2021-01-05 00:14:32 +00:00
|
|
|
Security
|
2021-01-05 17:28:30 +00:00
|
|
|
* Fix a security reduction in CTR_DRBG when the initial seeding obtained a
|
|
|
|
nonce from entropy. Applications were affected if they called
|
|
|
|
mbedtls_ctr_drbg_set_nonce_len(), if they called
|
|
|
|
mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
|
|
|
|
length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
|
|
|
|
In such cases, a random nonce was necessary to achieve the advertised
|
|
|
|
security strength, but the code incorrectly used a constant instead of
|
|
|
|
entropy from the nonce.
|
2020-12-24 18:39:13 +00:00
|
|
|
Found by John Stroebel in #3819 and fixed in #3973.
|