From 2bcd312cda2f1eafaf827ae389963f2591d8f043 Mon Sep 17 00:00:00 2001 From: Netanel Gonen Date: Mon, 19 Nov 2018 11:53:02 +0200 Subject: [PATCH 01/11] Add entropy injection function to psa cripto APIs --- include/psa/crypto_extra.h | 27 +++++++++++++++++++++++++++ library/psa_crypto.c | 29 ++++++++++++++++++++++++++++- 2 files changed, 55 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 2d03f7311..f39f33963 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -34,6 +34,9 @@ extern "C" { #endif +/* UID for secure storage seed */ +#define MBED_RANDOM_SEED_ITS_UID 0xFFFFFF52 + /** * \brief Library deinitialization. * @@ -44,6 +47,30 @@ extern "C" { */ void mbedtls_psa_crypto_free( void ); + +#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) +/** + * \brief Inject initial entropy seed into persistent storage for random capabilities. + * + * \warning This function **can** fail! Callers MUST check the return status. + * + * \note To use this function both mbedtls_nv_seed_read and mbedtls_nv_seed_write + * must be defined. + * + * \param seed[in] Buffer storing the seed value to inject. + * \param seed_size[in] Size of the \p seed buffer. The minimum size of the seed is MBEDTLS_ENTROPY_MIN_PLATFORM + * + * \retval #PSA_SUCCESS + * \retval #PSA_ERROR_INVALID_ARGUMENT + * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval #PSA_ERROR_NOT_PERMITTED + * \retval #PSA_ERROR_BAD_STATE + */ +psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed, + size_t seed_size); + +#endif + #ifdef __cplusplus } #endif diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 58cb73830..77314f2dd 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -69,6 +69,7 @@ #include "mbedtls/ecdh.h" #include "mbedtls/ecp.h" #include "mbedtls/entropy.h" +#include "mbedtls/entropy_poll.h" #include "mbedtls/error.h" #include "mbedtls/gcm.h" #include "mbedtls/md2.h" 
@@ -85,7 +86,9 @@ #include "mbedtls/sha512.h" #include "mbedtls/xtea.h" - +#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) +#include "psa_prot_internal_storage.h" +#endif #define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) ) @@ -4223,6 +4226,30 @@ psa_status_t psa_generate_random( uint8_t *output, return( mbedtls_to_psa_error( ret ) ); } +#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) +psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, + size_t seed_size ) +{ + psa_status_t status; + struct psa_its_info_t p_info; + if( global_data.initialized ) + return( PSA_ERROR_NOT_PERMITTED ); + if( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) || ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + status = psa_its_get_info( MBED_RANDOM_SEED_ITS_UID, &p_info ); + if( PSA_ITS_ERROR_KEY_NOT_FOUND == status ) /* No seed exists */ + { + status = psa_its_set( MBED_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + } + else if( PSA_ITS_SUCCESS == status ) + { + /* You should not be here. Seed needs to be injected only once */ + status = PSA_ERROR_NOT_PERMITTED; + } + return( status ); +} +#endif + psa_status_t psa_generate_key( psa_key_slot_t key, psa_key_type_t type, size_t bits, From 9468bb241c5c4ad9d7353966cb2db93eff540dd5 Mon Sep 17 00:00:00 2001 From: Netanel Gonen Date: Mon, 19 Nov 2018 11:53:55 +0200 Subject: [PATCH 02/11] Add Tests for psa crypto entropy incjection --- tests/CMakeLists.txt | 1 + .../suites/test_suite_psa_crypto_entropy.data | 14 +++ .../test_suite_psa_crypto_entropy.function | 88 +++++++++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 tests/suites/test_suite_psa_crypto_entropy.data create mode 100644 tests/suites/test_suite_psa_crypto_entropy.function diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 34658c8e1..95d60ff31 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
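Review bot: In `mbedtls_psa_inject_entropy`, `p_info` is filled by `psa_its_get_info()` but never read, so any entry already stored under `MBED_RANDOM_SEED_ITS_UID` makes the call return `PSA_ERROR_NOT_PERMITTED` and stays in place as the device seed, even if it is shorter than the minimum this function enforces for new seeds. If a truncated or stale entry is possible on the target storage, compare the stored size against the same bounds and report a distinct error; otherwise say why it is ignored, e.g. `/* Any existing entry counts as an injected seed; its size is validated when the NV seed is read. */` (confirm the read path really does that). `seed` is also handed to `psa_its_set()` without a NULL check, which presumably relies on the storage layer rejecting a bad pointer. The same check-then-write shape is kept when patch 09 rewrites this block around `its_to_psa_error()`.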
@@ -111,6 +111,7 @@ add_test_suite(pkparse) add_test_suite(pkwrite) add_test_suite(poly1305) add_test_suite(psa_crypto) +add_test_suite(psa_crypto_entropy) add_test_suite(psa_crypto_hash) add_test_suite(psa_crypto_metadata) add_test_suite(psa_crypto_persistent_key) diff --git a/tests/suites/test_suite_psa_crypto_entropy.data b/tests/suites/test_suite_psa_crypto_entropy.data new file mode 100644 index 000000000..1fc972aa0 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_entropy.data @@ -0,0 +1,14 @@ +PSA validate entropy injection: good, minimum size +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_ERROR_NOT_PERMITTED + +PSA validate entropy injection: good, max size +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_ERROR_NOT_PERMITTED + +PSA validate entropy injection: bad, too big +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS + +PSA validate entropy injection: bad, too small +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS + +PSA validate entropy injection: before and after crypto_init +run_entropy_inject_with_crypto_init: \ No newline at end of file diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function new file mode 100644 index 000000000..a134abe71 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_entropy.function 
@@ -0,0 +1,88 @@ +/* BEGIN_HEADER */ +#include + +#include "psa/crypto.h" +#include "psa_prot_internal_storage.h" +#include "mbedtls/entropy.h" +#include "mbedtls/entropy_poll.h" + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_ENTROPY_NV_SEED:MBEDTLS_PSA_HAS_ITS_IO:MBEDTLS_PSA_CRYPTO_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void validate_entropy_seed_injection( int seed_length_a, + int expected_status_a, + int seed_length_b, + int expected_status_b ) +{ + psa_its_status_t its_status; + psa_status_t status; + uint8_t output[32] = { 0 }; + uint8_t zeros[32] = { 0 }; + uint8_t *seed = NULL; + int i; + int seed_size; + if( seed_length_a > seed_length_b) + { + seed_size = seed_length_a; + } + else + { + seed_size = seed_length_b; + } + ASSERT_ALLOC( seed, seed_size ); + /* fill seed in some data */ + for( i = 0; i < seed_size; ++i) + { + seed[i] = i; + } + its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); + status = mbedtls_psa_inject_entropy( seed, seed_length_a ); + TEST_ASSERT( status == expected_status_a ); + status = mbedtls_psa_inject_entropy( seed, seed_length_b ); + TEST_ASSERT( status == expected_status_b ); + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + TEST_ASSERT( psa_generate_random( output, sizeof( output ) ) == PSA_SUCCESS ); + TEST_ASSERT( memcmp( output , zeros, sizeof( output ) ) != 0 ); +exit: + mbedtls_free( seed ); + psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void run_entropy_inject_with_crypto_init( ) +{ + psa_its_status_t its_status; + psa_status_t status; + int i; + uint8_t seed[MBEDTLS_ENTROPY_MIN_PLATFORM] = {0}; + /* fill seed in some data */ + for( i = 0; i < MBEDTLS_ENTROPY_MIN_PLATFORM; ++i) + { + seed[i] = i; + } + its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == 
PSA_ITS_ERROR_KEY_NOT_FOUND) ); + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + TEST_ASSERT( status == PSA_SUCCESS ); + its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); + TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); + mbedtls_psa_crypto_free( ); + /* The seed is written by nv_seed callback functions therefore the injection will fail */ + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); +exit: + psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + mbedtls_psa_crypto_free( ); +} +/* END_CASE */ From 212a793217b8356852f54c88d3769df28b970a97 Mon Sep 17 00:00:00 2001 From: Netanel Gonen Date: Mon, 19 Nov 2018 12:19:19 +0200 Subject: [PATCH 03/11] add MBEDTLS_PSA_HAS_ITS_IO to config.h --- include/mbedtls/config.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index c47c4714a..c1619fbad 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1103,6 +1103,16 @@ */ //#define MBEDTLS_ENTROPY_NV_SEED +/** + * \def MBEDTLS_PSA_HAS_ITS_IO + * + * Enable the non-volatile secure storage usage. + * + * This is crucial on systems that do not have a HW TRNG support. + * + */ +//#define MBEDTLS_PSA_HAS_ITS_IO + /** * \def MBEDTLS_MEMORY_DEBUG * From 0338ded2f4183251b6c4a8971087ba998629840f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 15 Nov 2018 18:19:27 +0100 Subject: [PATCH 04/11] Improve documentation of mbedtls_psa_inject_entropy Explain what the function does, why one would use it, how to use it, how to handle its input, and what the status codes mean. --- include/psa/crypto_extra.h | 51 +++++++++++++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 6 deletions(-) 
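Review bot: The success cases in `validate_entropy_seed_injection` say very little about the stored seed: the only post-condition is that 32 bytes from `psa_generate_random()` are not all zero, which could also hold if the seed had been written truncated or was not the source of the output. Reading the entry back from storage between the successful `mbedtls_psa_inject_entropy()` call and `psa_crypto_init()`, and comparing its length and content with `seed`, would pin the behaviour the API promises. For the `PSA_ERROR_INVALID_ARGUMENT` cases it would also help to assert directly that no entry exists afterwards; today that is only implied by the second call succeeding.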
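Review bot: The new `MBEDTLS_PSA_HAS_ITS_IO` description does not say what the option requires or what it actually switches on. In this series it only has an effect together with `MBEDTLS_ENTROPY_NV_SEED` (both are tested in the `#if` around `mbedtls_psa_inject_entropy()`), and enabling it makes `library/psa_crypto.c` include `psa_prot_internal_storage.h`, which the platform has to supply. I would add a line such as `* Requires: MBEDTLS_ENTROPY_NV_SEED to expose mbedtls_psa_inject_entropy().` plus a sentence stating that the integrator must provide the internal storage implementation. The sentence about systems without a HW TRNG should also say that the seed's confidentiality then rests on that storage.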
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index f39f33963..e40a50520 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
@@ -50,21 +50,60 @@ void mbedtls_psa_crypto_free( void ); #if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) /** - * \brief Inject initial entropy seed into persistent storage for random capabilities. + * \brief Inject an initial entropy seed for the random generator. + * + * This function injects data to be used as a seed for the random generator + * used by the PSA Crypto implementation. On devices that lack a trusted + * entropy source (preferably a hardware random number generator), + * the Mbed PSA Crypto implementation uses this value to seed its + * random generator. + * + * On devices without a trusted entropy source, this function must be + * called exactly once in the lifetime of the device. On devices with + * a trusted entropy source, calling this function is optional. + * In all cases, this function may only be called before calling any + * other function in the PSA Crypto API, including psa_crypto_init(). + * + * When this function returns successfully, it populates a file in + * persistent storage. Once the file has been created, this function + * can no longer succeed. + * If any error occurs, the file is not created, and you may call this + * function again after correcting the reason for the error. * * \warning This function **can** fail! Callers MUST check the return status. * - * \note To use this function both mbedtls_nv_seed_read and mbedtls_nv_seed_write - * must be defined. + * \warning If you use this function, you should use it as part of a + * factory provisioning process. The value of the injected seed + * is critical to the security of the device. It must be + * *secret*, *unpredictable* and (statistically) *unique per device*. + * You should be generate it randomly using a cryptographically + * secure random generator seeded from trusted entropy sources. 
+ * You should transmit it securely to the device and ensure + * that its value is not leaked or stored anywhere beyond the + * needs of transmitting it from the point of generation to + * the call of this function, and erase all copies of the value + * once this function returns. * - * \param seed[in] Buffer storing the seed value to inject. - * \param seed_size[in] Size of the \p seed buffer. The minimum size of the seed is MBEDTLS_ENTROPY_MIN_PLATFORM + * This is an Mbed TLS extension. + * + * \param seed[in] Buffer containing the seed value to inject. + * \param seed_size Size of the \p seed buffer. + * The minimum size of the seed is + * #MBEDTLS_ENTROPY_MIN_PLATFORM. * * \retval #PSA_SUCCESS + * The seed value was injected successfully. The random generator + * of the PSA Crypto implementation is now ready for use. + * You may now call psa_crypto_init() and use the PSA Crypto + * implementation. * \retval #PSA_ERROR_INVALID_ARGUMENT + * \p seed_size is not large enough. * \retval #PSA_ERROR_STORAGE_FAILURE + * \retval `PSA_ITS_ERROR_XXX` + * There was a failure reading or writing from storage. * \retval #PSA_ERROR_NOT_PERMITTED - * \retval #PSA_ERROR_BAD_STATE + * The library has already been initialized. It is no longer + * possible to call this function. */ psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed, size_t seed_size); From ee2ffd311bf5496f20d6984eb2f1b0c83390704c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 16 Nov 2018 11:02:49 +0100 Subject: [PATCH 05/11] Document the maximum seed size as well as the minimum --- include/psa/crypto_extra.h | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index e40a50520..c7accd1f9 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h 
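Review bot: The `\retval #PSA_ERROR_NOT_PERMITTED` text only says "The library has already been initialized", but `mbedtls_psa_inject_entropy()` as added in patch 01 returns the same code when a seed entry already exists in storage, so a provisioning tool reading this cannot tell the two situations apart. I would word it as `* The library has already been initialized, or a seed has already been injected.`. The `\retval `PSA_ITS_ERROR_XXX`` entry documents storage-layer codes coming back through a `psa_status_t` return and should be dropped once the mapping from patch 09 is in. Two smaller items: Doxygen expects `\param[in] seed` rather than `\param seed[in]`, and "You should be generate it randomly" should read "You should generate it randomly".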
@@ -50,7 +50,8 @@ void mbedtls_psa_crypto_free( void ); #if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) /** - * \brief Inject an initial entropy seed for the random generator. + * \brief Inject an initial entropy seed for the random generator into + * secure storage. * * This function injects data to be used as a seed for the random generator * used by the PSA Crypto implementation. On devices that lack a trusted @@ -67,8 +68,10 @@ void mbedtls_psa_crypto_free( void ); * When this function returns successfully, it populates a file in * persistent storage. Once the file has been created, this function * can no longer succeed. - * If any error occurs, the file is not created, and you may call this - * function again after correcting the reason for the error. + * + * If any error occurs, this function does not change the system state. + * You can call this function again after correcting the reason for the + * error if possible. * * \warning This function **can** fail! Callers MUST check the return status. * @@ -88,8 +91,9 @@ void mbedtls_psa_crypto_free( void ); * * \param seed[in] Buffer containing the seed value to inject. * \param seed_size Size of the \p seed buffer. - * The minimum size of the seed is - * #MBEDTLS_ENTROPY_MIN_PLATFORM. + * The size of the seed must be + * at least #MBEDTLS_ENTROPY_MIN_PLATFORM bytes + * and at most #MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes. * * \retval #PSA_SUCCESS * The seed value was injected successfully. The random generator @@ -97,7 +101,7 @@ void mbedtls_psa_crypto_free( void ); * You may now call psa_crypto_init() and use the PSA Crypto * implementation. * \retval #PSA_ERROR_INVALID_ARGUMENT - * \p seed_size is not large enough. + * \p seed_size is out of range. * \retval #PSA_ERROR_STORAGE_FAILURE * \retval `PSA_ITS_ERROR_XXX` * There was a failure reading or writing from storage. From 21f37cbbecd955f82854f2291a6e68dfd9183d8a Mon Sep 17 00:00:00 2001 
From: Netanel Gonen Date: Mon, 19 Nov 2018 11:53:55 +0200 Subject: [PATCH 06/11] Add Tests for psa crypto entropy incjection Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option --- include/psa/crypto_extra.h | 6 ++++-- library/psa_crypto.c | 8 ++++++-- library/version_features.c | 3 +++ tests/suites/test_suite_psa_crypto_entropy.data | 9 +++++---- tests/suites/test_suite_psa_crypto_entropy.function | 10 +++++----- 5 files changed, 23 insertions(+), 13 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index c7accd1f9..13134926f 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -91,8 +91,10 @@ void mbedtls_psa_crypto_free( void ); * * \param seed[in] Buffer containing the seed value to inject. * \param seed_size Size of the \p seed buffer. - * The size of the seed must be - * at least #MBEDTLS_ENTROPY_MIN_PLATFORM bytes + * The size of the seed must be equal or larger than any + * of the values defined both in + * #MBEDTLS_ENTROPY_MIN_PLATFORM + * and in the #MBEDTLS_ENTROPY_BLOCK_SIZE defines * and at most #MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes. * * \retval #PSA_SUCCESS diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 77314f2dd..26bea1980 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4234,8 +4234,12 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, struct psa_its_info_t p_info; if( global_data.initialized ) return( PSA_ERROR_NOT_PERMITTED ); - if( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) || ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); + + if( ( ( seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM ) || + ( seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE ) ) || + ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) + return( PSA_ERROR_INVALID_ARGUMENT ); + status = psa_its_get_info( MBED_RANDOM_SEED_ITS_UID, &p_info ); if( PSA_ITS_ERROR_KEY_NOT_FOUND == status ) /* No seed exists */ { 
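Review bot: The lower bound in `mbedtls_psa_inject_entropy()` is now spelled as two separate comparisons (`seed_size < MBEDTLS_ENTROPY_MIN_PLATFORM` and `seed_size < MBEDTLS_ENTROPY_BLOCK_SIZE`) and restated in prose in `crypto_extra.h`; patch 09 then derives it a third time as `MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE` inside the test suite only. Defining that minimum once next to the function declaration and using it in the check, the documentation and the tests would keep the three from drifting apart. A one-line comment above the check saying why the block size matters here would also help, presumably because the NV seed read/write path works on `MBEDTLS_ENTROPY_BLOCK_SIZE` bytes (confirm). The function body starts and ends outside this hunk.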
diff --git a/library/version_features.c b/library/version_features.c index af8149052..590f949f4 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -402,6 +402,9 @@ static const char *features[] = { #if defined(MBEDTLS_ENTROPY_NV_SEED) "MBEDTLS_ENTROPY_NV_SEED", #endif /* MBEDTLS_ENTROPY_NV_SEED */ +#if defined(MBEDTLS_PSA_HAS_ITS_IO) + "MBEDTLS_PSA_HAS_ITS_IO", +#endif /* MBEDTLS_PSA_HAS_ITS_IO */ #if defined(MBEDTLS_MEMORY_DEBUG) "MBEDTLS_MEMORY_DEBUG", #endif /* MBEDTLS_MEMORY_DEBUG */ diff --git a/tests/suites/test_suite_psa_crypto_entropy.data b/tests/suites/test_suite_psa_crypto_entropy.data index 1fc972aa0..bbc056d92 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.data +++ b/tests/suites/test_suite_psa_crypto_entropy.data 
@@ -1,14 +1,15 @@ PSA validate entropy injection: good, minimum size -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_ERROR_NOT_PERMITTED +validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: good, max size validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: bad, too big -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS PSA validate entropy injection: bad, too small -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_MIN_PLATFORM:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS PSA validate entropy injection: before and after crypto_init -run_entropy_inject_with_crypto_init: \ No newline at end of file +run_entropy_inject_with_crypto_init: + diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function index a134abe71..1cb58b9a2 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.function +++ b/tests/suites/test_suite_psa_crypto_entropy.function 
@@ -62,24 +62,24 @@ void run_entropy_inject_with_crypto_init( ) psa_its_status_t its_status; psa_status_t status; int i; - uint8_t seed[MBEDTLS_ENTROPY_MIN_PLATFORM] = {0}; + uint8_t seed[MBEDTLS_ENTROPY_BLOCK_SIZE] = {0}; /* fill seed in some data */ - for( i = 0; i < MBEDTLS_ENTROPY_MIN_PLATFORM; ++i) + for( i = 0; i < MBEDTLS_ENTROPY_BLOCK_SIZE; ++i) { seed[i] = i; } its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); TEST_ASSERT( status == PSA_SUCCESS ); its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); mbedtls_psa_crypto_free( ); /* The seed is written by nv_seed callback functions therefore the injection will fail */ - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_MIN_PLATFORM ); + status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); exit: psa_its_remove(MBED_RANDOM_SEED_ITS_UID); From 4d27c94aee2746a9bce74edab06ed1dadcc707f5 Mon Sep 17 00:00:00 2001 From: avolinski Date: Tue, 20 Nov 2018 15:48:54 +0200 Subject: [PATCH 07/11] Adding testcase for PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM --- tests/suites/test_suite_psa_crypto_entropy.data | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_entropy.data b/tests/suites/test_suite_psa_crypto_entropy.data index bbc056d92..a2355d50a 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.data 
+++ b/tests/suites/test_suite_psa_crypto_entropy.data @@ -7,7 +7,10 @@ validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTL PSA validate entropy injection: bad, too big validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS -PSA validate entropy injection: bad, too small +PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS + +PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_BLOCK_SIZE validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS PSA validate entropy injection: before and after crypto_init From 7cc8229d80110c4664306d6bc728727c035e7858 Mon Sep 17 00:00:00 2001 From: avolinski Date: Tue, 20 Nov 2018 15:52:25 +0200 Subject: [PATCH 08/11] Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID Update mbedtls_psa_inject_entropy function documentation --- include/psa/crypto_extra.h | 12 ++++++------ library/psa_crypto.c | 4 ++-- tests/suites/test_suite_psa_crypto_entropy.function | 10 +++++----- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 13134926f..880e09c24 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -35,7 +35,7 @@ extern "C" { #endif /* UID for secure storage seed */ -#define MBED_RANDOM_SEED_ITS_UID 0xFFFFFF52 +#define MBEDTLS_RANDOM_SEED_ITS_UID 0xFFFFFF52 /** * \brief Library deinitialization. 
@@ -91,11 +91,11 @@ void mbedtls_psa_crypto_free( void ); * * \param seed[in] Buffer containing the seed value to inject. * \param seed_size Size of the \p seed buffer. - * The size of the seed must be equal or larger than any - * of the values defined both in - * #MBEDTLS_ENTROPY_MIN_PLATFORM - * and in the #MBEDTLS_ENTROPY_BLOCK_SIZE defines - * and at most #MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes. + * The size of the seed in bytes must be greater + * or equal to both #MBEDTLS_ENTROPY_MIN_PLATFORM + * and #MBEDTLS_ENTROPY_BLOCK_SIZE. + * It must be less or equal to + * #MBEDTLS_ENTROPY_MAX_SEED_SIZE. * * \retval #PSA_SUCCESS * The seed value was injected successfully. The random generator diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 26bea1980..fe73d1d35 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4240,10 +4240,10 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - status = psa_its_get_info( MBED_RANDOM_SEED_ITS_UID, &p_info ); + status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); if( PSA_ITS_ERROR_KEY_NOT_FOUND == status ) /* No seed exists */ { - status = psa_its_set( MBED_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); } else if( PSA_ITS_SUCCESS == status ) { diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function index 1cb58b9a2..4be2c5a34 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.function +++ b/tests/suites/test_suite_psa_crypto_entropy.function 
@@ -40,7 +40,7 @@ void validate_entropy_seed_injection( int seed_length_a, { seed[i] = i; } - its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); status = mbedtls_psa_inject_entropy( seed, seed_length_a ); TEST_ASSERT( status == expected_status_a ); @@ -51,7 +51,7 @@ void validate_entropy_seed_injection( int seed_length_a, TEST_ASSERT( memcmp( output , zeros, sizeof( output ) ) != 0 ); exit: mbedtls_free( seed ); - psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); mbedtls_psa_crypto_free( ); } /* END_CASE */ @@ -68,11 +68,11 @@ void run_entropy_inject_with_crypto_init( ) { seed[i] = i; } - its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); TEST_ASSERT( status == PSA_SUCCESS ); - its_status = psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); @@ -82,7 +82,7 @@ void run_entropy_inject_with_crypto_init( ) status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); exit: - psa_its_remove(MBED_RANDOM_SEED_ITS_UID); + psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); mbedtls_psa_crypto_free( ); } /* END_CASE */ From 13beb100c285a19e7c71cd50cb15ef68662fdc3a Mon Sep 17 00:00:00 2001 
From: avolinski Date: Tue, 20 Nov 2018 16:51:49 +0200 Subject: [PATCH 09/11] Adjust psa entropy inject tests to take as minimum seed size the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE --- library/psa_crypto.c | 48 +++++++++++++++-- .../suites/test_suite_psa_crypto_entropy.data | 8 +-- .../test_suite_psa_crypto_entropy.function | 54 ++++++++++++------- 3 files changed, 82 insertions(+), 28 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fe73d1d35..cc5532a00 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4227,10 +4227,46 @@ psa_status_t psa_generate_random( uint8_t *output, } #if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) + +/* Support function for error conversion between psa_its error codes to psa crypto */ +static psa_status_t its_to_psa_error( psa_its_status_t ret ) +{ + switch( ret ) + { + case PSA_ITS_SUCCESS: + return( PSA_SUCCESS ); + + case PSA_ITS_ERROR_KEY_NOT_FOUND: + return( PSA_ERROR_EMPTY_SLOT ); + + case PSA_ITS_ERROR_STORAGE_FAILURE: + return( PSA_ERROR_STORAGE_FAILURE ); + + case PSA_ITS_ERROR_INSUFFICIENT_SPACE: + return( PSA_ERROR_INSUFFICIENT_STORAGE ); + + case PSA_ITS_ERROR_INVALID_KEY: + case PSA_PS_ERROR_OFFSET_INVALID: + case PSA_ITS_ERROR_INCORRECT_SIZE: + case PSA_ITS_ERROR_BAD_POINTER: + return( PSA_ERROR_INVALID_ARGUMENT ); + + case PSA_ITS_ERROR_FLAGS_NOT_SUPPORTED: + return( PSA_ERROR_NOT_SUPPORTED ); + + case PSA_ITS_ERROR_WRITE_ONCE: + return( PSA_ERROR_OCCUPIED_SLOT ); + + default: + return( PSA_ERROR_UNKNOWN_ERROR ); + } +} + psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, size_t seed_size ) { psa_status_t status; + psa_its_status_t its_status; struct psa_its_info_t p_info; if( global_data.initialized ) return( PSA_ERROR_NOT_PERMITTED ); 
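Review bot: `its_to_psa_error()` has one case label that does not match its neighbours: `PSA_PS_ERROR_OFFSET_INVALID` sits among `PSA_ITS_ERROR_*` values. If that is really how `psa_prot_internal_storage.h` spells it, a short comment (`/* sic: named PSA_PS_ in the storage header */`) would stop a later reader from "fixing" it; if not, it is a typo that only compiles by accident. With this mapping in place, the `\retval `PSA_ITS_ERROR_XXX`` line added to `crypto_extra.h` in patch 04 is no longer accurate, and the header should list what callers can now receive, including `PSA_ERROR_INSUFFICIENT_STORAGE`, `PSA_ERROR_NOT_SUPPORTED`, `PSA_ERROR_OCCUPIED_SLOT` and `PSA_ERROR_UNKNOWN_ERROR`. `mbedtls_psa_inject_entropy()` continues past the end of this hunk.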
@@ -4240,16 +4276,20 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); - if( PSA_ITS_ERROR_KEY_NOT_FOUND == status ) /* No seed exists */ + its_status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); + status = its_to_psa_error( its_status ); + + if( PSA_ITS_ERROR_KEY_NOT_FOUND == its_status ) /* No seed exists */ { - status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + its_status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + status = its_to_psa_error( its_status ); } - else if( PSA_ITS_SUCCESS == status ) + else if( PSA_ITS_SUCCESS == its_status ) { /* You should not be here. Seed needs to be injected only once */ status = PSA_ERROR_NOT_PERMITTED; } + return( status ); } #endif diff --git a/tests/suites/test_suite_psa_crypto_entropy.data b/tests/suites/test_suite_psa_crypto_entropy.data index a2355d50a..61593e9d6 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.data +++ b/tests/suites/test_suite_psa_crypto_entropy.data 
@@ -1,17 +1,17 @@ PSA validate entropy injection: good, minimum size -validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_ERROR_NOT_PERMITTED +validate_entropy_seed_injection:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: good, max size validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_SUCCESS:MBEDTLS_ENTROPY_MAX_SEED_SIZE:PSA_ERROR_NOT_PERMITTED PSA validate entropy injection: bad, too big -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MAX_SEED_SIZE+1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_MIN_PLATFORM -validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_MIN_PLATFORM-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: bad, too small using MBEDTLS_ENTROPY_BLOCK_SIZE -validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_ENTROPY_BLOCK_SIZE:PSA_SUCCESS +validate_entropy_seed_injection:MBEDTLS_ENTROPY_BLOCK_SIZE-1:PSA_ERROR_INVALID_ARGUMENT:MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE:PSA_SUCCESS PSA validate entropy injection: before and after crypto_init run_entropy_inject_with_crypto_init: diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function index 4be2c5a34..2c069a9e3 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.function +++ b/tests/suites/test_suite_psa_crypto_entropy.function 
@@ -6,6 +6,14 @@ #include "mbedtls/entropy.h" #include "mbedtls/entropy_poll.h" +/* MAX value support macro */ +#if !defined(MAX) +#define MAX(a,b) (((a)>(b))?(a):(b)) +#endif + +/* Calculating the minimum allowed entropy size in bytes */ +#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE) + /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -26,7 +34,7 @@ void validate_entropy_seed_injection( int seed_length_a, uint8_t *seed = NULL; int i; int seed_size; - if( seed_length_a > seed_length_b) + if( seed_length_a > seed_length_b ) { seed_size = seed_length_a; } @@ -35,23 +43,25 @@ void validate_entropy_seed_injection( int seed_length_a, seed_size = seed_length_b; } ASSERT_ALLOC( seed, seed_size ); - /* fill seed in some data */ - for( i = 0; i < seed_size; ++i) + /* fill seed with some data */ + for( i = 0; i < seed_size; ++i ) { seed[i] = i; } - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); - TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || + ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); status = mbedtls_psa_inject_entropy( seed, seed_length_a ); TEST_ASSERT( status == expected_status_a ); status = mbedtls_psa_inject_entropy( seed, seed_length_b ); TEST_ASSERT( status == expected_status_b ); TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - TEST_ASSERT( psa_generate_random( output, sizeof( output ) ) == PSA_SUCCESS ); - TEST_ASSERT( memcmp( output , zeros, sizeof( output ) ) != 0 ); + TEST_ASSERT( psa_generate_random( output, + sizeof( output ) ) == PSA_SUCCESS ); + TEST_ASSERT( memcmp( output, zeros, sizeof( output ) ) != 0 ); exit: mbedtls_free( seed ); - psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */ 
@@ -62,27 +72,31 @@ void run_entropy_inject_with_crypto_init( ) psa_its_status_t its_status; psa_status_t status; int i; - uint8_t seed[MBEDTLS_ENTROPY_BLOCK_SIZE] = {0}; - /* fill seed in some data */ - for( i = 0; i < MBEDTLS_ENTROPY_BLOCK_SIZE; ++i) + uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = { 0 }; + /* fill seed with some data */ + for( i = 0; i < sizeof( seed ); ++i ) { seed[i] = i; } - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); - TEST_ASSERT( (its_status == PSA_ITS_SUCCESS) || (its_status == PSA_ITS_ERROR_KEY_NOT_FOUND) ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || + ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_SUCCESS ); - its_status = psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); - TEST_ASSERT( psa_crypto_init( ) == PSA_SUCCESS ); - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); - TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); + status = psa_crypto_init( ); + TEST_ASSERT( status == PSA_ERROR_INSUFFICIENT_ENTROPY ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); + TEST_ASSERT( status == PSA_SUCCESS ); + status = psa_crypto_init( ); + TEST_ASSERT( status == PSA_SUCCESS ); mbedtls_psa_crypto_free( ); /* The seed is written by nv_seed callback functions therefore the injection will fail */ - status = mbedtls_psa_inject_entropy( seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); + status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); exit: - psa_its_remove(MBEDTLS_RANDOM_SEED_ITS_UID); + psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */ 
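Review bot: In the fill loop of `run_entropy_inject_with_crypto_init`, `i < sizeof( seed )` now compares the `int i` declared just above with a `size_t`, a signed/unsigned comparison that builds with `-Wsign-compare` will flag. Declaring `size_t i;` keeps the bound tied to the array without the mixed comparison. The new sequence also appears to rely on a failed `psa_crypto_init( )` leaving the library uninitialised, since the injection that follows is expected to succeed, and nothing in the test says so. A comment before the first `psa_crypto_init( )` would record that, for example `/* No seed in storage: init must fail and must not leave the library marked initialized */`. The function's signature and opening brace are above the hunk.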
From 1c66205df6ea46070adfb09a6490fc91c6e9a5b4 Mon Sep 17 00:00:00 2001 From: avolinski Date: Wed, 21 Nov 2018 16:54:09 +0200 Subject: [PATCH 10/11] Remove trailing space in psa_crypto.c --- library/psa_crypto.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index cc5532a00..9c85b7ce3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4289,7 +4289,6 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, /* You should not be here. Seed needs to be injected only once */ status = PSA_ERROR_NOT_PERMITTED; } - return( status ); } #endif From 0d2c266c06aea854a6b9d40790a9ab0879caff2d Mon Sep 17 00:00:00 2001 From: avolinski Date: Wed, 21 Nov 2018 17:31:07 +0200 Subject: [PATCH 11/11] change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID --- include/psa/crypto_extra.h | 2 +- library/psa_crypto.c | 4 ++-- tests/suites/test_suite_psa_crypto_entropy.function | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 880e09c24..b6f5adc89 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -35,7 +35,7 @@ extern "C" { #endif /* UID for secure storage seed */ -#define MBEDTLS_RANDOM_SEED_ITS_UID 0xFFFFFF52 +#define PSA_CRYPTO_ITS_RANDOM_SEED_UID 0xFFFFFF52 /** * \brief Library deinitialization. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9c85b7ce3..aefd3da14 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -4276,12 +4276,12 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed, ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) ) return( PSA_ERROR_INVALID_ARGUMENT ); - its_status = psa_its_get_info( MBEDTLS_RANDOM_SEED_ITS_UID, &p_info ); + its_status = psa_its_get_info( PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info ); status = its_to_psa_error( its_status ); if( PSA_ITS_ERROR_KEY_NOT_FOUND == its_status ) /* No seed exists */ { - its_status = psa_its_set( MBEDTLS_RANDOM_SEED_ITS_UID, seed_size, seed, 0 ); + its_status = psa_its_set( PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0 ); status = its_to_psa_error( its_status ); } else if( PSA_ITS_SUCCESS == its_status ) diff --git a/tests/suites/test_suite_psa_crypto_entropy.function b/tests/suites/test_suite_psa_crypto_entropy.function index 2c069a9e3..46c77e97c 100644 --- a/tests/suites/test_suite_psa_crypto_entropy.function +++ b/tests/suites/test_suite_psa_crypto_entropy.function @@ -48,7 +48,7 @@ void validate_entropy_seed_injection( int seed_length_a, { seed[i] = i; } - its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID ); TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); status = mbedtls_psa_inject_entropy( seed, seed_length_a ); @@ -61,7 +61,7 @@ void validate_entropy_seed_injection( int seed_length_a, TEST_ASSERT( memcmp( output, zeros, sizeof( output ) ) != 0 ); exit: mbedtls_free( seed ); - psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */ 
@@ -78,12 +78,12 @@ void run_entropy_inject_with_crypto_init( ) { seed[i] = i; } - its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID ); TEST_ASSERT( ( its_status == PSA_ITS_SUCCESS ) || ( its_status == PSA_ITS_ERROR_KEY_NOT_FOUND ) ); status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_SUCCESS ); - its_status = psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + its_status = psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID ); TEST_ASSERT( its_status == PSA_ITS_SUCCESS ); status = psa_crypto_init( ); TEST_ASSERT( status == PSA_ERROR_INSUFFICIENT_ENTROPY ); @@ -96,7 +96,7 @@ void run_entropy_inject_with_crypto_init( ) status = mbedtls_psa_inject_entropy( seed, sizeof( seed ) ); TEST_ASSERT( status == PSA_ERROR_NOT_PERMITTED ); exit: - psa_its_remove( MBEDTLS_RANDOM_SEED_ITS_UID ); + psa_its_remove( PSA_CRYPTO_ITS_RANDOM_SEED_UID ); mbedtls_psa_crypto_free( ); } /* END_CASE */