Coverage Report

Created: 2024-11-21 06:38

/src/BearSSL/inc/bearssl_rand.h
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining 
5
 * a copy of this software and associated documentation files (the
6
 * "Software"), to deal in the Software without restriction, including
7
 * without limitation the rights to use, copy, modify, merge, publish,
8
 * distribute, sublicense, and/or sell copies of the Software, and to
9
 * permit persons to whom the Software is furnished to do so, subject to
10
 * the following conditions:
11
 *
12
 * The above copyright notice and this permission notice shall be 
13
 * included in all copies or substantial portions of the Software.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
 * SOFTWARE.
23
 */
24
25
#ifndef BR_BEARSSL_RAND_H__
26
#define BR_BEARSSL_RAND_H__
27
28
#include <stddef.h>
29
#include <stdint.h>
30
31
#include "bearssl_block.h"
32
#include "bearssl_hash.h"
33
34
#ifdef __cplusplus
35
extern "C" {
36
#endif
37
38
/** \file bearssl_rand.h
39
 *
40
 * # Pseudo-Random Generators
41
 *
42
 * A PRNG is a state-based engine that outputs pseudo-random bytes on
43
 * demand. It is initialized with an initial seed, and additional seed
44
 * bytes can be added afterwards. Bytes produced depend on the seeds and
45
 * also on the exact sequence of calls (including sizes requested for
46
 * each call).
47
 *
48
 *
49
 * ## Procedural and OOP API
50
 *
51
 * For the PRNG of name "`xxx`", two API are provided. The _procedural_
52
 * API defined a context structure `br_xxx_context` and three functions:
53
 *
54
 *   - `br_xxx_init()`
55
 *
56
 *     Initialise the context with an initial seed.
57
 *
58
 *   - `br_xxx_generate()`
59
 *
60
 *     Produce some pseudo-random bytes.
61
 *
62
 *   - `br_xxx_update()`
63
 *
64
 *     Inject some additional seed.
65
 *
66
 * The initialisation function sets the first context field (`vtable`)
67
 * to a pointer to the vtable that supports the OOP API. The OOP API
68
 * provides access to the same functions through function pointers,
69
 * named `init()`, `generate()` and `update()`.
70
 *
71
 * Note that the context initialisation method may accept additional
72
 * parameters, provided as a 'const void *' pointer at API level. These
73
 * additional parameters depend on the implemented PRNG.
74
 *
75
 *
76
 * ## HMAC_DRBG
77
 *
78
 * HMAC_DRBG is defined in [NIST SP 800-90A Revision
79
 * 1](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf).
80
 * It uses HMAC repeatedly, over some configurable underlying hash
81
 * function. In BearSSL, it is implemented under the "`hmac_drbg`" name.
82
 * The "extra parameters" pointer for context initialisation should be
83
 * set to a pointer to the vtable for the underlying hash function (e.g.
84
 * pointer to `br_sha256_vtable` to use HMAC_DRBG with SHA-256).
85
 *
86
 * According to the NIST standard, each request shall produce up to
87
 * 2<sup>19</sup> bits (i.e. 64 kB of data); moreover, the context shall
88
 * be reseeded at least once every 2<sup>48</sup> requests. This
89
 * implementation does not maintain the reseed counter (the threshold is
90
 * too high to be reached in practice) and does not object to producing
91
 * more than 64 kB in a single request; thus, the code cannot fail,
92
 * which corresponds to the fact that the API has no room for error
93
 * codes. However, this implies that requesting more than 64 kB in one
94
 * `generate()` request, or making more than 2<sup>48</sup> requests
95
 * without reseeding, is formally out of NIST specification. There is
96
 * no currently known security penalty for exceeding the NIST limits,
97
 * and, in any case, HMAC_DRBG usage in implementing SSL/TLS always
98
 * stays much below these thresholds.
99
 *
100
 *
101
 * ## AESCTR_DRBG
102
 *
103
 * AESCTR_DRBG is a custom PRNG based on AES-128 in CTR mode. This is
104
 * meant to be used only in situations where you are desperate for
105
 * speed, and have an hardware-optimized AES/CTR implementation. Whether
106
 * this will yield perceptible improvements depends on what you use the
107
 * pseudorandom bytes for, and how many you want; for instance, RSA key
108
 * pair generation uses a substantial amount of randomness, and using
109
 * AESCTR_DRBG instead of HMAC_DRBG yields a 15 to 20% increase in key
110
 * generation speed on a recent x86 CPU (Intel Core i7-6567U at 3.30 GHz).
111
 *
112
 * Internally, it uses CTR mode with successive counter values, starting
113
 * at zero (counter value expressed over 128 bits, big-endian convention).
