github/OpenVPNAdapter
3
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-06-01 00:00:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

Squashed 'Sources/mbedTLS/' changes from 14c6762351..f8199650a9

Browse Source 
d8180f8d84 Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted
db649896e6 Merge pull request #2895 from gilles-peskine-arm/drbg-set_entropy_len-2.7
373a7097eb Merge pull request #673 from gilles-peskine-arm/ctr_drbg-aes_fail-2.7
b2be1fca2c Catch AES failure in mbedtls_ctr_drbg_random
df1b3e54c7 Merge pull request #2937 from gilles-peskine-arm/memory_buffer_alloc-fatal-pass-2.7
02fbc08d2e Enable more test cases without MBEDTLS_MEMORY_DEBUG
786f068ec0 More accurate test case description
04d45c98e8 Clarify that the "FATAL" message is expected
c5a016dde1 Merge remote-tracking branch 'restricted/pr/666' into mbedtls-2.7-restricted
e70059df85 Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted
10fcdd25d4 Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7
07597365cd Zeroize local AES variables before exiting the function
dfa4d71873 Add ChangeLog entry
b4edac5616 mpi_lt_mpi_ct: fix condition handling
f4482aaccc mpi_lt_mpi_ct: Add further tests
a776aea91a mpi_lt_mpi_ct: Fix test numbering
1b86eeb06b mpi_lt_mpi_ct perform tests for both limb size
5823961558 ct_lt_mpi_uint: cast the return value explicitely
6adff06e50 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
cff9e6e03d mbedtls_mpi_lt_mpi_ct: simplify condition
8ec2a953af Rename variable for better readability
a2b9a96fb8 mbedtls_mpi_lt_mpi_ct: Improve documentation
51ed14e20f Make mbedtls_mpi_lt_mpi_ct more portable
9741fa6e2b Bignum: Document assumptions about the sign field
9332ecefc8 Add more tests for mbedtls_mpi_lt_mpi_ct
aaa3f22b76 mpi_lt_mpi_ct test: hardcode base 16
3173a53fe9 Document ct_lt_mpi_uint
782cbe592d mpi_lt_mpi_ct: make use of unsigned consistent
db9f449409 ct_lt_mpi_uint: make use of biL
c3b376e2f2 Change mbedtls_mpi_cmp_mpi_ct to check less than
8461c0e2a8 mbedtls_mpi_cmp_mpi_ct: remove multiplications
8de2d45cd7 Remove excess vertical space
c587a32a9c Remove declaration after statement
5f3019b298 Fix side channel vulnerability in ECDSA
883801d3ec Add tests to constant time mpi comparison
e0187b95f0 Add new, constant time mpi comparison
4c575c0270 Note that mbedtls_ctr_drbg_seed() must not be called twice
eab4d701ca Fix CTR_DRBG benchmark
5cf41f80a4 Add ChangeLog entry
82debf8332 ECDSA: Fix side channel vulnerability
093aa517c4 Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
b729e1b9ba CTR_DRBG: support set_entropy_len() before seed()
845ac103a9 CTR_DRBG: Don't use functions before they're defined
9c742249cf HMAC_DRBG: support set_entropy_len() before seed()
c87a54683b Merge pull request #2900 from gilles-peskine-arm/asan-test-fail-2.7
cc656ac96b Merge pull request #2872 from gilles-peskine-arm/test_malloc_0_null-2.7
5ee14d70d2 'make test' must fail if Asan fails
4c2697f43f Asan make builds: avoid sanitizer recovery
260921d3f2 Use UBsan in addition to Asan with 'make test'
c20a4053c3 Unify ASan options in make builds
395d8c1222 Merge remote-tracking branch 'origin/pr/2878' into mbedtls-2.7
55e120b9b2 mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
dff3682477 mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
2abefefec2 mbedtls_ctr_drbg_seed: correct maximum for len
406d25878c Add a note about CTR_DRBG security strength to config.h
f0b3dcb14b CTR_DRBG: more consistent formatting and wording
b9cfe58180 DRBG documentation: Relate f_entropy arguments to the entropy module
