Do not add entropy source more than once

src/crypto/CHIPCryptoPAL.h

@@ -967,6 +967,13 @@ CHIP_ERROR DRBG_get_bytes(uint8_t * out_buffer, size_t out_length);
 typedef int (*entropy_source)(void * data, uint8_t * output, size_t len, size_t * olen);
 
 /** @brief A function to add entropy sources to crypto library
+ *
+ * This function can be called multiple times to add multiple entropy sources. However,
+ * once the entropy source is added, it cannot be removed. Please make sure that the
+ * entropy source is valid for the lifetime of the application. Also, make sure that the
+ * same entropy source is not added multiple times, e.g.: by calling this function
+ * in class constructor or initialization function.
+ *
  * @param fn_source Function pointer to the entropy source
  * @param p_source  Data that should be provided when fn_source is called
  * @param threshold Minimum required from source before entropy is released

src/crypto/CHIPCryptoPALmbedTLS.cpp

@@ -448,25 +448,9 @@ CHIP_ERROR add_entropy_source(entropy_source fn_source, void * p_source, size_t
     EntropyContext * const entropy_ctxt = get_entropy_context();
     VerifyOrReturnError(entropy_ctxt != nullptr, CHIP_ERROR_INTERNAL);
 
-#if (MBEDTLS_ALLOW_PRIVATE_ACCESS + 0) == 1
-    // NOTE: This check is needed mostly for unit tests, where we might run
-    //       init/shutdown multiple times, however, mbedTLS does not provide
-    //       API to remove entropy source from the pool.
-    for (int i = 0; i < entropy_ctxt->mEntropy.source_count; i++)
-    {
-        const auto & source = entropy_ctxt->mEntropy.source[i];
-        if (source.f_source == fn_source && source.p_source == p_source && source.threshold == threshold &&
-            source.strong == MBEDTLS_ENTROPY_SOURCE_STRONG)
-        {
-            return CHIP_NO_ERROR;
-        }
-    }
-#endif
-
     const int result =
         mbedtls_entropy_add_source(&entropy_ctxt->mEntropy, fn_source, p_source, threshold, MBEDTLS_ENTROPY_SOURCE_STRONG);
     VerifyOrReturnError(result == 0, CHIP_ERROR_INTERNAL);
-
     return CHIP_NO_ERROR;
 }
 

src/platform/Zephyr/PlatformManagerImpl.cpp

@@ -46,6 +46,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 static k_timer sOperationalHoursSavingTimer;
 
 #if !CONFIG_NORDIC_SECURITY_BACKEND
+static bool sChipStackEntropySourceAdded = false;
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
 {
     const struct device * entropy = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
@@ -118,9 +119,13 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
     SuccessOrExit(err);
 
 #if !CONFIG_NORDIC_SECURITY_BACKEND
-    // Add entropy source based on Zephyr entropy driver
-    err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold);
-    SuccessOrExit(err);
+    if (!sChipStackEntropySourceAdded)
+    {
+        // Add entropy source based on Zephyr entropy driver
+        err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold);
+        SuccessOrExit(err);
+        sChipStackEntropySourceAdded = true;
+    }
 #endif // !CONFIG_NORDIC_SECURITY_BACKEND
 
     // Call _InitChipStack() on the generic implementation base class to finish the initialization process.

src/test_driver/nrfconnect/CMakeLists.txt

@@ -44,11 +44,6 @@ set(CHIP_CFLAGS
     -I${CMAKE_CURRENT_SOURCE_DIR}/main/include
 )
 
-# Allow access to private members of mbedtls structures, which is needed by CHIP
-# crypto PAL implementation to make the add_entropy_source() independent for the
-# purpose of running unit tests.
-set(CHIP_CFLAGS ${CHIP_CFLAGS} -DMBEDTLS_ALLOW_PRIVATE_ACCESS=1)
-
 # Load NCS/Zephyr build system
 list(APPEND ZEPHYR_EXTRA_MODULES ${CHIP_ROOT}/config/nrfconnect/chip-module)
 find_package(Zephyr HINTS $ENV{ZEPHYR_BASE})