Merge pull request #10090 from valeriosetti/issue9618-development

[development] MBEDTLS_PLATFORM_GET_ENTROPY_ALT in 4.0
2025-05-07 23:46:23 +08:00 · 2025-05-06 22:35:03 +02:00 · 2025-05-06 22:35:03 +02:00 · 2439c4c14a
commit 2439c4c14a
parent 5f6c6334f8 7f8b7b768b
15 changed files with 55 additions and 27 deletions
--- a/configs/crypto-config-ccm-psk-tls1_2.h
+++ b/configs/crypto-config-ccm-psk-tls1_2.h
@ -31,6 +31,7 @@

 #define MBEDTLS_CTR_DRBG_C
 #define MBEDTLS_ENTROPY_C
+#define MBEDTLS_PLATFORM_C

 /* Save RAM at the expense of ROM */
 #define MBEDTLS_AES_ROM_TABLES
--- a/configs/crypto-config-suite-b.h
+++ b/configs/crypto-config-suite-b.h
@ -49,6 +49,7 @@
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_CTR_DRBG_C
 #define MBEDTLS_ENTROPY_C
+#define MBEDTLS_PLATFORM_C
 #define MBEDTLS_OID_C
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_PARSE_C
--- a/configs/crypto-config-thread.h
+++ b/configs/crypto-config-thread.h
@ -56,6 +56,7 @@
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_CTR_DRBG_C
 #define MBEDTLS_ENTROPY_C
+#define MBEDTLS_PLATFORM_C
 #define MBEDTLS_HMAC_DRBG_C
 #define MBEDTLS_MD_C
 #define MBEDTLS_OID_C
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 1e7b5d54d3823b65fd4755bcf60f9ca39cfcbca3
+Subproject commit 1a83e0c84d4b7aa11c7cfd3771322486fc87d281
--- a/programs/test/generate_cpp_dummy_build.sh
+++ b/programs/test/generate_cpp_dummy_build.sh
@ -73,8 +73,12 @@ EOF

    cat <<'EOF'

+#include <iostream>
+
 int main()
 {
+    std::cout << "CPP dummy build\n";
+
    mbedtls_platform_context *ctx = NULL;
    mbedtls_platform_setup(ctx);
    mbedtls_printf("CPP Build test passed\n");
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@ -211,11 +211,18 @@ static int run_test_snprintf(void)
 * back.
 */
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C)
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
+static void dummy_entropy(unsigned char *output, size_t output_size)
+{
+    srand(1);
+    for (size_t i = 0; i < output_size; i++) {
+        output[i] = rand();
+    }
+}
+
 static void create_entropy_seed_file(void)
 {
    int result;
-    size_t output_len = 0;
    unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE];

    /* Attempt to read the entropy seed file. If this fails - attempt to write
@ -226,25 +233,14 @@ static void create_entropy_seed_file(void)
        return;
    }

-    result = mbedtls_platform_entropy_poll(NULL,
-                                           seed_value,
-                                           MBEDTLS_ENTROPY_BLOCK_SIZE,
-                                           &output_len);
-    if (0 != result) {
-        return;
-    }
-
-    if (MBEDTLS_ENTROPY_BLOCK_SIZE != output_len) {
-        return;
-    }
-
+    dummy_entropy(seed_value, MBEDTLS_ENTROPY_BLOCK_SIZE);
    mbedtls_platform_std_nv_seed_write(seed_value, MBEDTLS_ENTROPY_BLOCK_SIZE);
 }
 #endif

 static int mbedtls_entropy_self_test_wrapper(int verbose)
 {
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
    create_entropy_seed_file();
 #endif
    return mbedtls_entropy_self_test(verbose);
--- a/scripts/config.py
+++ b/scripts/config.py
@ -88,7 +88,6 @@ EXCLUDE_FROM_FULL = frozenset([
    'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C
    'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum
    'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
-    'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
    'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
    'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA
    'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
@ -123,6 +122,7 @@ def is_seamless_alt(name):
    an implementation of the relevant functions and an xxx_alt.h header.
    """
    if name in (
+            'MBEDTLS_PLATFORM_GET_ENTROPY_ALT',
            'MBEDTLS_PLATFORM_GMTIME_R_ALT',
            'MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT',
            'MBEDTLS_PLATFORM_MS_TIME_ALT',
@ -181,7 +181,7 @@ def baremetal_adapter(name, value, active):
    """Config adapter for "baremetal"."""
    if not is_boolean_setting(name, value):
        return active
-    if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
+    if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT':
        # No OS-provided entropy source
        return True
    return include_in_full(name) and keep_in_baremetal(name)
--- a/scripts/footprint.sh
+++ b/scripts/footprint.sh
@ -64,7 +64,7 @@ doit()
        scripts/config.py unset MBEDTLS_NET_C || true
        scripts/config.py unset MBEDTLS_TIMING_C || true
        scripts/config.py unset MBEDTLS_FS_IO || true
-        scripts/config.py --force set MBEDTLS_NO_PLATFORM_ENTROPY || true
+        scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true
    } >/dev/null 2>&1

