yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-22 22:00:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow ssl_client2/ssl_server2 to use HMAC DRBG instead of CTR DRBG

Browse source 
So far, ssl_client2 and ssl_server2 were relying on MBEDTLS_CTR_DRBG_C
being set. This commit adapts them to use HMAC DRBG in case CTR DRBG
is disabled in the configuration.

Note that disabling CTR DRBG in favor of HMAC DRBG can be useful on
constrained systems because Mbed TLS' HMAC DRBG is slightly smaller,
and moreover needed anyway as part of deterministic ECDSA.
This commit is contained in:
Hanno Becker 2019-08-26 13:30:13 +01:00
parent df9633b21c
commit 7f1c805b23
2 changed files with 118 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
programs/ssl/ssl_client2.c
View file

@ -43,13 +43,16 @@
#endif
#if !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C)
!defined(MBEDTLS_SSL_TLS_C) || \
!defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || \
!( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) )
int main( void )
{
mbedtls_printf("MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n");
"MBEDTLS_NET_C not defined, or "
"neither MBEDTLS_CTR_DRBG_C nor MBEDTLS_HMAC_DRBG_C defined.\n");
return( 0 );
}
#else
@ -59,6 +62,7 @@ int main( void )
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
@ -701,8 +705,9 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
return( 0 );
}
#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
static int ssl_sig_hashes_for_test[] = {
#endif /* MBEDTLS_X509_CRT_PARSE_C */
static int available_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
MBEDTLS_MD_SHA384,
@ -717,8 +722,6 @@ static int ssl_sig_hashes_for_test[] = {
#endif
MBEDTLS_MD_NONE
};
#endif /* !MBEDTLS_SSL_CONF_SINGLE_HASH */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
* Wait for an event from the underlying transport or the timer
@ -892,14 +895,23 @@ int report_cid_usage( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_CONF_RNG)
int rng_wrap( void *ctx, unsigned char *dst, size_t len );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context *rng_ctx_global = NULL;
#else
mbedtls_hmac_drbg_context *rng_ctx_global = NULL;
#endif /* MBEDTLS_CTR_DRBG_C */
int rng_wrap( void *ctx, unsigned char *dst, size_t len )
{
/* We expect the NULL parameter here. */
if( ctx != NULL )
return( -1 );
#if defined(MBEDTLS_CTR_DRBG_C)
return( mbedtls_ctr_drbg_random( rng_ctx_global, dst, len ) );
#else
return( mbedtls_hmac_drbg_random( rng_ctx_global, dst, len ) );
#endif
}
#endif /* MBEDTLS_SSL_CONF_RNG */
@ -941,7 +953,11 @@ int main( int argc, char *argv[] )
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
#endif
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context ctr_drbg;
#else
mbedtls_hmac_drbg_context hmac_drbg;
#endif
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ssl_session saved_session;
@ -970,7 +986,11 @@ int main( int argc, char *argv[] )
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init( &ctr_drbg );
#else
mbedtls_hmac_drbg_init( &hmac_drbg );
#endif /* MBEDTLS_CTR_DRBG_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init( &clicert );
@ -1664,6 +1684,7 @@ int main( int argc, char *argv[] )
fflush( stdout );
mbedtls_entropy_init( &entropy );
#if defined(MBEDTLS_CTR_DRBG_C)
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
@ -1672,6 +1693,19 @@ int main( int argc, char *argv[] )
-ret );
goto exit;
}
#else /* MBEDTLS_CTR_DRBG_C */
if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg,
mbedtls_md_info_from_type(
available_hashes[0] ),
mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n",
-ret );
goto exit;
}
#endif /* MBEDTLS_CTR_DRBG */
mbedtls_printf( " ok\n" );
@ -1851,7 +1885,7 @@ int main( int argc, char *argv[] )
crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
mbedtls_ssl_conf_sig_hashes( &conf, available_hashes );
#endif
}
@ -1953,11 +1987,19 @@ int main( int argc, char *argv[] )
}
#endif
#if defined(MBEDTLS_CTR_DRBG_C)
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
#else
rng_ctx_global = &ctr_drbg;
#endif
#else /* MBEDTLS_CTR_DRBG_C */
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg );
#else
rng_ctx_global = &hmac_drbg;
#endif
#endif /* MBEDTLS_CTR_DRBG_C */
#if defined(MBEDTLS_DEBUG_C)
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
@ -2871,7 +2913,11 @@ exit:
mbedtls_ssl_session_free( &saved_session );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free( &ctr_drbg );
#else
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
mbedtls_entropy_free( &entropy );
if( session_data != NULL )
mbedtls_platform_zeroize( session_data, session_data_len );
@ -2895,4 +2941,4 @@ exit:
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_CTR_DRBG_C MBEDTLS_TIMING_C */
( MBEDTLS_CTR_DRBG_C || MBEDTLS_HMAC_DRBG_C ) && MBEDTLS_TIMING_C */

