Merge pull request #3532 from AndrzejKurek/fi-hmac-drbg-fixes

Fi-related hmac_drbg fixes

include/mbedtls/hmac_drbg.h

@@ -77,6 +77,9 @@
 #define MBEDTLS_HMAC_DRBG_PR_OFF   0x55555555   /**< No prediction resistance       */
 #define MBEDTLS_HMAC_DRBG_PR_ON    0x2AAAAAAA   /**< Prediction resistance enabled  */
 
+#define MBEDTLS_HMAC_DRBG_RESEED    0x78547854   /**< Default environment, reseeding enabled */
+#define MBEDTLS_HMAC_DRBG_NO_RESEED 0x07AB87F0   /**< Reseeding disabled, no f_entropy required */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -91,7 +94,7 @@ typedef struct mbedtls_hmac_drbg_context
     mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
     unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
     int reseed_counter;                     /*!< reseed counter         */
-
+    int reseed_flag;  /*!< disables reseeding if set to MBEDTLS_HMAC_DRBG_NO_RESEED */
     /* Administrative state */
     size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
     int prediction_resistance;  /*!< enable prediction resistance (Automatic
@@ -220,6 +223,20 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
 void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
                                           int resistance );
 
+/**
+ * \brief               This function turns reseeding on or off.
+ *                      Default value is on.
+ *
+ * \note                If set to MBEDTLS_HMAC_DRBG_NO_RESEED, this function
+ *                      disables reseeding, providing a no_reseed environment.
+ *                      f_entropy can then be null.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param reseed_flag   #MBEDTLS_HMAC_DRBG_NO_RESEED or #MBEDTLS_HMAC_DRBG_RESEED
+ */
+void mbedtls_hmac_drbg_set_reseeding( mbedtls_hmac_drbg_context *ctx,
+                                      int reseed_flag );
+
 /**
  * \brief               This function sets the amount of entropy grabbed on each
  *                      seed or reseed.
@@ -228,8 +245,10 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
  *
  * \param ctx           The HMAC_DRBG context.
  * \param len           The amount of entropy to grab, in bytes.
+ *
+ * \return              \c 0 if \p len is valid, MBEDTLS_HMAC_DRBG_MAX_INPUT otherwise.
  */
-void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
+int mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
                                        size_t len );
 
 /**

library/ecdsa.c

@@ -482,6 +482,7 @@ sign:
         mbedtls_hmac_drbg_context rng_ctx_blind;
 
         mbedtls_hmac_drbg_init( &rng_ctx_blind );
+        mbedtls_hmac_drbg_set_reseeding( &rng_ctx_blind, MBEDTLS_HMAC_DRBG_NO_RESEED );
         p_rng_blind_det = &rng_ctx_blind;
 
         mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
@@ -509,6 +510,7 @@ sign:
          * a valid ECDSA signature.
          */
         p_rng_blind_det = p_rng;
+        mbedtls_hmac_drbg_set_reseeding( p_rng_blind_det, MBEDTLS_HMAC_DRBG_NO_RESEED );
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 
         /*

library/hmac_drbg.c

@@ -62,6 +62,8 @@ void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
 
+    ctx->prediction_resistance = MBEDTLS_HMAC_DRBG_PR_OFF;
+    ctx->reseed_flag = MBEDTLS_HMAC_DRBG_RESEED;
 #if defined(MBEDTLS_THREADING_C)
     mbedtls_mutex_init( &ctx->mutex );
 #endif
@@ -210,7 +212,7 @@ static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
     size_t seedlen = 0;
     size_t total_entropy_len;
     int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
-    volatile const unsigned char *additional_dup = additional;
+    const unsigned char * volatile additional_dup = additional;
     volatile size_t len_dup = len;
     int reseed_counter_backup = -1;
 
@@ -387,12 +389,25 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
     ctx->prediction_resistance = resistance;
 }
 
