test_suite_psa_crypto_slot_management: some fix for available key slots

When MBEDTLS_AES_C is not defined, CTR_DRBG relies on PSA to get AES-ECB. This means
that PSA holds an open AES key from the moment psa_crypto_init() is called, which
- reduces the maximum number of available key slots
- shifts the 1st available index

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2023-11-13 10:29:53 +01:00
parent dc32ac20fd
commit 0a903db804


@ -90,8 +90,10 @@ static int invalidate_psa(invalidate_method_t invalidate_method)
break; break;
} }
PSA_ASSERT(psa_crypto_init()); /* When AES_C is not defined CTR_DRBG relies on PSA to get AES-ECB so it
* holds an open key once psa_crypto_init() is called. */
ASSERT_PSA_PRISTINE(); ASSERT_PSA_PRISTINE();
PSA_ASSERT(psa_crypto_init());
return 1; return 1;
exit: exit:
@ -746,19 +748,12 @@ void invalid_handle(int handle_construction,
* MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) is a volatile * MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) is a volatile
* key identifier as the imported key is a volatile key. Volatile * key identifier as the imported key is a volatile key. Volatile
* key identifiers are in the range from PSA_KEY_ID_VOLATILE_MIN * key identifiers are in the range from PSA_KEY_ID_VOLATILE_MIN
* to PSA_KEY_ID_VOLATILE_MAX included. Thus pick a key identifier * to PSA_KEY_ID_VOLATILE_MAX included. It is very unlikely that
* in the range from PSA_KEY_ID_VOLATILE_MIN to * all IDs are used up to the last one, so pick
* PSA_KEY_ID_VOLATILE_MAX different from * PSA_KEY_ID_VOLATILE_MAX to build an unopened and thus invalid
* MBEDTLS_SVC_KEY_ID_GET_KEY_ID( valid_handle ) to build an * identifier.
* unopened and thus invalid identifier.
*/ */
key_id = PSA_KEY_ID_VOLATILE_MAX;
if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) ==
PSA_KEY_ID_VOLATILE_MIN) {
key_id = PSA_KEY_ID_VOLATILE_MIN + 1;
} else {
key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) - 1;
}
invalid_handle = invalid_handle =
mbedtls_svc_key_id_make(0, key_id); mbedtls_svc_key_id_make(0, key_id);
@ -938,11 +933,16 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
mbedtls_svc_key_id_t persistent_key2 = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t persistent_key2 = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t returned_key_id = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t returned_key_id = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t *keys = NULL; mbedtls_svc_key_id_t *keys = NULL;
mbedtls_psa_stats_t psa_key_slots_stats;
size_t available_key_slots = 0;
TEST_ASSERT(MBEDTLS_PSA_KEY_SLOT_COUNT >= 1); TEST_ASSERT(MBEDTLS_PSA_KEY_SLOT_COUNT >= 1);
TEST_CALLOC(keys, MBEDTLS_PSA_KEY_SLOT_COUNT);
PSA_ASSERT(psa_crypto_init()); PSA_ASSERT(psa_crypto_init());
mbedtls_psa_get_stats(&psa_key_slots_stats);
available_key_slots = psa_key_slots_stats.empty_slots;
TEST_CALLOC(keys, available_key_slots);
psa_set_key_usage_flags(&attributes, psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY); PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_COPY);
@ -961,10 +961,10 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
TEST_ASSERT(mbedtls_svc_key_id_equal(returned_key_id, persistent_key)); TEST_ASSERT(mbedtls_svc_key_id_equal(returned_key_id, persistent_key));
/* /*
* Create MBEDTLS_PSA_KEY_SLOT_COUNT volatile keys * Create the maximum available number of volatile keys
*/ */
psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE); psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
for (i = 0; i < MBEDTLS_PSA_KEY_SLOT_COUNT; i++) { for (i = 0; i < available_key_slots; i++) {
PSA_ASSERT(psa_import_key(&attributes, PSA_ASSERT(psa_import_key(&attributes,
(uint8_t *) &i, sizeof(i), (uint8_t *) &i, sizeof(i),
&keys[i])); &keys[i]));
@ -983,12 +983,12 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
* Check we can export the volatile key created last and that it has the * Check we can export the volatile key created last and that it has the
* expected value. Then, destroy it. * expected value. Then, destroy it.
*/ */
PSA_ASSERT(psa_export_key(keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1], PSA_ASSERT(psa_export_key(keys[available_key_slots - 1],
exported, sizeof(exported), exported, sizeof(exported),
&exported_length)); &exported_length));
i = MBEDTLS_PSA_KEY_SLOT_COUNT - 1; i = available_key_slots - 1;
TEST_MEMORY_COMPARE(exported, exported_length, (uint8_t *) &i, sizeof(i)); TEST_MEMORY_COMPARE(exported, exported_length, (uint8_t *) &i, sizeof(i));
PSA_ASSERT(psa_destroy_key(keys[MBEDTLS_PSA_KEY_SLOT_COUNT - 1])); PSA_ASSERT(psa_destroy_key(keys[available_key_slots - 1]));
/* /*
* Check that we can now access the persistent key again. * Check that we can now access the persistent key again.
@ -1011,7 +1011,7 @@ void non_reusable_key_slots_integrity_in_case_of_key_slot_starvation()
* Check we can export the remaining volatile keys and that they have the * Check we can export the remaining volatile keys and that they have the
* expected values. * expected values.
*/ */
for (i = 0; i < (MBEDTLS_PSA_KEY_SLOT_COUNT - 1); i++) { for (i = 0; i < (available_key_slots - 1); i++) {
PSA_ASSERT(psa_export_key(keys[i], PSA_ASSERT(psa_export_key(keys[i],
exported, sizeof(exported), exported, sizeof(exported),
&exported_length)); &exported_length));
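Review bot: In the third hunk the count that is actually used for allocation and indexing is now `available_key_slots` (read from `psa_key_slots_stats.empty_slots`), but the only guard kept is `TEST_ASSERT(MBEDTLS_PSA_KEY_SLOT_COUNT >= 1)`; if the stats ever report zero empty slots, `available_key_slots - 1` wraps around as a `size_t` and `keys[available_key_slots - 1]` in the later hunks indexes far outside the `TEST_CALLOC`'d array. Add `TEST_ASSERT(available_key_slots >= 1);` right after `available_key_slots = psa_key_slots_stats.empty_slots;` so the test fails cleanly instead of reading out of bounds. The loop variable `i` is declared outside the hunk, so its type is not visible here; if it is a signed `int` as the old `i < MBEDTLS_PSA_KEY_SLOT_COUNT` form suggests, the new `i < available_key_slots` comparison mixes signed and unsigned and deserves a check. In the second hunk the previous code guaranteed that `key_id` differed from the valid handle's id, while the new code only argues it is "very unlikely" to collide; a one-line `TEST_ASSERT(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(valid_handle) != key_id);` after `key_id = PSA_KEY_ID_VOLATILE_MAX;` would turn that assumption into a checked precondition. The body of non_reusable_key_slots_integrity_in_case_of_key_slot_starvation continues outside these hunks.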