1
#pragma GCC system_header
5
* \brief The HMAC_DRBG pseudorandom generator.
7
* This module implements the HMAC_DRBG pseudorandom generator described
8
* in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
9
* Deterministic Random Bit Generators</em>.
12
* Copyright The Mbed TLS Contributors
13
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
15
* This file is provided under the Apache License 2.0, or the
16
* GNU General Public License v2.0 or later.
21
* Licensed under the Apache License, Version 2.0 (the "License"); you may
22
* not use this file except in compliance with the License.
23
* You may obtain a copy of the License at
25
* http://www.apache.org/licenses/LICENSE-2.0
27
* Unless required by applicable law or agreed to in writing, software
28
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
29
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
30
* See the License for the specific language governing permissions and
31
* limitations under the License.
36
* GNU General Public License v2.0 or later:
38
* This program is free software; you can redistribute it and/or modify
39
* it under the terms of the GNU General Public License as published by
40
* the Free Software Foundation; either version 2 of the License, or
41
* (at your option) any later version.
43
* This program is distributed in the hope that it will be useful,
44
* but WITHOUT ANY WARRANTY; without even the implied warranty of
45
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
46
* GNU General Public License for more details.
48
* You should have received a copy of the GNU General Public License along
49
* with this program; if not, write to the Free Software Foundation, Inc.,
50
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
54
#ifndef MBEDTLS_HMAC_DRBG_H
55
#define MBEDTLS_HMAC_DRBG_H
57
#if !defined(MBEDTLS_CONFIG_FILE)
60
#include MBEDTLS_CONFIG_FILE
65
#if defined(MBEDTLS_THREADING_C)
66
#include "threading.h"
72
#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 /**< Too many random requested in single call. */
73
#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 /**< Input too large (Entropy + additional). */
74
#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 /**< Read/write error in file. */
75
#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 /**< The entropy source failed. */
78
* \name SECTION: Module settings
80
* The configuration options you can set for this module are in this section.
81
* Either change them in config.h or define them on the compiler command line.
85
#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
86
#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
89
#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
90
#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
93
#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
94
#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
97
#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
98
#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
101
/* \} name SECTION: Module settings */
103
#define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */
104
#define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */
113
typedef struct mbedtls_hmac_drbg_context
115
/* Working state: the key K is not stored explicitly,
116
* but is implied by the HMAC context */
117
mbedtls_md_context_t md_ctx; /*!< HMAC context (inc. K) */
118
unsigned char V[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */
119
int reseed_counter; /*!< reseed counter */
121
/* Administrative state */
122
size_t entropy_len; /*!< entropy bytes grabbed on each (re)seed */
123
int prediction_resistance; /*!< enable prediction resistance (Automatic
124
reseed before every random generation) */
125
int reseed_interval; /*!< reseed interval */
128
int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
129
void *p_entropy; /*!< context for the entropy function */
131
#if defined(MBEDTLS_THREADING_C)
132
/* Invariant: the mutex is initialized if and only if
133
* md_ctx->md_info != NULL. This means that the mutex is initialized
134
* during the initial seeding in mbedtls_hmac_drbg_seed() or
135
* mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
137
* Note that this invariant may change without notice. Do not rely on it
138
* and do not access the mutex directly in application code.
140
mbedtls_threading_mutex_t mutex;
142
} mbedtls_hmac_drbg_context;
145
* \brief HMAC_DRBG context initialization.
147
* This function makes the context ready for mbedtls_hmac_drbg_seed(),
148
* mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
150
* \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
151
* by default. Override this value by calling
152
* mbedtls_hmac_drbg_set_reseed_interval().
154
* \param ctx HMAC_DRBG context to be initialized.
156
void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
159
* \brief HMAC_DRBG initial seeding.
161
* Set the initial seed and set up the entropy source for future reseeds.
163
* A typical choice for the \p f_entropy and \p p_entropy parameters is
164
* to use the entropy module:
165
* - \p f_entropy is mbedtls_entropy_func();
166
* - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
167
* with mbedtls_entropy_init() (which registers the platform's default
170
* You can provide a personalization string in addition to the
171
* entropy source, to make this instantiation as unique as possible.
173
* \note By default, the security strength as defined by NIST is:
174
* - 128 bits if \p md_info is SHA-1;
175
* - 192 bits if \p md_info is SHA-224;
176
* - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
177
* Note that SHA-256 is just as efficient as SHA-224.
