	psa: free RNG implementation before checking for remaining open key slots
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
		| @@ -193,6 +193,15 @@ psa_status_t mbedtls_psa_register_se_key( | |||||||
|  |  | ||||||
| /**@}*/ | /**@}*/ | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |  * \brief PSA random deinitialization. | ||||||
|  |  * | ||||||
|  |  * This function frees the RNG implementation used by PSA. | ||||||
|  |  * | ||||||
|  |  * This is an Mbed TLS extension. | ||||||
|  |  */ | ||||||
|  | void mbedtls_psa_random_free(void); | ||||||
|  |  | ||||||
| /** | /** | ||||||
|  * \brief Library deinitialization. |  * \brief Library deinitialization. | ||||||
|  * |  * | ||||||
|   | |||||||
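Review bot: The Doxygen block for the newly exported `mbedtls_psa_random_free()` does not say what state the library is left in or what a caller may do afterwards. The implementation later in this commit frees the DRBG and entropy context but does not appear to change `global_data.rng_state`, so the contract should be spelled out, for instance `* After this call, do not use PSA functions that need random data until mbedtls_psa_crypto_free() and psa_crypto_init() have run again.` It would also help to say why a caller needs it, since the only rationale on the page (CTR_DRBG holding a PSA AES key when AES_C is disabled) sits in the test helper comment.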
| @@ -7327,15 +7327,17 @@ static void mbedtls_psa_random_init(mbedtls_psa_random_context_t *rng) | |||||||
|  |  | ||||||
| /** Deinitialize the PSA random generator. | /** Deinitialize the PSA random generator. | ||||||
|  */ |  */ | ||||||
| static void mbedtls_psa_random_free(mbedtls_psa_random_context_t *rng) | void mbedtls_psa_random_free(void) | ||||||
| { | { | ||||||
|  |     if (global_data.rng_state != RNG_NOT_INITIALIZED) { | ||||||
| #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) | #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) | ||||||
|     memset(rng, 0, sizeof(*rng)); |         memset(&global_data.rng, 0, sizeof(global_data.rng)); | ||||||
| #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ | #else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ | ||||||
|         mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE); |         mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE); | ||||||
|     rng->entropy_free(&rng->entropy); |         global_data.rng.entropy_free(&global_data.rng.entropy); | ||||||
| #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ | #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ | ||||||
|     } |     } | ||||||
|  | } | ||||||
|  |  | ||||||
| /** Seed the PSA random generator. | /** Seed the PSA random generator. | ||||||
|  */ |  */ | ||||||
| @@ -7661,9 +7663,7 @@ psa_status_t mbedtls_psa_crypto_configure_entropy_sources( | |||||||
| void mbedtls_psa_crypto_free(void) | void mbedtls_psa_crypto_free(void) | ||||||
| { | { | ||||||
|     psa_wipe_all_key_slots(); |     psa_wipe_all_key_slots(); | ||||||
|     if (global_data.rng_state != RNG_NOT_INITIALIZED) { |     mbedtls_psa_random_free(); | ||||||
|         mbedtls_psa_random_free(&global_data.rng); |  | ||||||
|     } |  | ||||||
|     /* Wipe all remaining data, including configuration. |     /* Wipe all remaining data, including configuration. | ||||||
|      * In particular, this sets all state indicator to the value |      * In particular, this sets all state indicator to the value | ||||||
|      * indicating "uninitialized". */ |      * indicating "uninitialized". */ | ||||||
| @@ -7714,6 +7714,11 @@ psa_status_t psa_crypto_init(void) | |||||||
|     } |     } | ||||||
|     global_data.drivers_initialized = 1; |     global_data.drivers_initialized = 1; | ||||||
|  |  | ||||||
|  |     status = psa_initialize_key_slots(); | ||||||
|  |     if (status != PSA_SUCCESS) { | ||||||
|  |         goto exit; | ||||||
|  |     } | ||||||
|  |  | ||||||
|     /* Initialize and seed the random generator. */ |     /* Initialize and seed the random generator. */ | ||||||
|     mbedtls_psa_random_init(&global_data.rng); |     mbedtls_psa_random_init(&global_data.rng); | ||||||
|     global_data.rng_state = RNG_INITIALIZED; |     global_data.rng_state = RNG_INITIALIZED; | ||||||
| @@ -7723,11 +7728,6 @@ psa_status_t psa_crypto_init(void) | |||||||
|     } |     } | ||||||
|     global_data.rng_state = RNG_SEEDED; |     global_data.rng_state = RNG_SEEDED; | ||||||
|  |  | ||||||
|     status = psa_initialize_key_slots(); |  | ||||||
|     if (status != PSA_SUCCESS) { |  | ||||||
|         goto exit; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
| #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) | #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS) | ||||||
|     status = psa_crypto_load_transaction(); |     status = psa_crypto_load_transaction(); | ||||||
|     if (status == PSA_SUCCESS) { |     if (status == PSA_SUCCESS) { | ||||||
|   | |||||||
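Review bot: `mbedtls_psa_random_free()` leaves `global_data.rng_state` untouched after freeing the DRBG and entropy context, so until the wipe in `mbedtls_psa_crypto_free()` the library still records the RNG as initialized or seeded. The function is now public and the test macros call it on its own, so any path that gates on `rng_state` (none is visible in these hunks) could go on to use a freed generator. The later call from `mbedtls_psa_crypto_free()` also passes the guard and runs `mbedtls_psa_drbg_free()` and `entropy_free()` a second time on the same context. Adding `global_data.rng_state = RNG_NOT_INITIALIZED;` as the last statement inside the `if` would make the call idempotent and let later random requests fail on the state check rather than reach a freed context. The body of `mbedtls_psa_crypto_free()` continues outside its hunk, so confirm that nothing there depends on the old state value.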
| @@ -34,6 +34,7 @@ | |||||||
| #define PSA_DONE()                                                      \ | #define PSA_DONE()                                                      \ | ||||||
|     do                                                                  \ |     do                                                                  \ | ||||||
|     {                                                                   \ |     {                                                                   \ | ||||||
|  |         mbedtls_psa_random_free();                                      \ | ||||||
|         mbedtls_test_fail_if_psa_leaking(__LINE__, __FILE__);           \ |         mbedtls_test_fail_if_psa_leaking(__LINE__, __FILE__);           \ | ||||||
|         mbedtls_test_psa_purge_key_storage();                           \ |         mbedtls_test_psa_purge_key_storage();                           \ | ||||||
|         mbedtls_psa_crypto_free();                                      \ |         mbedtls_psa_crypto_free();                                      \ | ||||||
| @@ -125,6 +126,9 @@ const char *mbedtls_test_helper_is_psa_leaking(void); | |||||||
|  |  | ||||||
| /** Shut down the PSA Crypto subsystem, allowing persistent keys to survive. | /** Shut down the PSA Crypto subsystem, allowing persistent keys to survive. | ||||||
|  * Expect a clean shutdown, with no slots in use. |  * Expect a clean shutdown, with no slots in use. | ||||||
|  |  * mbedtls_psa_random_free() is called before any check for remaining open | ||||||
|  |  * keys because when AES_C is not defined, CTR_DRBG relies on PSA to perform | ||||||
|  |  * AES-ECB so it holds an open AES key for that since psa_crypto_init(). | ||||||
|  * |  * | ||||||
|  * If some key slots are still in use, record the test case as failed and |  * If some key slots are still in use, record the test case as failed and | ||||||
|  * jump to the `exit` label. |  * jump to the `exit` label. | ||||||
| @@ -132,6 +136,7 @@ const char *mbedtls_test_helper_is_psa_leaking(void); | |||||||
| #define PSA_SESSION_DONE()                                             \ | #define PSA_SESSION_DONE()                                             \ | ||||||
|     do                                                                 \ |     do                                                                 \ | ||||||
|     {                                                                  \ |     {                                                                  \ | ||||||
|  |         mbedtls_psa_random_free();                                     \ | ||||||
|         mbedtls_test_psa_purge_key_cache();                            \ |         mbedtls_test_psa_purge_key_cache();                            \ | ||||||
|         ASSERT_PSA_PRISTINE();                                         \ |         ASSERT_PSA_PRISTINE();                                         \ | ||||||
|         mbedtls_psa_crypto_free();                                     \ |         mbedtls_psa_crypto_free();                                     \ | ||||||
|   | |||||||
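Review bot: The reason for calling `mbedtls_psa_random_free()` before the leak check is documented only on `PSA_SESSION_DONE()`, while the `PSA_DONE()` hunk adds the same call and leaves its comment unchanged. That comment lies above the hunk and is not shown. A matching line there would keep the two macros consistent, for example `* The RNG is freed first because CTR_DRBG may hold a PSA AES key open when AES_C is disabled.` Since the call is unconditional in both macros, the comment could also note that it is harmless in configurations where the DRBG holds no PSA key.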