Platform entropy is available when `MBEDTLS_NO_PLATFORM_ENTROPY` is _not_
defined.
This caused the ok/not-supported behavior of
`psa_random_set_prediction_resistance()` to be inverted, and the unit tests
checking that behavior to be similarly inverted, so the unit tests didn't
catch it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Let applications configure prediction resistance at runtime.
Prediction resistance is always considered disabled when there is no actual
entropy source, only a nonvolatile seed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In some scenarios, application or integration code knows that the random
generator should be reseeded, but the reseed cannot or must not happen
immediately and there is no way to report errors. In such scenarios, users
can call the new function `psa_random_deplete()`, which just marks the DRBG
as needing a reseed.
This change requires DRBG modules to treat `reseed_counter == reseed_interval`
as a condition that requires a reseed. Historically they reseeded when
`reseed_counter > reseed_interval`, but that made it impossible to require
a reseed when `reseed_interval == MAX_INT`. Note that this edge case is not
tested.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Change `reseed_counter` to be the number of requests made since the last
reseed, rather than this number minus 1. Thus, reseed when
`reseed_counter >= reseed_interval` rather than
`reseed_counter > reseed_interval`. The field `reseed_counter` is private so
this is not an API change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define `MBEDTLS_ENTROPY_TRUE_SOURCES` and `MBEDTLS_ENTROPY_HAVE_SOURCES`
similarly to TF-PSA-Crypto 1.0. Also define
`MBEDTLS_ENTROPY_HAVE_TRUE_SOURCES` for test function dependencies.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix the location of the ending bracket of the "extern C" block in order to
have it balanced between C guards.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Also take MAC key types into account when computing the size of the
buffer to store key material in static key slot configuration.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Integrators in a client-server architecture need to provide this function on
the client side.
Fixes mbedtls/issues#10341.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The decrypted length reveals the amount of padding that was eliminated, and
thus reveals partial information about the last ciphertext block.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In internal `get_padding` functions, report whether the padding was invalid
through a separate output parameter, rather than the return code. Take
advantage of this to have `mbedtls_cipher_finish_padded()` be the easy path
that just passes the `invalid_padding` through. Make
`mbedtls_cipher_finish()` a wrapper around `mbedtls_cipher_finish_padded()`
that converts the invalid-padding output into an error code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
New function `mbedtls_cipher_finish_padded()`, similar to
`mbedtls_cipher_finish()`, but reporting padding errors through a separate
output parameter. This makes it easier to avoid leaking the presence of a
padding error, especially through timing. Thus the new function is
recommended to defend against padding oracle attacks.
In this commit, implement this function naively, with timing that depends on
whether an error happened. A subsequent commit will make this function
constant-time.
Copy the test decrypt_test_vec and decrypt_test_vec_cf test cases into
variants that call `mbedtls_cipher_finish_padded()`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
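Added illustration, not code from Mbed TLS or from these commits, of the design the two messages above describe: a PKCS#7 padding check that reports validity through a separate output instead of its return code and does the same work whether the padding is valid or not, a `finish_padded` that passes the flag through, and a `finish` wrapper that turns the flag into an error code. The function names, the placeholder error value and the constant-time mask helpers are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXAMPLE_ERR_INVALID_PADDING (-0x6200) /* placeholder, not Mbed TLS's value */
/* Constant-time masks: all-ones when the condition holds, else zero.
 * Assumes both operands are below 2^31 (true for block sizes and pad bytes). */
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);           /* a < b */
}
static uint32_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t q = a ^ b;
    return ~(0u - ((q | (0u - q)) >> 31)); /* a == b */
}
/* PKCS#7 padding check with no secret-dependent branch or memory access.
 * Validity goes to `invalid_padding` (1 = bad), not the return code; on bad
 * padding `data_len` is 0 so the length reveals nothing about the pad byte. */
static void get_pkcs7_padding(const unsigned char *block, size_t block_len,
                              size_t *data_len, uint32_t *invalid_padding)
{
    uint32_t pad = block[block_len - 1];
    uint32_t bad = ct_mask_eq(pad, 0) | ct_mask_lt((uint32_t) block_len, pad);
    for (size_t i = 0; i < block_len; i++) {   /* always scan the whole block */
        uint32_t in_pad = ct_mask_lt((uint32_t) (block_len - 1 - i), pad);
        bad |= in_pad & ~ct_mask_eq(block[i], pad);
    }
    *invalid_padding = bad & 1u;
    *data_len = (size_t) (((uint32_t) block_len - pad) & ~bad);
}
/* The easy path: do the same work either way and pass the flag through. */
static int example_finish_padded(const unsigned char *block, size_t block_len,
                                 unsigned char *out, size_t *olen, int *invalid_padding)
{
    uint32_t bad;
    memcpy(out, block, block_len);
    get_pkcs7_padding(block, block_len, olen, &bad);
    *invalid_padding = (int) bad;
    return 0;
}
/* The wrapper: converts the flag into an error code, i.e. a branch that
 * depends on the padding; callers who must not leak that use the padded form. */
static int example_finish(const unsigned char *block, size_t block_len,
                          unsigned char *out, size_t *olen)
{
    int invalid = 0, ret = example_finish_padded(block, block_len, out, olen, &invalid);
    return ret != 0 ? ret : (invalid ? EXAMPLE_ERR_INVALID_PADDING : 0);
}
```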
As the definition of psa_pake_operation_s has
been moved, the "xyt_t" structure types cannot
be used anymore (defined later).
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
In crypto_extra.h, move PAKE size calculation macros,
the definition of psa_pake_cipher_suite_s and
psa_pake_operation_s just after PAKE type and values
definitions.
This aligns with the order of crypto header inclusions
in crypto.h: crypto_types.h, then crypto_values.h,
then crypto_sizes.h, and then crypto_struct.h.
Take care of keeping them outside of the pake Doxygen
group as they used to be.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
That way, when APIs are declared, the types they use are defined.
This should resolve the issues related to psa_xyz_init functions
returning a structure described in #7087.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>