this is \c NULL, there is no additional data 313 * and \p len should be \c 0. 314 * \param len The length of the additional data. 315 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 316 * and also at most 317 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len 318 * where \p entropy_len is the entropy length 319 * (see mbedtls_hmac_drbg_set_entropy_len()). 320 * 321 * \return \c 0 if successful. 322 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 323 * if a call to the entropy function failed. 324 */ 325 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx, 326 const unsigned char *additional, size_t len ); 327 328 /** 329 * \brief This function updates an HMAC_DRBG instance with additional 330 * data and uses it to generate random data. 331 * 332 * This function automatically reseeds if the reseed counter is exceeded 333 * or prediction resistance is enabled. 334 * 335 * \note This function is not thread-safe. It is not safe 336 * to call this function if another thread might be 337 * concurrently obtaining random numbers from the same 338 * context or updating or reseeding the same context. 339 * 340 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 341 * #mbedtls_hmac_drbg_context structure. 342 * \param output The buffer to fill. 343 * \param output_len The length of the buffer in bytes. 344 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 345 * \param additional Additional data to update with. 346 * If this is \c NULL, there is no additional data 347 * and \p add_len should be \c 0. 348 * \param add_len The length of the additional data. 349 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT. 350 * 351 * \return \c 0 if successful. 352 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 353 * if a call to the entropy source failed. 354 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 355 * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 356 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if 357 * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT. 358 */ 359 int mbedtls_hmac_drbg_random_with_add( void *p_rng, 360 unsigned char *output, size_t output_len, 361 const unsigned char *additional, 362 size_t add_len ); 363 364 /** 365 * \brief This function uses HMAC_DRBG to generate random data. 366 * 367 * This function automatically reseeds if the reseed counter is exceeded 368 * or prediction resistance is enabled. 369 */ 370 #if defined(MBEDTLS_THREADING_C) 371 /** 372 * \note When Mbed TLS is built with threading support, 373 * it is safe to call mbedtls_ctr_drbg_random() 374 * from multiple threads. Other operations, including 375 * reseeding, are not thread-safe. 376 */ 377 #endif /* MBEDTLS_THREADING_C */ 378 /** 379 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 380 * #mbedtls_hmac_drbg_context structure. 381 * \param output The buffer to fill. 382 * \param out_len The length of the buffer in bytes. 383 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 384 * 385 * \return \c 0 if successful. 386 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 387 * if a call to the entropy source failed. 388 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 389 * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 390 */ 391 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ); 392 393 /** 394 * \brief This function resets HMAC_DRBG context to the state immediately 395 * after initial call of mbedtls_hmac_drbg_init(). 396 * 397 * \param ctx The HMAC_DRBG context to free. 398 */ 399 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx ); 400 401 #if defined(MBEDTLS_FS_IO) 402 /** 403 * \brief This function writes a seed file. 404 * 405 * \param ctx The HMAC_DRBG context. 406 * \param path The name of the file. 407 * 408 * \return \c 0 on success. 409 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 410 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed 411 * failure. 412 */ 413 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 414 415 /** 416 * \brief This function reads and updates a seed file. The seed 417 * is added to this instance. 418 * 419 * \param ctx The HMAC_DRBG context. 420 * \param path The name of the file. 421 * 422 * \return \c 0 on success. 423 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 424 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on 425 * reseed failure. 426 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing 427 * seed file is too large. 428 */ 429 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 430 #endif /* MBEDTLS_FS_IO */ 431 432 433 #if defined(MBEDTLS_SELF_TEST) 434 /** 435 * \brief The HMAC_DRBG Checkup routine. 436 * 437 * \return \c 0 if successful. 438 * \return \c 1 if the test failed. 439 */ 440 int mbedtls_hmac_drbg_self_test( int verbose ); 441 #endif 442 443 #ifdef __cplusplus 444 } 445 #endif 446 447 #endif /* hmac_drbg.h */ 448