From ece325c8dd0e4fb1847b92530bfaaddc88e8d467 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 13 Jun 2019 15:39:27 +0100 Subject: [PATCH] Allow compile-time configuration of PRNG in SSL module Introduces MBEDTLS_SSL_CONF_RNG to allow configuring the RNG to be used by the SSL module at compile-time. Impact on code-size: | | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23535 | 24089 | 27103 | | `libmbedtls.a` after | 23471 | 24077 | 27045 | | gain in Bytes | 64 | 12 | 58 | --- configs/baremetal.h | 1 + configs/baremetal_test.h | 2 ++ include/mbedtls/config.h | 7 +++++ include/mbedtls/ssl.h | 19 +++++++++++++ include/mbedtls/ssl_internal.h | 21 ++++++++++++++ library/ssl_cli.c | 51 +++++++++++++++++++++++----------- library/ssl_srv.c | 47 +++++++++++++++++++++---------- library/ssl_tls.c | 17 ++++++++++-- programs/ssl/mini_client.c | 4 +++ programs/ssl/query_config.c | 8 ++++++ programs/ssl/ssl_client2.c | 5 ++++ programs/ssl/ssl_server2.c | 5 ++++ 12 files changed, 153 insertions(+), 34 deletions(-) diff --git a/configs/baremetal.h b/configs/baremetal.h index 7ff7b07c9..a6da5c361 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -93,6 +93,7 @@ #define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED #define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0 #define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED +#define MBEDTLS_SSL_CONF_RNG mbedtls_hmac_drbg_random #define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \ MBEDTLS_SSL_EXTENDED_MS_ENABLED #define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \ diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h index 82c0ed17c..1b87474fc 100644 --- a/configs/baremetal_test.h +++ b/configs/baremetal_test.h 
@@ -51,6 +51,8 @@ /* ssl_client2 and ssl_server2 use CTR-DRBG so far. */ #define MBEDTLS_CTR_DRBG_C +#undef MBEDTLS_SSL_CONF_RNG +#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random /* The ticket implementation hardcodes AES-GCM */ #define MBEDTLS_GCM_C diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 95dd4cdbe..597f2a33d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3601,6 +3601,13 @@ //#define MBEDTLS_SSL_CONF_CID_LEN 0 //#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE +/* The PRNG to use by the SSL module. If defined, this must + * evaluate to the name on externally defined function with signature + * int (*f_rng)(void *, unsigned char *, size_t), + * e.g. mbedtls_ctr_drbg_random or mbedtls_hmac_drbg_random. + */ +//#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random + /* ExtendedMasterSecret extension * The following two options must be set/unset simultaneously. */ //#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index ead0fa7b4..7364dc497 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -902,8 +902,10 @@ struct mbedtls_ssl_config void (*f_dbg)(void *, int, const char *, int, const char *); void *p_dbg; /*!< context for the debug function */ +#if !defined(MBEDTLS_SSL_CONF_RNG) /** Callback for getting (pseudo-)random numbers */ int (*f_rng)(void *, unsigned char *, size_t); +#endif /* !MBEDTLS_SSL_CONF_RNG */ void *p_rng; /*!< context for the RNG function */ #if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) 
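Review bot: The comment added for MBEDTLS_SSL_CONF_RNG in include/mbedtls/config.h (hunk at -3601) has a typo and leaves out the API consequence of enabling the option. "the name on externally defined function" should read `the name of an externally defined function`. It would also help to state there that defining the option removes `mbedtls_ssl_conf_rng()` and the `f_rng` field, and that the context is then set with `mbedtls_ssl_conf_rng_ctx()`, since a user reading only config.h cannot otherwise tell why existing code stops building.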
@@ -1462,9 +1464,16 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, void *p_vrfy ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if !defined(MBEDTLS_SSL_CONF_RNG) /** * \brief Set the random number generator callback * + * \note On constrained systems, the RNG can also be + * configured at compile-time via the option + * MBEDTLS_SSL_CONF_RNG. In this case, the + * \p f_rng argument in this function has no + * effect. + * * \param conf SSL configuration * \param f_rng RNG function * \param p_rng RNG parameter @@ -1472,6 +1481,16 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +#else +/** + * \brief Set the random number generator callback context. + * + * \param conf SSL configuration + * \param p_rng RNG parameter + */ +void mbedtls_ssl_conf_rng_ctx( mbedtls_ssl_config *conf, + void *p_rng ); +#endif /** * \brief Set the debug callback diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 74c9f1a94..52835b49c 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
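Review bot: The `\note` added to the mbedtls_ssl_conf_rng() documentation in include/mbedtls/ssl.h says the `f_rng` argument "has no effect" when MBEDTLS_SSL_CONF_RNG is set, but the same hunk wraps the declaration in `#if !defined(MBEDTLS_SSL_CONF_RNG)`, so in that configuration the function is not declared at all. I would reword it along the lines of `\note If MBEDTLS_SSL_CONF_RNG is defined, this function is not available; use mbedtls_ssl_conf_rng_ctx() to set the RNG context.` The documentation of mbedtls_ssl_conf_rng_ctx() in the following hunk (-1472) should also state that `p_rng` must be a context of the type expected by the function named in MBEDTLS_SSL_CONF_RNG, because the `void *` is not checked against it. The closing `#endif` there would read more easily as `#endif /* MBEDTLS_SSL_CONF_RNG */`, matching the struct hunk.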
@@ -1289,6 +1289,27 @@ static inline unsigned int mbedtls_ssl_conf_get_anti_replay( #endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */ #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ +typedef int (*mbedtls_frng_t)( void*, unsigned char*, size_t ); + +#if !defined(MBEDTLS_SSL_CONF_RNG) +static inline mbedtls_frng_t mbedtls_ssl_conf_get_frng( + mbedtls_ssl_config const *conf ) +{ + return( conf->f_rng ); +} +#else /* !MBEDTLS_SSL_CONF_RNG */ + +#define mbedtls_ssl_conf_rng_func MBEDTLS_SSL_CONF_RNG +extern int mbedtls_ssl_conf_rng_func( void*, unsigned char*, size_t ); + +static inline mbedtls_frng_t mbedtls_ssl_conf_get_frng( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return ((mbedtls_frng_t*) mbedtls_ssl_conf_rng_func); +} +#endif /* MBEDTLS_SSL_CONF_RNG */ + #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) static inline unsigned int mbedtls_ssl_conf_get_ems( mbedtls_ssl_config const *conf ) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 274938979..a050adb3b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -394,7 +394,8 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); @@ -751,14 +752,20 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); #else - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, p, 4 ) ) != 0 ) + { return( ret ); + } p += 4; #endif /* MBEDTLS_HAVE_TIME */ - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, p, 28 ) ) != 0 ) + { return( ret ); + } return( 0 ); } 
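Review bot: In the include/mbedtls/ssl_internal.h hunk (-1289), the compile-time variant of mbedtls_ssl_conf_get_frng() casts to the wrong type: `return ((mbedtls_frng_t*) mbedtls_ssl_conf_rng_func);` produces a pointer to a function pointer, while the function returns `mbedtls_frng_t`. That relies on an implicit conversion between incompatible pointer types, which compilers diagnose and which will not build under stricter warning settings. The `extern` declaration just above already gives the function the right signature, so no cast is needed: `return( mbedtls_ssl_conf_rng_func );`. The comment on the `#else` line also reads `/* !MBEDTLS_SSL_CONF_RNG */` although that branch is the defined case.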
@@ -822,7 +829,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); - if( ssl->conf->f_rng == NULL ) + if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); return( MBEDTLS_ERR_SSL_NO_RNG ); @@ -908,7 +915,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->ticket != NULL && ssl->session_negotiate->ticket_len != 0 ) { - ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); + ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); if( ret != 0 ) return( ret ); @@ -2333,7 +2341,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, ssl->conf->transport, p ); - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); return( ret ); @@ -2382,7 +2391,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, p, ssl->handshake->pmslen, ssl->out_msg + offset + len_bytes, olen, MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); goto cleanup; @@ -3155,7 +3165,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), &ssl->out_msg[i], n, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 
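Review bot: With MBEDTLS_SSL_CONF_RNG defined, the check `mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL` in ssl_write_client_hello (library/ssl_cli.c, hunk at -822) can never be true, because the getter returns the address of a fixed function, so MBEDTLS_ERR_SSL_NO_RNG is unreachable in that configuration. An application that forgets to call mbedtls_ssl_conf_rng_ctx() would then reach the RNG calls with whatever `p_rng` holds (presumably NULL after config initialisation, which is not visible here) instead of failing cleanly. If every supported RNG needs a context, the hard-coded case could test it instead, e.g. `if( ssl->conf->p_rng == NULL )` under `#if defined(MBEDTLS_SSL_CONF_RNG)`. The same applies to ssl_write_server_hello in library/ssl_srv.c (hunk at -2637); both function bodies continue outside their hunks.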
@@ -3169,7 +3180,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ssl->handshake->premaster, MBEDTLS_PREMASTER_SIZE, &ssl->handshake->pmslen, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( ret ); @@ -3206,7 +3218,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, &ssl->out_msg[i], 1000, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); @@ -3235,7 +3248,8 @@ ecdh_calc_secret: &ssl->handshake->pmslen, ssl->handshake->premaster, MBEDTLS_MPI_MAX_SIZE, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) @@ -3317,7 +3331,8 @@ ecdh_calc_secret: ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), &ssl->out_msg[i], n, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); @@ -3334,7 +3349,8 @@ ecdh_calc_secret: */ ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 
@@ -3376,7 +3392,8 @@ ecdh_calc_secret: ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); @@ -3385,7 +3402,8 @@ ecdh_calc_secret: ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, ssl->handshake->premaster, 32, &ssl->handshake->pmslen, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); @@ -3583,7 +3601,8 @@ sign: if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, ssl->out_msg + 6 + offset, &n, - ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng, rs_ctx ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 66f25ead9..00555c94d 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2493,7 +2493,8 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); @@ -2637,7 +2638,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ - if( ssl->conf->f_rng == NULL ) + if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); return( MBEDTLS_ERR_SSL_NO_RNG ); 
@@ -2669,14 +2670,20 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); #else - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, p, 4 ) ) != 0 ) + { return( ret ); + } p += 4; #endif /* MBEDTLS_HAVE_TIME */ - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, p, 28 ) ) != 0 ) + { return( ret ); + } p += 28; @@ -2739,9 +2746,11 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SESSION_TICKETS */ { ssl->session_negotiate->id_len = n = 32; - if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, - n ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, ssl->session_negotiate->id, n ) ) != 0 ) + { return( ret ); + } } } @@ -3145,7 +3154,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, &ssl->handshake->ecjpake_ctx, ssl->out_msg + ssl->out_msglen, MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); @@ -3208,7 +3218,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), ssl->out_msg + ssl->out_msglen, &len, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); return( ret ); 
@@ -3272,7 +3283,8 @@ curve_matching_done: &ssl->handshake->ecdh_ctx, &len, ssl->out_msg + ssl->out_msglen, MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); return( ret ); @@ -3456,7 +3468,7 @@ curve_matching_done: md_alg, hash, hashlen, ssl->out_msg + ssl->out_msglen + 2, signature_len, - ssl->conf->f_rng, + mbedtls_ssl_conf_get_frng( ssl->conf ), ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); @@ -3753,7 +3765,8 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, ret = mbedtls_pk_decrypt( private_key, p, len, peer_pms, peer_pmslen, peer_pmssize, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); return( ret ); } @@ -3822,7 +3835,8 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, * successful. In particular, always generate the fake premaster secret, * regardless of whether it will ultimately influence the output or not. */ - ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); + ret = mbedtls_ssl_conf_get_frng( ssl->conf ) + ( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); if( ret != 0 ) { /* It's ok to abort on an RNG failure, since this does not reveal @@ -3980,7 +3994,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) ssl->handshake->premaster, MBEDTLS_PREMASTER_SIZE, &ssl->handshake->pmslen, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 
@@ -4013,7 +4028,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) &ssl->handshake->pmslen, ssl->handshake->premaster, MBEDTLS_MPI_MAX_SIZE, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); @@ -4169,7 +4185,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, ssl->handshake->premaster, 32, &ssl->handshake->pmslen, - ssl->conf->f_rng, ssl->conf->p_rng ); + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 91b944cc4..8c24ee995 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1623,7 +1623,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch /* Write length only when we know the actual value */ if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, p + 2, end - ( p + 2 ), &len, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( ret ); @@ -1644,7 +1645,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, p + 2, end - ( p + 2 ), - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); return( ret ); 
@@ -3941,7 +3943,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec, - ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + mbedtls_ssl_conf_get_frng( ssl->conf ), + ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); return( ret ); @@ -8185,6 +8188,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if !defined(MBEDTLS_SSL_CONF_RNG) void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) @@ -8192,6 +8196,13 @@ void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, conf->f_rng = f_rng; conf->p_rng = p_rng; } +#else +void mbedtls_ssl_conf_rng_ctx( mbedtls_ssl_config *conf, + void *p_rng ) +{ + conf->p_rng = p_rng; +} +#endif void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *, int, const char *), diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 4b8140e68..18e11d0a6 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -209,7 +209,11 @@ int main( void ) goto exit; } +#if !defined(MBEDTLS_SSL_CONF_RNG) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); +#else + mbedtls_ssl_conf_rng_ctx( &conf, &ctr_drbg ); +#endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ), diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 419be6bdb..6d2b67bbe 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c 
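Review bot: The `#else` branch added in programs/ssl/mini_client.c (hunk at -209) passes `&ctr_drbg` to mbedtls_ssl_conf_rng_ctx() regardless of which function MBEDTLS_SSL_CONF_RNG names, and the `void *` context is not type-checked against it. configs/baremetal.h in this patch selects `mbedtls_hmac_drbg_random`, so if this program is ever built with that configuration (not visible here) the HMAC-DRBG function would be handed a CTR-DRBG context. A comment at the call would make the constraint visible, for example `/* ctr_drbg is only valid if MBEDTLS_SSL_CONF_RNG is mbedtls_ctr_drbg_random */`. The same pattern appears in the ssl_client2.c and ssl_server2.c hunks, where configs/baremetal_test.h overrides the option to `mbedtls_ctr_drbg_random`. main() continues outside the hunk.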
@@ -2706,6 +2706,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ +#if defined(MBEDTLS_SSL_CONF_RNG) + if( strcmp( "MBEDTLS_SSL_CONF_RNG", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_RNG ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_RNG */ + #if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 8d7ee0a36..a4af97a5b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1764,7 +1764,12 @@ int main( int argc, char *argv[] ) } #endif +#if !defined(MBEDTLS_SSL_CONF_RNG) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); +#else + mbedtls_ssl_conf_rng_ctx( &conf, &ctr_drbg ); +#endif + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); #if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5135ad407..2704d4efe 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2570,7 +2570,12 @@ int main( int argc, char *argv[] ) } #endif +#if !defined(MBEDTLS_SSL_CONF_RNG) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); +#else + mbedtls_ssl_conf_rng_ctx( &conf, &ctr_drbg ); +#endif + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C)