114
 * The counter is not allowed to reach 32768; thus, every 32768*16 bytes
115
 * at most, the `update()` function is run (on an empty seed, if none is
116
 * provided). The `update()` function computes the new AES-128 key by
117
 * applying a custom hash function to the concatenation of a state-dependent
118
 * word (encryption of an all-one block with the current key) and the new
119
 * seed. The custom hash function uses Hirose's construction over AES-256;
120
 * see the comments in `aesctr_drbg.c` for details.
121
 *
122
 * This DRBG does not follow an existing standard, and thus should be
123
 * considered as inadequate for production use until it has been properly
124
 * analysed.
125
 */
126
127
/**
128
 * \brief Class type for PRNG implementations.
129
 *
130
 * A `br_prng_class` instance references the methods implementing a PRNG.
131
 * Constant instances of this structure are defined for each implemented
132
 * PRNG. Such instances are also called "vtables".
133
 */
134
typedef struct br_prng_class_ br_prng_class;
135
struct br_prng_class_ {
136
  /**
137
   * \brief Size (in bytes) of the context structure appropriate for
138
   * running this PRNG.
139
   */
140
  size_t context_size;
141
142
  /**
143
   * \brief Initialisation method.
144
   *
145
   * The context to initialise is provided as a pointer to its
146
   * first field (the vtable pointer); this function sets that
147
   * first field to a pointer to the vtable.
148
   *
149
   * The extra parameters depend on the implementation; each
150
   * implementation defines what kind of extra parameters it
151
   * expects (if any).
152
   *
153
   * Requirements on the initial seed depend on the implemented
154
   * PRNG.
155
   *
156
   * \param ctx        PRNG context to initialise.
157
   * \param params     extra parameters for the PRNG.
158
   * \param seed       initial seed.
159
   * \param seed_len   initial seed length (in bytes).
160
   */
161
  void (*init)(const br_prng_class **ctx, const void *params,
162
    const void *seed, size_t seed_len);
163
164
  /**
165
   * \brief Random bytes generation.
166
   *
167
   * This method produces `len` pseudorandom bytes, in the `out`
168
   * buffer. The context is updated accordingly.
169
   *
170
   * \param ctx   PRNG context.
171
   * \param out   output buffer.
172
   * \param len   number of pseudorandom bytes to produce.
173
   */
174
  void (*generate)(const br_prng_class **ctx, void *out, size_t len);
175
176
  /**
177
   * \brief Inject additional seed bytes.
178
   *
179
   * The provided seed bytes are added into the PRNG internal
180
   * entropy pool.
181
   *
182
   * \param ctx        PRNG context.
183
   * \param seed       additional seed.
184
   * \param seed_len   additional seed length (in bytes).
185
   */
186
  void (*update)(const br_prng_class **ctx,
187
    const void *seed, size_t seed_len);
188
};
189
190
/**
191
 * \brief Context for HMAC_DRBG.
192
 *
193
 * The context contents are opaque, except the first field, which
194
 * supports OOP.
195
 */
196
typedef struct {
197
  /**
198
   * \brief Pointer to the vtable.
199
   *
200
   * This field is set with the initialisation method/function.
201
   */
202
  const br_prng_class *vtable;
203
#ifndef BR_DOXYGEN_IGNORE
204
  unsigned char K[64];
205
  unsigned char V[64];
206
  const br_hash_class *digest_class;
207
#endif
208
} br_hmac_drbg_context;
209
210
/**
211
 * \brief Statically allocated, constant vtable for HMAC_DRBG.
212
 */
213
extern const br_prng_class br_hmac_drbg_vtable;
214
215
/**
216
 * \brief HMAC_DRBG initialisation.
217
 *
218
 * The context to initialise is provided as a pointer to its first field
219
 * (the vtable pointer); this function sets that first field to a
220
 * pointer to the vtable.
221
 *
222
 * The `seed` value is what is called, in NIST terminology, the
223
 * concatenation of the "seed", "nonce" and "personalization string", in
224
 * that order.
225
 *
226
 * The `digest_class` parameter defines the underlying hash function.
227
 * Formally, the NIST standard specifies that the hash function shall
228
 * be only SHA-1 or one of the SHA-2 functions. This implementation also
229
 * works with any other implemented hash function (such as MD5), but
230
 * this is non-standard and therefore not recommended.
231
 *
232
 * \param ctx            HMAC_DRBG context to initialise.
233
 * \param digest_class   vtable for the underlying hash function.
234
 * \param seed           initial seed.
235
 * \param seed_len       initial seed length (in bytes).
236
 */
237
void br_hmac_drbg_init(br_hmac_drbg_context *ctx,
238
  const br_hash_class *digest_class, const void *seed, size_t seed_len);
239
240
/**
241
 * \brief Random bytes generation with HMAC_DRBG.
