HMAC DRBG incorrect output

Hi @athorath

Thank you for your question!

Are you using the hmac_drbg as reference for your tests? If so, note that the entropy_context used should also change.

The entropy length in hmac_drbg is not identical as in ctr_drbg.

As you can see from the code, calling mbedtls_hmac_drbg_seed() will have the following definitions:

    /*
     * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
     * each hash function, then according to SP800-90A rev1 10.1 table 2,
     * min_entropy_len (in bits) is security_strength.
     *
     * (This also matches the sizes used in the NIST test vectors.)
     */
    ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
                       md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
                       32;  /* better (256+) -> 256 bits */

Which calls hmac_drbg_reseed_core() with use_nonce = 1 , so it calls f_entropy twice:

    if( ( ret = ctx->f_entropy( ctx->p_entropy,
                                seed, ctx->entropy_len ) ) != 0 )

and

     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
    if( use_nonce )
    {
        /* Note: We don't merge the two calls to f_entropy() in order
         *       to avoid requesting too much entropy from f_entropy()
         *       at once. Specifically, if the underlying digest is not
         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
         *       is larger than the maximum of 32 Bytes that our own
         *       entropy source implementation can emit in a single
         *       call in configurations disabling SHA-512. */
        if( ( ret = ctx->f_entropy( ctx->p_entropy,
                                    seed + seedlen,
                                    ctx->entropy_len / 2 ) ) != 0 )

so, for SHA1 hmac_drbg, your offset should be 16 + 8 = 24 , and for SHA256, it should be 32 + 16 = 48 , as the results you are seeing. The reasoning for these values are in the standards mentioned in the comments.
Regards,
Mbed TLS Support
Ron