
CTR_DRBG: grab a nonce from the entropy source if needed

Change the default entropy nonce length to be nonzero in some cases.
Specifically, the default nonce length is now set in such a way that
the entropy input during the initial seeding always contains enough
entropy to achieve the maximum possible security strength per
NIST SP 800-90A given the key size and entropy length.

If MBEDTLS_CTR_DRBG_ENTROPY_LEN is kept to its default value,
mbedtls_ctr_drbg_seed() now grabs extra entropy for a nonce if
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled and either
MBEDTLS_ENTROPY_FORCE_SHA256 is enabled or MBEDTLS_SHA512_C is
disabled. If MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled, or if
the entropy module uses SHA-512, then the default value of
MBEDTLS_CTR_DRBG_ENTROPY_LEN does not require a second call to the
entropy function to achieve the maximum security strength.

This choice of default nonce size guarantees NIST compliance with the
maximum security strength while keeping backward compatibility and
performance high: in configurations that do not require grabbing more
entropy, the code will not grab more entropy than before.
This commit is contained in:
Gilles Peskine
2019-10-22 20:43:24 +02:00
parent 0ed378aa02
commit e9a3454e09
4 changed files with 88 additions and 41 deletions


@@ -1071,6 +1071,11 @@ depends_on:MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
ctr_drbg_validate_pr:"d4f1f4ae08bcb3e1":"5d4041942bcf68864a4997d8171f1f9fef55a769b7eaf03fe082029bb32a2b9d8239e865c0a42e14b964b9c09de85a20":"":"":"4155320287eedcf7d484c2c2a1e2eb64b9c9ce77c87202a1ae1616c7a5cfd1c687c7a0bfcc85bda48fdd4629fd330c22d0a76076f88fc7cd04037ee06b7af602"
CTR_DRBG entropy usage (entropy_nonce_len=0 by default)
depends_on:!DEFAULT_ENTROPY_NONCE
ctr_drbg_entropy_usage:-1
CTR_DRBG entropy usage (entropy_nonce_len=entropy_len/2 by default)
depends_on:DEFAULT_ENTROPY_NONCE
ctr_drbg_entropy_usage:-1
CTR_DRBG entropy usage (entropy_nonce_len=0)


@@ -3,6 +3,14 @@
#include "mbedtls/ctr_drbg.h"
#include "string.h"
/* mbedtls_ctr_drbg_seed() grabs a nonce by default if the entropy
* length is smaller than 3/2 times the maximum security strength. */
#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
#undef DEFAULT_ENTROPY_NONCE
#else
#define DEFAULT_ENTROPY_NONCE
#endif
/* Modes for ctr_drbg_validate */
enum reseed_mode
{
@@ -215,6 +223,12 @@ void ctr_drbg_entropy_usage( int entropy_nonce_len )
expected_idx += MBEDTLS_CTR_DRBG_ENTROPY_LEN;
if( entropy_nonce_len >= 0 )
expected_idx += entropy_nonce_len;
else
{
#if defined(DEFAULT_ENTROPY_NONCE)
expected_idx += ( MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1 ) / 2;
#endif
}
TEST_EQUAL( test_offset_idx, expected_idx );
/* By default, PR is off and reseed_interval is large,
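Review bot: The expected nonce length at `expected_idx += ( MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1 ) / 2;` and the `DEFAULT_ENTROPY_NONCE` threshold in the first hunk (`#if MBEDTLS_CTR_DRBG_ENTROPY_LEN >= MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2`) each restate the library's default-nonce policy independently, with no comment tying them to the code in mbedtls_ctr_drbg_seed() they presumably mirror; if the library changes its rule, this test would keep passing against a stale expectation or fail with no hint why. I would add above the `+=` line `/* Must match the default nonce length chosen by mbedtls_ctr_drbg_seed(): half the entropy length, rounded up. Keep in sync with the DEFAULT_ENTROPY_NONCE condition at the top of this file. */`, and extend the first hunk's comment to state that the `3 / 2` threshold is a byte comparison against the key size (the security strength in bytes) and that the rounding direction of the integer division is intentional. The `.data` names "entropy_nonce_len=entropy_len/2 by default" would also be more precise as "rounded up", since the function computes `(entropy_len + 1) / 2`. ctr_drbg_entropy_usage() starts before this hunk and its remaining body continues after it.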