2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_RAND_H__
26 #define BR_BEARSSL_RAND_H__
31 #include "bearssl_block.h"
32 #include "bearssl_hash.h"
38 /** \file bearssl_rand.h
40 * # Pseudo-Random Generators
42 * A PRNG is a state-based engine that outputs pseudo-random bytes on
43 * demand. It is initialized with an initial seed, and additional seed
44 * bytes can be added afterwards. Bytes produced depend on the seeds and
45 * also on the exact sequence of calls (including sizes requested for
49 * ## Procedural and OOP API
51 * For the PRNG of name "`xxx`", two API are provided. The _procedural_
52 * API defined a context structure `br_xxx_context` and three functions:
56 * Initialise the context with an initial seed.
58 * - `br_xxx_generate()`
60 * Produce some pseudo-random bytes.
64 * Inject some additional seed.
66 * The initialisation function sets the first context field (`vtable`)
67 * to a pointer to the vtable that supports the OOP API. The OOP API
68 * provides access to the same functions through function pointers,
69 * named `init()`, `generate()` and `update()`.
71 * Note that the context initialisation method may accept additional
72 * parameters, provided as a 'const void *' pointer at API level. These
73 * additional parameters depend on the implemented PRNG.
78 * HMAC_DRBG is defined in [NIST SP 800-90A Revision
79 * 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf).
80 * It uses HMAC repeatedly, over some configurable underlying hash
81 * function. In BearSSL, it is implemented under the "`hmac_drbg`" name.
82 * The "extra parameters" pointer for context initialisation should be
83 * set to a pointer to the vtable for the underlying hash function (e.g.
84 * pointer to `br_sha256_vtable` to use HMAC_DRBG with SHA-256).
86 * According to the NIST standard, each request shall produce up to
87 * 2<sup>19</sup> bits (i.e. 64 kB of data); moreover, the context shall
88 * be reseeded at least once every 2<sup>48</sup> requests. This
89 * implementation does not maintain the reseed counter (the threshold is
90 * too high to be reached in practice) and does not object to producing
91 * more than 64 kB in a single request; thus, the code cannot fail,
92 * which corresponds to the fact that the API has no room for error
93 * codes. However, this implies that requesting more than 64 kB in one
94 * `generate()` request, or making more than 2<sup>48</sup> requests
95 * without reseeding, is formally out of NIST specification. There is
96 * no currently known security penalty for exceeding the NIST limits,
97 * and, in any case, HMAC_DRBG usage in implementing SSL/TLS always
98 * stays much below these thresholds.
103 * AESCTR_DRBG is a custom PRNG based on AES-128 in CTR mode. This is
104 * meant to be used only in situations where you are desperate for
105 * speed, and have an hardware-optimized AES/CTR implementation. Whether
106 * this will yield perceptible improvements depends on what you use the
107 * pseudorandom bytes for, and how many you want; for instance, RSA key
108 * pair generation uses a substantial amount of randomness, and using
109 * AESCTR_DRBG instead of HMAC_DRBG yields a 15 to 20% increase in key
110 * generation speed on a recent x86 CPU (Intel Core i7-6567U at 3.30 GHz).
112 * Internally, it uses CTR mode with successive counter values, starting
113 * at zero (counter value expressed over 128 bits, big-endian convention).
114 * The counter is not allowed to reach 32768; thus, every 32768*16 bytes
115 * at most, the `update()` function is run (on an empty seed, if none is
116 * provided). The `update()` function computes the new AES-128 key by
117 * applying a custom hash function to the concatenation of a state-dependent
118 * word (encryption of an all-one block with the current key) and the new
119 * seed. The custom hash function uses Hirose's construction over AES-256;
120 * see the comments in `aesctr_drbg.c` for details.
122 * This DRBG does not follow an existing standard, and thus should be
123 * considered as inadequate for production use until it has been properly
128 * \brief Class type for PRNG implementations.
130 * A `br_prng_class` instance references the methods implementing a PRNG.
131 * Constant instances of this structure are defined for each implemented
132 * PRNG. Such instances are also called "vtables".
