xref: /freebsd/contrib/bearssl/inc/bearssl_rand.h (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_RAND_H__
26 #define BR_BEARSSL_RAND_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #include "bearssl_block.h"
32 #include "bearssl_hash.h"
33 
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37 
38 /** \file bearssl_rand.h
39  *
40  * # Pseudo-Random Generators
41  *
42  * A PRNG is a state-based engine that outputs pseudo-random bytes on
43  * demand. It is initialized with an initial seed, and additional seed
44  * bytes can be added afterwards. Bytes produced depend on the seeds and
45  * also on the exact sequence of calls (including sizes requested for
46  * each call).
47  *
48  *
49  * ## Procedural and OOP API
50  *
51  * For the PRNG of name "`xxx`", two API are provided. The _procedural_
52  * API defined a context structure `br_xxx_context` and three functions:
53  *
54  *   - `br_xxx_init()`
55  *
56  *     Initialise the context with an initial seed.
57  *
58  *   - `br_xxx_generate()`
59  *
60  *     Produce some pseudo-random bytes.
61  *
62  *   - `br_xxx_update()`
63  *
64  *     Inject some additional seed.
65  *
66  * The initialisation function sets the first context field (`vtable`)
67  * to a pointer to the vtable that supports the OOP API. The OOP API
68  * provides access to the same functions through function pointers,
69  * named `init()`, `generate()` and `update()`.
70  *
71  * Note that the context initialisation method may accept additional
72  * parameters, provided as a 'const void *' pointer at API level. These
73  * additional parameters depend on the implemented PRNG.
74  *
75  *
76  * ## HMAC_DRBG
77  *
78  * HMAC_DRBG is defined in [NIST SP 800-90A Revision
79  * 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf).
80  * It uses HMAC repeatedly, over some configurable underlying hash
81  * function. In BearSSL, it is implemented under the "`hmac_drbg`" name.
82  * The "extra parameters" pointer for context initialisation should be
83  * set to a pointer to the vtable for the underlying hash function (e.g.
84  * pointer to `br_sha256_vtable` to use HMAC_DRBG with SHA-256).
85  *
86  * According to the NIST standard, each request shall produce up to
87  * 2<sup>19</sup> bits (i.e. 64 kB of data); moreover, the context shall
88  * be reseeded at least once every 2<sup>48</sup> requests. This
89  * implementation does not maintain the reseed counter (the threshold is
90  * too high to be reached in practice) and does not object to producing
91  * more than 64 kB in a single request; thus, the code cannot fail,
92  * which corresponds to the fact that the API has no room for error
93  * codes. However, this implies that requesting more than 64 kB in one
94  * `generate()` request, or making more than 2<sup>48</sup> requests
95  * without reseeding, is formally out of NIST specification. There is
96  * no currently known security penalty for exceeding the NIST limits,
97  * and, in any case, HMAC_DRBG usage in implementing SSL/TLS always
98  * stays much below these thresholds.
99  *
100  *
101  * ## AESCTR_DRBG
102  *
103  * AESCTR_DRBG is a custom PRNG based on AES-128 in CTR mode. This is
104  * meant to be used only in situations where you are desperate for
105  * speed, and have an hardware-optimized AES/CTR implementation. Whether
106  * this will yield perceptible improvements depends on what you use the
107  * pseudorandom bytes for, and how many you want; for instance, RSA key
108  * pair generation uses a substantial amount of randomness, and using
109  * AESCTR_DRBG instead of HMAC_DRBG yields a 15 to 20% increase in key
110  * generation speed on a recent x86 CPU (Intel Core i7-6567U at 3.30 GHz).
111  *
112  * Internally, it uses CTR mode with successive counter values, starting
113  * at zero (counter value expressed over 128 bits, big-endian convention).
114  * The counter is not allowed to reach 32768; thus, every 32768*16 bytes
115  * at most, the `update()` function is run (on an empty seed, if none is
116  * provided). The `update()` function computes the new AES-128 key by
117  * applying a custom hash function to the concatenation of a state-dependent
118  * word (encryption of an all-one block with the current key) and the new
119  * seed. The custom hash function uses Hirose's construction over AES-256;
120  * see the comments in `aesctr_drbg.c` for details.
121  *
122  * This DRBG does not follow an existing standard, and thus should be
123  * considered as inadequate for production use until it has been properly
124  * analysed.
125  */
126 
127 /**
128  * \brief Class type for PRNG implementations.
129  *
130  * A `br_prng_class` instance references the methods implementing a PRNG.
131  * Constant instances of this structure are defined for each implemented
132  * PRNG. Such instances are also called "vtables".
133  */
134 typedef struct br_prng_class_ br_prng_class;
135 struct br_prng_class_ {
136 	/**
137 	 * \brief Size (in bytes) of the context structure appropriate for
138 	 * running this PRNG.
139 	 */
140 	size_t context_size;
141 
142 	/**
143 	 * \brief Initialisation method.
