VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2020 · Updated Aug 5, 2024

CVE-2019-18222

Description

ECDSA side-channel vulnerability in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 allows local attackers to recover private keys via insufficient scalar reduction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ECDSA signing routine in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 blinds the per-signature nonce k with a random factor t, then computes the modular inverse of the product k·t without first reducing that product modulo the group order n. The bignum routines are not constant-time or constant-trace, so the inversion leaks the unreduced product; an attacker who recovers it can factor it to separate k from t and then solve the signing equation for the private key. The patch is a single reduction of the blinded scalar modulo n before the inversion.

Exploitation

A local attacker who can observe side-channel leakage (timing or power consumption) while the device produces ECDSA signatures collects traces of the signing operation and recovers the value fed to the modular inverse. Because that value is the unreduced product k·t rather than a uniformly random residue mod n, it can be factored to yield candidate nonces. Knowing k for even one signature (r, s) over message hash e is enough: d = (s·k − e)·r⁻¹ mod n, and each candidate can be confirmed against the public key.
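The recovery path just described, as an added example written for this page (it is not Mbed TLS code): a Python model of the blinded signing formula s = t·(e + r·d)·(t·k)⁻¹ mod n, with the pre-fix variant inverting the raw product k·t and the fixed variant reducing it mod n first. The side channel is simulated by handing the attacker the exact value the inversion ran on; the attacker then tries every divisor of that value as the nonce and confirms the resulting private-key candidate against the public key. To keep the divisor walk trivial, the curve is a deliberately tiny prime-order curve over F_1009 found at import time; the field prime, the coefficient a = 1, the seeded RNG and the 40-signature trial count are all choices for this demo, not anything from the advisory. With real 256-bit parameters the attacker's factoring step is genuine work on a roughly 512-bit integer, but that is within reach of general-purpose factoring and nothing like the discrete logarithm the scheme is meant to rest on.

```python
"""Toy model of CVE-2019-18222: ECDSA nonce blinding where k*t is inverted without
first being reduced mod n.  Written for this page, not mbedtls code.  Curve: a tiny
prime-order curve over F_1009 found at import time; the side channel is simulated."""
import math
import random

P, A = 1009, 1   # field prime and coefficient a, picked for the demo; b is searched

def is_prime(m):
    return m >= 2 and all(m % i for i in range(2, math.isqrt(m) + 1))

def count_points(b):
    total = 1                                    # the point at infinity
    for x in range(P):
        rhs = (x ** 3 + A * x + b) % P           # y^2 = rhs has 1, 2 or 0 solutions
        total += 1 if rhs == 0 else 2 if pow(rhs, (P - 1) // 2, P) == 1 else 0
    return total

def find_prime_order_curve():
    """First b giving a non-singular curve of prime order n, plus a generator."""
    for b in range(1, P):
        if (4 * A ** 3 + 27 * b * b) % P == 0:   # singular, skip
            continue
        n = count_points(b)
        if is_prime(n):
            for x in range(P):                   # any affine point generates E
                rhs = (x ** 3 + A * x + b) % P
                if pow(rhs, (P - 1) // 2, P) == 1:
                    return b, n, (x, next(y for y in range(1, P) if y * y % P == rhs))
    raise RuntimeError("no prime-order curve found")

B, N, G = find_prime_order_curve()

def ec_add(p1, p2):
    """Affine add on y^2 = x^3 + A x + B over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                              # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign_blinded(d, e, k, t, reduce_blinded):
    """s = t*(e + r*d) * (t*k)^-1 mod n; returns (r, s, value the inversion ran on)."""
    r = ec_mul(k, G)[0] % N
    kt = k * t                                   # blinded nonce, unreduced (pre-fix)
    if reduce_blinded:
        kt %= N                                  # the fix: reduce before inverting
    return r, t * (e + r * d) * pow(kt, -1, N) % N, kt

def divisors(v):
    out = set()
    for i in range(1, math.isqrt(v) + 1):
        if v % i == 0:
            out.update((i, v // i))
    return sorted(out)

def recover_private_key(leak, r, s, e, pub):
    """Attacker: each divisor of the leak is a candidate k; d = (s*k - e)/r mod n."""
    r_inv = pow(r, -1, N)
    for k_cand in divisors(leak):
        d_cand = (s * k_cand - e) * r_inv % N
        if k_cand < N and d_cand and ec_mul(d_cand, G) == pub:   # confirmed by public key
            return d_cand
    return None

def run_trials(trials=40, seed=7):
    """Sign `trials` messages; count recoveries from the unreduced and reduced leaks."""
    rng = random.Random(seed)                    # fixed seed: deterministic demo
    d = rng.randrange(1, N)
    pub = ec_mul(d, G)
    vuln_hits = fixed_hits = done = 0
    while done < trials:
        e, k, t = (rng.randrange(1, N) for _ in range(3))   # hash mod n, nonce, blinding
        r, s, leak_vuln = ecdsa_sign_blinded(d, e, k, t, reduce_blinded=False)
        if r == 0 or s == 0:                     # real ECDSA retries with a new k
            continue
        r2, s2, leak_fixed = ecdsa_sign_blinded(d, e, k, t, reduce_blinded=True)
        assert (r, s) == (r2, s2)                # same signature, different intermediate
        vuln_hits += recover_private_key(leak_vuln, r, s, e, pub) == d
        fixed_hits += recover_private_key(leak_fixed, r, s, e, pub) == d
        done += 1
    return d, vuln_hits, fixed_hits

if __name__ == "__main__":
    print(run_trials())   # (d, recoveries from unreduced k*t, recoveries from k*t mod n)
```

Run it directly to print the recovery counts. The fixed path yields the same (r, s) for every signature, which is why no functional test caught the missing reduction and why the check has to be on the intermediate handed to the inversion, not on the signature output.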

Impact

Full recovery of the ECDSA private key. With it, the attacker forges signatures under that key, impersonating the victim wherever the key authenticates it (for example, TLS server or client authentication) and voiding the integrity guarantees of communications authenticated with it.

Mitigation

Update to a release that reduces the blinded scalar before the inversion: Mbed TLS 2.20.0, or the long-term-support releases 2.16.4 and 2.7.13 (both dated 2020-01-15 in the ChangeLog hunks below), and Mbed Crypto 3.0.0 for consumers of the separate crypto library. No configuration workaround is documented; on unpatched versions, any ECDSA private key used for signing on a device a local attacker can observe should be treated as exposed and rotated after the upgrade.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 4
dbcb44202c9b

Update Mbed Crypto to 3.0.0

https://github.com/armmbed/mbedtls · Jaeden Amero · Jan 15, 2020 · via osv
1 file changed · +1 −1
  • crypto +1 −1 modified
    @@ -1 +1 @@
    -Subproject commit 795c6bab62177f48f1457c1ffac93d0a1245beb0
    +Subproject commit d27a88438fe785f0906c01e3216044d1c98be875
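Review bot: The commit message says 3.0.0 but the hunk pins only the raw commit d27a88438fe785f0906c01e3216044d1c98be875 with no tag reference; when the submodule pointer is bumped for a security fix, name the tag or release the commit corresponds to in the message so a reviewer can confirm the pinned commit is the Mbed Crypto 3.0.0 release without resolving the submodule by hand.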
    
d8180f8d8412

Merge remote-tracking branch 'origin/mbedtls-2.7' into mbedtls-2.7-restricted

https://github.com/armmbed/mbedtls · Jaeden Amero · Jan 15, 2020 · via osv
9 files changed · +133 −103
  • ChangeLog +7 −1 modified
    @@ -1,6 +1,6 @@
     mbed TLS ChangeLog (Sorted per branch, date)
     
    -= mbed TLS 2.7.x branch released xxxx-xx-xx
    += mbed TLS 2.7.13 branch released 2020-01-15
     
     Security
        * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
    @@ -25,6 +25,12 @@ Security
          reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
          Sectra.
     
    +Bugfix
    +   * Support mbedtls_hmac_drbg_set_entropy_len() and
    +     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
    +     the initial seeding always reset the entropy length to the compile-time
    +     default.
    +
     Changes
        * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
          from the cipher abstraction layer. Fixes #2198.
    
  • include/mbedtls/ctr_drbg.h +12 −11 modified
    @@ -190,11 +190,8 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
      *   with mbedtls_entropy_init() (which registers the platform's default
      *   entropy sources).
      *
    - * \p f_entropy is always called with a buffer size equal to the entropy
    - * length. The entropy length is initially #MBEDTLS_CTR_DRBG_ENTROPY_LEN
    - * and this value is always used for the initial seeding. You can change
    - * the entropy length for subsequent seeding by calling
    - * mbedtls_ctr_drbg_set_entropy_len() after this function.
    + * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
    + * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
      *
      * You can provide a personalization string in addition to the
      * entropy source, to make this instantiation as unique as possible.
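Review bot: The new sentence "You can override it by calling mbedtls_ctr_drbg_set_entropy_len()" drops the ordering constraint the removed text carried; state that the call must come after mbedtls_ctr_drbg_init() and before mbedtls_ctr_drbg_seed() to affect the initial seeding, since the seed routine in this change applies the compile-time default only when the length is still zero at seed time.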
    @@ -227,9 +224,18 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
     #endif
     /**
      * \param ctx           The CTR_DRBG context to seed.
    + *                      It must have been initialized with
    + *                      mbedtls_ctr_drbg_init().
    + *                      After a successful call to mbedtls_ctr_drbg_seed(),
    + *                      you may not call mbedtls_ctr_drbg_seed() again on
    + *                      the same context unless you call
    + *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
    + *                      again first.
      * \param f_entropy     The entropy callback, taking as arguments the
      *                      \p p_entropy context, the buffer to fill, and the
      *                      length of the buffer.
    + *                      \p f_entropy is always called with a buffer size
    + *                      equal to the entropy length.
      * \param p_entropy     The entropy context to pass to \p f_entropy.
      * \param custom        The personalization string.
      *                      This can be \c NULL, in which case the personalization
    @@ -273,15 +279,10 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
     
     /**
      * \brief               This function sets the amount of entropy grabbed on each
    - *                      subsequent reseed.
    + *                      seed or reseed.
      *
      * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
      *
    - * \note                mbedtls_ctr_drbg_seed() always sets the entropy length
    - *                      to #MBEDTLS_CTR_DRBG_ENTROPY_LEN, so this function
    - *                      only has an effect when it is called after
    - *                      mbedtls_ctr_drbg_seed().
    - *
      * \note                The security strength of CTR_DRBG is bounded by the
      *                      entropy length. Thus \p len must be at least
      *                      32 (in bytes) to achieve a 256-bit strength.
    
  • include/mbedtls/hmac_drbg.h +6 −13 modified
    @@ -139,13 +139,11 @@ void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
      *                      Note that SHA-256 is just as efficient as SHA-224.
      *                      The security strength can be reduced if a smaller
      *                      entropy length is set with
    - *                      mbedtls_hmac_drbg_set_entropy_len() afterwards.
    + *                      mbedtls_hmac_drbg_set_entropy_len().
      *
    - * \note                The entropy length for the initial seeding is
    - *                      the security strength (converted from bits to bytes).
    - *                      You can set a different entropy length for subsequent
    - *                      seeding by calling mbedtls_hmac_drbg_set_entropy_len()
    - *                      after this function.
    + * \note                The default entropy length is the security strength
    + *                      (converted from bits to bytes). You can override
    + *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
      *
      * \note                During the initial seeding, this function calls
      *                      the entropy source to obtain a nonce
    @@ -224,14 +222,9 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
     
     /**
      * \brief               This function sets the amount of entropy grabbed on each
    - *                      reseed.
    + *                      seed or reseed.
      *
    - * The default value is set by mbedtls_hmac_drbg_seed().
    - *
    - * \note                mbedtls_hmac_drbg_seed() always sets the entropy length
    - *                      to the default value based on the chosen MD algorithm,
    - *                      so this function only has an effect if it is called
    - *                      after mbedtls_hmac_drbg_seed().
    + * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
      *
      * \param ctx           The HMAC_DRBG context.
      * \param len           The amount of entropy to grab, in bytes.
    
  • library/ctr_drbg.c +56 −54 modified
    @@ -66,56 +66,6 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
     #endif
     }
     
    -/*
    - * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
    - * NIST tests to succeed (which require known length fixed entropy)
    - */
    -int mbedtls_ctr_drbg_seed_entropy_len(
    -                   mbedtls_ctr_drbg_context *ctx,
    -                   int (*f_entropy)(void *, unsigned char *, size_t),
    -                   void *p_entropy,
    -                   const unsigned char *custom,
    -                   size_t len,
    -                   size_t entropy_len )
    -{
    -    int ret;
    -    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    -
    -    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
    -
    -    mbedtls_aes_init( &ctx->aes_ctx );
    -
    -    ctx->f_entropy = f_entropy;
    -    ctx->p_entropy = p_entropy;
    -
    -    ctx->entropy_len = entropy_len;
    -    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
    -
    -    /*
    -     * Initialize with an empty key
    -     */
    -    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    -    {
    -        return( ret );
    -    }
    -
    -    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
    -    {
    -        return( ret );
    -    }
    -    return( 0 );
    -}
    -
    -int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
    -                   int (*f_entropy)(void *, unsigned char *, size_t),
    -                   void *p_entropy,
    -                   const unsigned char *custom,
    -                   size_t len )
    -{
    -    return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
    -                                       MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
    -}
    -
     void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
     {
         if( ctx == NULL )
    @@ -386,6 +336,52 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
         return( ret );
     }
     
    +int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
    +                           int (*f_entropy)(void *, unsigned char *, size_t),
    +                           void *p_entropy,
    +                           const unsigned char *custom,
    +                           size_t len )
    +{
    +    int ret;
    +    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    +
    +    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
    +
    +    mbedtls_aes_init( &ctx->aes_ctx );
    +
    +    ctx->f_entropy = f_entropy;
    +    ctx->p_entropy = p_entropy;
    +
    +    if( ctx->entropy_len == 0 )
    +        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
    +    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
    +
    +    /*
    +     * Initialize with an empty key
    +     */
    +    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    +    {
    +        return( ret );
    +    }
    +
    +    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
    +    {
    +        return( ret );
    +    }
    +    return( 0 );
    +}
    +
    +/* Backward compatibility wrapper */
    +int mbedtls_ctr_drbg_seed_entropy_len(
    +    mbedtls_ctr_drbg_context *ctx,
    +    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
    +    const unsigned char *custom, size_t len,
    +    size_t entropy_len )
    +{
    +    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
    +    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
    +}
    +
     int mbedtls_ctr_drbg_random_with_add( void *p_rng,
                                   unsigned char *output, size_t output_len,
                                   const unsigned char *additional, size_t add_len )
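Review bot: `if( ctx->entropy_len == 0 ) ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;` turns 0 into a sentinel for "not set", so a caller that explicitly passes 0 to mbedtls_ctr_drbg_set_entropy_len(), or 0 as entropy_len to the compatibility wrapper below it, silently gets the compile-time default instead of an error; either reject 0 in the setter or document that 0 selects the default.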
    @@ -617,8 +613,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
             mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
     
         test_offset = 0;
    -    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    -                                (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    CHK( mbedtls_ctr_drbg_seed( &ctx,
    +                                ctr_drbg_self_test_entropy,
    +                                (void *) entropy_source_pr,
    +                                nonce_pers_pr, 16 ) );
         mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
    @@ -638,8 +637,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
         mbedtls_ctr_drbg_init( &ctx );
     
         test_offset = 0;
    -    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    -                            (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    CHK( mbedtls_ctr_drbg_seed( &ctx,
    +                                ctr_drbg_self_test_entropy,
    +                                (void *) entropy_source_nopr,
    +                                nonce_pers_nopr, 16 ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
         CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
    
  • library/hmac_drbg.c +14 −11 modified
    @@ -275,16 +275,19 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
     
         ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
     
    -    /*
    -     * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
    -     * each hash function, then according to SP800-90A rev1 10.1 table 2,
    -     * min_entropy_len (in bits) is security_strength.
    -     *
    -     * (This also matches the sizes used in the NIST test vectors.)
    -     */
    -    ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
    -                       md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
    -                       32;  /* better (256+) -> 256 bits */
    +    if( ctx->entropy_len == 0 )
    +    {
    +        /*
    +         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
    +         * each hash function, then according to SP800-90A rev1 10.1 table 2,
    +         * min_entropy_len (in bits) is security_strength.
    +         *
    +         * (This also matches the sizes used in the NIST test vectors.)
    +         */
    +        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
    +                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
    +                           32;  /* better (256+) -> 256 bits */
    +    }
     
         if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
                                            1 /* add nonce */ ) ) != 0 )
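Review bot: Same zero-as-unset convention as in ctr_drbg.c: `if( ctx->entropy_len == 0 )` makes an explicit mbedtls_hmac_drbg_set_entropy_len( ctx, 0 ) before seeding indistinguishable from never calling it, and moving the SP 800-57 table inside that branch means the table no longer bounds a caller-chosen length at all. Either reject 0 in the setter or say in the header that 0 selects the hash-derived default.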
    @@ -305,7 +308,7 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
     }
     
     /*
    - * Set entropy length grabbed for reseeds
    + * Set entropy length grabbed for seeding
      */
     void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
     {
    
  • programs/test/benchmark.c +2 −1 modified
    @@ -560,13 +560,14 @@ int main( int argc, char *argv[] )
             mbedtls_ctr_drbg_context ctr_drbg;
     
             mbedtls_ctr_drbg_init( &ctr_drbg );
    -
             if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
                 mbedtls_exit(1);
             TIME_AND_TSC( "CTR_DRBG (NOPR)",
                     if( mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
                     mbedtls_exit(1) );
    +        mbedtls_ctr_drbg_free( &ctr_drbg );
     
    +        mbedtls_ctr_drbg_init( &ctr_drbg );
             if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
                 mbedtls_exit(1);
             mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
    
  • tests/suites/test_suite_ctr_drbg.function +8 −2 modified
    @@ -72,7 +72,10 @@ void ctr_drbg_validate_pr( char *add_init_string, char *entropy_string,
         add2_len = unhexify( add2, add2_string );
     
         test_offset_idx = 0;
    -    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctx,
    +                                        mbedtls_test_entropy_func, entropy,
    +                                        add_init, add_init_len ) == 0 );
         mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
     
         TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
    @@ -110,7 +113,10 @@ void ctr_drbg_validate_nopr( char *add_init_string, char *entropy_string,
         add2_len = unhexify( add2, add2_string );
     
         test_offset_idx = 0;
    -    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctx,
    +                                        mbedtls_test_entropy_func, entropy,
    +                                        add_init, add_init_len ) == 0 );
     
         TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
         TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, add_reseed, add_reseed_len ) == 0 );
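Review bot: After both hunks nothing in the suite calls mbedtls_ctr_drbg_seed_entropy_len() any more, so the backward compatibility wrapper kept in library/ctr_drbg.c loses its only coverage; leave one of the two cases on the wrapper, or add a case that seeds through it, so its set_entropy_len-then-seed path is exercised.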
    
  • tests/suites/test_suite_memory_buffer_alloc.data +3 −3 modified
    @@ -16,8 +16,8 @@ memory_buffer_alloc_free_alloc:100:64:100:100:0:0:0:1:200:0
     Memory buffer alloc - Out of Memory test
     memory_buffer_alloc_oom_test:
     
    -Memory buffer small buffer
    -memory_buffer_small_buffer:
    +Memory buffer: heap too small (header verification should fail)
    +memory_buffer_heap_too_small:
     
    -Memory buffer underalloc
    +Memory buffer: attempt to allocate SIZE_MAX
     memory_buffer_underalloc:
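Review bot: The description is renamed to "attempt to allocate SIZE_MAX" but the function keeps the name memory_buffer_underalloc, so the .data and .function files now disagree on what the case is about; rename the function as was done for memory_buffer_heap_too_small, or keep the description aligned with the name.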
    
  • tests/suites/test_suite_memory_buffer_alloc.function +25 −7 modified
    @@ -29,7 +29,7 @@ void mbedtls_memory_buffer_alloc_self_test( )
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    +/* BEGIN_CASE */
     void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
                                             int d_bytes,
                                          int free_a, int free_b, int free_c,
    @@ -40,8 +40,11 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
         unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL, *ptr_d = NULL,
                         *ptr_e = NULL, *ptr_f = NULL;
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         size_t reported_blocks;
    -    size_t allocated_bytes = 0, reported_bytes;
    +    size_t reported_bytes;
    +#endif
    +    size_t allocated_bytes = 0;
     
         mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
     
    @@ -79,8 +82,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             allocated_bytes += d_bytes * sizeof(char);
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == allocated_bytes );
    +#endif
     
         if( free_a )
         {
    @@ -118,8 +123,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             allocated_bytes -= d_bytes * sizeof(char);
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == allocated_bytes );
    +#endif
     
         if( e_bytes > 0 )
         {
    @@ -179,8 +186,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             ptr_f = NULL;
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == 0 );
    +#endif
     
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    @@ -189,12 +198,14 @@ exit:
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    -void memory_buffer_alloc_oom_test()
    +/* BEGIN_CASE */
    +void memory_buffer_alloc_oom_test(  )
     {
         unsigned char buf[1024];
         unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL;
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         size_t reported_blocks, reported_bytes;
    +#endif
     
         (void)ptr_c;
     
    @@ -211,8 +222,10 @@ void memory_buffer_alloc_oom_test()
         ptr_c = mbedtls_calloc( 431, sizeof(char) );
         TEST_ASSERT( ptr_c == NULL );
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes >= 864 && reported_bytes <= sizeof(buf) );
    +#endif
     
         mbedtls_free( ptr_a );
         ptr_a = NULL;
    @@ -222,8 +235,10 @@ void memory_buffer_alloc_oom_test()
         ptr_b = NULL;
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == 0 );
    +#endif
     
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    @@ -232,17 +247,20 @@ exit:
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    -void memory_buffer_small_buffer( )
    +/* BEGIN_CASE */
    +void memory_buffer_heap_too_small( )
     {
         unsigned char buf[1];
     
         mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
    +    /* With MBEDTLS_MEMORY_DEBUG enabled, this prints a message
    +     * "FATAL: verification of first header failed".
    +     */
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() != 0 );
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    +/* BEGIN_CASE */
     void memory_buffer_underalloc( )
     {
         unsigned char buf[100];
    
39e2c0eeb650

Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted

https://github.com/armmbed/mbedtls · Jaeden Amero · Jan 15, 2020 · via osv
10 files changed · +140 −116
  • ChangeLog +5 −1 modified
    @@ -1,6 +1,6 @@
     mbed TLS ChangeLog (Sorted per branch, date)
     
    -= mbed TLS 2.16.x branch released xxxx-xx-xx
    += mbed TLS 2.16.4 branch released 2020-01-15
     
     Security
        * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
    @@ -29,6 +29,10 @@ Bugfix
        * Remove redundant line for getting the bitlen of a bignum, since the variable
          holding the returned value is overwritten a line after.
          Found by irwir in #2377.
    +   * Support mbedtls_hmac_drbg_set_entropy_len() and
    +     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
    +     the initial seeding always reset the entropy length to the compile-time
    +     default.
     
     Changes
        * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
    
  • include/mbedtls/ctr_drbg.h +12 −11 modified
    @@ -214,11 +214,8 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
      *   with mbedtls_entropy_init() (which registers the platform's default
      *   entropy sources).
      *
    - * \p f_entropy is always called with a buffer size equal to the entropy
    - * length. The entropy length is initially #MBEDTLS_CTR_DRBG_ENTROPY_LEN
    - * and this value is always used for the initial seeding. You can change
    - * the entropy length for subsequent seeding by calling
    - * mbedtls_ctr_drbg_set_entropy_len() after this function.
    + * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
    + * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
      *
      * You can provide a personalization string in addition to the
      * entropy source, to make this instantiation as unique as possible.
    @@ -252,9 +249,18 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
     #endif
     /**
      * \param ctx           The CTR_DRBG context to seed.
    + *                      It must have been initialized with
    + *                      mbedtls_ctr_drbg_init().
    + *                      After a successful call to mbedtls_ctr_drbg_seed(),
    + *                      you may not call mbedtls_ctr_drbg_seed() again on
    + *                      the same context unless you call
    + *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
    + *                      again first.
      * \param f_entropy     The entropy callback, taking as arguments the
      *                      \p p_entropy context, the buffer to fill, and the
      *                      length of the buffer.
    + *                      \p f_entropy is always called with a buffer size
    + *                      equal to the entropy length.
      * \param p_entropy     The entropy context to pass to \p f_entropy.
      * \param custom        The personalization string.
      *                      This can be \c NULL, in which case the personalization
    @@ -298,15 +304,10 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
     
     /**
      * \brief               This function sets the amount of entropy grabbed on each
    - *                      subsequent reseed.
    + *                      seed or reseed.
      *
      * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
      *
    - * \note                mbedtls_ctr_drbg_seed() always sets the entropy length
    - *                      to #MBEDTLS_CTR_DRBG_ENTROPY_LEN, so this function
    - *                      only has an effect when it is called after
    - *                      mbedtls_ctr_drbg_seed().
    - *
      * \note                The security strength of CTR_DRBG is bounded by the
      *                      entropy length. Thus:
      *                      - When using AES-256
    
  • include/mbedtls/hmac_drbg.h +6 −13 modified
    @@ -139,13 +139,11 @@ void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
      *                      Note that SHA-256 is just as efficient as SHA-224.
      *                      The security strength can be reduced if a smaller
      *                      entropy length is set with
    - *                      mbedtls_hmac_drbg_set_entropy_len() afterwards.
    + *                      mbedtls_hmac_drbg_set_entropy_len().
      *
    - * \note                The entropy length for the initial seeding is
    - *                      the security strength (converted from bits to bytes).
    - *                      You can set a different entropy length for subsequent
    - *                      seeding by calling mbedtls_hmac_drbg_set_entropy_len()
    - *                      after this function.
    + * \note                The default entropy length is the security strength
    + *                      (converted from bits to bytes). You can override
    + *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
      *
      * \note                During the initial seeding, this function calls
      *                      the entropy source to obtain a nonce
    @@ -224,14 +222,9 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
     
     /**
      * \brief               This function sets the amount of entropy grabbed on each
    - *                      reseed.
    + *                      seed or reseed.
      *
    - * The default value is set by mbedtls_hmac_drbg_seed().
    - *
    - * \note                mbedtls_hmac_drbg_seed() always sets the entropy length
    - *                      to the default value based on the chosen MD algorithm,
    - *                      so this function only has an effect if it is called
    - *                      after mbedtls_hmac_drbg_seed().
    + * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
      *
      * \param ctx           The HMAC_DRBG context.
      * \param len           The amount of entropy to grab, in bytes.
    
  • library/ctr_drbg.c +67 −66 modified
    @@ -62,68 +62,6 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
     #endif
     }
     
    -/*
    - * Non-public function wrapped by mbedtls_ctr_drbg_seed(). Necessary to allow
    - * NIST tests to succeed (which require known length fixed entropy)
    - */
    -/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
    - * mbedtls_ctr_drbg_seed_entropy_len(ctx, f_entropy, p_entropy,
    - *                                   custom, len, entropy_len)
    - * implements
    - * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
    - *                      security_strength) -> initial_working_state
    - * with inputs
    - *   custom[:len] = nonce || personalization_string
    - * where entropy_input comes from f_entropy for entropy_len bytes
    - * and with outputs
    - *   ctx = initial_working_state
    - */
    -int mbedtls_ctr_drbg_seed_entropy_len(
    -                   mbedtls_ctr_drbg_context *ctx,
    -                   int (*f_entropy)(void *, unsigned char *, size_t),
    -                   void *p_entropy,
    -                   const unsigned char *custom,
    -                   size_t len,
    -                   size_t entropy_len )
    -{
    -    int ret;
    -    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    -
    -    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
    -
    -    mbedtls_aes_init( &ctx->aes_ctx );
    -
    -    ctx->f_entropy = f_entropy;
    -    ctx->p_entropy = p_entropy;
    -
    -    ctx->entropy_len = entropy_len;
    -    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
    -
    -    /*
    -     * Initialize with an empty key
    -     */
    -    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    -    {
    -        return( ret );
    -    }
    -
    -    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
    -    {
    -        return( ret );
    -    }
    -    return( 0 );
    -}
    -
    -int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
    -                   int (*f_entropy)(void *, unsigned char *, size_t),
    -                   void *p_entropy,
    -                   const unsigned char *custom,
    -                   size_t len )
    -{
    -    return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
    -                                       MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
    -}
    -
     void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
     {
         if( ctx == NULL )
    @@ -427,6 +365,63 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
         return( ret );
     }
     
    +/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
    + * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
    + * implements
    + * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
    + *                      security_strength) -> initial_working_state
    + * with inputs
    + *   custom[:len] = nonce || personalization_string
    + * where entropy_input comes from f_entropy for ctx->entropy_len bytes
    + * and with outputs
    + *   ctx = initial_working_state
    + */
    +int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
    +                           int (*f_entropy)(void *, unsigned char *, size_t),
    +                           void *p_entropy,
    +                           const unsigned char *custom,
    +                           size_t len )
    +{
    +    int ret;
    +    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
    +
    +    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
    +
    +    mbedtls_aes_init( &ctx->aes_ctx );
    +
    +    ctx->f_entropy = f_entropy;
    +    ctx->p_entropy = p_entropy;
    +
    +    if( ctx->entropy_len == 0 )
    +        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
    +    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
    +
    +    /*
    +     * Initialize with an empty key
    +     */
    +    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
    +    {
    +        return( ret );
    +    }
    +
    +    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
    +    {
    +        return( ret );
    +    }
    +    return( 0 );
    +}
    +
    +/* Backward compatibility wrapper */
    +int mbedtls_ctr_drbg_seed_entropy_len(
    +    mbedtls_ctr_drbg_context *ctx,
    +    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
    +    const unsigned char *custom, size_t len,
    +    size_t entropy_len )
    +{
    +    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
    +    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
    +}
    +
     /* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
      * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
      * implements
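Review bot: the new mbedtls_ctr_drbg_seed() treats `ctx->entropy_len == 0` as "use the default" (`if( ctx->entropy_len == 0 ) ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;`), so the entropy length used for the initial seeding now depends on whether mbedtls_ctr_drbg_set_entropy_len() was called between mbedtls_ctr_drbg_init() and mbedtls_ctr_drbg_seed(); calling it after seeding only affects later reseeds, and an explicit 0 silently selects the default instead of being rejected. The block comment above seed() documents the SP 800-90A mapping but not this ordering requirement; state it in the header documentation of both functions so callers don't assume set_entropy_len() takes effect whenever it is called. The old mbedtls_ctr_drbg_seed_entropy_len() removed in the previous hunk stored the value unconditionally (`ctx->entropy_len = entropy_len;`), so the wrapper below changes behaviour for a caller passing 0: it now gets the default length rather than a seed with no entropy input, which is the safer outcome but should be mentioned in the changelog.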
    @@ -678,8 +673,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
             mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
     
         test_offset = 0;
    -    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    -                                (void *) entropy_source_pr, nonce_pers_pr, 16, 32 ) );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    CHK( mbedtls_ctr_drbg_seed( &ctx,
    +                                ctr_drbg_self_test_entropy,
    +                                (void *) entropy_source_pr,
    +                                nonce_pers_pr, 16 ) );
         mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
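Review bot: the PR self-test now calls `mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );` directly before seeding, which only has the intended effect if mbedtls_ctr_drbg_init( &ctx ) already ran on this context, since seed() takes a nonzero entropy_len as "explicitly set"; the init call isn't in this hunk (the NOPR case in the next hunk shows its own), so confirm it precedes this block. The literal 32, repeated in both self-test cases, would also read better as a named constant tied to the entropy-input length of the NIST vectors it reproduces.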
    @@ -699,8 +697,11 @@ int mbedtls_ctr_drbg_self_test( int verbose )
         mbedtls_ctr_drbg_init( &ctx );
     
         test_offset = 0;
    -    CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy,
    -                            (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
    +    CHK( mbedtls_ctr_drbg_seed( &ctx,
    +                                ctr_drbg_self_test_entropy,
    +                                (void *) entropy_source_nopr,
    +                                nonce_pers_nopr, 16 ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
         CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
         CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
    
  • library/hmac_drbg.c  +14 −11  modified
    @@ -273,16 +273,19 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
     
         ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
     
    -    /*
    -     * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
    -     * each hash function, then according to SP800-90A rev1 10.1 table 2,
    -     * min_entropy_len (in bits) is security_strength.
    -     *
    -     * (This also matches the sizes used in the NIST test vectors.)
    -     */
    -    ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
    -                       md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
    -                       32;  /* better (256+) -> 256 bits */
    +    if( ctx->entropy_len == 0 )
    +    {
    +        /*
    +         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
    +         * each hash function, then according to SP800-90A rev1 10.1 table 2,
    +         * min_entropy_len (in bits) is security_strength.
    +         *
    +         * (This also matches the sizes used in the NIST test vectors.)
    +         */
    +        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
    +                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
    +                           32;  /* better (256+) -> 256 bits */
    +    }
     
         if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
                                            1 /* add nonce */ ) ) != 0 )
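Review bot: wrapping the hash-derived default in `if( ctx->entropy_len == 0 )` means a length set with mbedtls_hmac_drbg_set_entropy_len() before mbedtls_hmac_drbg_seed() is now honoured instead of overwritten, but nothing checks it against the minimum the retained comment describes (security_strength per SP800-90A rev1 10.1 table 2), so a caller setting a value below the md_size-derived minimum weakens the DRBG without any error; either validate entropy_len against that minimum here or document the requirement on the setter. This diff updates test_suite_ctr_drbg.function for the equivalent CTR_DRBG path but adds no HMAC_DRBG test covering set_entropy_len() before seed().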
    @@ -303,7 +306,7 @@ void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx
     }
     
     /*
    - * Set entropy length grabbed for reseeds
    + * Set entropy length grabbed for seeding
      */
     void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
     {
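Review bot: "grabbed for seeding" is narrower than what the setter now controls; the length is consumed by mbedtls_hmac_drbg_seed() (previous hunk) and, as the old wording said, by reseeds, so "for the initial seeding and for reseeds" would describe both uses and avoid suggesting the reseed behaviour changed.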
    
  • programs/test/benchmark.c  +2 −1  modified
    @@ -674,12 +674,13 @@ int main( int argc, char *argv[] )
             mbedtls_ctr_drbg_context ctr_drbg;
     
             mbedtls_ctr_drbg_init( &ctr_drbg );
    -
             if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
                 mbedtls_exit(1);
             TIME_AND_TSC( "CTR_DRBG (NOPR)",
                     mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
    +        mbedtls_ctr_drbg_free( &ctr_drbg );
     
    +        mbedtls_ctr_drbg_init( &ctr_drbg );
             if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
                 mbedtls_exit(1);
             mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
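Review bot: freeing and re-initialising ctr_drbg between the NOPR and PR runs is the right fix now that mbedtls_ctr_drbg_seed() reads state already on the context, but the PR run has no matching mbedtls_ctr_drbg_free() in this hunk, and both `mbedtls_exit(1)` error paths leave the context un-freed; add the trailing free (and a free before each exit) so the DRBG state is zeroized on every path, matching the pattern just introduced for the NOPR run.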
    
  • tests/scripts/mbedtls_test.py  +4 −1  modified
    @@ -310,7 +310,10 @@ def run_test(self, name, function_id, dependencies, args):
     
             param_bytes, length = self.test_vector_to_bytes(function_id,
                                                             dependencies, args)
    -        self.send_kv(''.join('{:02x}'.format(x) for x in length), ''.join('{:02x}'.format(x) for x in param_bytes))
    +        self.send_kv(
    +            ''.join('{:02x}'.format(x) for x in length),
    +            ''.join('{:02x}'.format(x) for x in param_bytes)
    +        )
     
         @staticmethod
         def get_result(value):
    
  • tests/suites/test_suite_ctr_drbg.function  +3 −3  modified
    @@ -44,11 +44,11 @@ static void ctr_drbg_validate_internal( int reseed_mode, data_t * nonce,
     
         /* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)
          * where nonce||perso = nonce[nonce->len] */
    -    TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len(
    +    mbedtls_ctr_drbg_set_entropy_len( &ctx, entropy_chunk_len );
    +    TEST_ASSERT( mbedtls_ctr_drbg_seed(
                          &ctx,
                          mbedtls_test_entropy_func, entropy->x,
    -                     nonce->x, nonce->len,
    -                     entropy_chunk_len ) == 0 );
    +                     nonce->x, nonce->len ) == 0 );
         if( reseed_mode == RESEED_ALWAYS )
             mbedtls_ctr_drbg_set_prediction_resistance(
                 &ctx,
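Review bot: the comment above the call (`CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, <ignored>)`) still describes the old signature; now that entropy_chunk_len is supplied through mbedtls_ctr_drbg_set_entropy_len() rather than as an argument, the comment should say that the entropy input is read entropy_chunk_len bytes at a time as configured by that setter, otherwise a reader cannot tell from the comment where the chunk length comes from or why set_entropy_len() must precede seed().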
    
  • tests/suites/test_suite_memory_buffer_alloc.data  +3 −3  modified
    @@ -16,8 +16,8 @@ memory_buffer_alloc_free_alloc:100:64:100:100:0:0:0:1:200:0
     Memory buffer alloc - Out of Memory test
     memory_buffer_alloc_oom_test:
     
    -Memory buffer small buffer
    -memory_buffer_small_buffer:
    +Memory buffer: heap too small (header verification should fail)
    +memory_buffer_heap_too_small:
     
    -Memory buffer underalloc
    +Memory buffer: attempt to allocate SIZE_MAX
     memory_buffer_underalloc:
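Review bot: the description now reads "attempt to allocate SIZE_MAX" while the test function keeps the name memory_buffer_underalloc, which no longer says what the case checks; rename the function in the .function file the way memory_buffer_small_buffer became memory_buffer_heap_too_small so the two stay in sync.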
    
  • tests/suites/test_suite_memory_buffer_alloc.function  +24 −6  modified
    @@ -29,7 +29,7 @@ void mbedtls_memory_buffer_alloc_self_test(  )
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    +/* BEGIN_CASE */
     void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
                                          int d_bytes, int free_a, int free_b,
                                          int free_c, int free_d, int e_bytes,
    @@ -39,8 +39,11 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
         unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL, *ptr_d = NULL,
                         *ptr_e = NULL, *ptr_f = NULL;
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         size_t reported_blocks;
    -    size_t allocated_bytes = 0, reported_bytes;
    +    size_t reported_bytes;
    +#endif
    +    size_t allocated_bytes = 0;
     
         mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
     
    @@ -78,8 +81,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             allocated_bytes += d_bytes * sizeof(char);
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == allocated_bytes );
    +#endif
     
         if( free_a )
         {
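Review bot: under MBEDTLS_MEMORY_DEBUG, `reported_blocks` is written by every mbedtls_memory_buffer_alloc_cur_get() call in this function but never asserted on; only `reported_bytes` is compared to allocated_bytes. Either assert the expected block count alongside the byte count, which would catch a leaked or double-counted block that happens to leave the byte total right, or drop the variable so the guarded declarations added in the earlier hunk don't carry dead state.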
    @@ -117,8 +122,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             allocated_bytes -= d_bytes * sizeof(char);
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == allocated_bytes );
    +#endif
     
         if( e_bytes > 0 )
         {
    @@ -178,8 +185,10 @@ void memory_buffer_alloc_free_alloc( int a_bytes, int b_bytes, int c_bytes,
             ptr_f = NULL;
         }
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == 0 );
    +#endif
     
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    @@ -188,12 +197,14 @@ exit:
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    +/* BEGIN_CASE */
     void memory_buffer_alloc_oom_test(  )
     {
         unsigned char buf[1024];
         unsigned char *ptr_a = NULL, *ptr_b = NULL, *ptr_c = NULL;
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         size_t reported_blocks, reported_bytes;
    +#endif
     
         (void)ptr_c;
     
    @@ -210,8 +221,10 @@ void memory_buffer_alloc_oom_test(  )
         ptr_c = mbedtls_calloc( 431, sizeof(char) );
         TEST_ASSERT( ptr_c == NULL );
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes >= 864 && reported_bytes <= sizeof(buf) );
    +#endif
     
         mbedtls_free( ptr_a );
         ptr_a = NULL;
    @@ -221,8 +234,10 @@ void memory_buffer_alloc_oom_test(  )
         ptr_b = NULL;
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    +#if defined(MBEDTLS_MEMORY_DEBUG)
         mbedtls_memory_buffer_alloc_cur_get( &reported_bytes, &reported_blocks );
         TEST_ASSERT( reported_bytes == 0 );
    +#endif
     
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
     
    @@ -231,17 +246,20 @@ exit:
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    -void memory_buffer_small_buffer( )
    +/* BEGIN_CASE */
    +void memory_buffer_heap_too_small( )
     {
         unsigned char buf[1];
     
         mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
    +    /* With MBEDTLS_MEMORY_DEBUG enabled, this prints a message
    +     * "FATAL: verification of first header failed".
    +     */
         TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() != 0 );
     }
     /* END_CASE */
     
    -/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
    +/* BEGIN_CASE */
     void memory_buffer_underalloc( )
     {
         unsigned char buf[100];
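Review bot: dropping `depends_on:MBEDTLS_MEMORY_DEBUG` makes memory_buffer_heap_too_small and memory_buffer_underalloc run in non-debug builds, which is good coverage, and the added comment explains the "FATAL: verification of first header failed" message; however, memory_buffer_heap_too_small initialises the allocator on a 1-byte buffer and never calls mbedtls_memory_buffer_alloc_free() afterwards, so unless the harness resets the allocator a following case starts from a broken heap. Add the free at the end of the case (the same applies to the underalloc case if its body, not shown here, doesn't free).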
    
a337167543d9

Merge pull request #342 from Patater/reseed-counter-value-comment

https://github.com/armmbed/mbed-crypto · Jaeden Amero · Jan 10, 2020 · via osv
1 file changed · +3 −1
  • include/mbedtls/ctr_drbg.h  +3 −1  modified
    @@ -177,7 +177,9 @@ typedef struct mbedtls_ctr_drbg_context
                                      * minus one.
                                      * Before the initial seeding, this field
                                      * contains the amount of entropy in bytes
    -                                 * to use as a nonce for the initial seeding.
    +                                 * to use as a nonce for the initial seeding,
    +                                 * or -1 if no nonce length has been explicitly
    +                                 * set (see mbedtls_ctr_drbg_set_nonce_len()).
                                      */
         int prediction_resistance;  /*!< This determines whether prediction
                                          resistance is enabled, that is
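Review bot: the new wording overloads the reseed counter field with a second meaning before seeding and introduces -1 as the "no nonce length set" sentinel, while ctr_drbg.c (earlier commit) uses 0 as the "not set" sentinel for entropy_len; two different sentinels for sibling settings are easy to confuse. Give the -1 value a named macro referenced from both this comment and mbedtls_ctr_drbg_set_nonce_len(), and say here what mbedtls_ctr_drbg_seed() does when it finds -1, since a reader of the header currently has to go to the setter's documentation to find out.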
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