134 typedef struct br_prng_class_ br_prng_class
;
135 struct br_prng_class_
{
137 * \brief Size (in bytes) of the context structure appropriate for
143 * \brief Initialisation method.
145 * The context to initialise is provided as a pointer to its
146 * first field (the vtable pointer); this function sets that
147 * first field to a pointer to the vtable.
149 * The extra parameters depend on the implementation; each
150 * implementation defines what kind of extra parameters it
153 * Requirements on the initial seed depend on the implemented
156 * \param ctx PRNG context to initialise.
157 * \param params extra parameters for the PRNG.
158 * \param seed initial seed.
159 * \param seed_len initial seed length (in bytes).
161 void (*init
)(const br_prng_class
**ctx
, const void *params
,
162 const void *seed
, size_t seed_len
);
165 * \brief Random bytes generation.
167 * This method produces `len` pseudorandom bytes, in the `out`
168 * buffer. The context is updated accordingly.
170 * \param ctx PRNG context.
171 * \param out output buffer.
172 * \param len number of pseudorandom bytes to produce.
174 void (*generate
)(const br_prng_class
**ctx
, void *out
, size_t len
);
177 * \brief Inject additional seed bytes.
179 * The provided seed bytes are added into the PRNG internal
182 * \param ctx PRNG context.
183 * \param seed additional seed.
184 * \param seed_len additional seed length (in bytes).
186 void (*update
)(const br_prng_class
**ctx
,
187 const void *seed
, size_t seed_len
);
191 * \brief Context for HMAC_DRBG.
193 * The context contents are opaque, except the first field, which
198 * \brief Pointer to the vtable.
200 * This field is set with the initialisation method/function.
202 const br_prng_class
*vtable
;
203 #ifndef BR_DOXYGEN_IGNORE
206 const br_hash_class
*digest_class
;
208 } br_hmac_drbg_context
;
211 * \brief Statically allocated, constant vtable for HMAC_DRBG.
213 extern const br_prng_class br_hmac_drbg_vtable
;
216 * \brief HMAC_DRBG initialisation.
218 * The context to initialise is provided as a pointer to its first field
219 * (the vtable pointer); this function sets that first field to a
220 * pointer to the vtable.
222 * The `seed` value is what is called, in NIST terminology, the
223 * concatenation of the "seed", "nonce" and "personalization string", in
226 * The `digest_class` parameter defines the underlying hash function.
227 * Formally, the NIST standard specifies that the hash function shall
228 * be only SHA-1 or one of the SHA-2 functions. This implementation also
229 * works with any other implemented hash function (such as MD5), but
230 * this is non-standard and therefore not recommended.
232 * \param ctx HMAC_DRBG context to initialise.
233 * \param digest_class vtable for the underlying hash function.
234 * \param seed initial seed.
235 * \param seed_len initial seed length (in bytes).
237 void br_hmac_drbg_init(br_hmac_drbg_context
*ctx
,
238 const br_hash_class
*digest_class
, const void *seed
, size_t seed_len
);
241 * \brief Random bytes generation with HMAC_DRBG.
243 * This method produces `len` pseudorandom bytes, in the `out`
244 * buffer. The context is updated accordingly. Formally, requesting
245 * more than 65536 bytes in one request falls out of specification
246 * limits (but it won't fail).
248 * \param ctx HMAC_DRBG context.
249 * \param out output buffer.
250 * \param len number of pseudorandom bytes to produce.
252 void br_hmac_drbg_generate(br_hmac_drbg_context
*ctx
, void *out
, size_t len
);
255 * \brief Inject additional seed bytes in HMAC_DRBG.
257 * The provided seed bytes are added into the HMAC_DRBG internal
258 * entropy pool. The process does not _replace_ existing entropy,
259 * thus pushing non-random bytes (i.e. bytes which are known to the
260 * attackers) does not degrade the overall quality of generated bytes.
262 * \param ctx HMAC_DRBG context.
263 * \param seed additional seed.
264 * \param seed_len additional seed length (in bytes).
266 void br_hmac_drbg_update(br_hmac_drbg_context
*ctx
,
267 const void *seed
, size_t seed_len
);
270 * \brief Get the hash function implementation used by a given instance of
273 * This calls MUST NOT be performed on a context which was not
274 * previously initialised.