144 	 *
145 	 * The context to initialise is provided as a pointer to its
146 	 * first field (the vtable pointer); this function sets that
147 	 * first field to a pointer to the vtable.
148 	 *
149 	 * The extra parameters depend on the implementation; each
150 	 * implementation defines what kind of extra parameters it
151 	 * expects (if any).
152 	 *
153 	 * Requirements on the initial seed depend on the implemented
154 	 * PRNG.
155 	 *
156 	 * \param ctx        PRNG context to initialise.
157 	 * \param params     extra parameters for the PRNG.
158 	 * \param seed       initial seed.
159 	 * \param seed_len   initial seed length (in bytes).
160 	 */
161 	void (*init)(const br_prng_class **ctx, const void *params,
162 		const void *seed, size_t seed_len);
163 
164 	/**
165 	 * \brief Random bytes generation.
166 	 *
167 	 * This method produces `len` pseudorandom bytes, in the `out`
168 	 * buffer. The context is updated accordingly.
169 	 *
170 	 * \param ctx   PRNG context.
171 	 * \param out   output buffer.
172 	 * \param len   number of pseudorandom bytes to produce.
173 	 */
174 	void (*generate)(const br_prng_class **ctx, void *out, size_t len);
175 
176 	/**
177 	 * \brief Inject additional seed bytes.
178 	 *
179 	 * The provided seed bytes are added into the PRNG internal
180 	 * entropy pool.
181 	 *
182 	 * \param ctx        PRNG context.
183 	 * \param seed       additional seed.
184 	 * \param seed_len   additional seed length (in bytes).
185 	 */
186 	void (*update)(const br_prng_class **ctx,
187 		const void *seed, size_t seed_len);
188 };
189 
190 /**
191  * \brief Context for HMAC_DRBG.
192  *
193  * The context contents are opaque, except the first field, which
194  * supports OOP.
195  */
196 typedef struct {
197 	/**
198 	 * \brief Pointer to the vtable.
199 	 *
200 	 * This field is set with the initialisation method/function.
201 	 */
202 	const br_prng_class *vtable;
203 #ifndef BR_DOXYGEN_IGNORE
204 	unsigned char K[64];
205 	unsigned char V[64];
206 	const br_hash_class *digest_class;
207 #endif
208 } br_hmac_drbg_context;
209 
210 /**
211  * \brief Statically allocated, constant vtable for HMAC_DRBG.
212  */
213 extern const br_prng_class br_hmac_drbg_vtable;
214 
215 /**
216  * \brief HMAC_DRBG initialisation.
217  *
218  * The context to initialise is provided as a pointer to its first field
219  * (the vtable pointer); this function sets that first field to a
220  * pointer to the vtable.
221  *
222  * The `seed` value is what is called, in NIST terminology, the
223  * concatenation of the "seed", "nonce" and "personalization string", in
224  * that order.
225  *
226  * The `digest_class` parameter defines the underlying hash function.
227  * Formally, the NIST standard specifies that the hash function shall
228  * be only SHA-1 or one of the SHA-2 functions. This implementation also
229  * works with any other implemented hash function (such as MD5), but
230  * this is non-standard and therefore not recommended.
231  *
232  * \param ctx            HMAC_DRBG context to initialise.
233  * \param digest_class   vtable for the underlying hash function.
234  * \param seed           initial seed.
235  * \param seed_len       initial seed length (in bytes).
236  */
237 void br_hmac_drbg_init(br_hmac_drbg_context *ctx,
238 	const br_hash_class *digest_class, const void *seed, size_t seed_len);
239 
240 /**
241  * \brief Random bytes generation with HMAC_DRBG.
242  *
243  * This method produces `len` pseudorandom bytes, in the `out`
244  * buffer. The context is updated accordingly. Formally, requesting
245  * more than 65536 bytes in one request falls out of specification
246  * limits (but it won't fail).
247  *
248  * \param ctx   HMAC_DRBG context.
249  * \param out   output buffer.
250  * \param len   number of pseudorandom bytes to produce.
251  */
252 void br_hmac_drbg_generate(br_hmac_drbg_context *ctx, void *out, size_t len);
253 
254 /**
255  * \brief Inject additional seed bytes in HMAC_DRBG.
256  *
257  * The provided seed bytes are added into the HMAC_DRBG internal
258  * entropy pool. The process does not _replace_ existing entropy,
259  * thus pushing non-random bytes (i.e. bytes which are known to the
260  * attackers) does not degrade the overall quality of generated bytes.
261  *
262  * \param ctx        HMAC_DRBG context.
263  * \param seed       additional seed.
264  * \param seed_len   additional seed length (in bytes).
265  */
266 void br_hmac_drbg_update(br_hmac_drbg_context *ctx,
267 	const void *seed, size_t seed_len);
268 
269 /**
270  * \brief Get the hash function implementation used by a given instance of
271  * HMAC_DRBG.
