From ed038902813a5afba50276f68d3a0a8a8c7c69c1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 13 Nov 2020 21:33:21 +0100 Subject: [PATCH] PSA: allow the configuration to favor HMAC_DRBG Allow the user to configure PSA to use HMAC_DRBG even if CTR_DRBG is available, or to explicitly select the hash algorithm to use for HMAC_DRBG, by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE in config.h. Signed-off-by: Gilles Peskine --- include/mbedtls/config.h | 14 ++++++++++++++ programs/test/query_config.c | 8 ++++++++ 2 files changed, 22 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index c022a61741..5755df3b9c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3635,6 +3635,20 @@ */ //#define MBEDTLS_PARAM_FAILED( cond ) assert( cond ) +/* PSA options */ +/** \def MBEDTLS_PSA_HMAC_DRBG_MD_TYPE + * + * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the + * PSA crypto subsystem. + * + * If this option is unset: + * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. + * - Otherwise, the PSA subsystem uses one HMAC_DRBG with of + * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and + * on unspecified heuristics. + */ +//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 + /* SSL Cache options */ //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 05a953c633..1fb7384fdb 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -2616,6 +2616,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO */ +#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) + if( strcmp( "MBEDTLS_PSA_HMAC_DRBG_MD_TYPE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_HMAC_DRBG_MD_TYPE ); + return( 0 ); + } +#endif /* MBEDTLS_PSA_HMAC_DRBG_MD_TYPE */ + #if defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT) if( strcmp( "MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT", config ) == 0 ) {