From 4b91986a763546b32a370f7840599cb351cbad2d Mon Sep 17 00:00:00 2001
From: "ENT\\stroej1"
Date: Wed, 23 Dec 2020 17:28:33 -0600
Subject: [PATCH 01/10] Fixed seed variable concatenation pointer.

Signed-off-by: ENT\stroej1
---
 library/ctr_drbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 023aac51a3..0a46967f62 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -394,7 +394,7 @@ static int mbedtls_ctr_drbg_reseed_internal( mbedtls_ctr_drbg_context *ctx,
 /* Gather entropy for a nonce if requested. */
 if( nonce_len != 0 )
 {
- if( 0 != ctx->f_entropy( ctx->p_entropy, seed, nonce_len ) )
+ if( 0 != ctx->f_entropy( ctx->p_entropy, seed + seedlen, nonce_len ) )
 {
 return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
 }

From 1446211e5e0c621ae8823cfce43626a7c98975f3 Mon Sep 17 00:00:00 2001
From: "ENT\\stroej1"
Date: Thu, 24 Dec 2020 12:23:28 -0600
Subject: [PATCH 02/10] Update self-test vectors to include nonce and test it as part of reseeding.

Signed-off-by: ENT\stroej1
---
 library/ctr_drbg.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 0a46967f62..ce364dfc4d 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
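Review bot: The corrected destination `seed + seedlen` is only right if `seedlen` already counts the entropy-input bytes gathered before this block and is advanced by `nonce_len` after it; neither step is inside the hunk, and mbedtls_ctr_drbg_reseed_internal continues on both sides of it. A one-line comment would pin that invariant for the next reader, e.g. `/* The nonce is appended after the entropy input already in seed[0..seedlen). */`. The old code wrote the nonce at offset 0, on top of the entropy input, so the bytes later counted as nonce were whatever the buffer held at that offset — a constant, per the ChangeLog wording in patch 07 — which is why this is a security fix rather than a plain bug fix. It is also worth confirming that the total `seedlen` after the nonce and any additional input is still compared against MBEDTLS_CTR_DRBG_MAX_SEED_INPUT later in the function, since the nonce now occupies extra buffer space instead of overlapping the entropy.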
@@ -718,20 +718,20 @@ static const unsigned char nonce_pers_nopr[16] = #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) static const unsigned char result_pr[16] = - { 0x95, 0x3c, 0xa5, 0xbd, 0x44, 0x1, 0x34, 0xb7, - 0x13, 0x58, 0x3e, 0x6a, 0x6c, 0x7e, 0x88, 0x8a }; + { 0x41, 0x23, 0x0c, 0xd8, 0xad, 0x3f, 0x82, 0xfb, + 0x08, 0x2d, 0xe7, 0xbe, 0x6f, 0x84, 0x88, 0x94 }; static const unsigned char result_nopr[16] = - { 0x6c, 0x25, 0x27, 0x95, 0xa3, 0x62, 0xd6, 0xdb, - 0x90, 0xfd, 0x69, 0xb5, 0x42, 0x9, 0x4b, 0x84 }; + { 0x6f, 0x91, 0x56, 0xa3, 0xde, 0x0f, 0x7f, 0x01, + 0x96, 0x93, 0xd9, 0x43, 0x5f, 0xc7, 0x56, 0xb6 }; #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static const unsigned char result_pr[16] = - { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f, - 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 }; + { 0x4b, 0x78, 0xa5, 0xec, 0x88, 0xc0, 0xfc, 0x0c, + 0x28, 0xfb, 0xe1, 0x7a, 0x6e, 0x5e, 0xeb, 0xf7 }; static const unsigned char result_nopr[16] = - { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88, - 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f }; + { 0x19, 0x94, 0xfd, 0xe3, 0x11, 0xe8, 0x73, 0x0f, + 0xaa, 0x33, 0xc2, 0x00, 0x19, 0x2c, 0xd9, 0x4d }; #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static size_t test_offset; @@ -769,7 +769,7 @@ int mbedtls_ctr_drbg_self_test( int verbose ) test_offset = 0; mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 ); - mbedtls_ctr_drbg_set_nonce_len( &ctx, 0 ); + mbedtls_ctr_drbg_set_nonce_len( &ctx, 16 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_pr, @@ -794,7 +794,7 @@ int mbedtls_ctr_drbg_self_test( int verbose ) test_offset = 0; mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 ); - mbedtls_ctr_drbg_set_nonce_len( &ctx, 0 ); + mbedtls_ctr_drbg_set_nonce_len( &ctx, 16 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_nopr, From 6a5f10cdc72c7359df9abeba4895a970ba8ad053 Mon Sep 17 00:00:00 2001 
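Review bot: Setting the nonce length to 16 in both self-test paths draws 16 more bytes from `entropy_source_pr` and `entropy_source_nopr` per run, but this commit leaves those arrays at their old sizes (96 and 64 bytes, per the lines patch 04 removes). With entropy_len 32, the PR path consumes 32 + 16 at seeding plus 32 for each of the two prediction-resistance reseeds, 112 bytes in total, and the NOPR path 48 plus 32 for the explicit reseed, 80 bytes, so if `ctr_drbg_self_test_entropy` copies from `test_offset` without a bounds check (the helper is outside these hunks) the last 16 bytes of each run are read past the end of the array. Patch 04 grows the arrays to exactly 112 and 80, which matches this count, but no commit in the series makes the budget explicit; a comment above each array such as `/* Consumed in order: seed entropy, nonce, then one entropy_len block per reseed. */` and, where the helper can know the array length, a guard returning non-zero when `test_offset + len` exceeds it would keep a future vector change from silently reading out of bounds. The same applies to the `[]`-sized arrays patch 05 introduces.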
From: "ENT\\stroej1" Date: Thu, 24 Dec 2020 12:39:13 -0600 Subject: [PATCH 03/10] Added ChangeLog entry for related issue. Signed-off-by: ENT\stroej1 --- ChangeLog.d/issue3819.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/issue3819.txt diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt new file mode 100644 index 0000000000..927b6a2b32 --- /dev/null +++ b/ChangeLog.d/issue3819.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix incorrect seed generation when a nonce is included + in mbedtls_ctr_drbg_reseed_internal. + Found by John Stroebel in #3819 and fixed in #3973. From a0deec050931a334d762a1344b3ac18fe1d6b7ae Mon Sep 17 00:00:00 2001 From: "ENT\\stroej1" Date: Thu, 24 Dec 2020 15:26:27 -0600 Subject: [PATCH 04/10] Extended test vectors to accomodate addition of nonce to test input array and updated results. Signed-off-by: ENT\stroej1 --- library/ctr_drbg.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index ce364dfc4d..8a5bc49a2b 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -684,7 +684,7 @@ exit: #if defined(MBEDTLS_SELF_TEST) -static const unsigned char entropy_source_pr[96] = +static const unsigned char entropy_source_pr[112] = { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16, 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02, 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b, 
@@ -696,9 +696,11 @@ static const unsigned char entropy_source_pr[96] = 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31, 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4, 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56, - 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 }; + 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68, + 0x0c, 0xbe, 0x99, 0x82, 0x15, 0x09, 0x97, 0x5d, + 0x82, 0x4f, 0xd8, 0x26, 0xc4, 0x7d, 0x2a, 0xbc }; -static const unsigned char entropy_source_nopr[64] = +static const unsigned char entropy_source_nopr[80] = { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14, 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe, 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d, @@ -706,7 +708,9 @@ static const unsigned char entropy_source_nopr[64] = 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9, 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46, 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e, - 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e }; + 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e, + 0xd4, 0xdd, 0x3a, 0xe9, 0x8e, 0x45, 0x65, 0x59, + 0x0e, 0x5b, 0x03, 0xc8, 0x7a, 0x77, 0xce, 0x59 }; static const unsigned char nonce_pers_pr[16] = { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2, 
@@ -718,20 +722,20 @@ static const unsigned char nonce_pers_nopr[16] = #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) static const unsigned char result_pr[16] = - { 0x41, 0x23, 0x0c, 0xd8, 0xad, 0x3f, 0x82, 0xfb, - 0x08, 0x2d, 0xe7, 0xbe, 0x6f, 0x84, 0x88, 0x94 }; + { 0x77, 0x84, 0x98, 0x63, 0xad, 0x37, 0xcc, 0xf3, + 0x17, 0x66, 0xb2, 0xa5, 0x06, 0x8c, 0xa9, 0x4f }; static const unsigned char result_nopr[16] = - { 0x6f, 0x91, 0x56, 0xa3, 0xde, 0x0f, 0x7f, 0x01, - 0x96, 0x93, 0xd9, 0x43, 0x5f, 0xc7, 0x56, 0xb6 }; + { 0xd0, 0xf2, 0xc7, 0x7e, 0x12, 0x08, 0xf3, 0xcb, + 0xf1, 0xbc, 0xd9, 0xff, 0x33, 0x6b, 0x7c, 0xa8 }; #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static const unsigned char result_pr[16] = - { 0x4b, 0x78, 0xa5, 0xec, 0x88, 0xc0, 0xfc, 0x0c, - 0x28, 0xfb, 0xe1, 0x7a, 0x6e, 0x5e, 0xeb, 0xf7 }; + { 0xd5, 0x9e, 0xbb, 0xda, 0x5c, 0xb1, 0xd7, 0x60, + 0x15, 0x18, 0x28, 0x82, 0xd9, 0xd5, 0x71, 0x51 }; static const unsigned char result_nopr[16] = - { 0x19, 0x94, 0xfd, 0xe3, 0x11, 0xe8, 0x73, 0x0f, - 0xaa, 0x33, 0xc2, 0x00, 0x19, 0x2c, 0xd9, 0x4d }; + { 0xfd, 0x43, 0xf2, 0xf6, 0x44, 0x6c, 0x62, 0xbf, + 0x9d, 0xd3, 0x6e, 0xfa, 0xdd, 0xc7, 0x2c, 0x02 }; #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static size_t test_offset; From df307002cfbae26d0143995a5b13b8a9434e5d88 Mon Sep 17 00:00:00 2001 From: "ENT\\stroej1" Date: Sat, 26 Dec 2020 12:41:04 -0600 Subject: [PATCH 05/10] Updated self test to use NIST test vectors and produce proper result. Signed-off-by: ENT\stroej1 --- library/ctr_drbg.c | 175 +++++++++++++++++++++++++++++---------------- 1 file changed, 114 insertions(+), 61 deletions(-) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 8a5bc49a2b..51a4129eb1 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c 
@@ -684,58 +684,111 @@ exit: #if defined(MBEDTLS_SELF_TEST) -static const unsigned char entropy_source_pr[112] = - { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16, - 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02, - 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b, - 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb, - 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9, - 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95, - 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63, - 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3, - 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31, - 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4, - 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56, - 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68, - 0x0c, 0xbe, 0x99, 0x82, 0x15, 0x09, 0x97, 0x5d, - 0x82, 0x4f, 0xd8, 0x26, 0xc4, 0x7d, 0x2a, 0xbc }; - -static const unsigned char entropy_source_nopr[80] = - { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14, - 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe, - 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d, - 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20, - 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9, - 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46, - 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e, - 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e, - 0xd4, 0xdd, 0x3a, 0xe9, 0x8e, 0x45, 0x65, 0x59, - 0x0e, 0x5b, 0x03, 0xc8, 0x7a, 0x77, 0xce, 0x59 }; - -static const unsigned char nonce_pers_pr[16] = - { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2, - 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c }; - -static const unsigned char nonce_pers_nopr[16] = - { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5, - 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f }; - #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) -static const unsigned char result_pr[16] = - { 0x77, 0x84, 0x98, 0x63, 0xad, 0x37, 0xcc, 0xf3, - 0x17, 0x66, 0xb2, 0xa5, 0x06, 0x8c, 0xa9, 0x4f }; +static const unsigned char entropy_source_pr[] = + { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb, + 0xf1, 0x08, 
0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92, + 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8, + 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20, + 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0, + 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad, + 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 }; -static const unsigned char result_nopr[16] = - { 0xd0, 0xf2, 0xc7, 0x7e, 0x12, 0x08, 0xf3, 0xcb, - 0xf1, 0xbc, 0xd9, 0xff, 0x33, 0x6b, 0x7c, 0xa8 }; +static const unsigned char entropy_source_nopr[] = + { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45, + 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9, + 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20, + 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f, + 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c }; + +static const unsigned char nonce_pers_pr[] = + { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a, + 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad }; + +static const unsigned char nonce_pers_nopr[] = + { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c, + 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f }; + +static const unsigned char result_pr[] = + { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66, + 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff, + 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10, + 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30, + 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4, + 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc, + 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06, + 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf }; + +static const unsigned char result_nopr[] = + { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13, + 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0, + 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf, + 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2, + 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7, + 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2, + 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02, + 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 }; #else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ 
-static const unsigned char result_pr[16] = - { 0xd5, 0x9e, 0xbb, 0xda, 0x5c, 0xb1, 0xd7, 0x60, - 0x15, 0x18, 0x28, 0x82, 0xd9, 0xd5, 0x71, 0x51 }; -static const unsigned char result_nopr[16] = - { 0xfd, 0x43, 0xf2, 0xf6, 0x44, 0x6c, 0x62, 0xbf, - 0x9d, 0xd3, 0x6e, 0xfa, 0xdd, 0xc7, 0x2c, 0x02 }; +static const unsigned char entropy_source_pr[] = + { 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49, + 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a, + 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85, + 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e, + 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15, + 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45, + 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8, + 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c, + 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3, + 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce, + 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e, + 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76, + 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77, + 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe }; + +static const unsigned char entropy_source_nopr[] = + { 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d, + 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0, + 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73, + 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c, + 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2, + 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1, + 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a, + 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb, + 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a, + 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 }; + +static const unsigned char nonce_pers_pr[] = + { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33, + 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e, + 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0, + 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 }; + +static const unsigned char nonce_pers_nopr[] = + { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29, + 0x4b, 0xda, 0xcd, 0x60, 0x99, 
0xeb, 0xe4, 0xbf, + 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb, + 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b }; + +static const unsigned char result_pr[] = + { 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85, + 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d, + 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62, + 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d, + 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb, + 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39, + 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40, + 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 }; + +static const unsigned char result_nopr[] = + { 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad, + 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3, + 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b, + 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14, + 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54, + 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30, + 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a, + 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 }; #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */ static size_t test_offset; @@ -761,7 +814,7 @@ static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf, int mbedtls_ctr_drbg_self_test( int verbose ) { mbedtls_ctr_drbg_context ctx; - unsigned char buf[16]; + unsigned char buf[64]; mbedtls_ctr_drbg_init( &ctx ); 
@@ -772,16 +825,16 @@ int mbedtls_ctr_drbg_self_test( int verbose ) mbedtls_printf( " CTR_DRBG (PR = TRUE) : " ); test_offset = 0; - mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 ); - mbedtls_ctr_drbg_set_nonce_len( &ctx, 16 ); + mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE ); + mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE >> 1 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_pr, - nonce_pers_pr, 16 ) ); + nonce_pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); - CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); + CHK( memcmp( buf, result_pr, 64 ) ); mbedtls_ctr_drbg_free( &ctx ); @@ -797,16 +850,16 @@ int mbedtls_ctr_drbg_self_test( int verbose ) mbedtls_ctr_drbg_init( &ctx ); test_offset = 0; - mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 ); - mbedtls_ctr_drbg_set_nonce_len( &ctx, 16 ); + mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE); + mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE >> 1 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_nopr, - nonce_pers_nopr, 16 ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); + nonce_pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); - CHK( memcmp( buf, result_nopr, 16 ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); + CHK( memcmp( buf, result_nopr, 64 ) ); mbedtls_ctr_drbg_free( &ctx ); From 70f63d08836ac6907ecf7ea2b626db8af9565f38 Mon Sep 17 00:00:00 2001 
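Review bot: The PR = FALSE path now calls seed, reseed, random, random, memcmp and the PR = TRUE path seed, random, random, memcmp, which appears to mirror the instantiate/reseed/generate/generate sequence of the NIST vector files named in patch 06, but nothing in the function says so, so a reader cannot tell why the first `mbedtls_ctr_drbg_random()` output is thrown away; a comment on each pair such as `/* First generate is discarded, second is compared, as in the NIST vector files. */` would make the intent explicit. On the NOPR branch `mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE);` drops the space before `)` that the file's style and the PR branch use, and patch 07 leaves it that way. Both calls to `mbedtls_ctr_drbg_random()` in the PR path trigger a reseed from the entropy callback, so the two 64-byte outputs here are the reason `entropy_source_pr` carries two extra entropy_len blocks; that link is worth stating next to the calls.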
From: "ENT\\stroej1" Date: Mon, 28 Dec 2020 08:50:23 -0600 Subject: [PATCH 06/10] Added references to the NIST test data used in the self-test function. Signed-off-by: ENT\stroej1 --- library/ctr_drbg.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 51a4129eb1..7958041d52 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -684,6 +684,29 @@ exit: #if defined(MBEDTLS_SELF_TEST) +/* The CTR_DRBG NIST test vectors used here are available at + * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip + * + * The parameters used to derive the test data are: + * + * [AES-128 use df] + * [PredictionResistance = True/False] + * [EntropyInputLen = 128] + * [NonceLen = 64] + * [PersonalizationStringLen = 128] + * [AdditionalInputLen = 0] + * [ReturnedBitsLen = 512] + * + * [AES-256 use df] + * [PredictionResistance = True/False] + * [EntropyInputLen = 256] + * [NonceLen = 128] + * [PersonalizationStringLen = 256] + * [AdditionalInputLen = 0] + * [ReturnedBitsLen = 512] + * + */ + #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) static const unsigned char entropy_source_pr[] = { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb, From d4de1b5d4e99c7f14d2d6713124b3fd6d2e48d11 Mon Sep 17 00:00:00 2001 From: stroebeljc Date: Mon, 4 Jan 2021 18:14:32 -0600 Subject: [PATCH 07/10] Updated per comments from @gilles-peskine-arm. Signed-off-by: stroebeljc --- ChangeLog.d/issue3819.txt | 7 ++++--- library/ctr_drbg.c | 32 +++++++++++++++++--------------- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 927b6a2b32..7723c650f7 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt 
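Review bot: The new comment gives the NIST parameter set but not which COUNT entry of the CTR_DRBG vector file the bytes were taken from, so a maintainer cannot re-verify `entropy_source_*`, `nonce_pers_*` and `result_*` against the zip without trying every entry; add a line like ` * Vectors are the COUNT = <index> entries of the PR = True and PR = False files.` with the actual indices filled in. It would also help to state the byte layout of each `entropy_source_*` array (instantiate entropy, then nonce, then one block per reseed), since the arrays are now `[]`-sized and, judging by the `test_offset` state visible in patch 05, appear to be consumed sequentially by the self-test callback. A note that `MBEDTLS_CTR_DRBG_KEYSIZE` selects between the two parameter sets, and that NonceLen is half the key size in both, would tie the comment to the `set_entropy_len`/`set_nonce_len` calls in the self-test.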
@@ -1,4 +1,5 @@ -Bugfix - * Fix incorrect seed generation when a nonce is included - in mbedtls_ctr_drbg_reseed_internal. +Security + * Fix a security reduction error that caused all bits of the nonce + to be zero in mbedtls_ctr_drbg_reseed_internal. This prevented + the security strength from reaching the level required by NIST. Found by John Stroebel in #3819 and fixed in #3973. diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 7958041d52..3815dc7ca8 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -724,11 +724,11 @@ static const unsigned char entropy_source_nopr[] = 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f, 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c }; -static const unsigned char nonce_pers_pr[] = +static const unsigned char pers_pr[] = { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a, 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad }; -static const unsigned char nonce_pers_nopr[] = +static const unsigned char pers_nopr[] = { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c, 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f }; @@ -781,13 +781,13 @@ static const unsigned char entropy_source_nopr[] = 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a, 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 }; -static const unsigned char nonce_pers_pr[] = +static const unsigned char pers_pr[] = { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33, 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e, 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0, 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 }; -static const unsigned char nonce_pers_nopr[] = +static const unsigned char pers_nopr[] = { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29, 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf, 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb, 
@@ -831,13 +831,15 @@ static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf, return( 1 ); \ } +#define SELF_TEST_OUPUT_DISCARD_LENGTH 64 + /* * Checkup routine */ int mbedtls_ctr_drbg_self_test( int verbose ) { mbedtls_ctr_drbg_context ctx; - unsigned char buf[64]; + unsigned char buf[ sizeof( result_pr ) ]; mbedtls_ctr_drbg_init( &ctx ); @@ -849,15 +851,15 @@ int mbedtls_ctr_drbg_self_test( int verbose ) test_offset = 0; mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE ); - mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE >> 1 ); + mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_pr, - nonce_pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); + pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); - CHK( memcmp( buf, result_pr, 64 ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) ); + CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) ); mbedtls_ctr_drbg_free( &ctx ); 
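Review bot: The new macro `SELF_TEST_OUPUT_DISCARD_LENGTH` misspells OUTPUT; rename it `SELF_TEST_OUTPUT_DISCARD_LENGTH` before it spreads (it is used in both self-test hunks here and again in the `@@ -874` hunk that follows). Sizing the buffer as `buf[ sizeof( result_pr ) ]` while the NOPR path writes `sizeof( result_nopr )` bytes into it and both paths write `SELF_TEST_OUPUT_DISCARD_LENGTH` (64) bytes only works because all three lengths happen to be 64 today; if a vector set with a different ReturnedBitsLen is ever dropped in, the discard call or the NOPR call overflows a stack buffer inside the self-test. A cheap guard is to size the buffer from the largest value it is written with, e.g. `unsigned char buf[ sizeof( result_pr ) > sizeof( result_nopr ) ? sizeof( result_pr ) : sizeof( result_nopr ) ];`, and to define the discard length as `sizeof( result_pr )` rather than a bare 64, or at least to add a comment stating that the three lengths must stay equal.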
@@ -874,15 +876,15 @@ int mbedtls_ctr_drbg_self_test( int verbose ) test_offset = 0; mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE); - mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE >> 1 ); + mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 ); CHK( mbedtls_ctr_drbg_seed( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_nopr, - nonce_pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); + pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) ); CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); - CHK( mbedtls_ctr_drbg_random( &ctx, buf, 64 ) ); - CHK( memcmp( buf, result_nopr, 64 ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) ); + CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) ); + CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) ); mbedtls_ctr_drbg_free( &ctx ); From 2b50d7897226abc25aaac0752dbc7cf6cc5aff85 Mon Sep 17 00:00:00 2001 From: stroebeljc Date: Mon, 4 Jan 2021 18:17:35 -0600 Subject: [PATCH 08/10] Fixed incorrect change log formatting. Signed-off-by: stroebeljc --- ChangeLog.d/issue3819.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 7723c650f7..38b483a586 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt @@ -1,5 +1,5 @@ Security * Fix a security reduction error that caused all bits of the nonce to be zero in mbedtls_ctr_drbg_reseed_internal. This prevented - the security strength from reaching the level required by NIST. + the security strength from reaching the level required by NIST. Found by John Stroebel in #3819 and fixed in #3973. From e67ba98581861f8e07bb808050b7ee37ec25f778 Mon Sep 17 00:00:00 2001 From: stroebeljc Date: Mon, 4 Jan 2021 18:19:29 -0600 Subject: [PATCH 09/10] Fixed verb tense in change log. 
Signed-off-by: stroebeljc --- ChangeLog.d/issue3819.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 38b483a586..58e55c1f12 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt @@ -1,5 +1,5 @@ Security - * Fix a security reduction error that caused all bits of the nonce - to be zero in mbedtls_ctr_drbg_reseed_internal. This prevented + * Fix a security reduction error that causes all bits of the nonce + to be zero in mbedtls_ctr_drbg_reseed_internal. This prevents the security strength from reaching the level required by NIST. Found by John Stroebel in #3819 and fixed in #3973. From 03ee3834a0c848cf0daa77c2700478ab5ff0f024 Mon Sep 17 00:00:00 2001 From: stroebeljc Date: Tue, 5 Jan 2021 11:28:30 -0600 Subject: [PATCH 10/10] Updated change description as suggested by @gilles-peskine-arm. Signed-off-by: stroebeljc --- ChangeLog.d/issue3819.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 58e55c1f12..e41520f46c 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt @@ -1,5 +1,10 @@ Security - * Fix a security reduction error that causes all bits of the nonce - to be zero in mbedtls_ctr_drbg_reseed_internal. This prevents - the security strength from reaching the level required by NIST. + * Fix a security reduction in CTR_DRBG when the initial seeding obtained a + nonce from entropy. Applications were affected if they called + mbedtls_ctr_drbg_set_nonce_len(), if they called + mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key + length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. + In such cases, a random nonce was necessary to achieve the advertised + security strength, but the code incorrectly used a constant instead of + entropy from the nonce. Found by John Stroebel in #3819 and fixed in #3973.