1 /** 2 * \file hmac_drbg.h 3 * 4 * \brief The HMAC_DRBG pseudorandom generator. 5 * 6 * This module implements the HMAC_DRBG pseudorandom generator described 7 * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using 8 * Deterministic Random Bit Generators</em>. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 13 * 14 * This file is provided under the Apache License 2.0, or the 15 * GNU General Public License v2.0 or later. 16 * 17 * ********** 18 * Apache License 2.0: 19 * 20 * Licensed under the Apache License, Version 2.0 (the "License"); you may 21 * not use this file except in compliance with the License. 22 * You may obtain a copy of the License at 23 * 24 * http://www.apache.org/licenses/LICENSE-2.0 25 * 26 * Unless required by applicable law or agreed to in writing, software 27 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 28 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 29 * See the License for the specific language governing permissions and 30 * limitations under the License. 31 * 32 * ********** 33 * 34 * ********** 35 * GNU General Public License v2.0 or later: 36 * 37 * This program is free software; you can redistribute it and/or modify 38 * it under the terms of the GNU General Public License as published by 39 * the Free Software Foundation; either version 2 of the License, or 40 * (at your option) any later version. 41 * 42 * This program is distributed in the hope that it will be useful, 43 * but WITHOUT ANY WARRANTY; without even the implied warranty of 44 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 45 * GNU General Public License for more details. 46 * 47 * You should have received a copy of the GNU General Public License along 48 * with this program; if not, write to the Free Software Foundation, Inc., 49 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 50 * 51 * ********** 52 */ 53 #ifndef MBEDTLS_HMAC_DRBG_H 54 #define MBEDTLS_HMAC_DRBG_H 55 56 #if !defined(MBEDTLS_CONFIG_FILE) 57 #include "config.h" 58 #else 59 #include MBEDTLS_CONFIG_FILE 60 #endif 61 62 #include "md.h" 63 64 #if defined(MBEDTLS_THREADING_C) 65 #include "threading.h" 66 #endif 67 68 /* 69 * Error codes 70 */ 71 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 /**< Too many random requested in single call. */ 72 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 /**< Input too large (Entropy + additional). */ 73 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 /**< Read/write error in file. */ 74 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 /**< The entropy source failed. */ 75 76 /** 77 * \name SECTION: Module settings 78 * 79 * The configuration options you can set for this module are in this section. 80 * Either change them in config.h or define them on the compiler command line. 81 * \{ 82 */ 83 84 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL) 85 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 86 #endif 87 88 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT) 89 #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 90 #endif 91 92 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST) 93 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 94 #endif 95 96 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) 97 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 98 #endif 99 100 /* \} name SECTION: Module settings */ 101 102 #define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ 103 #define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ 104 105 #ifdef __cplusplus 106 extern "C" { 107 #endif 108 109 /** 110 * HMAC_DRBG context. 111 */ 112 typedef struct mbedtls_hmac_drbg_context 113 { 114 /* Working state: the key K is not stored explicitly, 115 * but is implied by the HMAC context */ 116 mbedtls_md_context_t md_ctx; /*!< HMAC context (inc. K) */ 117 unsigned char V[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ 118 int reseed_counter; /*!< reseed counter */ 119 120 /* Administrative state */ 121 size_t entropy_len; /*!< entropy bytes grabbed on each (re)seed */ 122 int prediction_resistance; /*!< enable prediction resistance (Automatic 123 reseed before every random generation) */ 124 int reseed_interval; /*!< reseed interval */ 125 126 /* Callbacks */ 127 int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */ 128 void *p_entropy; /*!< context for the entropy function */ 129 130 #if defined(MBEDTLS_THREADING_C) 131 /* Invariant: the mutex is initialized if and only if 132 * md_ctx->md_info != NULL. This means that the mutex is initialized 133 * during the initial seeding in mbedtls_hmac_drbg_seed() or 134 * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free(). 