Add missing f_rng/p_rng arguments to x509write_crt

include/polarssl/x509write.h

@@ -373,11 +373,20 @@ void x509write_crt_free( x509write_cert *ctx );
  * \param crt       certificate to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
  *
  * \return          length of data written if successful, or a specific
  *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
  */
-int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size );
+int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
 
 /**
  * \brief           Write a public key to a DER structure
@@ -441,10 +450,19 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
  * \param crt       certificate to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
  *
  * \return          0 successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
  */
-int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size );
+int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
 
 /**
  * \brief           Write a public key to a PEM string

library/x509write.c

@@ -905,7 +905,9 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size,
     return( len );
 }
 
-int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size )
+int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
     const char *sig_oid;
@@ -1007,7 +1009,7 @@ int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size )
     md( md_info_from_type( ctx->md_alg ), c, len, hash );
 
     if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
-                         NULL, NULL ) ) != 0 )
+                         f_rng, p_rng ) ) != 0 )
     {
         return( ret );
     }
@@ -1083,13 +1085,15 @@ static int x509write_pemify( const char *begin_str, const char *end_str,
     return( 0 );
 }
 
-int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size )
+int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
     unsigned char output_buf[4096];
 
-    if( ( ret = x509write_crt_der( crt, output_buf,
-                                   sizeof(output_buf) ) ) < 0 )
+    if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }

programs/x509/cert_req.c

@@ -34,19 +34,21 @@
 #include "polarssl/config.h"
 
 #include "polarssl/x509write.h"
-#include "polarssl/error.h"
 #include "polarssl/entropy.h"
 #include "polarssl/ctr_drbg.h"
+#include "polarssl/error.h"
 
-#if !defined(POLARSSL_X509_PARSE_C) || !defined(POLARSSL_FS_IO) ||     \
-    !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \
+#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) ||   \
+    !defined(POLARSSL_FS_IO) ||                                             \
+    !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) ||        \
     !defined(POLARSSL_ERROR_C)
 int main( int argc, char *argv[] )
 {
     ((void) argc);
     ((void) argv);
 
-    printf( "POLARSSL_X509_PARSE_C and/or POLARSSL_FS_IO and/or "
+    printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or "
+            "POLARSSL_FS_IO and/or "
             "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or "
             "POLARSSL_ERROR_C not defined.\n");
     return( 0 );
@@ -333,6 +335,6 @@ exit:
 
     return( ret );
 }
-#endif /* POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
+#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
           POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C &&
           POLARSSL_ERROR_C */

programs/x509/cert_write.c

@@ -33,24 +33,24 @@
 
 #include "polarssl/config.h"
 
-#include "polarssl/error.h"
-#include "polarssl/rsa.h"
-#include "polarssl/x509.h"
-#include "polarssl/base64.h"
 #include "polarssl/x509write.h"
-#include "polarssl/oid.h"
+#include "polarssl/entropy.h"
+#include "polarssl/ctr_drbg.h"
+#include "polarssl/error.h"
 
-#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) ||         \
-    !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_FS_IO) ||     \
+#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) ||   \
+    !defined(POLARSSL_FS_IO) ||                                             \
+    !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) ||        \
     !defined(POLARSSL_ERROR_C)
 int main( int argc, char *argv[] )
 {
     ((void) argc);
     ((void) argv);
 
-    printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
-           "POLARSSL_X509_WRITE_C and/or POLARSSL_FS_IO and/or "
-           "POLARSSL_ERROR_C not defined.\n");
+    printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or "
+            "POLARSSL_FS_IO and/or "
+            "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or "
+            "POLARSSL_ERROR_C not defined.\n");
     return( 0 );
 }
 #else
@@ -97,7 +97,9 @@ struct options
     unsigned char ns_cert_type; /* NS cert type                         */
 } opt;
 
-int write_certificate( x509write_cert *crt, char *output_file )
+int write_certificate( x509write_cert *crt, char *output_file,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
 {
     int ret;
     FILE *f;
@@ -105,7 +107,7 @@ int write_certificate( x509write_cert *crt, char *output_file )
     size_t len = 0;
 
     memset( output_buf, 0, 4096 );
-    if( ( ret = x509write_crt_pem( crt, output_buf, 4096 ) ) < 0 )
+    if( ( ret = x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
         return( ret );
 
     len = strlen( (char *) output_buf );
@@ -183,6 +185,9 @@ int main( int argc, char *argv[] )
     x509_csr csr;
     x509write_cert crt;
     mpi serial;
+    entropy_context entropy;
+    ctr_drbg_context ctr_drbg;
+    const char *pers = "crt example app";
 
     /*
      * Set to sane values
@@ -350,8 +355,29 @@ int main( int argc, char *argv[] )
 
     printf("\n");
 
+    /*
+     * 0. Seed the PRNG
+     */
+    printf( "  . Seeding the random number generator..." );
+    fflush( stdout );
+
+    entropy_init( &entropy );
+    if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
+                               (const unsigned char *) pers,
+                               strlen( pers ) ) ) != 0 )
+    {
+        error_strerror( ret, buf, 1024 );
+        printf( " failed\n  !  ctr_drbg_init returned %d - %s\n", ret, buf );
+        goto exit;
+    }
+
+    printf( " ok\n" );
+
     // Parse serial to MPI
     //
+    printf( "  . Reading serial number..." );
+    fflush( stdout );
+
     if( ( ret = mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
     {
         error_strerror( ret, buf, 1024 );
@@ -359,6 +385,8 @@ int main( int argc, char *argv[] )
         goto exit;
     }
 
+    printf( " ok\n" );
+
     // Parse issuer certificate if present
     //
     if( !opt.selfsign && strlen( opt.issuer_crt ) )
@@ -597,7 +625,8 @@ int main( int argc, char *argv[] )
     printf( "  . Writing the certificate..." );
     fflush( stdout );
 
-    if( ( ret = write_certificate( &crt, opt.output_file ) ) != 0 )
+    if( ( ret = write_certificate( &crt, opt.output_file,
+                                   ctr_drbg_random, &ctr_drbg ) ) != 0 )
     {
         error_strerror( ret, buf, 1024 );
         printf( " failed\n  !  write_certifcate -0x%02x - %s\n\n", -ret, buf );
@@ -619,5 +648,6 @@ exit:
 
     return( ret );
 }
-#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C &&
-          POLARSSet_serial_X509_WRITE_C && POLARSSL_FS_IO */
+#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO &&
+          POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C &&
+          POLARSSL_ERROR_C */

tests/suites/test_suite_x509write.function

@@ -76,7 +76,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
     int ret;
     size_t olen = sizeof( check_buf );
     FILE *f;
+    rnd_pseudo_info rnd_info;
 
+    memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) );
     mpi_init( &serial );
     pk_init( &subject_key );
     pk_init( &issuer_key );
@@ -101,7 +103,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
     TEST_ASSERT( x509write_crt_set_subject_key_identifier( &crt ) == 0 );
     TEST_ASSERT( x509write_crt_set_authority_key_identifier( &crt ) == 0 );
 
-    ret = x509write_crt_der( &crt, buf, sizeof(buf) );
+    ret = x509write_crt_der( &crt, buf, sizeof(buf),
+                             rnd_pseudo_rand, &rnd_info );
     TEST_ASSERT( ret >= 0 );
 
     c = buf + sizeof( buf ) - ret;