272  *
273  * This calls MUST NOT be performed on a context which was not
274  * previously initialised.
275  *
276  * \param ctx   HMAC_DRBG context.
277  * \return  the hash function vtable.
278  */
279 static inline const br_hash_class *
280 br_hmac_drbg_get_hash(const br_hmac_drbg_context *ctx)
281 {
282 	return ctx->digest_class;
283 }
284 
285 /**
286  * \brief Type for a provider of entropy seeds.
287  *
288  * A "seeder" is a function that is able to obtain random values from
289  * some source and inject them as entropy seed in a PRNG. A seeder
290  * shall guarantee that the total entropy of the injected seed is large
291  * enough to seed a PRNG for purposes of cryptographic key generation
292  * (i.e. at least 128 bits).
293  *
294  * A seeder may report a failure to obtain adequate entropy. Seeders
295  * shall endeavour to fix themselves transient errors by trying again;
296  * thus, callers may consider reported errors as permanent.
297  *
298  * \param ctx   PRNG context to seed.
299  * \return  1 on success, 0 on error.
300  */
301 typedef int (*br_prng_seeder)(const br_prng_class **ctx);
302 
303 /**
304  * \brief Get a seeder backed by the operating system or hardware.
305  *
306  * Get a seeder that feeds on RNG facilities provided by the current
307  * operating system or hardware. If no such facility is known, then 0
308  * is returned.
309  *
310  * If `name` is not `NULL`, then `*name` is set to a symbolic string
311  * that identifies the seeder implementation. If no seeder is returned
312  * and `name` is not `NULL`, then `*name` is set to a pointer to the
313  * constant string `"none"`.
314  *
315  * \param name   receiver for seeder name, or `NULL`.
316  * \return  the system seeder, if available, or 0.
317  */
318 br_prng_seeder br_prng_seeder_system(const char **name);
319 
320 /**
321  * \brief Context for AESCTR_DRBG.
322  *
323  * The context contents are opaque, except the first field, which
324  * supports OOP.
325  */
326 typedef struct {
327 	/**
328 	 * \brief Pointer to the vtable.
329 	 *
330 	 * This field is set with the initialisation method/function.
331 	 */
332 	const br_prng_class *vtable;
333 #ifndef BR_DOXYGEN_IGNORE
334 	br_aes_gen_ctr_keys sk;
335 	uint32_t cc;
336 #endif
337 } br_aesctr_drbg_context;
338 
339 /**
340  * \brief Statically allocated, constant vtable for AESCTR_DRBG.
341  */
342 extern const br_prng_class br_aesctr_drbg_vtable;
343 
344 /**
345  * \brief AESCTR_DRBG initialisation.
346  *
347  * The context to initialise is provided as a pointer to its first field
348  * (the vtable pointer); this function sets that first field to a
349  * pointer to the vtable.
350  *
351  * The internal AES key is first set to the all-zero key; then, the
352  * `br_aesctr_drbg_update()` function is called with the provided `seed`.
353  * The call is performed even if the seed length (`seed_len`) is zero.
354  *
355  * The `aesctr` parameter defines the underlying AES/CTR implementation.
356  *
357  * \param ctx        AESCTR_DRBG context to initialise.
358  * \param aesctr     vtable for the AES/CTR implementation.
359  * \param seed       initial seed (can be `NULL` if `seed_len` is zero).
360  * \param seed_len   initial seed length (in bytes).
361  */
362 void br_aesctr_drbg_init(br_aesctr_drbg_context *ctx,
363 	const br_block_ctr_class *aesctr, const void *seed, size_t seed_len);
364 
365 /**
366  * \brief Random bytes generation with AESCTR_DRBG.
367  *
368  * This method produces `len` pseudorandom bytes, in the `out`
369  * buffer. The context is updated accordingly.
370  *
371  * \param ctx   AESCTR_DRBG context.
372  * \param out   output buffer.
373  * \param len   number of pseudorandom bytes to produce.
374  */
375 void br_aesctr_drbg_generate(br_aesctr_drbg_context *ctx,
376 	void *out, size_t len);
377 
378 /**
379  * \brief Inject additional seed bytes in AESCTR_DRBG.
380  *
381  * The provided seed bytes are added into the AESCTR_DRBG internal
382  * entropy pool. The process does not _replace_ existing entropy,
383  * thus pushing non-random bytes (i.e. bytes which are known to the
384  * attackers) does not degrade the overall quality of generated bytes.
385  *
386  * \param ctx        AESCTR_DRBG context.
387  * \param seed       additional seed.
388  * \param seed_len   additional seed length (in bytes).
389  */
390 void br_aesctr_drbg_update(br_aesctr_drbg_context *ctx,
391 	const void *seed, size_t seed_len);
392 
393 #ifdef __cplusplus
394 }
395 #endif
396 
397 #endif
398