TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e9a3454e0980887a81f7c61dfdd355769296940c^! / . / tests
commite9a3454e0980887a81f7c61dfdd355769296940c[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Tue Oct 22 20:43:24 2019 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Wed Oct 23 19:46:57 2019 +0200
tree6232958bd82f789f91daccfbfc3dfdfe4d3db551
parent0ed378aa02c22fdeba0113d7cd736777c0d4ebf6 [diff]
CTR_DRBG: grab a nonce from the entropy source if needed

Change the default entropy nonce length to be nonzero in some cases.
Specifically, the default nonce length is now set in such a way that
the entropy input during the initial seeding always contains enough
entropy to achieve the maximum possible security strength per
NIST SP 800-90A given the key size and entropy length.

If MBEDTLS_CTR_DRBG_ENTROPY_LEN is kept to its default value,
mbedtls_ctr_drbg_seed() now grabs extra entropy for a nonce if
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled and either
MBEDTLS_ENTROPY_FORCE_SHA256 is enabled or MBEDTLS_SHA512_C is
disabled. If MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled, or if
the entropy module uses SHA-512, then the default value of
MBEDTLS_CTR_DRBG_ENTROPY_LEN does not require a second call to the
entropy function to achieve the maximum security strength.

This choice of default nonce size guarantees NIST compliance with the
maximum security strength while keeping backward compatibility and
performance high: in configurations that do not require grabbing more
entropy, the code will not grab more entropy than before.

diff --git a/tests/suites/test_suite_ctr_drbg.data b/tests/suites/test_suite_ctr_drbg.data
index 5f198a4..461e502 100644
--- a/tests/suites/test_suite_ctr_drbg.data
+++ b/tests/suites/test_suite_ctr_drbg.data

@@ -1071,6 +1071,11 @@
 ctr_drbg_validate_pr:"d4f1f4ae08bcb3e1":"5d4041942bcf68864a4997d8171f1f9fef55a769b7eaf03fe082029bb32a2b9d8239e865c0a42e14b964b9c09de85a20":"":"":"4155320287eedcf7d484c2c2a1e2eb64b9c9ce77c87202a1ae1616c7a5cfd1c687c7a0bfcc85bda48fdd4629fd330c22d0a76076f88fc7cd04037ee06b7af602"
 
 CTR_DRBG entropy usage (entropy_nonce_len=0 by default)
+depends_on:!DEFAULT_ENTROPY_NONCE
+ctr_drbg_entropy_usage:-1
+
+CTR_DRBG entropy usage (entropy_nonce_len=entropy_len/2 by default)
+depends_on:DEFAULT_ENTROPY_NONCE
 ctr_drbg_entropy_usage:-1
 
 CTR_DRBG entropy usage (entropy_nonce_len=0)

diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function
index c79b6e2..c284385 100644
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function

@@ -3,6 +3,14 @@
 #include "mbedtls/ctr_drbg.h"
 #include "string.h"
 
+/* mbedtls_ctr_drbg_seed() grabs a nonce by default if the entropy
+ * length is smaller than 3/2 times the maximum security strength. */
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+#undef DEFAULT_ENTROPY_NONCE
+#else
+#define DEFAULT_ENTROPY_NONCE
+#endif
+
 /* Modes for ctr_drbg_validate */
 enum reseed_mode
 {
@@ -215,6 +223,12 @@
     expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
     if( entropy_nonce_len >= 0 )
         expected_idx += entropy_nonce_len;
+    else
+    {
+#if defined(DEFAULT_ENTROPY_NONCE)
+        expected_idx += ( MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1 ) / 2;
+#endif
+    }
     TEST_EQUAL( test_offset_idx, expected_idx );
 
     /* By default, PR is off and reseed_interval is large,