diff --git a/library/ssl_client.c b/library/ssl_client.c index be4d621d6c..f8abfde377 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -725,8 +725,7 @@ static int ssl_generate_random(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_HAVE_TIME */ } - ret = ssl->conf->f_rng(ssl->conf->p_rng, - randbytes + gmt_unix_time_len, + ret = psa_generate_random(randbytes + gmt_unix_time_len, MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len); return ret; } @@ -867,8 +866,8 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) if (session_id_len != session_negotiate->id_len) { session_negotiate->id_len = session_id_len; if (session_id_len > 0) { - ret = ssl->conf->f_rng(ssl->conf->p_rng, - session_negotiate->id, + + ret = psa_generate_random(session_negotiate->id, session_id_len); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d12cee3ceb..e51a3df5ed 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1721,9 +1721,7 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform, - mbedtls_record *rec, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng); + mbedtls_record *rec); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, diff --git a/library/ssl_msg.c b/library/ssl_msg.c index f5ea8dd277..96c1a7c96e 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -801,9 +801,7 @@ static void ssl_build_record_nonce(unsigned char *dst_iv, int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform, - mbedtls_record *rec, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng) + mbedtls_record *rec) { mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; 
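Review bot: `psa_generate_random()` returns a `psa_status_t`, but `ssl_generate_random` stores it in `ret` and returns it unchanged, so a failure reaches the handshake code as a PSA status rather than an `MBEDTLS_ERR_*` value. The same pattern appears in the other hunks that switch to `psa_generate_random`: `ssl_prepare_client_hello`, the IV generation in `mbedtls_ssl_encrypt_buf`, `ssl_write_server_hello`, `ssl_tls13_prepare_server_hello` and `ssl_tls13_prepare_new_session_ticket`. I would convert at each call site, for example `ret = psa_generic_status_to_mbedtls(psa_generate_random(randbytes + gmt_unix_time_len, MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len));`, or use the file-local `PSA_TO_MBEDTLS_ERR` where one is defined. The function body starts outside the hunk.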
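Review bot: The new prototype of `mbedtls_ssl_encrypt_buf` in ssl_misc.h no longer shows where the per-record IV randomness comes from, and nothing at the declaration states the precondition this creates. The test call sites in this diff call the function directly, one of them with a NULL `ssl`, so the `psa_crypto_init()` added to `mbedtls_ssl_setup` does not cover every caller. I would add a comment above the declaration, for example `/* The TLS 1.2 block-cipher path draws the explicit IV from psa_generate_random(); PSA crypto must be initialized by the caller. */`.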
@@ -1140,10 +1138,6 @@ hmac_failed_etm_disabled: * Prepend per-record IV for block cipher in TLS v1.2 as per * Method 1 (6.2.3.2. in RFC4346 and RFC5246) */ - if (f_rng == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } if (rec->data_offset < transform->ivlen) { MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough")); @@ -1153,7 +1147,7 @@ hmac_failed_etm_disabled: /* * Generate IV */ - ret = f_rng(p_rng, transform->iv_enc, transform->ivlen); + ret = psa_generate_random(transform->iv_enc, transform->ivlen); if (ret != 0) { return ret; } @@ -2725,8 +2719,7 @@ int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush) rec.cid_len = 0; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec, - ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { + if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret); return ret; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8f90fa1b98..20a2538290 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1223,11 +1223,6 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl) return ret; } - if (ssl->conf->f_rng == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); - return MBEDTLS_ERR_SSL_NO_RNG; - } - /* Space for further checks */ return 0; @@ -1249,6 +1244,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, if ((ret = ssl_conf_check(ssl)) != 0) { return ret; } + ssl->tls_version = ssl->conf->max_tls_version; /* @@ -1289,6 +1285,10 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, goto error; } + if((ret = psa_crypto_init()) != 0) { + goto error; + } + return 0; error: diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 84d5994ca0..d3c422369a 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
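Review bot: In `mbedtls_ssl_setup` (ssl_tls.c, hunk at -1289) the `psa_crypto_init()` call sits as the last step before `return 0`, so a PSA initialisation failure is detected only after the rest of setup has run and must be unwound through `error:`, whose body is outside the hunk. Calling it next to `ssl_conf_check` would fail early, and the status should be translated before it is returned, for example `if ((ret = psa_generic_status_to_mbedtls(psa_crypto_init())) != 0) {` (this also fixes the missing space in `if((`). With the `f_rng == NULL` check removed from `ssl_conf_check`, the RNG installed in `conf->f_rng`/`p_rng` is no longer consulted by any hunk shown here. If that field stays in the configuration, its documentation should say it is ignored for hello randoms, session IDs and record IVs, because an application that supplied a vetted RNG would otherwise not notice the change of entropy source.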
@@ -2133,14 +2133,14 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, (long long) t)); #else - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { + if ((ret = psa_generate_random(ssl->conf->p_rng, p, 4)) != 0) { return ret; } p += 4; #endif /* MBEDTLS_HAVE_TIME */ - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) { + if ((ret = psa_generate_random(p, 20)) != 0) { return ret; } p += 20; @@ -2166,7 +2166,8 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl) } else #endif { - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) { + + if ((ret = psa_generate_random(p, 8)) != 0) { return ret; } } @@ -2197,7 +2198,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_SESSION_TICKETS */ { ssl->session_negotiate->id_len = n = 32; - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, + if ((ret = psa_generate_random(ssl->session_negotiate->id, n)) != 0) { return ret; } diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 1dde4ab3c9..4ef23f8fc2 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1996,7 +1996,7 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl) unsigned char *server_randbytes = ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN; - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, + if ((ret = psa_generate_random(server_randbytes, MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); return ret; 
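Review bot: The first replaced call in `ssl_write_server_hello` still passes the old context pointer, `psa_generate_random(ssl->conf->p_rng, p, 4)`, but every other call in this diff uses the two-argument form (output, length). The line sits in the `#else` branch of `MBEDTLS_HAVE_TIME`, so the mismatch only shows up in builds without that option, where it should fail to compile. It should read `if ((ret = psa_generate_random(p, 4)) != 0) {`. The function body extends beyond the hunk on both sides.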
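Review bot: In `ssl_tls13_prepare_server_hello` the failure path still logs under the old name, `MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);`, although the call is now `psa_generate_random`. Someone reading a debug trace would look for a configured RNG callback that is no longer involved. I would change the label to `MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_random", ret);`.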
@@ -3172,8 +3172,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, #endif /* Generate ticket_age_add */ - if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, - (unsigned char *) &session->ticket_age_add, + if ((ret = psa_generate_random((unsigned char *) &session->ticket_age_add, sizeof(session->ticket_age_add)) != 0)) { MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret); return ret; @@ -3182,7 +3181,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl, (unsigned int) session->ticket_age_add)); /* Generate ticket_nonce */ - ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size); + ret = psa_generate_random(ticket_nonce, ticket_nonce_size); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret); return ret; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 25aa44fc09..743b53c007 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1340,8 +1340,7 @@ void ssl_crypt_record(int cipher_type, int hash_id, rec_backup = rec; /* Encrypt record */ - ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, - mbedtls_test_rnd_std_rand, NULL); + ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec); TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); if (ret != 0) { continue; @@ -1494,8 +1493,7 @@ void ssl_crypt_record_small(int cipher_type, int hash_id, rec_backup = rec; /* Encrypt record */ - ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, - mbedtls_test_rnd_std_rand, NULL); + ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec); if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { /* It's ok if the output buffer is too small. We do insist 
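Review bot: The `ticket_age_add` call in `ssl_tls13_prepare_new_session_ticket` keeps the parenthesisation of the unchanged context line `sizeof(session->ticket_age_add)) != 0)) {`, so `ret` is assigned the result of the `!= 0` comparison (0 or 1), not the status of `psa_generate_random`. On failure the function then logs and returns `1`, and the real error is lost. Since the call is being rewritten anyway, close the call before comparing: `if ((ret = psa_generate_random((unsigned char *) &session->ticket_age_add,` followed by `sizeof(session->ticket_age_add))) != 0) {`. The function body extends beyond the hunk.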
@@ -1948,8 +1946,7 @@ void ssl_tls13_record_protection(int ciphersuite, memset(&rec.ctr[0], 0, 8); rec.ctr[7] = ctr; - TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec, - NULL, NULL) == 0); + TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec) == 0); if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) { TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,