242
 *
243
 * This method produces `len` pseudorandom bytes, in the `out`
244
 * buffer. The context is updated accordingly. Formally, requesting
245
 * more than 65536 bytes in one request falls out of specification
246
 * limits (but it won't fail).
247
 *
248
 * \param ctx   HMAC_DRBG context.
249
 * \param out   output buffer.
250
 * \param len   number of pseudorandom bytes to produce.
251
 */
252
void br_hmac_drbg_generate(br_hmac_drbg_context *ctx, void *out, size_t len);
253
254
/**
255
 * \brief Inject additional seed bytes in HMAC_DRBG.
256
 *
257
 * The provided seed bytes are added into the HMAC_DRBG internal
258
 * entropy pool. The process does not _replace_ existing entropy,
259
 * thus pushing non-random bytes (i.e. bytes which are known to the
260
 * attackers) does not degrade the overall quality of generated bytes.
261
 *
262
 * \param ctx        HMAC_DRBG context.
263
 * \param seed       additional seed.
264
 * \param seed_len   additional seed length (in bytes).
265
 */
266
void br_hmac_drbg_update(br_hmac_drbg_context *ctx,
267
  const void *seed, size_t seed_len);
268
269
/**
270
 * \brief Get the hash function implementation used by a given instance of
271
 * HMAC_DRBG.
272
 *
273
 * This calls MUST NOT be performed on a context which was not
274
 * previously initialised.
275
 *
276
 * \param ctx   HMAC_DRBG context.
277
 * \return  the hash function vtable.
278
 */
279
static inline const br_hash_class *
280
br_hmac_drbg_get_hash(const br_hmac_drbg_context *ctx)
281
0
{
282
0
  return ctx->digest_class;
283
0
}
Unexecuted instantiation: module.cpp:br_hmac_drbg_get_hash(br_hmac_drbg_context const*)
Unexecuted instantiation: poly1305_ctmul.c:br_hmac_drbg_get_hash
Unexecuted instantiation: chacha20_sse2.c:br_hmac_drbg_get_hash
Unexecuted instantiation: chacha20_ct.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_x86ni_ctrcbc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_x86ni.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_small_ctrcbc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct_ctrcbc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct_ctr.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct64_ctrcbc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct64.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_common.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_big_ctrcbc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: prf_md5sha1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: prf.c:br_hmac_drbg_get_hash
Unexecuted instantiation: sysrng.c:br_hmac_drbg_get_hash
Unexecuted instantiation: hmac_drbg.c:br_hmac_drbg_get_hash
Unexecuted instantiation: hmac.c:br_hmac_drbg_get_hash
Unexecuted instantiation: shake.c:br_hmac_drbg_get_hash
Unexecuted instantiation: hkdf.c:br_hmac_drbg_get_hash
Unexecuted instantiation: sha2small.c:br_hmac_drbg_get_hash
Unexecuted instantiation: sha2big.c:br_hmac_drbg_get_hash
Unexecuted instantiation: sha1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: md5sha1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: md5.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ghash_ctmul32.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i31_vrfy_raw.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i31_sign_raw.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i31_bits.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i15_vrfy_raw.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i15_sign_raw.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ecdsa_i15_bits.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_secp521r1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_secp384r1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_secp256r1.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_pubkey.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_prime_i31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_prime_i15.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_p256_m64.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_p256_m62.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_p256_m31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_p256_m15.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_keygen.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_default.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_m64.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_m62.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_m31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_m15.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_i31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_c25519_i15.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ec_all_m31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: enc64be.c:br_hmac_drbg_get_hash
Unexecuted instantiation: enc32le.c:br_hmac_drbg_get_hash
Unexecuted instantiation: enc32be.c:br_hmac_drbg_get_hash
Unexecuted instantiation: dec64be.c:br_hmac_drbg_get_hash
Unexecuted instantiation: dec32le.c:br_hmac_drbg_get_hash
Unexecuted instantiation: dec32be.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ccopy.c:br_hmac_drbg_get_hash
Unexecuted instantiation: gcm.c:br_hmac_drbg_get_hash
Unexecuted instantiation: ccm.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_small_enc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct_enc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_ct64_enc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: aes_big_enc.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_sub.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_rshift.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_ninv31.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_montmul.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_modpow.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_iszero.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_fmont.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_encode.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_decode.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_decmod.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_bitlen.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_add.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_sub.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_rshift.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_ninv15.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_montmul.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_modpow.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_iszero.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_fmont.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_encode.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_decode.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_decmod.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_bitlen.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_add.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_tmont.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i31_muladd.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_tmont.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i15_muladd.c:br_hmac_drbg_get_hash
Unexecuted instantiation: i32_div32.c:br_hmac_drbg_get_hash
284
285
/**
286
 * \brief Type for a provider of entropy seeds.
