From 13beb100c285a19e7c71cd50cb15ef68662fdc3a Mon Sep 17 00:00:00 2001 From: avolinski Date: Tue, 20 Nov 2018 16:51:49 +0200 Subject: [PATCH] Adjust psa entropy inject tests to take as minimum seed size the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE --- library/psa_crypto.c | 48 +++++++++++++++-- .../suites/test_suite_psa_crypto_entropy.data | 8 +-- .../test_suite_psa_crypto_entropy.function | 54 ++++++++++++------- 3 files changed, 82 insertions(+), 28 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fe73d1d35..cc5532a00 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4227,10 +4227,46 @@ psa_status_t psa_generate_random( uint8_t *output, } #if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) + +/* Support function for error conversion between psa_its error codes to psa crypto */ +static psa_status_t its_to_psa_error( psa_its_status_t ret ) +{ + switch( ret ) + { + case PSA_ITS_SUCCESS: + return( PSA_SUCCESS ); + + case PSA_ITS_ERROR_KEY_NOT_FOUND: + return( PSA_ERROR_EMPTY_SLOT ); + + case PSA_ITS_ERROR_STORAGE_FAILURE: + return( PSA_ERROR_STORAGE_FAILURE ); + + case PSA_ITS_ERROR_INSUFFICIENT_SPACE: + return( PSA_ERROR_INSUFFICIENT_STORAGE ); + + case PSA_ITS_ERROR_INVALID_KEY: + case PSA_PS_ERROR_OFFSET_INVALID: + case PSA_ITS_ERROR_INCORRECT_SIZE: + case PSA_ITS_ERROR_BAD_POINTER: + return( PSA_ERROR_INVALID_ARGUMENT ); + + case PSA_ITS_ERROR_FLAGS_NOT_SUPPORTED: + return( PSA_ERROR_NOT_SUPPORTED ); + + case PSA_ITS_ERROR_WRITE_ONCE: + return( PSA_ERROR_OCCUPIED_SLOT ); + + default: + return( PSA_ERROR_UNKNOWN_ERROR ); + } +} + psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, size_t seed_size ) { psa_status_t status; + psa_its_status_t its_status; struct psa_its_info_t p_info; if( global_data.initialized ) return( PSA_ERROR_NOT_PERMITTED ); @@ -4240,16 +4276,20 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); - if( PSA_ITS_ERROR_KEY_NOT_FOUND == status ) /* No seed exists */ + its_status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); + status = its_to_psa_error( its_status ); + + if( PSA_ITS_ERROR_KEY_NOT_FOUND == its_status ) /* No seed exists */ { - status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + its_status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + status = its_to_psa_error( its_status ); } - else if( PSA_ITS_SUCCESS == status ) + else if( PSA_ITS_SUCCESS == its_status ) { /* You should not be here. Seed needs to be injected only once */ status = PSA_ERROR_NOT_PERMITTED; } + return( status ); } #endif diff --git a/tests/suites/test_suite_psa_crypto_entropy.data b/tests/suites/test_suite_psa_crypto_entropy.data index a2355d50a..61593e9d6 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.data +++ b/tests/suites/test_suite_psa_crypto_entropy.data @@ -1,17 +1,17 @@ PSA validate entropy injection: good, minimum size -validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_ERROR_NOT_PERMITTED +validate_entropy_seed_injection:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: good, max size validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: bad, too big -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_BLOCK_SIZE -validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: before and after crypto_init run_entropy_inject_with_crypto_init: diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function index 4be2c5a34..2c069a9e3 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.function +++ b/tests/suites/test_suite_psa_crypto_entropy.function @@ -6,6 +6,14 @@ #include "mbedtls/entropy.h" #include "mbedtls/entropy_poll.h" +/* MAX value support macro */ +#if !defined(MAX) +#define MAX(a,b) (((a)>(b))?(a):(b)) +#endif + +/* Calculating the minimum allowed entropy size in bytes */ +#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE) + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -26,7 +34,7 @@ void validate_entropy_seed_injection( int seed_length_a, uint8_t *seed = NULL; int i; int seed_size; - if( seed_length_a > seed_length_b) + if( seed_length_a > seed_length_b ) { seed_size = seed_length_a; } @@ -35,23 +43,25 @@ void validate_entropy_seed_injection( int seed_length_a, seed_size = seed_length_b; } ASSERT_ALLOC( seed, seed_size ); - /* fill seed in some data */ - for( i = 0; i < seed_size; ++i) + /* fill seed with some data */ + for( i = 0; i < seed_size; ++i ) { seed[i] = i; } - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); - TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || + ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); status = mbedtls_psa_inject_entropy( seed, seed_length_a ); TEST_ASSERT( status == expected_status_a ); status = mbedtls_psa_inject_entropy( seed, seed_length_b ); TEST_ASSERT( status == expected_status_b ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - TEST_ASSERT( psa_generate_random( output, sizeof( output ) ) == PSA_SUCCESS ); - TEST_ASSERT( memcmp( output , zeros, sizeof( output ) ) != 0 ); + TEST_ASSERT( psa_generate_random( output, + sizeof( output ) ) == PSA_SUCCESS ); + TEST_ASSERT( memcmp( output, zeros, sizeof( output ) ) != 0 ); exit: mbedtls_free( seed ); - psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */ @@ -62,27 +72,31 @@ void run_entropy_inject_with_crypto_init( ) psa_its_status_t its_status; psa_status_t status; int i; - uint8_t seed[MBEDTLS_ENTROPY_BLOCK_SIZE] = {0}; - /* fill seed in some data */ - for( i = 0; i < MBEDTLS_ENTROPY_BLOCK_SIZE; ++i) + uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = { 0 }; + /* fill seed with some data */ + for( i = 0; i < sizeof( seed ); ++i ) { seed[i] = i; } - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); - TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || + ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_SUCCESS ); - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); - TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); - TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); + status = psa_crypto_init( ); + TEST_ASSERT( status == PSA_ERROR_INSUFFICIENT_ENTROPY ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); + TEST_ASSERT( status == PSA_SUCCESS ); + status = psa_crypto_init( ); + TEST_ASSERT( status == PSA_SUCCESS ); mbedtls_psa_crypto_free( ); /* The seed is written by nv_seed callback functions therefore the injection will fail */ - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); exit: - psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */