File ctr_drbg.h

This file contains definitions and functions for the CTR_DRBG pseudorandom generator.

CTR_DRBG is a standardized way of building a PRNG from a block-cipher in counter mode operation, as defined in NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators.

The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128 (if MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time) as the underlying block cipher, with a derivation function.

The security strength as defined in NIST SP 800-90A is 128 bits when AES-128 is used (MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled) and 256 bits otherwise, provided that MBEDTLS_CTR_DRBG_ENTROPY_LEN is kept at its default value (and not overridden in mbedtls_config.h) and that the DRBG instance is set up with default parameters. See the documentation of mbedtls_ctr_drbg_seed() for more information.

Defines

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED

The entropy source failed.

MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG

The requested random buffer length is too big.

MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG

The input (entropy + additional data) is too large.

MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR

Read or write error in file.

MBEDTLS_CTR_DRBG_BLOCKSIZE

The block size used by the cipher.

MBEDTLS_CTR_DRBG_KEYSIZE

The key size in bytes used by the cipher.

Compile-time choice: 16 bytes (128 bits) because MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.

MBEDTLS_CTR_DRBG_KEYBITS

The key size for the DRBG operation, in bits.

MBEDTLS_CTR_DRBG_SEEDLEN

The seed length, calculated as (counter + AES key).

MBEDTLS_CTR_DRBG_PR_OFF

Prediction resistance is disabled.

MBEDTLS_CTR_DRBG_PR_ON

Prediction resistance is enabled.

MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN

The default length of the nonce read from the entropy source.

This is 0 because a single read from the entropy source is sufficient to include a nonce. See the documentation of mbedtls_ctr_drbg_seed() for more information.

Typedefs

typedef struct mbedtls_ctr_drbg_context mbedtls_ctr_drbg_context

The CTR_DRBG context structure.

Functions

void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)

This function initializes the CTR_DRBG context, and prepares it for mbedtls_ctr_drbg_seed() or mbedtls_ctr_drbg_free().

Note

The reseed interval is MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default. You can override it by calling mbedtls_ctr_drbg_set_reseed_interval().

Parameters:

ctx – The CTR_DRBG context to initialize.

int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx, int (*f_entropy)(void*, unsigned char*, size_t), void *p_entropy, const unsigned char *custom, size_t len)

This function seeds and sets up the CTR_DRBG entropy source for future reseeds.

A typical choice for the f_entropy and p_entropy parameters is to use the entropy module:

The entropy length is MBEDTLS_CTR_DRBG_ENTROPY_LEN by default. You can override it by calling mbedtls_ctr_drbg_set_entropy_len().

The entropy nonce length is:

  • 0 if the entropy length is at least 3/2 times the entropy length, which guarantees that the security strength is the maximum permitted by the key size and entropy length according to NIST SP 800-90A §10.2.1;

  • Half the entropy length otherwise. You can override it by calling mbedtls_ctr_drbg_set_nonce_len(). With the default entropy length, the entropy nonce length is MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.

You can provide a nonce and personalization string in addition to the entropy source, to make this instantiation as unique as possible. See SP 800-90A §8.6.7 for more details about nonces.

The seed_material value passed to the derivation function in the CTR_DRBG Instantiate Process described in NIST SP 800-90A §10.2.1.3.2 is the concatenation of the following strings:

  • A string obtained by calling f_entropy function for the entropy length.

  • If mbedtls_ctr_drbg_set_nonce_len() has been called, a string obtained by calling f_entropy function for the specified length.

  • The custom string.

In addition, if you do not pass a nonce in custom, the sum of the entropy length and the entropy nonce length must be:

  • at least 24 bytes for a 128-bit strength (maximum achievable strength when using AES-128);

  • at least 48 bytes for a 256-bit strength (maximum achievable strength when using AES-256).

Note

When Mbed TLS is built with threading support, after this function returns successfully, it is safe to call mbedtls_ctr_drbg_random() from multiple threads. Other operations, including reseeding, are not thread-safe.

Note

To achieve the nominal security strength permitted by CTR_DRBG, the entropy length must be:

  • at least 16 bytes for a 128-bit strength (maximum achievable strength when using AES-128);

  • at least 32 bytes for a 256-bit strength (maximum achievable strength when using AES-256).

Parameters:
Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.

void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx)

This function resets CTR_DRBG context to the state immediately after initial call of mbedtls_ctr_drbg_init().

Parameters:

ctx – The CTR_DRBG context to clear.

void mbedtls_ctr_drbg_set_prediction_resistance(mbedtls_ctr_drbg_context *ctx, int resistance)

This function turns prediction resistance on or off. The default value is off.

Note

If enabled, entropy is gathered at the beginning of every call to mbedtls_ctr_drbg_random_with_add() or mbedtls_ctr_drbg_random(). Only use this if your entropy source has sufficient throughput.

Parameters:
void mbedtls_ctr_drbg_set_entropy_len(mbedtls_ctr_drbg_context *ctx, size_t len)

This function sets the amount of entropy grabbed on each seed or reseed.

The default value is MBEDTLS_CTR_DRBG_ENTROPY_LEN.

Note

The security strength of CTR_DRBG is bounded by the entropy length. Thus:

  • When using AES-256 (MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled, which is the default), len must be at least 32 (in bytes) to achieve a 256-bit strength.

  • When using AES-128 (MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) len must be at least 16 (in bytes) to achieve a 128-bit strength.

Parameters:

  • ctx – The CTR_DRBG context.

