Conversation
- rand: auto-seed - health-tests: health tests for entropy - hmac: incremental API - hmac: wycheproof tests
This reverts commit 248f96d.
| } | ||
|
|
||
| mod impl_hacl; | ||
| mod incremental; |
There was a problem hiding this comment.
We should update the docs around this new, not yet verified version.
There was a problem hiding this comment.
Should include a changelog entry, too.
There was a problem hiding this comment.
The changelog entry should be under an ### Added heading. (We started doing a bit more fine-grained tracking of the change categories at some point, but didn't adapt do the categorization for earlier versions retroactively.)
| libcrux-secrets = { version = "=0.0.5", path = "crates/utils/secrets" } | ||
|
|
||
| # 3rd Party | ||
| rand = { version = "0.9", default-features = false } |
There was a problem hiding this comment.
We may bump to 0.10 before merging this and need to update here then as well.
There was a problem hiding this comment.
I've updated the dependabot PR for this here: #1385
jschneider-bensch
left a comment
jschneider-bensch
left a comment
There was a problem hiding this comment.
Just some initial comments on docs, will give it a more thorough review later.
| /// [`HmacDrbg::generate`]: crate::HmacDrbg::generate | ||
| #[derive(Debug, PartialEq)] | ||
| pub enum GenerateError { | ||
| /// The reseed counter has exceeded [`RESEED_INTERVAL`]; call `reseed` before generating. |
There was a problem hiding this comment.
| /// The reseed counter has exceeded [`RESEED_INTERVAL`]; call `reseed` before generating. | |
| /// The reseed counter has exceeded [`RESEED_INTERVAL`](crate::RESEED_INTERVAL); call `reseed` before generating. |
| /// The reseed counter has exceeded [`RESEED_INTERVAL`]; call `reseed` before generating. | ||
| ReseedRequired, | ||
|
|
||
| /// The requested output length is zero or exceeds [`MAX_GENERATE_BYTES`]. |
There was a problem hiding this comment.
| /// The requested output length is zero or exceeds [`MAX_GENERATE_BYTES`]. | |
| /// The requested output length is zero or exceeds [`MAX_GENERATE_BYTES`](crate::MAX_GENERATE_BYTES). |
| /// `V ≠ V_old`; equality signals a catastrophic HMAC fixed-point. | ||
| /// - **Inter-call / T4** (AIS 20/31): each new block must differ from the last | ||
| /// block of the previous `generate` call. | ||
| /// - **RCT** (SP 800-90B §4.4.1): no run of ≥ [`RCT_C`] identical bytes. |
There was a problem hiding this comment.
The doc links here are broken if the health-tests feature is not enabled.
jschneider-bensch
left a comment
jschneider-bensch
left a comment
There was a problem hiding this comment.
Still didn't look too closely at the health checks yet, but have enough comments on the rest.
| /// Requesting more returns [`GenerateError::RequestTooLarge`]. | ||
| pub const MAX_GENERATE_BYTES: usize = 65_536; | ||
|
|
||
| /// Minimum entropy input length in bytes (SP 800-90A Table 2: security strength). |
There was a problem hiding this comment.
Should we reference Table 1 here as well? That is where the justification is that a maximum designed security strength of 256 bits allows for instantiating all the lower security strengths as well. I found it a bit confusing since the concrete number stated here is not found in Table 2, which instead references another recommendation document for the security strength.
|
|
||
| /// Instantiate an HMAC_DRBG from explicit entropy material (SP 800-90A §10.1.2.3). | ||
| /// | ||
| /// - `entropy_input`: must contain at least [`MIN_ENTROPY_BYTES`] bytes of entropy. |
There was a problem hiding this comment.
We do check the length of the provided entropy with the health-tests feature, but should we maybe do it in any case since it's relatively inexpensive?
I see that we don't have Error variants for these checks conditions failing outside of the health-tests feature...
There was a problem hiding this comment.
I was thinking about this as well. This is how it's done in the standard and it was given to me like this by @franziskuskiefer, so I decided against changing it. I liked that the health check error was so opaque and didn't want to open it up. Maybe we can add the check to only run if we don't do the health checks? Then we only need the additional error variant in that case, and the error variants don't overlap.
We'll have to do the same changes in Reseed.
There was a problem hiding this comment.
yeah sounds reasonable to me.
| for b in self.v.iter_mut() { | ||
| unsafe { core::ptr::write_volatile(b, 0) }; | ||
| } | ||
| atomic::compiler_fence(atomic::Ordering::SeqCst); |
There was a problem hiding this comment.
For my understanding: What's the purpose of this atomic::compiler_fence here?
There was a problem hiding this comment.
It tells the compiler to not move a read before the zeroization when it reorders for optimization.
I think.
There was a problem hiding this comment.
I'm not sure about the reasoning here. From the documentation for std::sync::atomic::compiler_fence I understand that it applies to intra-thread synchronization only and for this to work the read/write operations should be atomic ones. But as far as I can tell we don't do any atomic reads. The write_volatile is guaranteed to not to be re-ordered wrt to other externally observable events but can not be considered atomic.
@franziskuskiefer What are the requirements for zeroization here?
There was a problem hiding this comment.
This is stupid zeroization. I'd be totally fine with dropping this here, or moving into a separate crate to allow zerization across crates at some point.
|
|
||
| /// Block-level tests run on each generated V block. | ||
| /// | ||
| /// - **Test 1** (NIST 800-90C §9.3.3): `new_block ≠ v_before` (HMAC fixed-point). |
There was a problem hiding this comment.
Is that reference correct? I can't find section 9.3.3 in NIST SP-800-90C.
There was a problem hiding this comment.
It also is not in SP-800-90Ar1, or in the Health Test section of that document. Not sure where that came from.
There was a problem hiding this comment.
@franziskuskiefer I think you added this. Do you remember?
There was a problem hiding this comment.
Oh, that looks hallucinated. 800-90A §10.1.2 may be more appropriate here.
There was a problem hiding this comment.
That's the thing. I can't find the check anywhere in the document.Not in 10.1.2 and not in 11.3.
| } | ||
|
|
||
| mod impl_hacl; | ||
| mod incremental; |
There was a problem hiding this comment.
Should include a changelog entry, too.
jschneider-bensch
added
the
waiting-on-author
|
How do you all feel about renaming the crate and module to hmac_drbg? It seems DRBG would be the scheme/primitive, but the construction we put into the algorithms folder is HMAC_DRBG. |
That sounds reasonable 👍 |
…l enum variant also conditional
github-actions
Bot
dismissed stale reviews from jschneider-bensch and jschneider-bensch
Review re-requested
|
@keks Are the remaining comments all related to health tests? If so, we could also address those in a follow up. |
3 participants
This PR adds a DRBG and a wrapper that allows it to implement rand::CryptoRng.