    make clean >/dev/null
--- a/tests/psa-client-server/psasim/test/start_server.sh
+++ b/tests/psa-client-server/psasim/test/start_server.sh
@ -8,7 +8,14 @@ set -e
 # The server creates some local files when it starts up so we can wait for this
 # event as signal that the server is ready so that we can start client(s).
 function wait_for_server_startup() {
+    SECONDS=0
+    TIMEOUT=10
+
    while [ $(find . -name "psa_notify_*" | wc -l) -eq 0 ]; do
+        if [ "$SECONDS" -ge "$TIMEOUT" ]; then
+            echo "Timeout: psa_server not started within $TIMEOUT seconds."
+            return 1
+        fi
        sleep 0.1
    done
 }
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@ -121,7 +121,6 @@ class CoverageTask(outcome_analysis.CoverageTask):
            # Obsolete configuration options, to be replaced by
            # PSA entropy drivers.
            # https://github.com/Mbed-TLS/mbedtls/issues/8150
-            'Config: MBEDTLS_NO_PLATFORM_ENTROPY',
            'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
            # Untested aspect of the platform interface.
            # https://github.com/Mbed-TLS/mbedtls/issues/9589
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@ -65,7 +65,9 @@ component_test_cmake_out_of_source () {
    mkdir "$OUT_OF_SOURCE_DIR"
    cd "$OUT_OF_SOURCE_DIR"
    # Note: Explicitly generate files as these are turned off in releases
-    cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR"
+    # Note: Use Clang compiler also for C++ (C uses it by default)
+    CXX=clang++ cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON \
+                      -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR"
    make

    msg "test: cmake 'out-of-source' build"
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@ -2207,6 +2207,7 @@ END
        #define MBEDTLS_AES_C
        #define MBEDTLS_CTR_DRBG_C
        #define MBEDTLS_ENTROPY_C
+        #define MBEDTLS_PLATFORM_C
        #define MBEDTLS_PSA_CRYPTO_C
        #define MBEDTLS_SELF_TEST
 END
--- a/tests/scripts/components-configuration-platform.sh
+++ b/tests/scripts/components-configuration-platform.sh
@ -20,13 +20,27 @@ component_build_no_std_function () {
    make
 }

+component_test_platform_get_entropy_alt()
+{
+    msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
+    # Use hardware polling as the only source for entropy
+    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
+    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+
+    make
+
+    # Run all the tests
+    msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
+    make test
+}
+
 component_build_no_sockets () {
    # Note, C99 compliance can also be tested with the sockets support disabled,
    # as that requires a POSIX platform (which isn't the same as C99).
    msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
    scripts/config.py full
    scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
-    scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux
+    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux
    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
 }

@ -106,6 +120,3 @@ component_test_no_64bit_multiplication () {
    msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
    make test
 }
-
-
-
--- a/tests/scripts/components-configuration.sh
+++ b/tests/scripts/components-configuration.sh
@ -132,7 +132,8 @@ component_test_full_cmake_gcc_asan_new_bignum () {
 component_test_full_cmake_clang () {
    msg "build: cmake, full config, clang" # ~ 50s
    scripts/config.py full
-    CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .
+    CC=clang CXX=clang++ cmake -D CMAKE_BUILD_TYPE:String=Release \
+                               -D ENABLE_TESTING=On -D TEST_CPP=1 .
    make

    msg "test: main suites (full config, clang)" # ~ 5s
@ -280,6 +281,10 @@ component_test_no_platform () {
    scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
    scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+    # Use the test alternative implementation of mbedtls_platform_get_entropy()
+    # which is provided in "framework/tests/src/fake_external_rng_for_test.c"
+    # since the default one is excluded in this scenario.
+    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
    # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
    # to re-enable platform integration features otherwise disabled in C99 builds
    make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit f936d86b2587eb4a961cac5b3b95b949ee056ee6
+Subproject commit 5ab6c9c8d6fae90fa46f51fbc7d5d1327a041388