Squashed commit upgrading to mbedtls-2.16.5
Squash merging branch import/mbedtls-2.16.5
058aefb2bfa4 ("core: mbedtls: use SHA-256 crypto accelerated routines")
bcef9baed8f1 ("core: mbedtls: use SHA-1 crypto accelerated routines")
c9359f31db12 ("core: mbedtls: use AES crypto accelerated routines")
0e6c1e2642c7 ("core: merge tee_*_get_digest_size() into a single function")
0cb3c28a2f4d ("libmbedtls: mbedtls_mpi_exp_mod(): optimize mempool usage")
5abf0e6ab72e ("libmbedtls: mbedtls_mpi_exp_mod(): reduce stack usage")
2ccc08ac7fef ("libmbedtls: preserve mempool usage on reinit")
cd2a24648569 ("libmbedtls: mbedtls_mpi_exp_mod() initialize W")
7727182ecb56 ("libmbedtls: fix no CRT issue")
120737075dcf ("libmbedtls: add interfaces in mbedtls for context memory operation")
1126250b3af8 ("libmbedtls: add missing source file chachapoly.c")
23972e9f1c98 ("libmedtls: mpi_miller_rabin: increase count limit")
1fcbc05b3cd2 ("libmbedtls: add mbedtls_mpi_init_mempool()")
66e03f068078 ("libmbedtls: make mbedtls_mpi_mont*() available")
d07e0ce56236 ("libmbedtls: refine mbedtls license header")
491ee2cd0ff4 ("mbedtls: configure mbedtls to reach for config")
9b6cee685d9a ("mbedtls: remove default include/mbedtls/config.h")
84f7467a0a91 ("Import mbedtls-2.16.5")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
diff --git a/lib/libmbedtls/mbedtls/library/hmac_drbg.c b/lib/libmbedtls/mbedtls/library/hmac_drbg.c
index 4361670..3fce52d 100644
--- a/lib/libmbedtls/mbedtls/library/hmac_drbg.c
+++ b/lib/libmbedtls/mbedtls/library/hmac_drbg.c
@@ -149,20 +149,32 @@
}
/*
- * HMAC_DRBG reseeding: 10.1.2.4 (arabic) + 9.2 (Roman)
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
*/
-int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
- const unsigned char *additional, size_t len )
+static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len,
+ int use_nonce )
{
unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
- size_t seedlen;
+ size_t seedlen = 0;
int ret;
- /* III. Check input length */
- if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
- ctx->entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
{
- return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+ size_t total_entropy_len;
+
+ if( use_nonce == 0 )
+ total_entropy_len = ctx->entropy_len;
+ else
+ total_entropy_len = ctx->entropy_len * 3 / 2;
+
+ /* III. Check input length */
+ if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+ total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
+ {
+ return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+ }
}
memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
@@ -170,9 +182,32 @@
/* IV. Gather entropy_len bytes of entropy for the seed */
if( ( ret = ctx->f_entropy( ctx->p_entropy,
seed, ctx->entropy_len ) ) != 0 )
+ {
return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+ }
+ seedlen += ctx->entropy_len;
- seedlen = ctx->entropy_len;
+ /* For initial seeding, allow adding of nonce generated
+ * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+ if( use_nonce )
+ {
+ /* Note: We don't merge the two calls to f_entropy() in order
+ * to avoid requesting too much entropy from f_entropy()
+ * at once. Specifically, if the underlying digest is not
+ * SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+ * is larger than the maximum of 32 Bytes that our own
+ * entropy source implementation can emit in a single
+ * call in configurations disabling SHA-512. */
+ if( ( ret = ctx->f_entropy( ctx->p_entropy,
+ seed + seedlen,
+ ctx->entropy_len / 2 ) ) != 0 )
+ {
+ return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+ }
+
+ seedlen += ctx->entropy_len / 2;
+ }
+
/* 1. Concatenate entropy and additional data if any */
if( additional != NULL && len != 0 )
@@ -195,7 +230,19 @@
}
/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+ const unsigned char *additional, size_t len )
+{
+ return( hmac_drbg_reseed_core( ctx, additional, len, 0 ) );
+}
+
+/*
* HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
*/
int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
const mbedtls_md_info_t * md_info,
@@ -205,7 +252,7 @@
size_t len )
{
int ret;
- size_t entropy_len, md_size;
+ size_t md_size;
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
@@ -226,27 +273,25 @@
ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
- /*
- * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
- * each hash function, then according to SP800-90A rev1 10.1 table 2,
- * min_entropy_len (in bits) is security_strength.
- *
- * (This also matches the sizes used in the NIST test vectors.)
- */
- entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
- md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
- 32; /* better (256+) -> 256 bits */
+ if( ctx->entropy_len == 0 )
+ {
+ /*
+ * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+ * each hash function, then according to SP800-90A rev1 10.1 table 2,
+ * min_entropy_len (in bits) is security_strength.
+ *
+ * (This also matches the sizes used in the NIST test vectors.)
+ */
+ ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+ md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+ 32; /* better (256+) -> 256 bits */
+ }
- /*
- * For initialisation, use more entropy to emulate a nonce
- * (Again, matches test vectors.)
- */
- ctx->entropy_len = entropy_len * 3 / 2;
-
- if( ( ret = mbedtls_hmac_drbg_reseed( ctx, custom, len ) ) != 0 )
+ if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
+ 1 /* add nonce */ ) ) != 0 )
+ {
return( ret );
-
- ctx->entropy_len = entropy_len;
+ }
return( 0 );
}
@@ -261,7 +306,7 @@
}
/*
- * Set entropy length grabbed for reseeds
+ * Set entropy length grabbed for seeding
*/
void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
{