EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2025-08-27 09:37:32
0001 /** 0002 * \file hmac_drbg.h 0003 * 0004 * \brief The HMAC_DRBG pseudorandom generator. 0005 * 0006 * This module implements the HMAC_DRBG pseudorandom generator described 0007 * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using 0008 * Deterministic Random Bit Generators</em>. 0009 */ 0010 /* 0011 * Copyright The Mbed TLS Contributors 0012 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 0013 */ 0014 #ifndef MBEDTLS_HMAC_DRBG_H 0015 #define MBEDTLS_HMAC_DRBG_H 0016 #include "mbedtls/private_access.h" 0017 0018 #include "mbedtls/build_info.h" 0019 0020 #include "mbedtls/md.h" 0021 0022 #if defined(MBEDTLS_THREADING_C) 0023 #include "mbedtls/threading.h" 0024 #endif 0025 0026 /* 0027 * Error codes 0028 */ 0029 /** Too many random requested in single call. */ 0030 #define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -0x0003 0031 /** Input too large (Entropy + additional). */ 0032 #define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG -0x0005 0033 /** Read/write error in file. */ 0034 #define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR -0x0007 0035 /** The entropy source failed. */ 0036 #define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED -0x0009 0037 0038 /** 0039 * \name SECTION: Module settings 0040 * 0041 * The configuration options you can set for this module are in this section. 0042 * Either change them in mbedtls_config.h or define them on the compiler command line. 0043 * \{ 0044 */ 0045 0046 #if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL) 0047 #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 0048 #endif 0049 0050 #if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT) 0051 #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 0052 #endif 0053 0054 #if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST) 0055 #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 0056 #endif 0057 0058 #if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT) 0059 #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 0060 #endif 0061 0062 /** \} name SECTION: Module settings */ 0063 0064 #define MBEDTLS_HMAC_DRBG_PR_OFF 0 /**< No prediction resistance */ 0065 #define MBEDTLS_HMAC_DRBG_PR_ON 1 /**< Prediction resistance enabled */ 0066 0067 #ifdef __cplusplus 0068 extern "C" { 0069 #endif 0070 0071 /** 0072 * HMAC_DRBG context. 0073 */ 0074 typedef struct mbedtls_hmac_drbg_context { 0075 /* Working state: the key K is not stored explicitly, 0076 * but is implied by the HMAC context */ 0077 mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx); /*!< HMAC context (inc. K) */ 0078 unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ 0079 int MBEDTLS_PRIVATE(reseed_counter); /*!< reseed counter */ 0080 0081 /* Administrative state */ 0082 size_t MBEDTLS_PRIVATE(entropy_len); /*!< entropy bytes grabbed on each (re)seed */ 0083 int MBEDTLS_PRIVATE(prediction_resistance); /*!< enable prediction resistance (Automatic 0084 reseed before every random generation) */ 0085 int MBEDTLS_PRIVATE(reseed_interval); /*!< reseed interval */ 0086 0087 /* Callbacks */ 0088 int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */ 0089 void *MBEDTLS_PRIVATE(p_entropy); /*!< context for the entropy function */ 0090 0091 #if defined(MBEDTLS_THREADING_C) 0092 /* Invariant: the mutex is initialized if and only if 0093 * md_ctx->md_info != NULL. This means that the mutex is initialized 0094 * during the initial seeding in mbedtls_hmac_drbg_seed() or 0095 * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free(). 0096 * 0097 * Note that this invariant may change without notice. Do not rely on it 0098 * and do not access the mutex directly in application code. 0099 */ 0100 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); 0101 #endif 0102 } mbedtls_hmac_drbg_context; 0103 0104 /** 0105 * \brief HMAC_DRBG context initialization. 0106 * 0107 * This function makes the context ready for mbedtls_hmac_drbg_seed(), 0108 * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free(). 0109 * 0110 * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 0111 * by default. Override this value by calling 0112 * mbedtls_hmac_drbg_set_reseed_interval(). 