mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-16 04:20:49 +00:00
Merge pull request #1249 from gilles-peskine-arm/psa-drbg-no-hmac-document
Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC
This commit is contained in:
commit
726e57f6f0
4
ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
Normal file
4
ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
Normal file
@ -0,0 +1,4 @@
|
||||
Security
|
||||
* Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
|
||||
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
|
||||
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
|
@ -4000,11 +4000,18 @@
|
||||
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
|
||||
* PSA crypto subsystem.
|
||||
*
|
||||
* If this option is unset:
|
||||
* - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
|
||||
* - Otherwise, the PSA subsystem uses HMAC_DRBG with either
|
||||
* #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
|
||||
* on unspecified heuristics.
|
||||
* If this option is unset, the library chooses a hash (currently between
|
||||
* #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
|
||||
* unspecified heuristics.
|
||||
*
|
||||
* \note The PSA crypto subsystem uses the first available mechanism amongst
|
||||
* the following:
|
||||
* - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
|
||||
* - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
|
||||
* if #MBEDTLS_CTR_DRBG_C is enabled;
|
||||
* - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
|
||||
*
|
||||
* A future version may reevaluate the prioritization of DRBG mechanisms.
|
||||
*/
|
||||
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
|
||||
|
||||
|
@ -21,13 +21,10 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
|
||||
#include "mbedtls/entropy.h"
|
||||
|
||||
/* Choose a DRBG based on configuration and availability */
|
||||
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
|
||||
|
||||
#include "mbedtls/hmac_drbg.h"
|
||||
|
||||
#elif defined(MBEDTLS_CTR_DRBG_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
|
||||
|
||||
#elif defined(MBEDTLS_HMAC_DRBG_C)
|
||||
|
||||
@ -49,17 +46,11 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
|
||||
#error "No hash algorithm available for HMAC_DBRG."
|
||||
#endif
|
||||
|
||||
#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
#error "No DRBG module available for the psa_crypto module."
|
||||
|
||||
#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#elif defined(MBEDTLS_HMAC_DRBG_C)
|
||||
#include "mbedtls/hmac_drbg.h"
|
||||
#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
|
||||
#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
|
Loading…
x
Reference in New Issue
Block a user