mbedtls/ChangeLog.d/issue3819.txt

Security
   * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
     nonce from entropy. Applications were affected if they called
     mbedtls_ctr_drbg_set_nonce_len(), if they called
     mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
     length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
     In such cases, a random nonce was necessary to achieve the advertised
     security strength, but the code incorrectly used a constant instead of
     entropy from the nonce.
     Found by John Stroebel in #3819 and fixed in #3973.
Updated per comments from @gilles-peskine-arm. Signed-off-by: stroebeljc <stroebeljc1@gmail.com> 2021-01-05 00:14:32 +00:00			`Security`
Updated change description as suggested by @gilles-peskine-arm. Signed-off-by: stroebeljc <stroebeljc1@gmail.com> 2021-01-05 17:28:30 +00:00			`* Fix a security reduction in CTR_DRBG when the initial seeding obtained a`
			`nonce from entropy. Applications were affected if they called`
			`mbedtls_ctr_drbg_set_nonce_len(), if they called`
			`mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key`
			`length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.`
			`In such cases, a random nonce was necessary to achieve the advertised`
			`security strength, but the code incorrectly used a constant instead of`
			`entropy from the nonce.`
$ENT\stroej1$ Added ChangeLog entry for related issue. Signed-off-by: ENT\stroej1 <john.stroebel@medtronic.com> 2020-12-24 18:39:13 +00:00			`Found by John Stroebel in #3819 and fixed in #3973.`