mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 09:05:37 +01:00
compile time warning of 128bit ctr_drbg keys and standardized warnings
a compile time print was added warning in case of 128bit ctr_drbg keys. This was don't to avoid an actual warning in these cases (making build with warnings as errors possible). Additional warnings on the Changelog/headers were set to use the same phrasing phrasing was approved by Gilles and Janos.
This commit is contained in:
parent
ce266e4ca2
commit
b7ebbcaa2c
@ -36,10 +36,26 @@ set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
|
|||||||
"${NULL_ENTROPY_WARN_L3}"
|
"${NULL_ENTROPY_WARN_L3}"
|
||||||
"${WARNING_BORDER}")
|
"${WARNING_BORDER}")
|
||||||
|
|
||||||
find_package(PythonInterp)
|
set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
|
||||||
|
set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
|
||||||
|
set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
|
||||||
|
|
||||||
|
set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
|
||||||
|
"${CTR_DRBG_128_BIT_KEY_WARN_L1}"
|
||||||
|
"${CTR_DRBG_128_BIT_KEY_WARN_L2}"
|
||||||
|
"${CTR_DRBG_128_BIT_KEY_WARN_L3}"
|
||||||
|
"${WARNING_BORDER}")
|
||||||
|
|
||||||
find_package(Perl)
|
find_package(Perl)
|
||||||
if(PERL_FOUND)
|
if(PERL_FOUND)
|
||||||
|
|
||||||
|
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
|
||||||
|
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||||
|
RESULT_VARIABLE result)
|
||||||
|
if(${result} EQUAL 0)
|
||||||
|
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
|
||||||
|
endif()
|
||||||
|
|
||||||
# If NULL Entropy is configured, display an appropriate warning
|
# If NULL Entropy is configured, display an appropriate warning
|
||||||
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
|
execute_process(COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.pl -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
|
||||||
RESULT_VARIABLE result)
|
RESULT_VARIABLE result)
|
||||||
|
@ -71,8 +71,8 @@ Features
|
|||||||
independently contributed again by Paul Sokolovsky.
|
independently contributed again by Paul Sokolovsky.
|
||||||
* Add support for key wrapping modes based on AES as defined by
|
* Add support for key wrapping modes based on AES as defined by
|
||||||
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
|
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
|
||||||
* Add support different keys sizes to CTR_CRBG. Note: using shorter keys
|
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
|
||||||
than 256 bit may decrease security.
|
than 256 bits limits the security of generated material to 128 bits.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix the key_app_writer example which was writing a leading zero byte which
|
* Fix the key_app_writer example which was writing a leading zero byte which
|
||||||
|
12
Makefile
12
Makefile
@ -61,9 +61,21 @@ NULL_ENTROPY_WARN_L3=**** AND IS *NOT* SUITABLE FOR PRODUCTION USE ****\n
|
|||||||
|
|
||||||
NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
|
NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
|
||||||
|
|
||||||
|
WARNING_BORDER_LONG =**********************************************************************************\n
|
||||||
|
CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n
|
||||||
|
CTR_DRBG_128_BIT_KEY_WARN_L2=**** Using 128-bit keys for CTR_DRBG limits the security of generated ****\n
|
||||||
|
CTR_DRBG_128_BIT_KEY_WARN_L3=**** keys and operations that use random values generated to 128-bit security ****\n
|
||||||
|
|
||||||
|
CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG)
|
||||||
|
|
||||||
# Post build steps
|
# Post build steps
|
||||||
post_build:
|
post_build:
|
||||||
ifndef WINDOWS
|
ifndef WINDOWS
|
||||||
|
|
||||||
|
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
|
||||||
|
-scripts/config.pl get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
|
||||||
|
echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
|
||||||
|
|
||||||
# If NULL Entropy is configured, display an appropriate warning
|
# If NULL Entropy is configured, display an appropriate warning
|
||||||
-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
|
-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
|
||||||
echo '$(NULL_ENTROPY_WARNING)'
|
echo '$(NULL_ENTROPY_WARNING)'
|
||||||
|
@ -11,8 +11,8 @@
|
|||||||
* The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
|
* The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
|
||||||
* as the underlying block cipher.
|
* as the underlying block cipher.
|
||||||
*
|
*
|
||||||
* * \warning ARC4 is considered a weak cipher and its use constitutes a
|
* \warning Using 128-bit keys for CTR_DRBG limits the security of generated
|
||||||
* security risk. We recommend considering stronger ciphers instead.
|
* keys and operations that use random values generated to 128-bit security.
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
||||||
|
Loading…
Reference in New Issue
Block a user