  • len – The amount of entropy to grab, in bytes. This must be at most MBEDTLS_CTR_DRBG_MAX_SEED_INPUT and at most the maximum length accepted by the entropy function that is set in the context.

int mbedtls_ctr_drbg_set_nonce_len(mbedtls_ctr_drbg_context *ctx, size_t len)

This function sets the amount of entropy grabbed as a nonce for the initial seeding.

Call this function before calling mbedtls_ctr_drbg_seed() to read a nonce from the entropy source during the initial seeding.

Parameters:

  • ctx – The CTR_DRBG context.

  • len – The amount of entropy to grab for the nonce, in bytes. This must be at most MBEDTLS_CTR_DRBG_MAX_SEED_INPUT and at most the maximum length accepted by the entropy function that is set in the context.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if len is more than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED if the initial seeding has already taken place.

void mbedtls_ctr_drbg_set_reseed_interval(mbedtls_ctr_drbg_context *ctx, int interval)

This function sets the reseed interval.

The reseed interval is the number of calls to mbedtls_ctr_drbg_random() or mbedtls_ctr_drbg_random_with_add() after which the entropy function is called again.

The default value is MBEDTLS_CTR_DRBG_RESEED_INTERVAL.

Parameters:

  • ctx – The CTR_DRBG context.

  • interval – The reseed interval.

int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t len)

This function reseeds the CTR_DRBG context, that is extracts data from the entropy source.

Note

This function is not thread-safe. It is not safe to call this function if another thread might be concurrently obtaining random numbers from the same context or updating or reseeding the same context.

Parameters:

  • ctx – The CTR_DRBG context.

  • additional – Additional data to add to the state. Can be NULL.

  • len – The length of the additional data. This must be less than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - entropy_len where entropy_len is the entropy length configured for the context.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.

int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len)

This function updates the state of the CTR_DRBG context.

Note

This function is not thread-safe. It is not safe to call this function if another thread might be concurrently obtaining random numbers from the same context or updating or reseeding the same context.

Parameters:

  • ctx – The CTR_DRBG context.

  • additional – The data to update the state with. This must not be NULL unless add_len is 0.

  • add_len – Length of additional in bytes. This must be at most MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if add_len is more than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.

Returns:

An error from the underlying AES cipher on failure.

int mbedtls_ctr_drbg_random_with_add(void *p_rng, unsigned char *output, size_t output_len, const unsigned char *additional, size_t add_len)

This function updates a CTR_DRBG instance with additional data and uses it to generate random data.

This function automatically reseeds if the reseed counter is exceeded or prediction resistance is enabled.

Note

This function is not thread-safe. It is not safe to call this function if another thread might be concurrently obtaining random numbers from the same context or updating or reseeding the same context.

Parameters:

  • p_rng – The CTR_DRBG context. This must be a pointer to a mbedtls_ctr_drbg_context structure.

  • output – The buffer to fill.

  • output_len – The length of the buffer in bytes.

  • additional – Additional data to update. Can be NULL, in which case the additional data is empty regardless of the value of add_len.

  • add_len – The length of the additional data if additional is not NULL. This must be less than MBEDTLS_CTR_DRBG_MAX_INPUT and less than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - entropy_len where entropy_len is the entropy length configured for the context.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.

int mbedtls_ctr_drbg_random(void *p_rng, unsigned char *output, size_t output_len)

This function uses CTR_DRBG to generate random data.

This function automatically reseeds if the reseed counter is exceeded or prediction resistance is enabled.

Note

When Mbed TLS is built with threading support, it is safe to call mbedtls_ctr_drbg_random() from multiple threads. Other operations, including reseeding, are not thread-safe.

Parameters:

  • p_rng – The CTR_DRBG context. This must be a pointer to a mbedtls_ctr_drbg_context structure.

  • output – The buffer to fill.

  • output_len – The length of the buffer in bytes.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.

int mbedtls_ctr_drbg_write_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path)

This function writes a seed file.

Parameters:

  • ctx – The CTR_DRBG context.

  • path – The name of the file.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed failure.

int mbedtls_ctr_drbg_update_seed_file(mbedtls_ctr_drbg_context *ctx, const char *path)

This function reads and updates a seed file. The seed is added to this instance.

Parameters:

  • ctx – The CTR_DRBG context.

  • path – The name of the file.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.

Returns:

MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed failure.

Returns:

MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing seed file is too large.

int mbedtls_ctr_drbg_self_test(int verbose)

The CTR_DRBG checkup routine.

Returns:

0 on success.

Returns:

1 on failure.

struct mbedtls_ctr_drbg_context
#include <ctr_drbg.h>

The CTR_DRBG context structure.

Public Members

unsigned char private_counter[16]

The counter (V).

int private_reseed_counter

The reseed counter. This is the number of requests that have been made since the last (re)seeding, minus one. Before the initial seeding, this field contains the amount of entropy in bytes to use as a nonce for the initial seeding, or -1 if no nonce length has been explicitly set (see mbedtls_ctr_drbg_set_nonce_len()).

int private_prediction_resistance

This determines whether prediction resistance is enabled, that is whether to systematically reseed before each random generation.

size_t private_entropy_len

The amount of entropy grabbed on each seed or reseed operation, in bytes.

int private_reseed_interval

The reseed interval. This is the maximum number of requests that can be made between reseedings.

mbedtls_aes_context private_aes_ctx

The AES context.

int (*private_f_entropy)(void*, unsigned char*, size_t)

The entropy callback function.

void *private_p_entropy

The context for the entropy function.

mbedtls_threading_mutex_t private_mutex