/* BEGIN_HEADER */ #include #include #include #include "mbedtls/entropy.h" #include "mbedtls/entropy_poll.h" /* Calculating the minimum allowed entropy size in bytes */ #define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, \ MBEDTLS_ENTROPY_BLOCK_SIZE) #if defined(MBEDTLS_PSA_INJECT_ENTROPY) #include /* Check the entropy seed file. * * \param expected_size Expected size in bytes. * If 0, the file must not exist. * * \retval 1 Either \p expected_size is nonzero and * the entropy seed file exists and has exactly this size, * or \p expected_size is zero and the file does not exist. * \retval 0 Either \p expected_size is nonzero but * the entropy seed file does not exist or has a different size, * or \p expected_size is zero but the file exists. * In this case, the test case is marked as failed. * * \note We enforce that the seed is in a specific ITS file. * This must not change, otherwise we break backward compatibility if * the library is upgraded on a device with an existing seed. */ int check_random_seed_file(size_t expected_size) { /* The value of the random seed UID must not change. Otherwise that would * break upgrades of the library on devices that already contain a seed * file. If this test assertion fails, you've presumably broken backward * compatibility! */ TEST_EQUAL(PSA_CRYPTO_ITS_RANDOM_SEED_UID, 0xFFFFFF52); struct psa_storage_info_t info = { 0, 0 }; psa_status_t status = psa_its_get_info(PSA_CRYPTO_ITS_RANDOM_SEED_UID, &info); if (expected_size == 0) { TEST_EQUAL(status, PSA_ERROR_DOES_NOT_EXIST); } else { TEST_EQUAL(status, PSA_SUCCESS); TEST_EQUAL(info.size, expected_size); } return 1; exit: return 0; } /* Remove the entropy seed file. * * See check_random_seed_file() regarding abstraction boundaries. */ psa_status_t remove_seed_file(void) { return psa_its_remove(PSA_CRYPTO_ITS_RANDOM_SEED_UID); } #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ /* END_HEADER */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ void external_rng_failure_generate() { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_type(&attributes, PSA_KEY_TYPE_DERIVE); psa_set_key_bits(&attributes, 128); mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; uint8_t output[1]; PSA_ASSERT(psa_crypto_init()); PSA_ASSERT(psa_generate_random(output, sizeof(output))); PSA_ASSERT(psa_generate_key(&attributes, &key)); PSA_ASSERT(psa_destroy_key(key)); mbedtls_test_disable_insecure_external_rng(); TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY, psa_generate_random(output, sizeof(output))); TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY, psa_generate_key(&attributes, &key)); exit: psa_destroy_key(key); PSA_DONE(); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ void external_rng_failure_sign(int key_type, data_t *key_data, int alg, int input_size_arg) { /* This test case is only expected to pass if the signature mechanism * requires randomness, either because it is a randomized signature * or because the implementation uses blinding. */ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_type(&attributes, key_type); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); psa_set_key_algorithm(&attributes, alg); mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; size_t input_size = input_size_arg; uint8_t *input = NULL; uint8_t *signature = NULL; size_t signature_size = PSA_SIGNATURE_MAX_SIZE; size_t signature_length; TEST_CALLOC(input, input_size); TEST_CALLOC(signature, signature_size); PSA_ASSERT(psa_crypto_init()); PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); PSA_ASSERT(psa_sign_hash(key, alg, input, input_size, signature, signature_size, &signature_length)); PSA_ASSERT(psa_destroy_key(key)); mbedtls_test_disable_insecure_external_rng(); /* Import the key again, because for RSA Mbed TLS caches blinding values * in the key object and this could perturb the test. */ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key)); TEST_EQUAL(PSA_ERROR_INSUFFICIENT_ENTROPY, psa_sign_hash(key, alg, input, input_size, signature, signature_size, &signature_length)); PSA_ASSERT(psa_destroy_key(key)); exit: psa_destroy_key(key); PSA_DONE(); mbedtls_free(input); mbedtls_free(signature); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_INJECT_ENTROPY */ void validate_entropy_seed_injection(int seed_length_a, int expected_status_a, int seed_length_b, int expected_status_b) { psa_status_t status; uint8_t output[32] = { 0 }; uint8_t zeros[32] = { 0 }; uint8_t *seed = NULL; int i; int seed_size; if (seed_length_a > seed_length_b) { seed_size = seed_length_a; } else { seed_size = seed_length_b; } TEST_CALLOC(seed, seed_size); /* fill seed with some data */ for (i = 0; i < seed_size; ++i) { seed[i] = i; } status = remove_seed_file(); TEST_ASSERT((status == PSA_SUCCESS) || (status == PSA_ERROR_DOES_NOT_EXIST)); if (!check_random_seed_file(0)) { goto exit; } status = mbedtls_psa_inject_entropy(seed, seed_length_a); TEST_EQUAL(status, expected_status_a); if (!check_random_seed_file(expected_status_a == PSA_SUCCESS ? seed_length_a : 0)) { goto exit; } status = mbedtls_psa_inject_entropy(seed, seed_length_b); TEST_EQUAL(status, expected_status_b); if (!check_random_seed_file(expected_status_a == PSA_SUCCESS ? seed_length_a : expected_status_b == PSA_SUCCESS ? seed_length_b : 0)) { goto exit; } PSA_ASSERT(psa_crypto_init()); PSA_ASSERT(psa_generate_random(output, sizeof(output))); TEST_ASSERT(memcmp(output, zeros, sizeof(output)) != 0); exit: mbedtls_free(seed); PSA_DONE(); mbedtls_test_inject_entropy_restore(); } /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_INJECT_ENTROPY */ void run_entropy_inject_with_crypto_init() { psa_status_t status; size_t i; uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = { 0 }; /* fill seed with some data */ for (i = 0; i < sizeof(seed); ++i) { seed[i] = i; } status = remove_seed_file(); TEST_ASSERT((status == PSA_SUCCESS) || (status == PSA_ERROR_DOES_NOT_EXIST)); if (!check_random_seed_file(0)) { goto exit; } status = mbedtls_psa_inject_entropy(seed, sizeof(seed)); PSA_ASSERT(status); TEST_ASSERT(check_random_seed_file(sizeof(seed))); status = remove_seed_file(); TEST_EQUAL(status, PSA_SUCCESS); if (!check_random_seed_file(0)) { goto exit; } status = psa_crypto_init(); TEST_EQUAL(status, PSA_ERROR_INSUFFICIENT_ENTROPY); status = mbedtls_psa_inject_entropy(seed, sizeof(seed)); PSA_ASSERT(status); if (!check_random_seed_file(sizeof(seed))) { goto exit; } status = psa_crypto_init(); PSA_ASSERT(status); PSA_DONE(); /* The seed is written by nv_seed callback functions therefore the injection will fail */ status = mbedtls_psa_inject_entropy(seed, sizeof(seed)); TEST_EQUAL(status, PSA_ERROR_NOT_PERMITTED); exit: PSA_DONE(); mbedtls_test_inject_entropy_restore(); } /* END_CASE */