CTR_DRBG: define a constant for the default entropy nonce length
The default entropy nonce length is either zero or nonzero depending
on the desired security strength and the entropy length.
The implementation calculates the actual entropy nonce length from the
actual entropy length, and therefore it doesn't need a constant that
indicates the default entropy nonce length. A portable application may
be interested in this constant, however. And our test code could
definitely use it.
Define a constant MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN and use it in
test code. Previously, test_suite_ctr_drbg had knowledge about the
default entropy nonce length built in and test_suite_psa_crypto_init
failed. Now both use MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN.
This change means that the test ctr_drbg_entropy_usage no longer
validates that the default entropy nonce length is sensible. So add a
new test that checks that the default entropy length and the default
entropy nonce length are sufficient to ensure the expected security
strength.
diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index c284385..8317c08 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@@ -3,14 +3,6 @@
#include "mbedtls/ctr_drbg.h"
#include "string.h"
-/* mbedtls_ctr_drbg_seed() grabs a nonce by default if the entropy
- * length is smaller than 3/2 times the maximum security strength. */
-#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
-#undef DEFAULT_ENTROPY_NONCE
-#else
-#define DEFAULT_ENTROPY_NONCE
-#endif
-
/* Modes for ctr_drbg_validate */
enum reseed_mode
{
@@ -196,7 +188,37 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void ctr_drbg_entropy_strength( int expected_bit_strength )
+{
+ unsigned char entropy[/*initial entropy*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN +
+ /*nonce*/ MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN +
+ /*reseed*/ MBEDTLS_CTR_DRBG_ENTROPY_LEN];
+ mbedtls_ctr_drbg_context ctx;
+ size_t last_idx;
+ size_t byte_strength = expected_bit_strength / 8;
+ mbedtls_ctr_drbg_init( &ctx );
+ test_offset_idx = 0;
+ test_max_idx = sizeof( entropy );
+ memset( entropy, 0, sizeof( entropy ) );
+
+ /* The initial seeding must grab at least byte_strength bytes of entropy
+ * for the entropy input and byte_strength/2 bytes for a nonce. */
+ TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctx,
+ mbedtls_test_entropy_func, entropy,
+ NULL, 0 ) == 0 );
+ TEST_ASSERT( test_offset_idx >= ( byte_strength * 3 + 1 ) / 2 );
+ last_idx = test_offset_idx;
+
+ /* A reseed must grab at least byte_strength bytes of entropy. */
+ TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) == 0 );
+ TEST_ASSERT( test_offset_idx - last_idx >= byte_strength );
+
+exit:
+ mbedtls_ctr_drbg_free( &ctx );
+}
+/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_entropy_usage( int entropy_nonce_len )
@@ -224,11 +246,7 @@
if( entropy_nonce_len >= 0 )
expected_idx += entropy_nonce_len;
else
- {
-#if defined(DEFAULT_ENTROPY_NONCE)
- expected_idx += ( MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1 ) / 2;
-#endif
- }
+ expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
TEST_EQUAL( test_offset_idx, expected_idx );
/* By default, PR is off and reseed_interval is large,