yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 18:25:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'public/pr/1902' into development

Browse Source
This commit is contained in:
Simon Butcher 2018-10-27 18:36:55 +01:00
commit a07d86e8af
8 changed files with 774 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CMakeLists.txt
View File

@ -36,10 +36,27 @@ set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
"${NULL_ENTROPY_WARN_L3}"
"${WARNING_BORDER}")
set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
"${CTR_DRBG_128_BIT_KEY_WARN_L1}"
"${CTR_DRBG_128_BIT_KEY_WARN_L2}"
"${CTR_DRBG_128_BIT_KEY_WARN_L3}"
"${WARNING_BORDER}")
find_package(PythonInterp)
find_package(Perl)
if(PERL_FOUND)
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
RESULT_VARIABLE result)
if(${result} EQUAL 0)
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
endif()
# If NULL Entropy is configured, display an appropriate warning
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
RESULT_VARIABLE result)

2
ChangeLog
View File

@ -159,6 +159,8 @@ Features
independently contributed again by Paul Sokolovsky.
* Add support for key wrapping modes based on AES as defined by
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
than 256 bits limits the security of generated material to 128 bits.
Bugfix
* Fix the key_app_writer example which was writing a leading zero byte which

12
Makefile
View File

@ -61,9 +61,21 @@ NULL_ENTROPY_WARN_L3=**** AND IS *NOT* SUITABLE FOR PRODUCTION USE ****\n
NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
WARNING_BORDER_LONG =**********************************************************************************\n
CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n
CTR_DRBG_128_BIT_KEY_WARN_L2=**** Using 128-bit keys for CTR_DRBG limits the security of generated ****\n
CTR_DRBG_128_BIT_KEY_WARN_L3=**** keys and operations that use random values generated to 128-bit security ****\n
CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG)
# Post build steps
post_build:
ifndef WINDOWS
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
-scripts/config.pl get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
# If NULL Entropy is configured, display an appropriate warning
-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
echo '$(NULL_ENTROPY_WARNING)'

7
include/mbedtls/config.h
View File

@ -2047,14 +2047,16 @@
/**
* \def MBEDTLS_CTR_DRBG_C
*
* Enable the CTR_DRBG AES-256-based random generator.
* Enable the CTR_DRBG AES-based random generator.
* The CTR_DRBG generator uses AES-256 by default.
* To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
*
* Module: library/ctr_drbg.c
* Caller:
*
* Requires: MBEDTLS_AES_C
*
* This module provides the CTR_DRBG AES-256 random number generator.
* This module provides the CTR_DRBG AES random number generator.
*/
#define MBEDTLS_CTR_DRBG_C
@ -2939,6 +2941,7 @@
//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY /**< Use 128-bit key for CTR_DRBG - may reduce security (see ctr_drbg.h) */
/* HMAC_DRBG options */
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */

15
include/mbedtls/ctr_drbg.h
View File

@ -8,8 +8,11 @@
* Recommendation for Random Number Generation Using Deterministic Random
* Bit Generators</em>.
*
* The Mbed TLS implementation of CTR_DRBG uses AES-256 as the underlying
* block cipher.
* The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
* as the underlying block cipher.
*
* \warning Using 128-bit keys for CTR_DRBG limits the security of generated
* keys and operations that use random values generated to 128-bit security.
*/
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
@ -45,7 +48,13 @@
#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A /**< Read or write error in file. */
#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< The block size used by the cipher. */
#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< The key size used by the cipher. */
#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
#define MBEDTLS_CTR_DRBG_KEYSIZE 16 /**< The key size used by the cipher (compile-time choice: 128 bits). */
#else
#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< The key size used by the cipher (compile-time choice: 256 bits). */
#endif
#define MBEDTLS_CTR_DRBG_KEYBITS ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
#define MBEDTLS_CTR_DRBG_SEEDLEN ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */

