DRBG documentation improvements #287
Conversation
* State explicit whether several numbers are in bits or bytes. * Clarify whether buffer pointer parameters can be NULL. * Explain the value of constants that are dependent on the configuration.
gilles-peskine-arm
added
bug
Document that a derivation function is used. Document the security strength of the DRBG depending on the compile-time configuration and how it is set up. In particular, document how the nonce specified in SP 800-90A is set. Mention how to link the ctr_drbg module with the entropy module.
Improve the formatting and writing of the documentation based on what had been done for CTR_DRBG. Document the maximum size and nullability of some buffer parameters.
NIST and many other sources call it a "personalization string", and certainly not "device-specific identifiers" which is actually somewhat misleading since this is just one of many things that might go into a personalization string.
Explain how MBEDTLS_CTR_DRBG_ENTROPY_LEN is set next to the security strength statement, rather than giving a partial explanation (current setting only) in the documentation of MBEDTLS_CTR_DRBG_ENTROPY_LEN.
Separate the cases that achieve a 128-bit strength and the cases that achieve a 256-bit strength.
In particular, don't use #MBEDTLS_xxx on macros that are undefined in some configurations, since this would be typeset with a literal '#'.
It's an on/off feature, so it should be listed in version_features.
gilles-peskine-arm
force-pushed
the
ctr_drbg-doc-nist-crypto
branch
from
5fe1885 to
fa2bea9
Compare
gilles-peskine-arm
added
needs: work
include/mbedtls/hmac_drbg.h
Outdated
| * mbedtls_hmac_drbg_set_entropy_len(). | ||
| * | ||
| * \note The default entropy length is the security strength | ||
| * (converted from bits to bytes). You can override |
There was a problem hiding this comment.
Minor: This sentence is probably missing something like "You can override it with..."
The documentation of CTR_DRBG erroneously claimed that mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy. Fix the documentation and rewrite the discussion of the entropy length and the security strength accordingly.
The documentation of HMAC_DRBG erroneously claimed that mbedtls_hmac_drbg_set_entropy_len() had an impact on the initial seeding. This is in fact not the case: mbedtls_hmac_drbg_seed() forces the entropy length to its chosen value. Fix the documentation.
gilles-peskine-arm
force-pushed
the
ctr_drbg-doc-nist-crypto
branch
from
fa2bea9 to
77d4457
Compare
gilles-peskine-arm
added
needs: review
gilles-peskine-arm
changed the title
This is a variant toggle, not an extra feature, so it should be tested separately.
|
CI failed in the Windows 2013 job. The failure is the CTR_DRBG selftest, The reason the selftest started failing is that I moved I've excluded |
|
The merge job passed except for The head job failed because of some Jenkins wonkiness that's unrelated to the PR. |
| /**< The key size in bytes used by the cipher. | ||
| * | ||
| * Compile-time choice: 16 bytes (128 bits) | ||
| * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled. |
There was a problem hiding this comment.
What's the difference between #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY and \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY? Since I can see that both of these versions are used.
There was a problem hiding this comment.
#MACRO typesets MACRO and links to the definition of MACRO if MACRO is defined, but typesets #MACRO if MACRO is undefined, so it isn't good for preprocessor symbols that may or may not be defined. Hence the use of \c MACRO for symbols that may or may not be defined.
There was a problem hiding this comment.
Shouldn't it be \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY everywhere then? Or will doxygen ignore blocks that won't get compiled?
There was a problem hiding this comment.
It can be #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY here because this comment is surrounded by #ifdef MBEDTLS_CTR_DRBG_USE_128_BIT_KEY.
| * to achieve a 256-bit strength. | ||
| * - When using AES-128 | ||
| * (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled) | ||
| * \p len must be at least 16 (in bytes) |
There was a problem hiding this comment.
Didn't you mention previously that in such case the entropy len has to be at least 24?
128 bits if AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
- and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
- always the case unless it is explicitly set to a different value
- in config.h).
There was a problem hiding this comment.
24 for the initial seeding, 16 for subsequent reseeds. This function only influences subsequent reseeds. MBEDTLS_CTR_DRBG_ENTROPY_LEN influences both.
|
CI ok. PR approved, near-identical PR for 2.16 approved, 2.7 backport approved. This is good to merge. |
gilles-peskine-arm
removed
the
needs: review
* ARMmbed#272: Insert doxygen comments on old algorithms so they appear in PSA documentation * ARMmbed#285: SE driver: make persistent data work * ARMmbed#279: Include IANA reference in the definition of ECC curves and DH groups * ARMmbed#287: DRBG documentation improvements * ARMmbed#297: Fix int overflow in mbedtls_asn1_get_int (Credit to OSS-Fuzz)
Improve the documentation of the CTR_DRBG and HMAC_DRBG modules. This part is a straightfoward forward-port of Mbed-TLS/mbedtls#2860: the 2.16 and 2.19 versions of
hmac_drbg.handctr_drbg.hwere near-identical and I changed them in identical ways.I am working on a separate pull request for the following changes (separate PR because it was getting really messy):
mbedtls_hmac_drbg_seed()andmbedtls_ctr_drbg_seed()overrode the entropy length in the DRBG context, so callingmbedtls_hmac_drbg_set_entropy_len()ormbedtls_ctr_drbg_set_entropy_len()before callingxxx_seed()had no effect. Change thexxx_seed()functions to respect the entropy length set withxxx_set_entropy_len().Backports: 2.16 in Mbed-TLS/mbedtls#2860, 2.7 in Mbed-TLS/mbedtls#2878.
Internal ref: IOTCRYPT-180, IOTCRYPT-457