0113 * 0114 * \param ctx HMAC_DRBG context to be initialized. 0115 */ 0116 void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx); 0117 0118 /** 0119 * \brief HMAC_DRBG initial seeding. 0120 * 0121 * Set the initial seed and set up the entropy source for future reseeds. 0122 * 0123 * A typical choice for the \p f_entropy and \p p_entropy parameters is 0124 * to use the entropy module: 0125 * - \p f_entropy is mbedtls_entropy_func(); 0126 * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized 0127 * with mbedtls_entropy_init() (which registers the platform's default 0128 * entropy sources). 0129 * 0130 * You can provide a personalization string in addition to the 0131 * entropy source, to make this instantiation as unique as possible. 0132 * 0133 * \note By default, the security strength as defined by NIST is: 0134 * - 128 bits if \p md_info is SHA-1; 0135 * - 192 bits if \p md_info is SHA-224; 0136 * - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512. 0137 * Note that SHA-256 is just as efficient as SHA-224. 0138 * The security strength can be reduced if a smaller 0139 * entropy length is set with 0140 * mbedtls_hmac_drbg_set_entropy_len(). 0141 * 0142 * \note The default entropy length is the security strength 0143 * (converted from bits to bytes). You can override 0144 * it by calling mbedtls_hmac_drbg_set_entropy_len(). 0145 * 0146 * \note During the initial seeding, this function calls 0147 * the entropy source to obtain a nonce 0148 * whose length is half the entropy length. 0149 */ 0150 #if defined(MBEDTLS_THREADING_C) 0151 /** 0152 * \note When Mbed TLS is built with threading support, 0153 * after this function returns successfully, 0154 * it is safe to call mbedtls_hmac_drbg_random() 0155 * from multiple threads. Other operations, including 0156 * reseeding, are not thread-safe. 0157 */ 0158 #endif /* MBEDTLS_THREADING_C */ 0159 /** 0160 * \param ctx HMAC_DRBG context to be seeded. 0161 * \param md_info MD algorithm to use for HMAC_DRBG. 0162 * \param f_entropy The entropy callback, taking as arguments the 0163 * \p p_entropy context, the buffer to fill, and the 0164 * length of the buffer. 0165 * \p f_entropy is always called with a length that is 0166 * less than or equal to the entropy length. 0167 * \param p_entropy The entropy context to pass to \p f_entropy. 0168 * \param custom The personalization string. 0169 * This can be \c NULL, in which case the personalization 0170 * string is empty regardless of the value of \p len. 0171 * \param len The length of the personalization string. 0172 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 0173 * and also at most 0174 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len * 3 / 2 0175 * where \c entropy_len is the entropy length 0176 * described above. 0177 * 0178 * \return \c 0 if successful. 0179 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 0180 * invalid. 0181 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 0182 * memory to allocate context data. 0183 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 0184 * if the call to \p f_entropy failed. 0185 */ 0186 int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx, 0187 const mbedtls_md_info_t *md_info, 0188 int (*f_entropy)(void *, unsigned char *, size_t), 0189 void *p_entropy, 0190 const unsigned char *custom, 0191 size_t len); 0192 0193 /** 0194 * \brief Initialisation of simplified HMAC_DRBG (never reseeds). 0195 * 0196 * This function is meant for use in algorithms that need a pseudorandom 0197 * input such as deterministic ECDSA. 0198 */ 0199 #if defined(MBEDTLS_THREADING_C) 0200 /** 0201 * \note When Mbed TLS is built with threading support, 0202 * after this function returns successfully, 0203 * it is safe to call mbedtls_hmac_drbg_random() 0204 * from multiple threads. Other operations, including 0205 * reseeding, are not thread-safe. 0206 */ 0207 #endif /* MBEDTLS_THREADING_C */ 0208 /** 0209 * \param ctx HMAC_DRBG context to be initialised. 0210 * \param md_info MD algorithm to use for HMAC_DRBG. 0211 * \param data Concatenation of the initial entropy string and 0212 * the additional data. 0213 * \param data_len Length of \p data in bytes. 