+/*
+ * Set the reseeding flag
+ */
+void mbedtls_hmac_drbg_set_reseeding( mbedtls_hmac_drbg_context *ctx,
+                                      int reseed_flag )
+{
+    ctx->reseed_flag = reseed_flag;
+}
+
 /*
  * Set entropy length grabbed for seeding
  */
-void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
+int mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
 {
+    if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+
     ctx->entropy_len = len;
+    return 0;
 }
 
 /*
@@ -417,7 +432,7 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
     mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
     size_t md_len = mbedtls_md_get_size(
         mbedtls_md_get_handle( &ctx->md_ctx ) );
-    size_t left = out_len;
+    volatile size_t left = out_len;
     unsigned char *out = output;
 
     /* II. Check request length */
@@ -429,15 +444,21 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng,
         return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
 
     /* 1. (aka VII and IX) Check reseed counter and PR */
-    if( ctx->f_entropy != NULL && /* For no-reseeding instances */
+    if( ctx->reseed_flag != MBEDTLS_HMAC_DRBG_NO_RESEED &&
         ( ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
           ctx->reseed_counter > ctx->reseed_interval ) )
+    {
+            if( ctx->f_entropy == NULL )
+            {
+                return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+            }
+            else
             {
                 if( ( ret = mbedtls_hmac_drbg_reseed( ctx, additional, add_len ) ) != 0 )
                     return( ret );
-
                 add_len = 0; /* VII.4 */
             }
+    }
 
     /* 2. Use additional data if any */
     if( additional != NULL && add_len != 0 )

tests/suites/test_suite_hmac_drbg.function

@@ -94,12 +94,12 @@ void hmac_drbg_entropy_usage( int md_alg )
     TEST_ASSERT( entropy.len < last_len );
 
     /* Finally, check setting entropy_len */
-    mbedtls_hmac_drbg_set_entropy_len( &ctx, 42 );
+    TEST_ASSERT( mbedtls_hmac_drbg_set_entropy_len( &ctx, 42 ) == 0 );
     last_len = entropy.len;
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
     TEST_ASSERT( (int) last_len - entropy.len == 42 );
 
-    mbedtls_hmac_drbg_set_entropy_len( &ctx, 13 );
+    TEST_ASSERT( mbedtls_hmac_drbg_set_entropy_len( &ctx, 13 ) == 0 );
     last_len = entropy.len;
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
     TEST_ASSERT( (int) last_len - entropy.len == 13 );
@@ -149,6 +149,7 @@ void hmac_drbg_buf( int md_alg )
     TEST_ASSERT( mbedtls_hmac_drbg_seed_buf( &ctx, md_info, buf, sizeof( buf ) ) == 0 );
 
     /* Make sure it never tries to reseed (would segfault otherwise) */
+    mbedtls_hmac_drbg_set_reseeding( &ctx, MBEDTLS_HMAC_DRBG_NO_RESEED );
     mbedtls_hmac_drbg_set_reseed_interval( &ctx, 3 );
     mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
 
@@ -172,7 +173,7 @@ void hmac_drbg_no_reseed( int md_alg, data_t * entropy,
     mbedtls_hmac_drbg_context ctx;
 
     mbedtls_hmac_drbg_init( &ctx );
-
+    mbedtls_hmac_drbg_set_reseeding( &ctx, MBEDTLS_HMAC_DRBG_NO_RESEED );
     p_entropy.p = entropy->x;
     p_entropy.len = entropy->len;
 
@@ -219,6 +220,7 @@ void hmac_drbg_nopr( int md_alg, data_t * entropy, data_t * custom,
     mbedtls_hmac_drbg_context ctx;
 
     mbedtls_hmac_drbg_init( &ctx );
+    mbedtls_hmac_drbg_set_reseeding( &ctx, MBEDTLS_HMAC_DRBG_NO_RESEED );
 
     p_entropy.p = entropy->x;
     p_entropy.len = entropy->len;