Add fall-back to hash-based KDF for internal ECP DRBG

The dependency on a DRBG module was perhaps a bit strict for LTS branches, so let's have an option that works with no DRBG when at least one SHA module is present. This changes the internal API of ecp_drbg_seed() by adding the size of the MPI as a parameter. Re-computing the size from the number of limbs doesn't work too well here as we're writing out to a fixed-size buffer and for some curves (P-521) that would round up too much. Using mbedtls_mpi_get_len() is not entirely satisfactory either as it would mean using a variable-length encoding, with could open side channels. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-01-05 22:19:11 +01:00 · 2020-06-16 12:51:42 +02:00 · 2020-06-16 12:51:42 +02:00 · 72177e362b
commit 72177e362b
parent 0defc579d7
3 changed files with 281 additions and 11 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -144,8 +144,11 @@
    defined(MBEDTLS_ECP_ALT) ||             \
    defined(MBEDTLS_CTR_DRBG_C) ||          \
    defined(MBEDTLS_HMAC_DRBG_C) ||         \
+    defined(MBEDTLS_SHA512_C) ||            \
+    defined(MBEDTLS_SHA256_C) ||            \
+    defined(MBEDTLS_SHA1_C) ||              \
    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
-#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#error "MBEDTLS_ECP_C requires a DRBG or SHA module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
 #endif

 #if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)