From f08b3f862408f03f78e30b524d0589446d9234a0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 13 Nov 2020 17:36:48 +0100 Subject: [PATCH] Autonomous random driver: create configuration option Create a configuration option for autonomous random drivers, i.e. PSA crypto drivers that provide a random generator, that have their own entropy source and do not support injecting entropy from another source. This commit only creates the configuration option. Subsequent commits will add the implementation and tests. Signed-off-by: Gilles Peskine --- include/mbedtls/check_config.h | 9 +++++---- include/mbedtls/config.h | 32 +++++++++++++++++++++++++++++++- library/version_features.c | 3 +++ programs/test/query_config.c | 8 ++++++++ scripts/config.py | 1 + 5 files changed, 48 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1ebb7066a..91aaf80dc 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -572,10 +572,11 @@ #error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously" #endif -#if defined(MBEDTLS_PSA_CRYPTO_C) && \ - !( defined(MBEDTLS_CTR_DRBG_C) && \ - defined(MBEDTLS_ENTROPY_C) ) -#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites" +#if defined(MBEDTLS_PSA_CRYPTO_C) && \ + !( ( defined(MBEDTLS_CTR_DRBG_C) && \ + defined(MBEDTLS_ENTROPY_C) ) || \ + defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) ) +#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)" #endif #if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 464b61ee2..02618fbfa 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1337,6 +1337,35 @@ */ //#define MBEDTLS_PSA_CRYPTO_DRIVERS +/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + * + * Make the PSA Crypto module use an external random generator provided + * by a driver, instead of Mbed TLS's entropy and DRBG modules. + * + * If you enable this option, you must supply a type called + * \c mbedtls_psa_external_random_context_t and a function called + * mbedtls_psa_external_get_random() with the following prototype: + * ``` + * psa_status_t mbedtls_psa_external_get_random( + * mbedtls_psa_external_random_context_t *context, + * uint8_t *output, size_t output_size, size_t *output_length); + * ); + * ``` + * The \c context value is initialized to 0 before the first call. + * The function must fill the \c output buffer with \p output_size bytes + * of random data and set \c *output_length to \p output_size. + * + * Requires: MBEDTLS_PSA_CRYPTO_C + * + * \warning If you enable this option, code that uses the PSA cryptography + * interface will not use any of the entropy sources set up for + * the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SEED + * enables. + * + * \note This option is experimental and may be removed without notice. + */ +//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + /** * \def MBEDTLS_PSA_CRYPTO_SPM * @@ -3115,7 +3144,8 @@ * * Module: library/psa_crypto.c * - * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C + * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ #define MBEDTLS_PSA_CRYPTO_C diff --git a/library/version_features.c b/library/version_features.c index 42ccaf954..80f121a0d 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -438,6 +438,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) "MBEDTLS_PSA_CRYPTO_DRIVERS", #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) + "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG", +#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ #if defined(MBEDTLS_PSA_CRYPTO_SPM) "MBEDTLS_PSA_CRYPTO_SPM", #endif /* MBEDTLS_PSA_CRYPTO_SPM */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 1345b11fe..05a953c63 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1224,6 +1224,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) + if( strcmp( "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG ); + return( 0 ); + } +#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ + #if defined(MBEDTLS_PSA_CRYPTO_SPM) if( strcmp( "MBEDTLS_PSA_CRYPTO_SPM", config ) == 0 ) { diff --git a/scripts/config.py b/scripts/config.py index ae0614ae0..b60f93d7d 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -185,6 +185,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper) 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature 'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config + 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # incompatible with USE_PSA_CRYPTO 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM) 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)