135 * 136 * Note that this invariant may change without notice. Do not rely on it 137 * and do not access the mutex directly in application code. 138 */ 139 mbedtls_threading_mutex_t mutex; 140 #endif 141 } mbedtls_hmac_drbg_context; 142 143 /** 144 * \brief HMAC_DRBG context initialization. 145 * 146 * This function makes the context ready for mbedtls_hmac_drbg_seed(), 147 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free(). 148 * 149 * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 150 * by default. Override this value by calling 151 * mbedtls_hmac_drbg_set_reseed_interval(). 152 * 153 * \param ctx HMAC_DRBG context to be initialized. 154 */ 155 void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx ); 156 157 /** 158 * \brief HMAC_DRBG initial seeding. 159 * 160 * Set the initial seed and set up the entropy source for future reseeds. 161 * 162 * A typical choice for the \p f_entropy and \p p_entropy parameters is 163 * to use the entropy module: 164 * - \p f_entropy is mbedtls_entropy_func(); 165 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized 166 * with mbedtls_entropy_init() (which registers the platform's default 167 * entropy sources). 168 * 169 * You can provide a personalization string in addition to the 170 * entropy source, to make this instantiation as unique as possible. 171 * 172 * \note By default, the security strength as defined by NIST is: 173 * - 128 bits if \p md_info is SHA-1; 174 * - 192 bits if \p md_info is SHA-224; 175 * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512. 176 * Note that SHA-256 is just as efficient as SHA-224. 177 * The security strength can be reduced if a smaller 178 * entropy length is set with 179 * mbedtls_hmac_drbg_set_entropy_len(). 180 * 181 * \note The default entropy length is the security strength 182 * (converted from bits to bytes). You can override 183 * it by calling mbedtls_hmac_drbg_set_entropy_len(). 184 * 185 * \note During the initial seeding, this function calls 186 * the entropy source to obtain a nonce 187 * whose length is half the entropy length. 188 */ 189 #if defined(MBEDTLS_THREADING_C) 190 /** 191 * \note When Mbed TLS is built with threading support, 192 * after this function returns successfully, 193 * it is safe to call mbedtls_hmac_drbg_random() 194 * from multiple threads. Other operations, including 195 * reseeding, are not thread-safe. 196 */ 197 #endif /* MBEDTLS_THREADING_C */ 198 /** 199 * \param ctx HMAC_DRBG context to be seeded. 200 * \param md_info MD algorithm to use for HMAC_DRBG. 201 * \param f_entropy The entropy callback, taking as arguments the 202 * \p p_entropy context, the buffer to fill, and the 203 * length of the buffer. 204 * \p f_entropy is always called with a length that is 205 * less than or equal to the entropy length. 206 * \param p_entropy The entropy context to pass to \p f_entropy. 207 * \param custom The personalization string. 208 * This can be \c NULL, in which case the personalization 209 * string is empty regardless of the value of \p len. 210 * \param len The length of the personalization string. 211 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 212 * and also at most 213 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2 214 * where \p entropy_len is the entropy length 215 * described above. 216 * 217 * \return \c 0 if successful. 218 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 219 * invalid. 220 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 221 * memory to allocate context data. 222 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 223 * if the call to \p f_entropy failed. 224 */ 225 int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, 226 const mbedtls_md_info_t * md_info, 227 int (*f_entropy)(void *, unsigned char *, size_t), 228 void *p_entropy, 229 const unsigned char *custom, 230 size_t len ); 231 232 /** 233 * \brief Initilisation of simpified HMAC_DRBG (never reseeds). 234 * 235 * This function is meant for use in algorithms that need a pseudorandom 236 * input such as deterministic ECDSA. 237 */ 238 #if defined(MBEDTLS_THREADING_C) 239 /** 240 * \note When Mbed TLS is built with threading support, 241 * after this function returns successfully, 242 * it is safe to call mbedtls_hmac_drbg_random() 243 * from multiple threads. Other operations, including 244 * reseeding, are not thread-safe. 245 */ 246 #endif /* MBEDTLS_THREADING_C */ 247 /** 248 * \param ctx HMAC_DRBG context to be initialised. 