0214 * 0215 * \return \c 0 if successful. or 0216 * \return #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is 0217 * invalid. 0218 * \return #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough 0219 * memory to allocate context data. 0220 */ 0221 int mbedtls_hmac_drbg_seed_buf(mbedtls_hmac_drbg_context *ctx, 0222 const mbedtls_md_info_t *md_info, 0223 const unsigned char *data, size_t data_len); 0224 0225 /** 0226 * \brief This function turns prediction resistance on or off. 0227 * The default value is off. 0228 * 0229 * \note If enabled, entropy is gathered at the beginning of 0230 * every call to mbedtls_hmac_drbg_random_with_add() 0231 * or mbedtls_hmac_drbg_random(). 0232 * Only use this if your entropy source has sufficient 0233 * throughput. 0234 * 0235 * \param ctx The HMAC_DRBG context. 0236 * \param resistance #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF. 0237 */ 0238 void mbedtls_hmac_drbg_set_prediction_resistance(mbedtls_hmac_drbg_context *ctx, 0239 int resistance); 0240 0241 /** 0242 * \brief This function sets the amount of entropy grabbed on each 0243 * seed or reseed. 0244 * 0245 * See the documentation of mbedtls_hmac_drbg_seed() for the default value. 0246 * 0247 * \param ctx The HMAC_DRBG context. 0248 * \param len The amount of entropy to grab, in bytes. 0249 */ 0250 void mbedtls_hmac_drbg_set_entropy_len(mbedtls_hmac_drbg_context *ctx, 0251 size_t len); 0252 0253 /** 0254 * \brief Set the reseed interval. 0255 * 0256 * The reseed interval is the number of calls to mbedtls_hmac_drbg_random() 0257 * or mbedtls_hmac_drbg_random_with_add() after which the entropy function 0258 * is called again. 0259 * 0260 * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL. 0261 * 0262 * \param ctx The HMAC_DRBG context. 0263 * \param interval The reseed interval. 0264 */ 0265 void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx, 0266 int interval); 0267 0268 /** 0269 * \brief This function updates the state of the HMAC_DRBG context. 0270 * 0271 * \note This function is not thread-safe. It is not safe 0272 * to call this function if another thread might be 0273 * concurrently obtaining random numbers from the same 0274 * context or updating or reseeding the same context. 0275 * 0276 * \param ctx The HMAC_DRBG context. 0277 * \param additional The data to update the state with. 0278 * If this is \c NULL, there is no additional data. 0279 * \param add_len Length of \p additional in bytes. 0280 * Unused if \p additional is \c NULL. 0281 * 0282 * \return \c 0 on success, or an error from the underlying 0283 * hash calculation. 0284 */ 0285 int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx, 0286 const unsigned char *additional, size_t add_len); 0287 0288 /** 0289 * \brief This function reseeds the HMAC_DRBG context, that is 0290 * extracts data from the entropy source. 0291 * 0292 * \note This function is not thread-safe. It is not safe 0293 * to call this function if another thread might be 0294 * concurrently obtaining random numbers from the same 0295 * context or updating or reseeding the same context. 0296 * 0297 * \param ctx The HMAC_DRBG context. 0298 * \param additional Additional data to add to the state. 0299 * If this is \c NULL, there is no additional data 0300 * and \p len should be \c 0. 0301 * \param len The length of the additional data. 0302 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT 0303 * and also at most 0304 * #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \c entropy_len 0305 * where \c entropy_len is the entropy length 0306 * (see mbedtls_hmac_drbg_set_entropy_len()). 0307 * 0308 * \return \c 0 if successful. 0309 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 0310 * if a call to the entropy function failed. 0311 */ 0312 int mbedtls_hmac_drbg_reseed(mbedtls_hmac_drbg_context *ctx, 0313 const unsigned char *additional, size_t len); 0314 0315 /** 0316 * \brief This function updates an HMAC_DRBG instance with additional 0317 * data and uses it to generate random data. 0318 * 0319 * This function automatically reseeds if the reseed counter is exceeded 0320 * or prediction resistance is enabled. 