63
library/ctr_drbg.c
View File

@ -66,6 +66,18 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
* Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
* NIST tests to succeed (which require known length fixed entropy)
*/
/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
* mbedtls_ctr_drbg_seed_entropy_len(ctx, f_entropy, p_entropy,
* custom, len, entropy_len)
* implements
* CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
* security_strength) -> initial_working_state
* with inputs
* custom[:len] = nonce || personalization_string
* where entropy_input comes from f_entropy for entropy_len bytes
* and with outputs
* ctx = initial_working_state
*/
int mbedtls_ctr_drbg_seed_entropy_len(
mbedtls_ctr_drbg_context *ctx,
int (*f_entropy)(void *, unsigned char *, size_t),
@ -256,6 +268,14 @@ exit:
return( ret );
}
/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
* ctr_drbg_update_internal(ctx, provided_data)
* implements
* CTR_DRBG_Update(provided_data, Key, V)
* with inputs and outputs
* ctx->aes_ctx = Key
* ctx->counter = V
*/
static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
{
@ -301,6 +321,18 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
return( 0 );
}
/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
* mbedtls_ctr_drbg_update(ctx, additional, add_len)
* implements
* CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
* security_strength) -> initial_working_state
* with inputs
* ctx->counter = all-bits-0
* ctx->aes_ctx = context from all-bits-0 key
* additional[:add_len] = entropy_input || nonce || personalization_string
* and with outputs
* ctx = initial_working_state
*/
void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
const unsigned char *additional, size_t add_len )
{
@ -318,6 +350,18 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
}
}
/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
* mbedtls_ctr_drbg_reseed(ctx, additional, len)
* implements
* CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
* -> new_working_state
* with inputs
* ctx contains working_state
* additional[:len] = additional_input
* and entropy_input comes from calling ctx->f_entropy
* and with output
* ctx contains new_working_state
*/
int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
const unsigned char *additional, size_t len )
{
@ -371,6 +415,25 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
return( 0 );
}
/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
* mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
* implements
* CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
* -> working_state_after_reseed
* if required, then
* CTR_DRBG_Generate(working_state_after_reseed,
* requested_number_of_bits, additional_input)
* -> status, returned_bits, new_working_state
* with inputs
* ctx contains working_state
* requested_number_of_bits = 8 * output_len
* additional[:add_len] = additional_input
* and entropy_input comes from calling ctx->f_entropy
* and with outputs
* status = SUCCESS (this function does the reseed internally)
* returned_bits = output[:output_len]
* ctx contains new_working_state
*/
int mbedtls_ctr_drbg_random_with_add( void *p_rng,
unsigned char *output, size_t output_len,
const unsigned char *additional, size_t add_len )

