Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy #293
Merged: gilles-peskine-arm merged 7 commits into ARMmbed:development from gilles-peskine-arm:entropy-min on Nov 26, 2019
Conversation
Always pass a context object to entropy_dummy_source. This lets us write tests that register more than one source and keep track of how many times each one is called.
There were tests to ensure that each entropy source reaches its threshold, but no test that covers the total amount of entropy. Add test cases with a known set of entropy sources and make sure that we always gather at least MBEDTLS_ENTROPY_BLOCK_SIZE bytes from a strong source.
mbedtls_entropy_func returns up to MBEDTLS_ENTROPY_BLOCK_SIZE bytes. This is the output of a hash function and does not indicate how many bytes of entropy went into the hash computation. Enforce that mbedtls_entropy_func gathers a total of MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. Weak sources don't count for this calculation. This is complementary to the per-source threshold mechanism. In particular, we define system sources with a threshold of 32. But when using SHA-512 for the entropy accumulator, MBEDTLS_ENTROPY_BLOCK_SIZE = 64, so users can expect 64 bytes' worth of entropy. Before, you only got 64 bytes of entropy if there were two sources. Now you get 64 bytes of entropy even with a single source with a threshold of 32.
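The gathering rule described in the commit message above (and restated in the PR description at the end of the page), modelled as an added example. This is constructed code, not mbed TLS's own mbedtls_entropy_func: the source_t structure, the per-poll byte counts and the BLOCK_SIZE and MAX_PASSES constants are assumptions standing in for MBEDTLS_ENTROPY_BLOCK_SIZE (64 with a SHA-512 accumulator) and the library's own bound on gather passes. The old rule stops once every source has met its threshold; the new rule also requires that strong sources together supply at least BLOCK_SIZE bytes, and weak sources do not count toward that total.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the entropy gather loop, added for illustration.
 * It is not mbed TLS code. The constants are assumptions standing in for
 * MBEDTLS_ENTROPY_BLOCK_SIZE (64 with a SHA-512 accumulator) and the
 * library's own bound on the number of gather passes. */
#define BLOCK_SIZE 64
#define MAX_PASSES 256

typedef struct {
    const char *name;
    size_t threshold;  /* per-source minimum, as given to mbedtls_entropy_add_source */
    size_t per_poll;   /* bytes the source hands back on each poll (constructed) */
    int strong;        /* 1 = strong source, 0 = weak source */
    size_t collected;  /* running total for this source */
} source_t;

/* Poll every source once per pass until the stop condition holds.
 * Old rule: every source has reached its threshold.
 * New rule (enforce_total != 0): additionally, strong sources together have
 * contributed at least BLOCK_SIZE bytes; weak sources do not count.
 * Returns the number of bytes gathered from strong sources, or 0 if the
 * pass limit is hit (a source that never delivers). */
static size_t gather(source_t *src, size_t n, int enforce_total)
{
    size_t i, passes;
    for (i = 0; i < n; i++)
        src[i].collected = 0;
    for (passes = 0; passes < MAX_PASSES; passes++) {
        size_t strong_total = 0;
        int thresholds_reached = 1;
        for (i = 0; i < n; i++) {
            src[i].collected += src[i].per_poll;
            if (src[i].collected < src[i].threshold)
                thresholds_reached = 0;
            if (src[i].strong)
                strong_total += src[i].collected;
        }
        if (thresholds_reached && (!enforce_total || strong_total >= BLOCK_SIZE))
            return strong_total;
    }
    return 0;
}

/* The commit message's case: a single strong source with threshold 32. */
size_t single_strong_source(int enforce_total)
{
    source_t s[1] = { { "hwrng", 32, 32, 1, 0 } };
    return gather(s, 1, enforce_total);
}

/* A strong source plus a weak source, both with threshold 32: the weak
 * source's bytes must not satisfy the BLOCK_SIZE requirement. */
size_t strong_plus_weak_source(int enforce_total)
{
    source_t s[2] = { { "hwrng", 32, 32, 1, 0 }, { "timing", 32, 32, 0, 0 } };
    return gather(s, 2, enforce_total);
}

/* Two strong sources with threshold 32: both rules are met after one pass. */
size_t two_strong_sources(int enforce_total)
{
    source_t s[2] = { { "hwrng", 32, 32, 1, 0 }, { "os", 32, 32, 1, 0 } };
    return gather(s, 2, enforce_total);
}

/* A strong source that returns nothing: the gather must fail, not spin forever. */
size_t starved_strong_source(int enforce_total)
{
    source_t s[1] = { { "broken", 32, 0, 1, 0 } };
    return gather(s, 1, enforce_total);
}

int main(void)
{
    printf("single strong source:  old %zu, new %zu strong bytes\n",
           single_strong_source(0), single_strong_source(1));
    printf("strong + weak source:  old %zu, new %zu strong bytes\n",
           strong_plus_weak_source(0), strong_plus_weak_source(1));
    printf("two strong sources:    old %zu, new %zu strong bytes\n",
           two_strong_sources(0), two_strong_sources(1));
    printf("starved strong source: old %zu, new %zu (0 = failure)\n",
           starved_strong_source(0), starved_strong_source(1));
    return 0;
}
```

The single-source case is the one the commit message calls out: under the old rule the loop stops at 32 bytes, under the new rule it keeps polling until 64 bytes have come from the strong source. The strong-plus-weak case shows why the total is computed over strong sources only: the weak source reaching its own threshold does not shorten the gather. The pass limit is what turns a source that never delivers into an error return instead of an unbounded loop, which matters on platforms where the PR description notes that gathering more entropy can be slow.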
k-stachowiak previously approved these changes (Oct 29, 2019)
The CI failures are not just due to unrelated problems that plagued the CI for the past few months. I'm investigating.
Don't use the default entropy sources so as not to depend on their characteristics.
(c2746ea to cbd91e0)
The CI seems to still be failing in strange ways. Are these fails related to the PR?
I think many jobs are failing on -head because it's an old branch that's broken on some boards and incompatible with the current version in mbedtls. Since -merge is passing, the CI is ok.
AndrzejKurek approved these changes (Nov 26, 2019)
dgreen-arm approved these changes (Nov 26, 2019)
gilles-peskine-arm added a commit to gilles-peskine-arm/mbed-crypto that referenced this pull request on Feb 3, 2020:
* ARMmbed#321: Replace config.pl by config.py
* ARMmbed#322: Update Mbed Crypto with latest Mbed TLS changes as of 2019-11-15
* ARMmbed#308: Small performance improvement of mbedtls_mpi_div_mpi()
* ARMmbed#324: test_psa_constant_names: support key agreement, better code structure
* ARMmbed#320: Link to the PSA crypto portal page from README.md
* ARMmbed#293: Always gather MBEDTLS_ENTROPY_BLOCK_SIZE bytes of entropy
* ARMmbed#310: Clarify test descriptions in test_suite_memory_buffer_alloc
* ARMmbed#307: Add ASN.1 ENUMERATED tag support
* ARMmbed#328: Remove dependency of crypto_values.h on crypto_extra.h
* ARMmbed#325: Rename psa_asymmetric_{sign_verify} to psa_{sign,verify}_hash
Missed listing in the previous submodule update:
* ARMmbed#304: Make sure Asan failures are detected in 'make test'
Enforce that mbedtls_entropy_func gathers a total of MBEDTLS_ENTROPY_BLOCK_SIZE bytes or more from strong sources. In particular, in the default configuration, on a platform with a single entropy source, mbedtls_entropy_func will now grab 64 bytes from that source (due to the new lower bound of MBEDTLS_ENTROPY_BLOCK_SIZE), whereas it formerly only grabbed 32 bytes (due to the per-source threshold).

Backports: no. This is a security improvement but not a critical fix (32 bytes is enough if the entropy is of good quality) and it could be a problem on platforms where gathering more entropy would take an unacceptable amount of time.

Internal ref: IOTCRYPT-454