Merge pull request #1249 from gilles-peskine-arm/psa-drbg-no-hmac-document
Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC
diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
new file mode 100644
index 0000000..079cd74
--- /dev/null
+++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
@@ -0,0 +1,4 @@
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 2e98c3a..b55ad54 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -4000,11 +4000,18 @@
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
* PSA crypto subsystem.
*
- * If this option is unset:
- * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
- * - Otherwise, the PSA subsystem uses HMAC_DRBG with either
- * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
- * on unspecified heuristics.
+ * If this option is unset, the library chooses a hash (currently between
+ * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
+ * unspecified heuristics.
+ *
+ * \note The PSA crypto subsystem uses the first available mechanism amongst
+ * the following:
+ * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
+ * if #MBEDTLS_CTR_DRBG_C is enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
+ *
+ * A future version may reevaluate the prioritization of DRBG mechanisms.
*/
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
index 533fb2e..5b51631 100644
--- a/library/psa_crypto_random_impl.h
+++ b/library/psa_crypto_random_impl.h
@@ -21,13 +21,10 @@
#include "mbedtls/entropy.h"
/* Choose a DRBG based on configuration and availability */
-#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
-
-#include "mbedtls/hmac_drbg.h"
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/ctr_drbg.h"
+#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
#elif defined(MBEDTLS_HMAC_DRBG_C)
@@ -49,17 +46,11 @@
#error "No hash algorithm available for HMAC_DBRG."
#endif
-#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
#error "No DRBG module available for the psa_crypto module."
-#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
-#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
#if defined(MBEDTLS_CTR_DRBG_C)