249 * \param md_info MD algorithm to use for HMAC_DRBG. 250 * \param data Concatenation of the initial entropy string and 251 * the additional data. 252 * \param data_len Length of \p data in bytes. 253 * 254 * \return \c 0 if successful. or 255 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 256 * invalid. 257 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 258 * memory to allocate context data. 259 */ 260 int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, 261 const mbedtls_md_info_t * md_info, 262 const unsigned char *data, size_t data_len ); 263 264 /** 265 * \brief This function turns prediction resistance on or off. 266 * The default value is off. 267 * 268 * \note If enabled, entropy is gathered at the beginning of 269 * every call to mbedtls_hmac_drbg_random_with_add() 270 * or mbedtls_hmac_drbg_random(). 271 * Only use this if your entropy source has sufficient 272 * throughput. 273 * 274 * \param ctx The HMAC_DRBG context. 275 * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF. 276 */ 277 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx, 278 int resistance ); 279 280 /** 281 * \brief This function sets the amount of entropy grabbed on each 282 * seed or reseed. 283 * 284 * See the documentation of mbedtls_hmac_drbg_seed() for the default value. 285 * 286 * \param ctx The HMAC_DRBG context. 287 * \param len The amount of entropy to grab, in bytes. 288 */ 289 void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, 290 size_t len ); 291 292 /** 293 * \brief Set the reseed interval. 294 * 295 * The reseed interval is the number of calls to mbedtls_hmac_drbg_random() 296 * or mbedtls_hmac_drbg_random_with_add() after which the entropy function 297 * is called again. 298 * 299 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL. 300 * 301 * \param ctx The HMAC_DRBG context. 302 * \param interval The reseed interval. 303 */ 304 void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, 305 int interval ); 306 307 /** 308 * \brief This function updates the state of the HMAC_DRBG context. 309 * 310 * \note This function is not thread-safe. It is not safe 311 * to call this function if another thread might be 312 * concurrently obtaining random numbers from the same 313 * context or updating or reseeding the same context. 314 * 315 * \param ctx The HMAC_DRBG context. 316 * \param additional The data to update the state with. 317 * If this is \c NULL, there is no additional data. 318 * \param add_len Length of \p additional in bytes. 319 * Unused if \p additional is \c NULL. 320 * 321 * \return \c 0 on success, or an error from the underlying 322 * hash calculation. 323 */ 324 int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx, 325 const unsigned char *additional, size_t add_len ); 326 327 /** 328 * \brief This function reseeds the HMAC_DRBG context, that is 329 * extracts data from the entropy source. 330 * 331 * \note This function is not thread-safe. It is not safe 332 * to call this function if another thread might be 333 * concurrently obtaining random numbers from the same 334 * context or updating or reseeding the same context. 335 * 336 * \param ctx The HMAC_DRBG context. 337 * \param additional Additional data to add to the state. 338 * If this is \c NULL, there is no additional data 339 * and \p len should be \c 0. 340 * \param len The length of the additional data. 341 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 342 * and also at most 343 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len 344 * where \p entropy_len is the entropy length 345 * (see mbedtls_hmac_drbg_set_entropy_len()). 346 * 347 * \return \c 0 if successful. 348 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 349 * if a call to the entropy function failed. 350 */ 351 int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx, 352 const unsigned char *additional, size_t len ); 353 354 /** 355 * \brief This function updates an HMAC_DRBG instance with additional 356 * data and uses it to generate random data. 357 * 358 * This function automatically reseeds if the reseed counter is exceeded 359 * or prediction resistance is enabled. 360 * 361 * \note This function is not thread-safe. It is not safe 362 * to call this function if another thread might be 363 * concurrently obtaining random numbers from the same 364 * context or updating or reseeding the same context. 365 * 366 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 367 * #mbedtls_hmac_drbg_context structure. 