1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
/* BEGIN_HEADER */
#include <stdint.h>
#include <string.h>
#include <psa/crypto.h>
#include "mbedtls/entropy.h"
#include "entropy_poll.h"
/* Calculating the minimum allowed entropy size in bytes */
#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, \
MBEDTLS_ENTROPY_BLOCK_SIZE)
#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
#include <psa_crypto_its.h>
/* Check the entropy seed file.
*
* \param expected_size Expected size in bytes.
* If 0, the file must not exist.
*
* \retval 1 Either \p expected_size is nonzero and
* the entropy seed file exists and has exactly this size,
* or \p expected_size is zero and the file does not exist.
* \retval 0 Either \p expected_size is nonzero but
* the entropy seed file does not exist or has a different size,
* or \p expected_size is zero but the file exists.
* In this case, the test case is marked as failed.
*
* \note We enforce that the seed is in a specific ITS file.
* This must not change, otherwise we break backward compatibility if
* the library is upgraded on a device with an existing seed.
*/
int check_random_seed_file(size_t expected_size)
{
/* The value of the random seed UID must not change. Otherwise that would
* break upgrades of the library on devices that already contain a seed
* file. If this test assertion fails, you've presumably broken backward
* compatibility! */
TEST_EQUAL(PSA_CRYPTO_ITS_RANDOM_SEED_UID, 0xFFFFFF52);
struct psa_storage_info_t info = { 0, 0 };
psa_status_t status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID,
&info);
if (expected_size == 0) {
TEST_EQUAL(status, PSA_ERROR_DOES_NOT_EXIST);
} else {
TEST_EQUAL(status, PSA_SUCCESS);
TEST_EQUAL(info.size, expected_size);
}
return 1;
exit:
return 0;
}
/* Remove the entropy seed file.
*
* See check_random_seed_file() regarding abstraction boundaries.
*/
psa_status_t remove_seed_file(void)
{
return psa_its_remove(PSA_CRYPTO_ITS_RANDOM_SEED_UID);
}
#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
/* END_HEADER */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
void external_rng_failure_generate()
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE);
psa_set_key_bits(&attributes, 128);
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
uint8_t output[1];
PSA_ASSERT(psa_crypto_init());
PSA_ASSERT(psa_generate_random(output, sizeof(output)));
PSA_ASSERT(psa_generate_key(&attributes, &key));
PSA_ASSERT(psa_destroy_key(key));
mbedtls_test_disable_insecure_external_rng();
TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY,
psa_generate_random(output, sizeof(output)));
TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY,
psa_generate_key(&attributes, &key));
exit:
psa_destroy_key(key);
PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
void external_rng_failure_sign(int key_type, data_t *key_data, int alg,
int input_size_arg)
{
/* This test case is only expected to pass if the signature mechanism
* requires randomness, either because it is a randomized signature
* or because the implementation uses blinding. */
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_type(&attributes, key_type);
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&attributes, alg);
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
size_t input_size = input_size_arg;
uint8_t *input = NULL;
uint8_t *signature = NULL;
size_t signature_size = PSA_SIGNATURE_MAX_SIZE;
size_t signature_length;
TEST_CALLOC(input, input_size);
TEST_CALLOC(signature, signature_size);
PSA_ASSERT(psa_crypto_init());
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
PSA_ASSERT(psa_sign_hash(key, alg,
input, input_size,
signature, signature_size,
&signature_length));
PSA_ASSERT(psa_destroy_key(key));
mbedtls_test_disable_insecure_external_rng();
/* Import the key again, because for RSA Mbed TLS caches blinding values
* in the key object and this could perturb the test. */
PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
&key));
TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY,
psa_sign_hash(key, alg,
input, input_size,
signature, signature_size,
&signature_length));
PSA_ASSERT(psa_destroy_key(key));
exit:
psa_destroy_key(key);
PSA_DONE();
mbedtls_free(input);
mbedtls_free(signature);
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_INJECT_ENTROPY */
void validate_entropy_seed_injection(int seed_length_a,
int expected_status_a,
int seed_length_b,
int expected_status_b)
{
psa_status_t status;
uint8_t output[32] = { 0 };
uint8_t zeros[32] = { 0 };
uint8_t *seed = NULL;
int i;
int seed_size;
if (seed_length_a > seed_length_b) {
seed_size = seed_length_a;
} else {
seed_size = seed_length_b;
}
TEST_CALLOC(seed, seed_size);
/* fill seed with some data */
for (i = 0; i < seed_size; ++i) {
seed[i] = i;
}
status = remove_seed_file();
TEST_ASSERT((status == PSA_SUCCESS) ||
(status == PSA_ERROR_DOES_NOT_EXIST));
if (!check_random_seed_file(0)) {
goto exit;
}
status = mbedtls_psa_inject_entropy(seed, seed_length_a);
TEST_EQUAL(status, expected_status_a);
if (!check_random_seed_file(expected_status_a == PSA_SUCCESS ? seed_length_a :
0)) {
goto exit;
}
status = mbedtls_psa_inject_entropy(seed, seed_length_b);
TEST_EQUAL(status, expected_status_b);
if (!check_random_seed_file(expected_status_a == PSA_SUCCESS ? seed_length_a :
expected_status_b == PSA_SUCCESS ? seed_length_b :
0)) {
goto exit;
}
PSA_ASSERT(psa_crypto_init());
PSA_ASSERT(psa_generate_random(output,
sizeof(output)));
TEST_ASSERT(memcmp(output, zeros, sizeof(output)) != 0);
exit:
mbedtls_free(seed);
PSA_DONE();
mbedtls_test_inject_entropy_restore();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_INJECT_ENTROPY */
void run_entropy_inject_with_crypto_init()
{
psa_status_t status;
size_t i;
uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = { 0 };
/* fill seed with some data */
for (i = 0; i < sizeof(seed); ++i) {
seed[i] = i;
}
status = remove_seed_file();
TEST_ASSERT((status == PSA_SUCCESS) ||
(status == PSA_ERROR_DOES_NOT_EXIST));
if (!check_random_seed_file(0)) {
goto exit;
}
status = mbedtls_psa_inject_entropy(seed, sizeof(seed));
PSA_ASSERT(status);
TEST_ASSERT(check_random_seed_file(sizeof(seed)));
status = remove_seed_file();
TEST_EQUAL(status, PSA_SUCCESS);
if (!check_random_seed_file(0)) {
goto exit;
}
status = psa_crypto_init();
TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_ENTROPY);
status = mbedtls_psa_inject_entropy(seed, sizeof(seed));
PSA_ASSERT(status);
if (!check_random_seed_file(sizeof(seed))) {
goto exit;
}
status = psa_crypto_init();
PSA_ASSERT(status);
PSA_DONE();
/* The seed is written by nv_seed callback functions therefore the injection will fail */
status = mbedtls_psa_inject_entropy(seed, sizeof(seed));
TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED);
exit:
PSA_DONE();
mbedtls_test_inject_entropy_restore();
}
/* END_CASE */
|
