1010 * Bit Generators</em>.
1111 *
1212 * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
13- * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
14- * as the underlying block cipher, with a derivation function.
15- * The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
16- * See the documentation of mbedtls_ctr_drbg_seed() for more details.
17- *
18- * Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
19- * here are the security strengths achieved in typical configuration:
20- * - 256 bits under the default configuration of the library, with AES-256
21- * and with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
22- * - 256 bits if AES-256 is used, #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
23- * to 32 or more, and the DRBG is initialized with an explicit
24- * nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
25- * - 128 bits if AES-256 is used but #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
26- * between 24 and 47 and the DRBG is not initialized with an explicit
27- * nonce (see mbedtls_ctr_drbg_seed()).
28- * - 128 bits if AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
29- * and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
30- * always the case unless it is explicitly set to a different value
31- * in config.h).
13+ * (if #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
14+ * as the underlying block cipher, with a derivation function. The security
15+ * strength is the smaller of the AES key size and the entropy length.
3216 *
3317 * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
34- * - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
35- * \c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled at compile time.
18+ * - \c 48 bytes if the module # MBEDTLS_SHA512_C is enabled and the symbol
19+ * # MBEDTLS_ENTROPY_FORCE_SHA256 is not enabled at compile time.
3620 * This is the default configuration of the library.
37- * - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
38- * - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
21+ * - \c 32 bytes if the module #MBEDTLS_SHA512_C is disabled at compile time.
22+ * - \c 32 bytes if #MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
23+ *
24+ * This is always sufficient to reach the maximum security strength that can
25+ * be achieved given the AES key size.
3926 */
4027/*
4128 * Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
123110 * (the SHA512 module is disabled or
124111 * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
125112 */
126- #if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY )
127- /** \warning To achieve a 256-bit security strength, you must pass a nonce
128- * to mbedtls_ctr_drbg_seed().
129- */
130- #endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
131113#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32
132114#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
133115#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
134116
117+ /** The length of the nonce for the initial seeding.
118+ *
119+ * This implementation always reads a nonce from the entropy source.
120+ */
121+ #define MBEDTLS_CTR_DRBG_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN / 2)
122+
135123#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL )
136124#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
137125/**< The interval before reseed is performed by default. */
@@ -214,7 +202,7 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
214202 * with mbedtls_entropy_init() (which registers the platform's default
215203 * entropy sources).
216204 *
217- * \p f_entropy is always called with a buffer size equal to the entropy
205+ * \p f_entropy is always called with a buffer size less or equal to the entropy
218206 * length. The entropy length is initially #MBEDTLS_CTR_DRBG_ENTROPY_LEN
219207 * and this value is always used for the initial seeding. You can change
220208 * the entropy length for subsequent seeding by calling
@@ -223,34 +211,16 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
223211 * You can provide a personalization string in addition to the
224212 * entropy source, to make this instantiation as unique as possible.
225213 *
226- * \note The _seed_material_ value passed to the derivation
227- * function in the CTR_DRBG Instantiate Process
228- * described in NIST SP 800-90A §10.2.1.3.2
229- * is the concatenation of the string obtained from
230- * calling \p f_entropy and the \p custom string.
231- * The origin of the nonce depends on the value of
232- * the entropy length relative to the security strength.
233- * - If the entropy length is at least 1.5 times the
234- * security strength then the nonce is taken from the
235- * string obtained with \p f_entropy.
236- * - If the entropy length is less than the security
237- * strength, then the nonce is taken from \p custom.
238- * In this case, for compliance with SP 800-90A,
239- * you must pass a unique value of \p custom at
240- * each invocation. See SP 800-90A §8.6.7 for more
241- * details.
242- */
243- #if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
244- /** \warning When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
245- * #MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2, to achieve the
246- * maximum security strength permitted by CTR_DRBG,
247- * you must pass a value of \p custom that is a nonce:
248- * this value must never be repeated in subsequent
249- * runs of the same application or on a different
250- * device.
251- */
252- #endif
253- /**
214+ * The _seed_material_ value passed to the derivation
215+ * function in the CTR_DRBG Instantiate Process
216+ * described in NIST SP 800-90A §10.2.1.3.2
217+ * is the concatenation of:
218+ * - the entropy input, obtained by calling \p f_entropy for
219+ * #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes;
220+ * - the nonce, obtained by calling \p f_entropy for
221+ * #MBEDTLS_CTR_DRBG_NONCE_LEN bytes;
222+ * - the \p custom string.
223+ *
254224 * \param ctx The CTR_DRBG context to seed.
255225 * \param f_entropy The entropy callback, taking as arguments the
256226 * \p p_entropy context, the buffer to fill, and the
@@ -263,6 +233,7 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
263233 * This must be at most
264234 * #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
265235 * - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
236+ * - #MBEDTLS_CTR_DRBG_NONCE_LEN.
266237 *
267238 * \return \c 0 on success.
268239 * \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
@@ -302,22 +273,8 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
302273 *
303274 * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
304275 *
305- * \note The security strength of CTR_DRBG is bounded by the
306- * entropy length. Thus:
307- * - When using AES-256
308- * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
309- * which is the default),
310- * \p len must be at least 32 (in bytes)
311- * to achieve a 256-bit strength.
312- * - When using AES-128
313- * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
314- * \p len must be at least 16 (in bytes)
315- * to achieve a 128-bit strength.
316- *
317- * \note The initial seeding of the CTR_DRBG instance always
318- * grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes. See
319- * the documentation of mbedtls_ctr_drbg_seed()
320- * for more information.
276+ * This function has no effect on the initial seeding,
277+ * even if you call it before mbedtls_ctr_drbg_seed().
321278 *
322279 * \param ctx The CTR_DRBG context.
323280 * \param len The amount of entropy to grab, in bytes.
@@ -502,7 +459,7 @@ int mbedtls_ctr_drbg_self_test( int verbose );
502459/* Internal functions (do not call directly) */
503460int mbedtls_ctr_drbg_seed_entropy_len ( mbedtls_ctr_drbg_context * ,
504461 int (* )(void * , unsigned char * , size_t ), void * ,
505- const unsigned char * , size_t , size_t );
462+ const unsigned char * , size_t , size_t , size_t );
506463
507464#ifdef __cplusplus
508465}