368 * \param output The buffer to fill. 369 * \param output_len The length of the buffer in bytes. 370 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 371 * \param additional Additional data to update with. 372 * If this is \c NULL, there is no additional data 373 * and \p add_len should be \c 0. 374 * \param add_len The length of the additional data. 375 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT. 376 * 377 * \return \c 0 if successful. 378 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 379 * if a call to the entropy source failed. 380 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 381 * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 382 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if 383 * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT. 384 */ 385 int mbedtls_hmac_drbg_random_with_add( void *p_rng, 386 unsigned char *output, size_t output_len, 387 const unsigned char *additional, 388 size_t add_len ); 389 390 /** 391 * \brief This function uses HMAC_DRBG to generate random data. 392 * 393 * This function automatically reseeds if the reseed counter is exceeded 394 * or prediction resistance is enabled. 395 */ 396 #if defined(MBEDTLS_THREADING_C) 397 /** 398 * \note When Mbed TLS is built with threading support, 399 * it is safe to call mbedtls_ctr_drbg_random() 400 * from multiple threads. Other operations, including 401 * reseeding, are not thread-safe. 402 */ 403 #endif /* MBEDTLS_THREADING_C */ 404 /** 405 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 406 * #mbedtls_hmac_drbg_context structure. 407 * \param output The buffer to fill. 408 * \param out_len The length of the buffer in bytes. 409 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 410 * 411 * \return \c 0 if successful. 412 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 413 * if a call to the entropy source failed. 414 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 415 * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 416 */ 417 int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ); 418 419 /** 420 * \brief This function resets HMAC_DRBG context to the state immediately 421 * after initial call of mbedtls_hmac_drbg_init(). 422 * 423 * \param ctx The HMAC_DRBG context to free. 424 */ 425 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx ); 426 427 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 428 #if defined(MBEDTLS_DEPRECATED_WARNING) 429 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 430 #else 431 #define MBEDTLS_DEPRECATED 432 #endif 433 /** 434 * \brief This function updates the state of the HMAC_DRBG context. 435 * 436 * \deprecated Superseded by mbedtls_hmac_drbg_update_ret() 437 * in 2.16.0. 438 * 439 * \param ctx The HMAC_DRBG context. 440 * \param additional The data to update the state with. 441 * If this is \c NULL, there is no additional data. 442 * \param add_len Length of \p additional in bytes. 443 * Unused if \p additional is \c NULL. 444 */ 445 MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update( 446 mbedtls_hmac_drbg_context *ctx, 447 const unsigned char *additional, size_t add_len ); 448 #undef MBEDTLS_DEPRECATED 449 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 450 451 #if defined(MBEDTLS_FS_IO) 452 /** 453 * \brief This function writes a seed file. 454 * 455 * \param ctx The HMAC_DRBG context. 456 * \param path The name of the file. 457 * 458 * \return \c 0 on success. 459 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 460 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed 461 * failure. 462 */ 463 int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 464 465 /** 466 * \brief This function reads and updates a seed file. The seed 467 * is added to this instance. 468 * 469 * \param ctx The HMAC_DRBG context. 470 * \param path The name of the file. 471 * 472 * \return \c 0 on success. 473 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 474 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on 475 * reseed failure. 476 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing 477 * seed file is too large. 478 */ 479 int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ); 480 #endif /* MBEDTLS_FS_IO */ 481 482 483 #if defined(MBEDTLS_SELF_TEST) 484 /** 485 * \brief The HMAC_DRBG Checkup routine. 486 * 487 * \return \c 0 if successful. 488 * \return \c 1 if the test failed. 489 */ 490 int mbedtls_hmac_drbg_self_test( int verbose ); 491 #endif 492 493 #ifdef __cplusplus 494 } 495 #endif 496 497 #endif /* hmac_drbg.h */ 498