From 8cec70a8c4549dc962dd0634083294166460c939 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 2 Oct 2019 18:23:38 +0200 Subject: [PATCH] CTR_DRBG: make it easier to understand the security strength Explain how MBEDTLS_CTR_DRBG_ENTROPY_LEN is set next to the security strength statement, rather than giving a partial explanation (current setting only) in the documentation of MBEDTLS_CTR_DRBG_ENTROPY_LEN. --- include/mbedtls/ctr_drbg.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 3599e95d2..4f8d1315c 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -24,6 +24,13 @@ * and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is * always the case unless it is explicitly set to a different value * in `config.h`). + * + * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to: + * - \c 48 if the module #MBEDTLS_SHA512_C is enabled and the symbol + * #MBEDTLS_ENTROPY_FORCE_SHA256 is not enabled at compile time. + * This is the default configuration of the library. + * - \c 32 if the module #MBEDTLS_SHA512_C is disabled at compile time. + * - \c 32 if #MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time. */ /* * Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved @@ -99,7 +106,7 @@ /** The amount of entropy used per seed by default. * * This is 48 bytes because the entropy module uses SHA-512 - * (`MBEDTLS_ENTROPY_FORCE_SHA256` is not set). + * #MBEDTLS_ENTROPY_FORCE_SHA256 is not set). * * \note See mbedtls_ctr_drbg_set_entropy_len() regarding what values are * acceptable. @@ -109,7 +116,7 @@ /** The amount of entropy used per seed by default. * * This is 32 bytes because the entropy module uses SHA-256 - * (the SHA-512 module is disabled or `MBEDTLS_ENTROPY_FORCE_SHA256` is set). + * (the SHA512 module is disabled or #MBEDTLS_ENTROPY_FORCE_SHA256 is set). * * \note See mbedtls_ctr_drbg_set_entropy_len() regarding what values are * acceptable.