0321 * 0322 * \note This function is not thread-safe. It is not safe 0323 * to call this function if another thread might be 0324 * concurrently obtaining random numbers from the same 0325 * context or updating or reseeding the same context. 0326 * 0327 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 0328 * #mbedtls_hmac_drbg_context structure. 0329 * \param output The buffer to fill. 0330 * \param output_len The length of the buffer in bytes. 0331 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 0332 * \param additional Additional data to update with. 0333 * If this is \c NULL, there is no additional data 0334 * and \p add_len should be \c 0. 0335 * \param add_len The length of the additional data. 0336 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT. 0337 * 0338 * \return \c 0 if successful. 0339 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 0340 * if a call to the entropy source failed. 0341 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 0342 * \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 0343 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if 0344 * \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT. 0345 */ 0346 int mbedtls_hmac_drbg_random_with_add(void *p_rng, 0347 unsigned char *output, size_t output_len, 0348 const unsigned char *additional, 0349 size_t add_len); 0350 0351 /** 0352 * \brief This function uses HMAC_DRBG to generate random data. 0353 * 0354 * This function automatically reseeds if the reseed counter is exceeded 0355 * or prediction resistance is enabled. 0356 */ 0357 #if defined(MBEDTLS_THREADING_C) 0358 /** 0359 * \note When Mbed TLS is built with threading support, 0360 * it is safe to call mbedtls_ctr_drbg_random() 0361 * from multiple threads. Other operations, including 0362 * reseeding, are not thread-safe. 0363 */ 0364 #endif /* MBEDTLS_THREADING_C */ 0365 /** 0366 * \param p_rng The HMAC_DRBG context. This must be a pointer to a 0367 * #mbedtls_hmac_drbg_context structure. 0368 * \param output The buffer to fill. 0369 * \param out_len The length of the buffer in bytes. 0370 * This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 0371 * 0372 * \return \c 0 if successful. 0373 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED 0374 * if a call to the entropy source failed. 0375 * \return #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if 0376 * \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST. 0377 */ 0378 int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len); 0379 0380 /** 0381 * \brief This function resets HMAC_DRBG context to the state immediately 0382 * after initial call of mbedtls_hmac_drbg_init(). 0383 * 0384 * \param ctx The HMAC_DRBG context to free. 0385 */ 0386 void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx); 0387 0388 #if defined(MBEDTLS_FS_IO) 0389 /** 0390 * \brief This function writes a seed file. 0391 * 0392 * \param ctx The HMAC_DRBG context. 0393 * \param path The name of the file. 0394 * 0395 * \return \c 0 on success. 0396 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 0397 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed 0398 * failure. 0399 */ 0400 int mbedtls_hmac_drbg_write_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path); 0401 0402 /** 0403 * \brief This function reads and updates a seed file. The seed 0404 * is added to this instance. 0405 * 0406 * \param ctx The HMAC_DRBG context. 0407 * \param path The name of the file. 0408 * 0409 * \return \c 0 on success. 0410 * \return #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error. 0411 * \return #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on 0412 * reseed failure. 0413 * \return #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing 0414 * seed file is too large. 0415 */ 0416 int mbedtls_hmac_drbg_update_seed_file(mbedtls_hmac_drbg_context *ctx, const char *path); 0417 #endif /* MBEDTLS_FS_IO */ 0418 0419 0420 #if defined(MBEDTLS_SELF_TEST) 0421 /** 0422 * \brief The HMAC_DRBG Checkup routine. 0423 * 0424 * \return \c 0 if successful. 0425 * \return \c 1 if the test failed. 0426 */ 0427 int mbedtls_hmac_drbg_self_test(int verbose); 0428 #endif 0429 0430 #ifdef __cplusplus 0431 } 0432 #endif 0433 0434 #endif /* hmac_drbg.h */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|