HMAC_DRBG: support set_entropy_len() before seed()

mbedtls_hmac_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_hmac_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().
This commit is contained in:
Gilles Peskine 2019-10-04 11:47:35 +02:00
parent 3cdb3da3a0
commit 8f7921ec4b
2 changed files with 17 additions and 16 deletions

View File

@ -141,11 +141,9 @@ void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
* entropy length is set with * entropy length is set with
* mbedtls_hmac_drbg_set_entropy_len() afterwards. * mbedtls_hmac_drbg_set_entropy_len() afterwards.
* *
* \note The entropy length for the initial seeding is * \note The default entropy length is the security strength
* the security strength (converted from bits to bytes). * (converted from bits to bytes). You can override
* You can set a different entropy length for subsequent * it by calling mbedtls_hmac_drbg_set_entropy_len().
* seeding by calling mbedtls_hmac_drbg_set_entropy_len()
* after this function.
* *
* \note During the initial seeding, this function calls * \note During the initial seeding, this function calls
* the entropy source to obtain a nonce * the entropy source to obtain a nonce

View File

@ -273,6 +273,8 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL; ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
if( ctx->entropy_len == 0 )
{
/* /*
* See SP800-57 5.6.1 (p. 65-66) for the security strength provided by * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
* each hash function, then according to SP800-90A rev1 10.1 table 2, * each hash function, then according to SP800-90A rev1 10.1 table 2,
@ -283,6 +285,7 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */ ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */ md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
32; /* better (256+) -> 256 bits */ 32; /* better (256+) -> 256 bits */
}
if( ( ret = hmac_drbg_reseed_core( ctx, custom, len, if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
1 /* add nonce */ ) ) != 0 ) 1 /* add nonce */ ) ) != 0 )
@ -303,7 +306,7 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
} }
/* /*
* Set entropy length grabbed for reseeds * Set entropy length grabbed for seeding
*/ */
void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len ) void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
{ {