From 4d2d4ff9b041a6966db49365ed282a037f995584 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 22 Oct 2019 19:10:33 +0200
Subject: [PATCH] HMAC_DRBG entropy usage: test the exact amount of consumed
 entropy

---
 tests/suites/test_suite_hmac_drbg.function | 35 ++++++++++++++--------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/tests/suites/test_suite_hmac_drbg.function b/tests/suites/test_suite_hmac_drbg.function
index 13bc40062..b526f4313 100644
--- a/tests/suites/test_suite_hmac_drbg.function
+++ b/tests/suites/test_suite_hmac_drbg.function
@@ -37,7 +37,9 @@ void hmac_drbg_entropy_usage( int md_alg )
     const mbedtls_md_info_t *md_info;
     mbedtls_hmac_drbg_context ctx;
     entropy_ctx entropy;
-    size_t last_len, i, reps = 10;
+    size_t i, reps = 10;
+    size_t default_entropy_len;
+    size_t expected_consumed_entropy = 0;
 
     mbedtls_hmac_drbg_init( &ctx );
     memset( buf, 0, sizeof( buf ) );
@@ -48,23 +50,29 @@ void hmac_drbg_entropy_usage( int md_alg )
 
     md_info = mbedtls_md_info_from_type( md_alg );
     TEST_ASSERT( md_info != NULL );
+    if( mbedtls_md_get_size( md_info ) <= 20 )
+        default_entropy_len = 16;
+    else if( mbedtls_md_get_size( md_info ) <= 28 )
+        default_entropy_len = 24;
+    else
+        default_entropy_len = 32;
 
     /* Init must use entropy */
-    last_len = entropy.len;
     TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &entropy,
                                  NULL, 0 ) == 0 );
-    TEST_ASSERT( entropy.len < last_len );
+    /* default_entropy_len of entropy, plus half as much for the nonce */
+    expected_consumed_entropy += default_entropy_len * 3 / 2;
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     /* By default, PR is off and reseed_interval is large,
      * so the next few calls should not use entropy */
-    last_len = entropy.len;
     for( i = 0; i < reps; i++ )
     {
         TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) - 4 ) == 0 );
         TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, out, sizeof( out ) - 4,
                                                 buf, 16 ) == 0 );
     }
-    TEST_ASSERT( entropy.len == last_len );
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     /* While at it, make sure we didn't write past the requested length */
     TEST_ASSERT( out[sizeof( out ) - 4] == 0 );
@@ -76,33 +84,34 @@ void hmac_drbg_entropy_usage( int md_alg )
      * so the next call should reseed */
     mbedtls_hmac_drbg_set_reseed_interval( &ctx, 2 * reps );
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
-    TEST_ASSERT( entropy.len < last_len );
+    expected_consumed_entropy += default_entropy_len;
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     /* The new few calls should not reseed */
-    last_len = entropy.len;
     for( i = 0; i < reps / 2; i++ )
     {
         TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
         TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, out, sizeof( out ) ,
                                                 buf, 16 ) == 0 );
     }
-    TEST_ASSERT( entropy.len == last_len );
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     /* Now enable PR, so the next few calls should all reseed */
     mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
-    TEST_ASSERT( entropy.len < last_len );
+    expected_consumed_entropy += default_entropy_len;
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     /* Finally, check setting entropy_len */
     mbedtls_hmac_drbg_set_entropy_len( &ctx, 42 );
-    last_len = entropy.len;
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
-    TEST_ASSERT( (int) last_len - entropy.len == 42 );
+    expected_consumed_entropy += 42;
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
     mbedtls_hmac_drbg_set_entropy_len( &ctx, 13 );
-    last_len = entropy.len;
     TEST_ASSERT( mbedtls_hmac_drbg_random( &ctx, out, sizeof( out ) ) == 0 );
-    TEST_ASSERT( (int) last_len - entropy.len == 13 );
+    expected_consumed_entropy += 13;
+    TEST_EQUAL( sizeof( buf )  - entropy.len, expected_consumed_entropy );
 
 exit:
     mbedtls_hmac_drbg_free( &ctx );