97edf5e1e2 Add ChangeLog entry for the DRBG documentation improvements
5cc748e58f Merge remote-tracking branch 'origin/pr/2866' into mbedtls-2.7
d89173066c HMAC_DRBG documentation improvements
2fc6cf5da7 Merge remote-tracking branch 'origin/pr/2704' into mbedtls-2.7
eb99c1028f CTR_DRBG: explain the security strength and the entropy input length
25e1945321 CTR_DRBG documentation improvements
0ab4092e2d Reduce stack usage of test_suite_pkcs1_v15
dd4277f70d Reduce stack usage of test_suite_pkcs1_v21
b3d3973264 Reduce stack usage of test_suite_rsa
6827d1c588 Reduce stack usage of test_suite_pk
0981a5d7ab Add a test component with malloc(0) returning NULL
ea5d3571b0 Add a calloc self-test
d28b9b3c5d Merge remote-tracking branch 'origin/pr/2828' into mbedtls-2.7
9b1c248209 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh
7eb7f8db8b Remove unnecessary memory buffer alloc unsets
6addfdd190 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test
9a461a1cd7 all.sh: restructure memory allocator tests
7aad93c9da Add missing dependency in memory buffer alloc set in all.sh
19aa89ad47 Don't set MBEDTLS_MEMORY_DEBUG through `scripts/config.pl full`
8561115cb8 Add cfg dep MBEDTLS_MEMORY_DEBUG->MBEDTLS_MEMORY_BUFFER_ALLOC_C
167ae43852 Add all.sh run with full config and ASan enabled
f5baaaaf89 Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
e1c62e6641 Update documentation of exceptions for `config.pl full`
c7f97f1c8d Adapt all.sh to removal of buffer allocator from full config
26c333ac01 Disable memory buffer allocator in full config
76ef31116b Check dependencies of MBEDTLS_MEMORY_BACKTRACE in check_config.h
9bf1509ef3 Adapt auth_crypt_tv usage to 2.7
dd91b24764 Add missing dependencies in test_suite_cipher.gcm
d62577fa74 Adapt ChangeLog
311276c871 Add NIST AES GCM test vectors to single-step cipher API test suite

git-subtree-dir: Sources/mbedTLS
git-subtree-split: f8199650a9d49b3982a7b7f3d448899b67b09571
This commit is contained in:
Sergey Abramchuk
2020-08-18 13:51:43 +03:00
parent 1a3a83f332
commit 029ba813cd
29 changed files with 3136 additions and 399 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/mbedtls/ctr_drbg.h
+163 -48
View File
@@ -1,13 +1,38 @@
/**
* \file ctr_drbg.h
*
* \brief CTR_DRBG is based on AES-256, as defined in <em>NIST SP 800-90A:
* Recommendation for Random Number Generation Using Deterministic
* Random Bit Generators</em>.
* \brief The CTR_DRBG pseudorandom generator.
*
* CTR_DRBG is a standardized way of building a PRNG from a block-cipher
* in counter mode operation, as defined in <em>NIST SP 800-90A:
* Recommendation for Random Number Generation Using Deterministic Random
* Bit Generators</em>.
*
* The Mbed TLS implementation of CTR_DRBG uses AES-256
* as the underlying block cipher, with a derivation function.
* The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
* See the documentation of mbedtls_ctr_drbg_seed() for more details.
*
* Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
* here are the security strengths achieved in typical configuration:
* - 256 bits under the default configuration of the library,
* with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
* - 256 bits if #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
* to 32 or more and the DRBG is initialized with an explicit
* nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
* - 128 bits if #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
* between 24 and 47 and the DRBG is not initialized with an explicit
* nonce (see mbedtls_ctr_drbg_seed()).
*
* Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
* - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
* \c MBEDTLS_ENTROPY_FORCE_SHA256 is not enabled at compile time.
* This is the default configuration of the library.
* - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
* - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
*/
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
* Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -59,21 +84,29 @@
* \{
*/
/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
*
* \brief The amount of entropy used per seed by default, in bytes.
*/
#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
/** This is 48 bytes because the entropy module uses SHA-512
* (\c MBEDTLS_ENTROPY_FORCE_SHA256 is not set).
*/
#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
/**< The amount of entropy used per seed by default:
* <ul><li>48 with SHA-512.</li>
* <li>32 with SHA-256.</li></ul>
#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
/** This is 32 bytes because the entropy module uses SHA-256
* (the SHA512 module is disabled or
* \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
*
* \warning To achieve a 256-bit security strength, you must pass a nonce
* to mbedtls_ctr_drbg_seed().
*/
#else
#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32
/**< Amount of entropy used per seed by default:
* <ul><li>48 with SHA-512.</li>
* <li>32 with SHA-256.</li></ul>
*/
#endif
#endif
#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
@@ -92,7 +125,7 @@
#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
/**< The maximum size of seed or reseed buffer. */
/**< The maximum size of seed or reseed buffer in bytes. */
#endif
/* \} name SECTION: Module settings */
@@ -150,17 +183,67 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
* \brief This function seeds and sets up the CTR_DRBG
* entropy source for future reseeds.
*
* \note Personalization data can be provided in addition to the more generic
* entropy source, to make this instantiation as unique as possible.
* A typical choice for the \p f_entropy and \p p_entropy parameters is
* to use the entropy module:
* - \p f_entropy is mbedtls_entropy_func();
* - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
* with mbedtls_entropy_init() (which registers the platform's default
* entropy sources).
*
* The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
* You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
*
* You can provide a personalization string in addition to the
* entropy source, to make this instantiation as unique as possible.
*
* \note The _seed_material_ value passed to the derivation
* function in the CTR_DRBG Instantiate Process
* described in NIST SP 800-90A §10.2.1.3.2
* is the concatenation of the string obtained from
* calling \p f_entropy and the \p custom string.
* The origin of the nonce depends on the value of
* the entropy length relative to the security strength.
* - If the entropy length is at least 1.5 times the
* security strength then the nonce is taken from the
* string obtained with \p f_entropy.
* - If the entropy length is less than the security
* strength, then the nonce is taken from \p custom.
* In this case, for compliance with SP 800-90A,
* you must pass a unique value of \p custom at
* each invocation. See SP 800-90A §8.6.7 for more
* details.
*/
#if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
/** \warning When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
* 48, to achieve a 256-bit security strength,
* you must pass a value of \p custom that is a nonce:
* this value must never be repeated in subsequent
* runs of the same application or on a different
* device.
*/
#endif
/**
* \param ctx The CTR_DRBG context to seed.
* It must have been initialized with
* mbedtls_ctr_drbg_init().
* After a successful call to mbedtls_ctr_drbg_seed(),
* you may not call mbedtls_ctr_drbg_seed() again on
* the same context unless you call
* mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
* again first.
* \param f_entropy The entropy callback, taking as arguments the
* \p p_entropy context, the buffer to fill, and the
length of the buffer.
* \param p_entropy The entropy context.
* \param custom Personalization data, that is device-specific
identifiers. Can be NULL.
* \param len The length of the personalization data.
* length of the buffer.
* \p f_entropy is always called with a buffer size
* equal to the entropy length.
* \param p_entropy The entropy context to pass to \p f_entropy.
* \param custom The personalization string.
* This can be \c NULL, in which case the personalization
* string is empty regardless of the value of \p len.
* \param len The length of the personalization string.
* This must be at most
* #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
* - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
*
* \return \c 0 on success, or
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
@@ -183,7 +266,8 @@ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
* The default value is off.
*
* \note If enabled, entropy is gathered at the beginning of
* every call to mbedtls_ctr_drbg_random_with_add().