178
* The security strength can be reduced if a smaller
179
* entropy length is set with
180
* mbedtls_hmac_drbg_set_entropy_len().
182
* \note The default entropy length is the security strength
183
* (converted from bits to bytes). You can override
184
* it by calling mbedtls_hmac_drbg_set_entropy_len().
186
* \note During the initial seeding, this function calls
187
* the entropy source to obtain a nonce
188
* whose length is half the entropy length.
190
#if defined(MBEDTLS_THREADING_C)
192
* \note When Mbed TLS is built with threading support,
193
* after this function returns successfully,
194
* it is safe to call mbedtls_hmac_drbg_random()
195
* from multiple threads. Other operations, including
196
* reseeding, are not thread-safe.
198
#endif /* MBEDTLS_THREADING_C */
200
* \param ctx HMAC_DRBG context to be seeded.
201
* \param md_info MD algorithm to use for HMAC_DRBG.
202
* \param f_entropy The entropy callback, taking as arguments the
203
* \p p_entropy context, the buffer to fill, and the
204
* length of the buffer.
205
* \p f_entropy is always called with a length that is
206
* less than or equal to the entropy length.
207
* \param p_entropy The entropy context to pass to \p f_entropy.
208
* \param custom The personalization string.
209
* This can be \c NULL, in which case the personalization
210
* std::string is empty regardless of the value of \p len.
211
* \param len The length of the personalization string.
212
* This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
214
* #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
215
* where \p entropy_len is the entropy length
218
* \return \c 0 if successful.
219
* \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
221
* \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
222
* memory to allocate context data.
223
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
224
* if the call to \p f_entropy failed.
226
int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
227
const mbedtls_md_info_t * md_info,
228
int (*f_entropy)(void *, unsigned char *, size_t),
230
const unsigned char *custom,
234
* \brief Initilisation of simpified HMAC_DRBG (never reseeds).
236
* This function is meant for use in algorithms that need a pseudorandom
237
* input such as deterministic ECDSA.
239
#if defined(MBEDTLS_THREADING_C)
241
* \note When Mbed TLS is built with threading support,
242
* after this function returns successfully,
243
* it is safe to call mbedtls_hmac_drbg_random()
244
* from multiple threads. Other operations, including
245
* reseeding, are not thread-safe.
247
#endif /* MBEDTLS_THREADING_C */
249
* \param ctx HMAC_DRBG context to be initialised.
250
* \param md_info MD algorithm to use for HMAC_DRBG.
251
* \param data Concatenation of the initial entropy string and
252
* the additional data.
253
* \param data_len Length of \p data in bytes.
255
* \return \c 0 if successful. or
256
* \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
258
* \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
259
* memory to allocate context data.
261
int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
262
const mbedtls_md_info_t * md_info,
263
const unsigned char *data, size_t data_len );
266
* \brief This function turns prediction resistance on or off.
267
* The default value is off.
269
* \note If enabled, entropy is gathered at the beginning of
270
* every call to mbedtls_hmac_drbg_random_with_add()
271
* or mbedtls_hmac_drbg_random().
272
* Only use this if your entropy source has sufficient
275
* \param ctx The HMAC_DRBG context.
276
* \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
278
void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
282
* \brief This function sets the amount of entropy grabbed on each
285
* See the documentation of mbedtls_hmac_drbg_seed() for the default value.
287
* \param ctx The HMAC_DRBG context.
288
* \param len The amount of entropy to grab, in bytes.
290
void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
294
* \brief Set the reseed interval.
296
* The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
297
* or mbedtls_hmac_drbg_random_with_add() after which the entropy function
300
* The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
302
* \param ctx The HMAC_DRBG context.
303
* \param interval The reseed interval.
305
void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
309
* \brief This function updates the state of the HMAC_DRBG context.
311
* \note This function is not thread-safe. It is not safe
312
* to call this function if another thread might be
313
* concurrently obtaining random numbers from the same
314
* context or updating or reseeding the same context.
316
* \param ctx The HMAC_DRBG context.
317
* \param additional The data to update the state with.
318
* If this is \c NULL, there is no additional data.
319
* \param add_len Length of \p additional in bytes.
320
* Unused if \p additional is \c NULL.
322
* \return \c 0 on success, or an error from the underlying
325
int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
326
const unsigned char *additional, size_t add_len );
329
* \brief This function reseeds the HMAC_DRBG context, that is
330
* extracts data from the entropy source.
332
* \note This function is not thread-safe. It is not safe
333
* to call this function if another thread might be
334
* concurrently obtaining random numbers from the same
335
* context or updating or reseeding the same context.