713
tests/suites/test_suite_ctr_drbg.data
View File

File diff suppressed because it is too large Load Diff

166
tests/suites/test_suite_ctr_drbg.function
View File

@ -1,15 +1,97 @@
/* BEGIN_HEADER */
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "string.h"
static int test_offset_idx;
/* Modes for ctr_drbg_validate */
enum reseed_mode
{
RESEED_NEVER, /* never reseed */
RESEED_FIRST, /* instantiate, reseed, generate, generate */
RESEED_SECOND, /* instantiate, generate, reseed, generate */
RESEED_ALWAYS /* prediction resistance, no explicit reseed */
};
static size_t test_offset_idx = 0;
static size_t test_max_idx = 0;
static int mbedtls_test_entropy_func( void *data, unsigned char *buf, size_t len )
{
const unsigned char *p = (unsigned char *) data;
if( test_offset_idx + len > test_max_idx )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
memcpy( buf, p + test_offset_idx, len );
test_offset_idx += len;
return( 0 );
}
static void ctr_drbg_validate_internal( int reseed_mode, data_t * nonce,
int entropy_len_arg, data_t * entropy,
data_t * reseed,
data_t * add1, data_t * add2,
data_t * result )
{
mbedtls_ctr_drbg_context ctx;
unsigned char buf[64];
size_t entropy_chunk_len = (size_t) entropy_len_arg;
TEST_ASSERT( entropy_chunk_len <= sizeof( buf ) );
test_offset_idx = 0;
mbedtls_ctr_drbg_init( &ctx );
test_max_idx = entropy->len;
/* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
* where nonce||perso = nonce[nonce->len] */
TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len(
&ctx,
mbedtls_test_entropy_func, entropy->x,
nonce->x, nonce->len,
entropy_chunk_len ) == 0 );
if( reseed_mode == RESEED_ALWAYS )
mbedtls_ctr_drbg_set_prediction_resistance(
&ctx,
MBEDTLS_CTR_DRBG_PR_ON );
if( reseed_mode == RESEED_FIRST )
{
/* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
* reseed[:reseed->len]) */
TEST_ASSERT( mbedtls_ctr_drbg_reseed(
&ctx,
reseed->x, reseed->len ) == 0 );
}
/* CTR_DRBG_Generate(result->len * 8 bits, add1[:add1->len]) -> buf */
/* Then reseed if prediction resistance is enabled. */
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add(
&ctx,
buf, result->len,
add1->x, add1->len ) == 0 );
if( reseed_mode == RESEED_SECOND )
{
/* CTR_DRBG_Reseed(entropy[idx:idx+entropy->len],
* reseed[:reseed->len]) */
TEST_ASSERT( mbedtls_ctr_drbg_reseed(
&ctx,
reseed->x, reseed->len ) == 0 );
}
/* CTR_DRBG_Generate(result->len * 8 bits, add2->x[:add2->len]) -> buf */
/* Then reseed if prediction resistance is enabled. */
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add(
&ctx,
buf, result->len,
add2->x, add2->len ) == 0 );
TEST_ASSERT( memcmp( buf, result->x, result->len ) == 0 );
exit:
mbedtls_ctr_drbg_free( &ctx );
}
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@ -50,54 +132,63 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_validate_no_reseed( data_t * add_init, data_t * entropy,
data_t * add1, data_t * add2,
data_t * result_string )
{
data_t empty = { 0, 0 };
ctr_drbg_validate_internal( RESEED_NEVER, add_init,
entropy->len, entropy,
&empty, add1, add2,
result_string );
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_validate_pr( data_t * add_init, data_t * entropy,
data_t * add1, data_t * add2,
data_t * result_str )
data_t * result_string )
{
mbedtls_ctr_drbg_context ctx;
unsigned char buf[512];
mbedtls_ctr_drbg_init( &ctx );
test_offset_idx = 0;
TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy->x, add_init->x, add_init->len, 32 ) == 0 );
mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1->x, add1->len ) == 0 );
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add2->x, add2->len ) == 0 );
TEST_ASSERT( hexcmp( buf, result_str->x, 16, result_str->len ) == 0 );
exit:
mbedtls_ctr_drbg_free( &ctx );
data_t empty = { 0, 0 };
ctr_drbg_validate_internal( RESEED_ALWAYS, add_init,
entropy->len / 3, entropy,
&empty, add1, add2,
result_string );
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_validate_nopr( data_t * add_init, data_t * entropy,
void ctr_drbg_validate_reseed_between( data_t * add_init, data_t * entropy,
data_t * add1, data_t * add_reseed,
data_t * add2, data_t * result_str )
data_t * add2, data_t * result_string )
{
mbedtls_ctr_drbg_context ctx;
unsigned char buf[512];
mbedtls_ctr_drbg_init( &ctx );
test_offset_idx = 0;
TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy->x, add_init->x, add_init->len, 32 ) == 0 );
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1->x, add1->len ) == 0 );
TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, add_reseed->x, add_reseed->len ) == 0 );
TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add2->x, add2->len ) == 0 );
TEST_ASSERT( hexcmp( buf, result_str->x, 16, result_str->len ) == 0 );
exit:
mbedtls_ctr_drbg_free( &ctx );
ctr_drbg_validate_internal( RESEED_SECOND, add_init,
entropy->len / 2, entropy,
add_reseed, add1, add2,
result_string );
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_validate_reseed_first( data_t * add_init, data_t * entropy,
data_t * add1, data_t * add_reseed,
data_t * add2, data_t * result_string )
{
ctr_drbg_validate_internal( RESEED_FIRST, add_init,
entropy->len / 2, entropy,
add_reseed, add1, add2,
result_string );
goto exit; // goto is needed to avoid warning ( no test assertions in func)
}
/* END_CASE */
/* BEGIN_CASE */
void ctr_drbg_entropy_usage( )
{
@ -106,10 +197,11 @@ void ctr_drbg_entropy_usage( )
unsigned char entropy[1024];
mbedtls_ctr_drbg_context ctx;
size_t i, reps = 10;
int last_idx;
size_t last_idx;
mbedtls_ctr_drbg_init( &ctx );
test_offset_idx = 0;
test_max_idx = sizeof( entropy );
memset( entropy, 0, sizeof( entropy ) );
memset( out, 0, sizeof( out ) );
memset( add, 0, sizeof( add ) );