* every call to mbedtls_ctr_drbg_random_with_add()
* or mbedtls_ctr_drbg_random().
* Only use this if your entropy source has sufficient
* throughput.
*
@@ -195,18 +279,29 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
/**
* \brief This function sets the amount of entropy grabbed on each
* seed or reseed. The default value is
* #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
* seed or reseed.
*
* The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
*
* \note The security strength of CTR_DRBG is bounded by the
* entropy length. Thus \p len must be at least
* 32 (in bytes) to achieve a 256-bit strength.
*
* \param ctx The CTR_DRBG context.
* \param len The amount of entropy to grab.
* \param len The amount of entropy to grab, in bytes.
* This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
*/
void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
size_t len );
/**
* \brief This function sets the reseed interval.
* The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
*
* The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
* or mbedtls_ctr_drbg_random_with_add() after which the entropy function
* is called again.
*
* The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
*
* \param ctx The CTR_DRBG context.
* \param interval The reseed interval.
@@ -219,8 +314,12 @@ void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
* extracts data from the entropy source.
*
* \param ctx The CTR_DRBG context.
* \param additional Additional data to add to the state. Can be NULL.
* \param additional Additional data to add to the state. Can be \c NULL.
* \param len The length of the additional data.
* This must be less than
* #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
* where \c entropy_len is the entropy length
* configured for the context.
*
* \return \c 0 on success, or
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
@@ -232,7 +331,8 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
* \brief This function updates the state of the CTR_DRBG context.
*
* \param ctx The CTR_DRBG context.
* \param additional The data to update the state with.
* \param additional The data to update the state with. This must not be
* \c NULL unless \p add_len is \c 0.
* \param add_len Length of \p additional in bytes. This must be at
* most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
*
@@ -258,8 +358,10 @@ int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
* The remaining Bytes are silently discarded.
*
* \param ctx The CTR_DRBG context.
* \param additional The data to update the state with.
* \param add_len Length of \p additional data.
* \param additional The data to update the state with. This must not be
* \c NULL unless \p add_len is \c 0.
* \param add_len Length of \p additional data. This must be at
* most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
*/
void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
const unsigned char *additional,
@@ -269,17 +371,26 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
* \brief This function updates a CTR_DRBG instance with additional
* data and uses it to generate random data.
*
* \note The function automatically reseeds if the reseed counter is exceeded.
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
* \param output_len The length of the buffer.
* \param additional Additional data to update. Can be NULL.
* \param add_len The length of the additional data.
* \param output_len The length of the buffer in bytes.
* \param additional Additional data to update. Can be \c NULL, in which
* case the additional data is empty regardless of
* the value of \p add_len.
* \param add_len The length of the additional data
* if \p additional is not \c NULL.
* This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
* and less than
* #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
* where \c entropy_len is the entropy length
* configured for the context.
*
* \return \c 0 on success, or
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
*/
int mbedtls_ctr_drbg_random_with_add( void *p_rng,
@@ -289,15 +400,17 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
/**
* \brief This function uses CTR_DRBG to generate random data.
*
* \note The function automatically reseeds if the reseed counter is exceeded.
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
*
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
* \param output_len The length of the buffer.
* \param output_len The length of the buffer in bytes.
*
* \return \c 0 on success, or
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
*/
int mbedtls_ctr_drbg_random( void *p_rng,
@@ -310,9 +423,9 @@ int mbedtls_ctr_drbg_random( void *p_rng,
* \param ctx The CTR_DRBG context.
* \param path The name of the file.
*
* \return \c 0 on success,
* #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, or
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
* failure.
*/
int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
@@ -324,10 +437,12 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char
* \param ctx The CTR_DRBG context.
* \param path The name of the file.
*
* \return \c 0 on success,
* #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error,
* #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG on failure.
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
* reseed failure.
* \return #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
* seed file is too large.
*/
int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
#endif /* MBEDTLS_FS_IO */