276 * \param ctx HMAC_DRBG context.
277 * \return the hash function vtable.
279 static inline const br_hash_class
*
280 br_hmac_drbg_get_hash(const br_hmac_drbg_context
*ctx
)
282 return ctx
->digest_class
;
286 * \brief Type for a provider of entropy seeds.
288 * A "seeder" is a function that is able to obtain random values from
289 * some source and inject them as entropy seed in a PRNG. A seeder
290 * shall guarantee that the total entropy of the injected seed is large
291 * enough to seed a PRNG for purposes of cryptographic key generation
292 * (i.e. at least 128 bits).
294 * A seeder may report a failure to obtain adequate entropy. Seeders
295 * shall endeavour to fix themselves transient errors by trying again;
296 * thus, callers may consider reported errors as permanent.
298 * \param ctx PRNG context to seed.
299 * \return 1 on success, 0 on error.
301 typedef int (*br_prng_seeder
)(const br_prng_class
**ctx
);
304 * \brief Get a seeder backed by the operating system or hardware.
306 * Get a seeder that feeds on RNG facilities provided by the current
307 * operating system or hardware. If no such facility is known, then 0
310 * If `name` is not `NULL`, then `*name` is set to a symbolic string
311 * that identifies the seeder implementation. If no seeder is returned
312 * and `name` is not `NULL`, then `*name` is set to a pointer to the
313 * constant string `"none"`.
315 * \param name receiver for seeder name, or `NULL`.
316 * \return the system seeder, if available, or 0.
318 br_prng_seeder
br_prng_seeder_system(const char **name
);
321 * \brief Context for AESCTR_DRBG.
323 * The context contents are opaque, except the first field, which
328 * \brief Pointer to the vtable.
330 * This field is set with the initialisation method/function.
332 const br_prng_class
*vtable
;
333 #ifndef BR_DOXYGEN_IGNORE
334 br_aes_gen_ctr_keys sk
;
337 } br_aesctr_drbg_context
;
340 * \brief Statically allocated, constant vtable for AESCTR_DRBG.
342 extern const br_prng_class br_aesctr_drbg_vtable
;
345 * \brief AESCTR_DRBG initialisation.
347 * The context to initialise is provided as a pointer to its first field
348 * (the vtable pointer); this function sets that first field to a
349 * pointer to the vtable.
351 * The internal AES key is first set to the all-zero key; then, the
352 * `br_aesctr_drbg_update()` function is called with the provided `seed`.
353 * The call is performed even if the seed length (`seed_len`) is zero.
355 * The `aesctr` parameter defines the underlying AES/CTR implementation.
357 * \param ctx AESCTR_DRBG context to initialise.
358 * \param aesctr vtable for the AES/CTR implementation.
359 * \param seed initial seed (can be `NULL` if `seed_len` is zero).
360 * \param seed_len initial seed length (in bytes).
362 void br_aesctr_drbg_init(br_aesctr_drbg_context
*ctx
,
363 const br_block_ctr_class
*aesctr
, const void *seed
, size_t seed_len
);
366 * \brief Random bytes generation with AESCTR_DRBG.
368 * This method produces `len` pseudorandom bytes, in the `out`
369 * buffer. The context is updated accordingly.
371 * \param ctx AESCTR_DRBG context.
372 * \param out output buffer.
373 * \param len number of pseudorandom bytes to produce.
375 void br_aesctr_drbg_generate(br_aesctr_drbg_context
*ctx
,
376 void *out
, size_t len
);
379 * \brief Inject additional seed bytes in AESCTR_DRBG.
381 * The provided seed bytes are added into the AESCTR_DRBG internal
382 * entropy pool. The process does not _replace_ existing entropy,
383 * thus pushing non-random bytes (i.e. bytes which are known to the
384 * attackers) does not degrade the overall quality of generated bytes.
386 * \param ctx AESCTR_DRBG context.
387 * \param seed additional seed.
388 * \param seed_len additional seed length (in bytes).
390 void br_aesctr_drbg_update(br_aesctr_drbg_context
*ctx
,
391 const void *seed
, size_t seed_len
);
projects / BearSSL / blob