From 03ee3834a0c848cf0daa77c2700478ab5ff0f024 Mon Sep 17 00:00:00 2001 From: stroebeljc Date: Tue, 5 Jan 2021 11:28:30 -0600 Subject: [PATCH] Updated change description as suggested by @gilles-peskine-arm. Signed-off-by: stroebeljc --- ChangeLog.d/issue3819.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 58e55c1f1..e41520f46 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt @@ -1,5 +1,10 @@ Security - * Fix a security reduction error that causes all bits of the nonce - to be zero in mbedtls_ctr_drbg_reseed_internal. This prevents - the security strength from reaching the level required by NIST. + * Fix a security reduction in CTR_DRBG when the initial seeding obtained a + nonce from entropy. Applications were affected if they called + mbedtls_ctr_drbg_set_nonce_len(), if they called + mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key + length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. + In such cases, a random nonce was necessary to achieve the advertised + security strength, but the code incorrectly used a constant instead of + entropy from the nonce. Found by John Stroebel in #3819 and fixed in #3973.
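Review bot: In the rewritten ChangeLog entry, the concrete symptom that the removed lines stated ("all bits of the nonce" were zero) is dropped, which makes it harder for a downstream reader to judge exposure; suggest keeping one sentence along the lines of "the nonce consisted entirely of zero bits instead of entropy" next to "the code incorrectly used a constant instead of entropy from the nonce". The three listed conditions could also be tightened: "if they called mbedtls_ctr_drbg_set_nonce_len()" reads as if any call triggers the issue, so state whether only a nonzero nonce length is affected, and "a size that was 3/2 times the key length" would be clearer with the byte counts spelled out (e.g. "48 bytes with AES-256") so users can match it against their configuration without computing it. Minor tense consistency in the first sentence: "when the initial seeding obtained a nonce from entropy" alongside "when the entropy module uses SHA-256" mixes past and present; pick one.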