From 868d2524b8f91f9373f2f96ddd87dab5126555cf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 1 Jul 2024 21:14:45 +0200 Subject: [PATCH] Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC MBEDTLS_PSA_HMAC_DRBG_MD_TYPE was documented and announced as causing the PSA DRBG to be HMAC_DRBG. However, that was never actually implemented: CTR_DRBG is prioritized if enabled. Since there is a simple workaround of disabling MBEDTLS_CTR_DRBG_C if you want to use HMAC_DRBG, we have decided to accept the actual behavior and fix the documentation. Signed-off-by: Gilles Peskine --- ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt | 4 ++++ include/mbedtls/mbedtls_config.h | 17 ++++++++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) create mode 100644 ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt new file mode 100644 index 0000000000..079cd741dc --- /dev/null +++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt @@ -0,0 +1,4 @@ +Security + * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does + not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when + MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 35921412c6..871d54e48b 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -4016,11 +4016,18 @@ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * PSA crypto subsystem. * - * If this option is unset: - * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. - * - Otherwise, the PSA subsystem uses HMAC_DRBG with either - * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and - * on unspecified heuristics. + * If this option is unset, the library chooses a hash (currently between + * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and + * unspecified heuristics. + * + * \note The PSA crypto subsystem uses the first available mechanism amongst + * the following: + * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES + * if #MBEDTLS_CTR_DRBG_C is enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG. + * + * A future version may reevaluate the prioritization of DRBG mechanisms. */ //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256