73
programs/ssl/ssl_server2.c
View file

@ -42,13 +42,16 @@
#endif
#if !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C)
!defined(MBEDTLS_SSL_TLS_C) || \
!defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || \
!( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) )
int main( void )
{
mbedtls_printf("MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n");
"MBEDTLS_NET_C not defined, or "
"neither MBEDTLS_CTR_DRBG_C nor MBEDTLS_HMAC_DRBG_C defined.\n");
return( 0 );
}
#else
@ -58,6 +61,7 @@ int main( void )
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
@ -1133,9 +1137,7 @@ void term_handler( int sig )
}
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
static int ssl_sig_hashes_for_test[] = {
static int available_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
MBEDTLS_MD_SHA384,
@ -1150,7 +1152,6 @@ static int ssl_sig_hashes_for_test[] = {
#endif
MBEDTLS_MD_NONE
};
#endif /* MBEDTLS_X509_CRT_PARSE_C && !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) */
/** Return true if \p ret is a status code indicating that there is an
* operation in progress on an SSL connection, and false if it indicates
@ -1508,14 +1509,23 @@ int report_cid_usage( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_CONF_RNG)
int rng_wrap( void *ctx, unsigned char *dst, size_t len );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context *rng_ctx_global = NULL;
#else
mbedtls_hmac_drbg_context *rng_ctx_global = NULL;
#endif /* MBEDTLS_CTR_DRBG_C */
int rng_wrap( void *ctx, unsigned char *dst, size_t len )
{
/* We expect the NULL parameter here. */
if( ctx != NULL )
return( -1 );
#if defined(MBEDTLS_CTR_DRBG_C)
return( mbedtls_ctr_drbg_random( rng_ctx_global, dst, len ) );
#else
return( mbedtls_hmac_drbg_random( rng_ctx_global, dst, len ) );
#endif
}
#endif /* MBEDTLS_SSL_CONF_RNG */
@ -1545,7 +1555,11 @@ int main( int argc, char *argv[] )
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
#endif
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context ctr_drbg;
#else
mbedtls_hmac_drbg_context hmac_drbg;
#endif
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
#if defined(MBEDTLS_TIMING_C)
@ -1615,7 +1629,11 @@ int main( int argc, char *argv[] )
mbedtls_net_init( &listen_fd );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init( &ctr_drbg );
#else
mbedtls_hmac_drbg_init( &hmac_drbg );
#endif /* MBEDTLS_CTR_DRBG_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init( &srvcert );
@ -2418,6 +2436,7 @@ int main( int argc, char *argv[] )
fflush( stdout );
mbedtls_entropy_init( &entropy );
#if defined(MBEDTLS_CTR_DRBG_C)
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
@ -2426,6 +2445,19 @@ int main( int argc, char *argv[] )
-ret );
goto exit;
}
#else /* MBEDTLS_CTR_DRBG_C */
if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg,
mbedtls_md_info_from_type(
available_hashes[0] ),
mbedtls_entropy_func,
&entropy, (const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n",
-ret );
goto exit;
}
#endif /* MBEDTLS_CTR_DRBG */
mbedtls_printf( " ok\n" );
@ -2674,7 +2706,7 @@ int main( int argc, char *argv[] )
crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
mbedtls_ssl_conf_sig_hashes( &conf, available_hashes );
#endif
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@ -2765,11 +2797,19 @@ int main( int argc, char *argv[] )
}
#endif
#if defined(MBEDTLS_CTR_DRBG_C)
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
#else
rng_ctx_global = &ctr_drbg;
#endif
#else /* MBEDTLS_CTR_DRBG_C */
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg );
#else
rng_ctx_global = &hmac_drbg;
#endif
#endif /* MBEDTLS_CTR_DRBG_C */
#if defined(MBEDTLS_DEBUG_C)
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
@ -2793,7 +2833,11 @@ int main( int argc, char *argv[] )
if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED )
{
if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx,
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_random, &ctr_drbg,
#else
mbedtls_hmac_drbg_random, &hmac_drbg,
#endif
MBEDTLS_CIPHER_AES_256_GCM,
opt.ticket_timeout ) ) != 0 )
{
@ -2815,7 +2859,12 @@ int main( int argc, char *argv[] )
if( opt.cookies > 0 )
{
if( ( ret = mbedtls_ssl_cookie_setup( &cookie_ctx,
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_random, &ctr_drbg
#else
mbedtls_hmac_drbg_random, &hmac_drbg
#endif /* MBEDTLS_CTR_DRBG_C */
) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret );
goto exit;
@ -3852,7 +3901,11 @@ exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free( &ctr_drbg );
#else
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif
mbedtls_entropy_free( &entropy );
#if defined(MBEDTLS_SSL_CACHE_C)
@ -3895,4 +3948,4 @@ exit:
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_CTR_DRBG_C */
( MBEDTLS_CTR_DRBG_C || MBEDTLS_HMAC_DRBG_C ) */