337
* \param ctx The HMAC_DRBG context.
338
* \param additional Additional data to add to the state.
339
* If this is \c NULL, there is no additional data
340
* and \p len should be \c 0.
341
* \param len The length of the additional data.
342
* This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
344
* #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
345
* where \p entropy_len is the entropy length
346
* (see mbedtls_hmac_drbg_set_entropy_len()).
348
* \return \c 0 if successful.
349
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
350
* if a call to the entropy function failed.
352
int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
353
const unsigned char *additional, size_t len );
356
* \brief This function updates an HMAC_DRBG instance with additional
357
* data and uses it to generate random data.
359
* This function automatically reseeds if the reseed counter is exceeded
360
* or prediction resistance is enabled.
362
* \note This function is not thread-safe. It is not safe
363
* to call this function if another thread might be
364
* concurrently obtaining random numbers from the same
365
* context or updating or reseeding the same context.
367
* \param p_rng The HMAC_DRBG context. This must be a pointer to a
368
* #mbedtls_hmac_drbg_context structure.
369
* \param output The buffer to fill.
370
* \param output_len The length of the buffer in bytes.
371
* This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
372
* \param additional Additional data to update with.
373
* If this is \c NULL, there is no additional data
374
* and \p add_len should be \c 0.
375
* \param add_len The length of the additional data.
376
* This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
378
* \return \c 0 if successful.
379
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
380
* if a call to the entropy source failed.
381
* \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
382
* \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
383
* \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
384
* \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
386
int mbedtls_hmac_drbg_random_with_add( void *p_rng,
387
unsigned char *output, size_t output_len,
388
const unsigned char *additional,
392
* \brief This function uses HMAC_DRBG to generate random data.
394
* This function automatically reseeds if the reseed counter is exceeded
395
* or prediction resistance is enabled.
397
#if defined(MBEDTLS_THREADING_C)
399
* \note When Mbed TLS is built with threading support,
400
* it is safe to call mbedtls_ctr_drbg_random()
401
* from multiple threads. Other operations, including
402
* reseeding, are not thread-safe.
404
#endif /* MBEDTLS_THREADING_C */
406
* \param p_rng The HMAC_DRBG context. This must be a pointer to a
407
* #mbedtls_hmac_drbg_context structure.
408
* \param output The buffer to fill.
409
* \param out_len The length of the buffer in bytes.
410
* This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
412
* \return \c 0 if successful.
413
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
414
* if a call to the entropy source failed.
415
* \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
416
* \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
418
int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
421
* \brief This function resets HMAC_DRBG context to the state immediately
422
* after initial call of mbedtls_hmac_drbg_init().
424
* \param ctx The HMAC_DRBG context to free.
426
void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
428
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
429
#if defined(MBEDTLS_DEPRECATED_WARNING)
430
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
432
#define MBEDTLS_DEPRECATED
435
* \brief This function updates the state of the HMAC_DRBG context.
437
* \disabled_deprecated Superseded by mbedtls_hmac_drbg_update_ret()
440
* \param ctx The HMAC_DRBG context.
441
* \param additional The data to update the state with.
442
* If this is \c NULL, there is no additional data.
443
* \param add_len Length of \p additional in bytes.
444
* Unused if \p additional is \c NULL.
446
MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
447
mbedtls_hmac_drbg_context *ctx,
448
const unsigned char *additional, size_t add_len );
449
#undef MBEDTLS_DEPRECATED
450
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
452
#if defined(MBEDTLS_FS_IO)
454
* \brief This function writes a seed file.
456
* \param ctx The HMAC_DRBG context.
457
* \param path The name of the file.
459
* \return \c 0 on success.
460
* \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
461
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
464
int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
467
* \brief This function reads and updates a seed file. The seed
468
* is added to this instance.
470
* \param ctx The HMAC_DRBG context.
471
* \param path The name of the file.
473
* \return \c 0 on success.
474
* \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
475
* \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
477
* \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
478
* seed file is too large.
480
int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
481
#endif /* MBEDTLS_FS_IO */
484
#if defined(MBEDTLS_SELF_TEST)
486
* \brief The HMAC_DRBG Checkup routine.
488
* \return \c 0 if successful.
489
* \return \c 1 if the test failed.
491
int mbedtls_hmac_drbg_self_test( int verbose );
498
#endif /* hmac_drbg.h */
added
removed
mbedtls2/hmac_drbg.h