287
 *
288
 * A "seeder" is a function that is able to obtain random values from
289
 * some source and inject them as entropy seed in a PRNG. A seeder
290
 * shall guarantee that the total entropy of the injected seed is large
291
 * enough to seed a PRNG for purposes of cryptographic key generation
292
 * (i.e. at least 128 bits).
293
 *
294
 * A seeder may report a failure to obtain adequate entropy. Seeders
295
 * shall endeavour to fix themselves transient errors by trying again;
296
 * thus, callers may consider reported errors as permanent.
297
 *
298
 * \param ctx   PRNG context to seed.
299
 * \return  1 on success, 0 on error.
300
 */
301
typedef int (*br_prng_seeder)(const br_prng_class **ctx);
302
303
/**
304
 * \brief Get a seeder backed by the operating system or hardware.
305
 *
306
 * Get a seeder that feeds on RNG facilities provided by the current
307
 * operating system or hardware. If no such facility is known, then 0
308
 * is returned.
309
 *
310
 * If `name` is not `NULL`, then `*name` is set to a symbolic string
311
 * that identifies the seeder implementation. If no seeder is returned
312
 * and `name` is not `NULL`, then `*name` is set to a pointer to the
313
 * constant string `"none"`.
314
 *
315
 * \param name   receiver for seeder name, or `NULL`.
316
 * \return  the system seeder, if available, or 0.
317
 */
318
br_prng_seeder br_prng_seeder_system(const char **name);
319
320
/**
321
 * \brief Context for AESCTR_DRBG.
322
 *
323
 * The context contents are opaque, except the first field, which
324
 * supports OOP.
325
 */
326
typedef struct {
327
  /**
328
   * \brief Pointer to the vtable.
329
   *
330
   * This field is set with the initialisation method/function.
331
   */
332
  const br_prng_class *vtable;
333
#ifndef BR_DOXYGEN_IGNORE
334
  br_aes_gen_ctr_keys sk;
335
  uint32_t cc;
336
#endif
337
} br_aesctr_drbg_context;
338
339
/**
340
 * \brief Statically allocated, constant vtable for AESCTR_DRBG.
341
 */
342
extern const br_prng_class br_aesctr_drbg_vtable;
343
344
/**
345
 * \brief AESCTR_DRBG initialisation.
346
 *
347
 * The context to initialise is provided as a pointer to its first field
348
 * (the vtable pointer); this function sets that first field to a
349
 * pointer to the vtable.
350
 *
351
 * The internal AES key is first set to the all-zero key; then, the
352
 * `br_aesctr_drbg_update()` function is called with the provided `seed`.
353
 * The call is performed even if the seed length (`seed_len`) is zero.
354
 *
355
 * The `aesctr` parameter defines the underlying AES/CTR implementation.
356
 *
357
 * \param ctx        AESCTR_DRBG context to initialise.
358
 * \param aesctr     vtable for the AES/CTR implementation.
359
 * \param seed       initial seed (can be `NULL` if `seed_len` is zero).
360
 * \param seed_len   initial seed length (in bytes).
361
 */
362
void br_aesctr_drbg_init(br_aesctr_drbg_context *ctx,
363
  const br_block_ctr_class *aesctr, const void *seed, size_t seed_len);
364
365
/**
366
 * \brief Random bytes generation with AESCTR_DRBG.
367
 *
368
 * This method produces `len` pseudorandom bytes, in the `out`
369
 * buffer. The context is updated accordingly.
370
 *
371
 * \param ctx   AESCTR_DRBG context.
372
 * \param out   output buffer.
373
 * \param len   number of pseudorandom bytes to produce.
374
 */
375
void br_aesctr_drbg_generate(br_aesctr_drbg_context *ctx,
376
  void *out, size_t len);
377
378
/**
379
 * \brief Inject additional seed bytes in AESCTR_DRBG.
380
 *
381
 * The provided seed bytes are added into the AESCTR_DRBG internal
382
 * entropy pool. The process does not _replace_ existing entropy,
383
 * thus pushing non-random bytes (i.e. bytes which are known to the
384
 * attackers) does not degrade the overall quality of generated bytes.
385
 *
386
 * \param ctx        AESCTR_DRBG context.
387
 * \param seed       additional seed.
388
 * \param seed_len   additional seed length (in bytes).
389
 */
390
void br_aesctr_drbg_update(br_aesctr_drbg_context *ctx,
391
  const void *seed, size_t seed_len);
392
393
#ifdef __cplusplus
394
}
395
#endif
396
397
#endif