Platform entropy is available when `MBEDTLS_NO_PLATFORM_ENTROPY` is _not_
defined.
This caused the ok/not-supported behavior of `broke
psa_random_set_prediction_resistance() to be inverted, and the unit tests
checking that behavior to be similarly inverted, so the unit tests didn't
catch it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Let applications configure prediction resistance at runtime.
Prediction resistance is always considered disabled when there is no actual
entropy source, only a nonvolatile seed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In some scenarios, application or integration code knows that the random
generator should be reseeded, but the reseed cannot or must not happen
immediately and there is no way to report errors. In such scenarios, users
can call the new function `psa_random_deplete()`, which just marks the DRBG
as needing a reseed.
This change requires DRBG modules to treat `reseed_counter == reseed_interval`
as a condition that requires a reseed. Historically they reseeded when
`reseed_counter > reseed_interval`, but that made it impossible to require
a reseed when `reseed_interval == MAX_INT`. Note that this edge case is not
tested.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Change `reseed_counter` to be the number of requests made since the last
reseed, rather than this number minus 1. Thus, reseed when
`reseed_counter >= reseed_interval` rather than
`reseed_counter > reseed_interval`. The field `reseed_counter` is private so
this is not an API change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define `MBEDTLS_ENTROPY_TRUE_SOURCES` and `MBEDTLS_ENTROPY_HAVE_SOURCES`
similarly to TF-PSA-Crypto 1.0. Also define
`MBEDTLS_ENTROPY_HAVE_TRUE_SOURCES` for test function dependencies.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Document when this is not used. This was the case in TF-PSA-Crypto 1.0.0,
but not yet in Mbed TLS 3.6.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Instead of unconditionally using `/dev/urandom`, make the device path
configurable at compile time through `MBEDTLS_PLATFORM_DEV_RANDOM` or
at run time through `mbedtls_platform_dev_random`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix the location of the ending braket of "extern C" block in order to
have it balanced between C guards.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Take also MAC's key types into account when computing the size of the
buffer to store key material in static key slot configuration.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Integrators in a client-server architecture need to provide this function on
the client side.
Fixesmbedtls/issues#10341.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The decrypted length reveals the amount of padding that was eliminated, and
thus reveals partial information about the last ciphertext block.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
New function `mbedtls_cipher_finish_padded()`, similar to
`mbedtls_cipher_finish()`, but reporting padding errors through a separate
output parameter. This makes it easier to avoid leaking the presence of a
padding error, especially through timing. Thus the new function is
recommended to defend against padding oracle attacks.
In this commit, implement this function naively, with timing that depends on
whether an error happened. A subsequent commit will make this function
constant-time.
Copy the test decrypt_test_vec and decrypt_test_vec_cf test cases into
variants that call `mbedtls_cipher_finish_padded()`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
