Expose the PSA RNG in mbedtls #4110
Conversation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With MBEDTLS_USE_PSA_CRYPTO, some of the randomness for the TLS connection is generated inside the PSA crypto subsystem, which has no reproducible mode. Whether there is a nonzero amount of randomness coming from inside the PSA subsystem rather than from the random generator set by mbedtls_ssl_conf_rng() depends on the choice of cipher suite and other connection parameters as well as the level of support for MBEDTLS_USE_PSA_CRYPTO. Rather than give unreliable results, conservatively abort with a clear error message. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Whether MBEDTLS_USE_PSA_CRYPTO is enabled makes a significant difference with respect to how random generators are used (and, for no-HMAC_DRBG, how ECDSA signature is dispatched), so test both with and without it. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test random generation as a whole. This is different from test_suite_*_drbg and test_suite_entropy, which respectively test PRNG modules and entropy collection. Start with basic tests: good-case tests, and do it twice and compare the results to validate that entropy collection doesn't repeat itself. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
added
enhancement
mbed TLS team
component-crypto
gilles-peskine-arm
force-pushed
the
psa-external-random-in-mbedtls
branch
2 times, most recently
from
cdf31a3
to
42c27ee
Compare
gilles-peskine-arm
added
needs-review
| * `MBEDTLS_ERR_CTR_DRBG_xxx` or | ||
| * `MBEDTLS_ERR_HMAC_DRBG_xxx` on error. | ||
| */ | ||
| int mbedtls_psa_get_random( void *p_rng, |
There was a problem hiding this comment.
Isn't this a straight-up copy of what's in psa_crypto_random_impl.h? If this is meant to replace that, why isn't the other file being removed?
There was a problem hiding this comment.
These are just the declarations that need to be in public headers. psa_crypto_random_impl.h has more declarations and definitions.
There's some duplication between the two headers, but I think it's the minimum necessary, or at least the minimum advisable. A couple of things are duplicated, in a way that a compiler will complain if they diverge, and this way all the implementation stuff is in psa_crypto_random_impl.h where it's easy to see all in one place, but we still get the compiler to complain if the implementation no longer matches the public interface.
There was a problem hiding this comment.
Are you convinced by my explanation, or do some things need to be removed from psa_crypto_random_impl.h?
There was a problem hiding this comment.
The duplication is fine by me but please add the reasons you mention here to the code documentation. It is not common to duplicate definitions thus better to have the reasons of the duplication.
There was a problem hiding this comment.
Once again I'm not sure what change you expect. To me, the comments at the top of the files referring to each other are sufficient. Do you want this to be also mentioned in the documentation of each macro/function/type?
There was a problem hiding this comment.
From your comment above the reason of the duplication seems to be:
"A couple of things are duplicated, in a way that a compiler will complain if they diverge, and this way all the implementation stuff is in psa_crypto_random_impl.h where it's easy to see all in one place, but we still get the compiler to complain if the implementation no longer matches the public interface."
I'm just saying what about to put something equivalent as documentation in the header files.
There was a problem hiding this comment.
Revisiting this, the compiler doesn't enforce consistency: there's duplication here that's rejected if both headers are included (static variable definition, type definition). So I do need to remove some things from psa_crypto_random_impl.h.
There was a problem hiding this comment.
I've removed the redundant definitions and kept redundant declarations where possible. I kept the duplication of the definition of the macro MBEDTLS_PSA_RANDOM_STATE because this is both permitted and checked by the C compiler.
| * Partial implementation of the PSA crypto driver interface: Mbed TLS can | ||
| now use an external random generator instead of the library's own | ||
| entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG | ||
| and See the documentatio of mbedtls_psa_external_get_random() for details. |
There was a problem hiding this comment.
typos: see and documentation
| entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG | ||
| and See the documentatio of mbedtls_psa_external_get_random() for details. | ||
| * Applications using PSA crypto can now use its random generator in the | ||
| mbedtls_xxx API. See the documentation of mbedtls_psa_get_random() for |
There was a problem hiding this comment.
Is it even recommended that applications using PSA Crypto continue to call directly into mbedtls_xxx? Having this wording in the public changelog makes it look like it's expected behaviour...
There was a problem hiding this comment.
This is the opposite: applications using mbedtls_xxx features (typically X.509/SSL) and calling into PSA. Is the wording here misleading?
There was a problem hiding this comment.
I think the wording might be too generic, in that case. To me (though my headspace is very much in crypto land and not in SSL) it reads like an implied approval to mix-and-match PSA and mbedtls_xxx for cryptographic functionality.
There was a problem hiding this comment.
I reworded the second changelog entry. Is it clear now?
ronald-cron-arm
removed
the
needs-reviewer
| * `MBEDTLS_ERR_CTR_DRBG_xxx` or | ||
| * `MBEDTLS_ERR_HMAC_DRBG_xxx` on error. | ||
| */ | ||
| int mbedtls_psa_get_random( void *p_rng, |
There was a problem hiding this comment.
The duplication is fine by me but please add the reasons you mention here to the code documentation. It is not common to duplicate definitions thus better to have the reasons of the duplication.
Expose whatever RNG the PSA subsystem uses to applications using the mbedtls_xxx API. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The SSL test programs can now use mbedtls_psa_get_random() rather than entropy+DRBG as a random generator. This happens if the configuration option MBEDTLS_USE_PSA_CRYPTO is enabled, or if MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is set at build time. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move the call to destroy the PSK to before freeing the SSL session data and calling rng_free(), which deinitializes the PSA subsystem. This particular ordering was chosen to make the ssl_client2 more similar to ssl_server2. This fixes the client failing on the psa_destroy_key() call in `ssl-opt.sh -f 'opaque psk on client'`. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The dependency is on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG plus MBEDTLS_PSA_CRYPTO_C. MBEDTLS_USE_PSA_CRYPTO is irrelevant. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The point of having an external RNG is that you can disable all built-in RNG functionality: both the entropy part and the DRBG part. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The SSL test programs can now use the PSA RNG, and the PSA RNG can use an external RNG. The build conditions hadn't been updated and didn't cover the case when MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is enabled but MBEDTLS_USE_PSA_CRYPTO is disabled. Fix this. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's no longer restricted to MBEDTLS_USE_PSA_CRYPTO. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Also fix some typos. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
force-pushed
the
psa-external-random-in-mbedtls
branch
from
156809b
to
cd2d648
Compare
|
I modified the history in the following way (previous history in https://github.com/gilles-peskine-arm/mbedtls/tree/psa-external-random-in-mbedtls-4):
|
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
There was some intentional duplication between library/psa_crypto_random_impl.h and include/mbedtls/psa_util.h, with the intent that the compiler would complain if one file was edited in a way that's incompatible with the other file. However, the two files were never included together, and in fact could not be included together because some definitions can't be duplicated (type, static variable). Now library/psa_crypto_random_impl.h includes include/mbedtls/psa_util.h, so the compiler will check what it can. There is less redundancy since it isn't always possible to declare something twice (specifically, types can't be declared). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Expose whatever RNG the PSA subsystem uses to applications using the classic (mbedtls_xxx) API. This is especially useful for applications that use both PSA and TLS and want to leverage the PSA RNG to either save memory or make use of
mbedtls_psa_external_get_random.Resolves #3883.