mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-06-24 14:20:59 +08:00

pre-test version of the mbedtls_ssl_conf_rng removal

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Ben Taylor 2025-03-07 15:52:50 +00:00
parent 47111a1cb1
commit 602b2968ca
7 changed files with 23 additions and 36 deletions


@ -725,8 +725,7 @@ static int ssl_generate_random(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_HAVE_TIME */ #endif /* MBEDTLS_HAVE_TIME */
} }
ret = ssl->conf->f_rng(ssl->conf->p_rng, ret = psa_generate_random(randbytes + gmt_unix_time_len,
randbytes + gmt_unix_time_len,
MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len); MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
return ret; return ret;
} }
@ -867,8 +866,8 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
if (session_id_len != session_negotiate->id_len) { if (session_id_len != session_negotiate->id_len) {
session_negotiate->id_len = session_id_len; session_negotiate->id_len = session_id_len;
if (session_id_len > 0) { if (session_id_len > 0) {
ret = ssl->conf->f_rng(ssl->conf->p_rng,
session_negotiate->id, ret = psa_generate_random(session_negotiate->id,
session_id_len); session_id_len);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret); MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
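Review bot: `ssl_generate_random` now returns the `psa_status_t` from `psa_generate_random()` unchanged (`return ret;`), so callers that expect an `MBEDTLS_ERR_SSL_*` value receive a `PSA_ERROR_*` code instead, and the session-id path in `ssl_prepare_client_hello` does the same. The same pattern recurs at the IV generation in `mbedtls_ssl_encrypt_buf`, at the `psa_crypto_init()` call in `mbedtls_ssl_setup`, and at the server-hello and session-ticket call sites later in this commit. Translate the status before it leaves the function, for example `ret = PSA_TO_MBEDTLS_ERR(psa_generate_random(...));` if that macro (defined per file elsewhere in the library) is available here, so that an RNG failure is not reported or logged under the wrong error code. Both function bodies extend outside the hunks.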


@ -1721,9 +1721,7 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform, mbedtls_ssl_transform *transform,
mbedtls_record *rec, mbedtls_record *rec);
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform, mbedtls_ssl_transform *transform,


@ -801,9 +801,7 @@ static void ssl_build_record_nonce(unsigned char *dst_iv,
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform, mbedtls_ssl_transform *transform,
mbedtls_record *rec, mbedtls_record *rec)
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
{ {
mbedtls_ssl_mode_t ssl_mode; mbedtls_ssl_mode_t ssl_mode;
int auth_done = 0; int auth_done = 0;
@ -1140,10 +1138,6 @@ hmac_failed_etm_disabled:
* Prepend per-record IV for block cipher in TLS v1.2 as per * Prepend per-record IV for block cipher in TLS v1.2 as per
* Method 1 (6.2.3.2. in RFC4346 and RFC5246) * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
*/ */
if (f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (rec->data_offset < transform->ivlen) { if (rec->data_offset < transform->ivlen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough")); MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
@ -1153,7 +1147,7 @@ hmac_failed_etm_disabled:
/* /*
* Generate IV * Generate IV
*/ */
ret = f_rng(p_rng, transform->iv_enc, transform->ivlen); ret = psa_generate_random(transform->iv_enc, transform->ivlen);
if (ret != 0) { if (ret != 0) {
return ret; return ret;
} }
@ -2725,8 +2719,7 @@ int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
rec.cid_len = 0; rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec, if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec)) != 0) {
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret); MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
return ret; return ret;
} }
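Review bot: With the `f_rng == NULL` guard removed, the explicit-IV path in `mbedtls_ssl_encrypt_buf` depends on PSA having been initialised, and nothing visible in these hunks records that precondition or logs a failure. `psa_generate_random()` fails with `PSA_ERROR_BAD_STATE` when `psa_crypto_init()` has not run, so the function still fails closed, but it does so silently. I would add `MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_random", ret);` before the `return ret;` that follows the IV generation, and extend the `Generate IV` comment to say that the caller must have initialised PSA. The function body starts and ends outside these hunks.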


@ -1223,11 +1223,6 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
return ret; return ret;
} }
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
}
/* Space for further checks */ /* Space for further checks */
return 0; return 0;
@ -1249,6 +1244,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
if ((ret = ssl_conf_check(ssl)) != 0) { if ((ret = ssl_conf_check(ssl)) != 0) {
return ret; return ret;
} }
ssl->tls_version = ssl->conf->max_tls_version; ssl->tls_version = ssl->conf->max_tls_version;
/* /*
@ -1289,6 +1285,10 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
goto error; goto error;
} }
if((ret = psa_crypto_init()) != 0) {
goto error;
}
return 0; return 0;
error: error:
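Review bot: The new `psa_crypto_init()` call sits at the very end of `mbedtls_ssl_setup`, after the rest of setup has already run, whereas the `f_rng == NULL` check it replaces ran up front in `ssl_conf_check`. If any earlier setup step uses PSA (not visible in this hunk), it would execute before initialisation; placing the call next to the `ssl_conf_check` call, with a plain `return` of the translated status, keeps the fail-early behaviour that `MBEDTLS_ERR_SSL_NO_RNG` provided. The line also departs from the surrounding spacing and compares against a bare `0`; `if ((ret = psa_crypto_init()) != PSA_SUCCESS) {` matches the rest of the file. The function body extends outside the hunks.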


@ -2133,14 +2133,14 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG, MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
(long long) t)); (long long) t));
#else #else
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) { if ((ret = psa_generate_random(ssl->conf->p_rng, p, 4)) != 0) {
return ret; return ret;
} }
p += 4; p += 4;
#endif /* MBEDTLS_HAVE_TIME */ #endif /* MBEDTLS_HAVE_TIME */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) { if ((ret = psa_generate_random(p, 20)) != 0) {
return ret; return ret;
} }
p += 20; p += 20;
@ -2166,7 +2166,8 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
} else } else
#endif #endif
{ {
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
if ((ret = psa_generate_random(p, 8)) != 0) {
return ret; return ret;
} }
} }
@ -2197,7 +2198,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
{ {
ssl->session_negotiate->id_len = n = 32; ssl->session_negotiate->id_len = n = 32;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id, if ((ret = psa_generate_random(ssl->session_negotiate->id,
n)) != 0) { n)) != 0) {
return ret; return ret;
} }
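Review bot: The first replaced call in `ssl_write_server_hello` still passes the old context pointer: `psa_generate_random(ssl->conf->p_rng, p, 4)` has three arguments, while every other call in this commit uses the two-argument form (output buffer, size). The line sits in the `#else` branch of `MBEDTLS_HAVE_TIME`, so it is only compiled when that option is off, which is probably why it went unnoticed. It should read `if ((ret = psa_generate_random(p, 4)) != 0) {`. The function body extends outside the hunks.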


@ -1996,7 +1996,7 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
unsigned char *server_randbytes = unsigned char *server_randbytes =
ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN; ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes, if ((ret = psa_generate_random(server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) { MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret); MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
return ret; return ret;
@ -3172,8 +3172,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
#endif #endif
/* Generate ticket_age_add */ /* Generate ticket_age_add */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, if ((ret = psa_generate_random((unsigned char *) &session->ticket_age_add,
(unsigned char *) &session->ticket_age_add,
sizeof(session->ticket_age_add)) != 0)) { sizeof(session->ticket_age_add)) != 0)) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret); MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
return ret; return ret;
@ -3182,7 +3181,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
(unsigned int) session->ticket_age_add)); (unsigned int) session->ticket_age_add));
/* Generate ticket_nonce */ /* Generate ticket_nonce */
ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size); ret = psa_generate_random(ticket_nonce, ticket_nonce_size);
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret); MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
return ret; return ret;
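Review bot: In `ssl_tls13_prepare_new_session_ticket` the `!= 0` is inside the assignment for `ticket_age_add`, so `ret` receives the result of the comparison (0 or 1) and a failure is logged and returned as `1` rather than as the real status. The misplaced parenthesis is carried over from the old `f_rng` call; close the call before comparing, so the statement ends with `sizeof(session->ticket_age_add))) != 0) {`. Separately, the debug label in `ssl_tls13_prepare_server_hello` still reads `"f_rng"` and would be clearer as `"psa_generate_random"`. Both functions extend outside the hunks.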


@ -1340,8 +1340,7 @@ void ssl_crypt_record(int cipher_type, int hash_id,
rec_backup = rec; rec_backup = rec;
/* Encrypt record */ /* Encrypt record */
ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec);
mbedtls_test_rnd_std_rand, NULL);
TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
if (ret != 0) { if (ret != 0) {
continue; continue;
@ -1494,8 +1493,7 @@ void ssl_crypt_record_small(int cipher_type, int hash_id,
rec_backup = rec; rec_backup = rec;
/* Encrypt record */ /* Encrypt record */
ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec);
mbedtls_test_rnd_std_rand, NULL);
if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
/* It's ok if the output buffer is too small. We do insist /* It's ok if the output buffer is too small. We do insist
@ -1948,8 +1946,7 @@ void ssl_tls13_record_protection(int ciphersuite,
memset(&rec.ctr[0], 0, 8); memset(&rec.ctr[0], 0, 8);
rec.ctr[7] = ctr; rec.ctr[7] = ctr;
TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec, TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec) == 0);
NULL, NULL) == 0);
if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) { if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) {
TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len, TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,