diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 5c7b2f646..dec511112 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -667,6 +667,8 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx ); * The empty password is not supported. * \param pwdlen Size of the password in bytes. * Ignored if \p pwd is \c NULL. + * \param f_rng RNG function, must not be \c NULL. Used for blinding. + * \param p_rng RNG parameter * * \note On entry, ctx must be empty, either freshly initialised * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a @@ -677,8 +679,9 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx ); * \return 0 if successful, or a specific PK or PEM error code */ int mbedtls_pk_parse_key( mbedtls_pk_context *ctx, - const unsigned char *key, size_t keylen, - const unsigned char *pwd, size_t pwdlen ); + const unsigned char *key, size_t keylen, + const unsigned char *pwd, size_t pwdlen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** \ingroup pk_module */ /** @@ -718,6 +721,8 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, * Pass a null-terminated string if expecting an encrypted * key; a non-encrypted key will also be accepted. * The empty password is not supported. + * \param f_rng RNG function, must not be \c NULL. Used for blinding. + * \param p_rng RNG parameter * * \note On entry, ctx must be empty, either freshly initialised * with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a @@ -728,7 +733,8 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx, * \return 0 if successful, or a specific PK or PEM error code */ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, - const char *path, const char *password ); + const char *path, const char *password, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** \ingroup pk_module */ /** diff --git a/library/pkparse.c b/library/pkparse.c index 3222ca20f..5438ee4a0 100644 
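Review bot: The new `\param f_rng` text in the `mbedtls_pk_parse_key()` comment states the non-NULL requirement but not that the RNG has to be seeded before the call, which is why several sample programs in this commit move `mbedtls_ctr_drbg_seed()` ahead of key loading. I would write `\param f_rng RNG function, must not be \c NULL. Used for blinding, so it must be seeded and ready before this call.` and `\param p_rng RNG context passed to \p f_rng; may be \c NULL if \p f_rng ignores it.` The same two lines apply to the `mbedtls_pk_parse_keyfile()` comment in the `@@ -718` hunk. Both doc comments start above their hunks.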
--- a/library/pkparse.c +++ b/library/pkparse.c @@ -123,7 +123,8 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) * Load and parse a private key */ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, - const char *path, const char *pwd ) + const char *path, const char *pwd, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t n; @@ -136,10 +137,10 @@ int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx, return( ret ); if( pwd == NULL ) - ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 ); + ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0, f_rng, p_rng ); else ret = mbedtls_pk_parse_key( ctx, buf, n, - (const unsigned char *) pwd, strlen( pwd ) ); + (const unsigned char *) pwd, strlen( pwd ), f_rng, p_rng ); mbedtls_platform_zeroize( buf, n ); mbedtls_free( buf ); @@ -859,8 +860,8 @@ cleanup: * Parse a SEC1 encoded private EC key */ static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, - const unsigned char *key, - size_t keylen ) + const unsigned char *key, size_t keylen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int version, pubkey_done; @@ -967,7 +968,7 @@ static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, if( ! pubkey_done && ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G, - NULL, NULL ) ) != 0 ) + f_rng, p_rng ) ) != 0 ) { mbedtls_ecp_keypair_free( eck ); return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) ); @@ -997,9 +998,9 @@ static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck, * */ static int pk_parse_key_pkcs8_unencrypted_der( - mbedtls_pk_context *pk, - const unsigned char* key, - size_t keylen ) + mbedtls_pk_context *pk, + const unsigned char* key, size_t keylen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret, version; size_t len; 
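Review bot: `f_rng` is consumed only in this `! pubkey_done` branch of the `@@ -967` hunk, so the header's "must not be NULL" rule is never checked for keys that carry their public part, and an RNG failure inside `mbedtls_ecp_mul()` comes back wrapped in `MBEDTLS_ERR_PK_KEY_INVALID_FORMAT`, which reads as a malformed key. How `mbedtls_ecp_mul()` treats a NULL `f_rng` is not visible in this diff. If the contract is meant to be enforced uniformly, a guard at the top of `mbedtls_pk_parse_key()` such as `if( f_rng == NULL ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );` would do it. At minimum a comment here, `/* Q is absent from the encoding: derive it as d*G, blinded with f_rng */`, would explain why a parser needs an RNG. `pk_parse_key_sec1_der()` starts and ends outside this hunk.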
@@ -1071,7 +1072,7 @@ static int pk_parse_key_pkcs8_unencrypted_der( if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH ) { if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 || - ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 ) + ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len, f_rng, p_rng ) ) != 0 ) { mbedtls_pk_free( pk ); return( ret ); @@ -1094,9 +1095,10 @@ static int pk_parse_key_pkcs8_unencrypted_der( */ #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C) static int pk_parse_key_pkcs8_encrypted_der( - mbedtls_pk_context *pk, - unsigned char *key, size_t keylen, - const unsigned char *pwd, size_t pwdlen ) + mbedtls_pk_context *pk, + unsigned char *key, size_t keylen, + const unsigned char *pwd, size_t pwdlen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret, decrypted = 0; size_t len; @@ -1206,7 +1208,7 @@ static int pk_parse_key_pkcs8_encrypted_der( if( decrypted == 0 ) return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); - return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) ); + return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len, f_rng, p_rng ) ); } #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ @@ -1215,7 +1217,8 @@ static int pk_parse_key_pkcs8_encrypted_der( */ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, const unsigned char *key, size_t keylen, - const unsigned char *pwd, size_t pwdlen ) + const unsigned char *pwd, size_t pwdlen, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_pk_info_t *pk_info; @@ -1278,7 +1281,8 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 || ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), - pem.buf, pem.buflen ) ) != 0 ) + pem.buf, pem.buflen, + f_rng, p_rng ) ) != 0 ) { mbedtls_pk_free( pk ); } 
@@ -1305,7 +1309,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, if( ret == 0 ) { if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, - pem.buf, pem.buflen ) ) != 0 ) + pem.buf, pem.buflen, f_rng, p_rng ) ) != 0 ) { mbedtls_pk_free( pk ); } @@ -1327,9 +1331,8 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, key, NULL, 0, &len ); if( ret == 0 ) { - if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, - pem.buf, pem.buflen, - pwd, pwdlen ) ) != 0 ) + if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, pem.buf, pem.buflen, + pwd, pwdlen, f_rng, p_rng ) ) != 0 ) { mbedtls_pk_free( pk ); } @@ -1362,7 +1365,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, memcpy( key_copy, key, keylen ); ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen, - pwd, pwdlen ); + pwd, pwdlen, f_rng, p_rng ); mbedtls_platform_zeroize( key_copy, keylen ); mbedtls_free( key_copy ); @@ -1380,8 +1383,11 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, } #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ - if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 ) + if( ( ret = pk_parse_key_pkcs8_unencrypted_der( + pk, key, keylen, f_rng, p_rng ) ) == 0 ) + { return( 0 ); + } mbedtls_pk_free( pk ); mbedtls_pk_init( pk ); @@ -1403,7 +1409,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk, pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ); if( mbedtls_pk_setup( pk, pk_info ) == 0 && pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), - key, keylen ) == 0 ) + key, keylen, f_rng, p_rng ) == 0 ) { return( 0 ); } diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index f2e9a1c05..ef2adc134 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c 
@@ -108,7 +108,8 @@ psa_status_t mbedtls_psa_rsa_load_representation( /* Parse the data. */ if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) status = mbedtls_to_psa_error( - mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0 ) ); + mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0, + mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ) ); else status = mbedtls_to_psa_error( mbedtls_pk_parse_public_key( &ctx, data, data_length ) ); diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 34ff63ede..a64eef979 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -6,6 +6,7 @@ #include "common.h" #include "mbedtls/ssl.h" #include "test/certs.h" +#include "test/random.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" @@ -55,7 +56,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_test_cas_pem_len ) != 0) return 1; if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ) != 0) + mbedtls_test_srv_key_len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ) != 0) return 1; #endif dummy_init(); diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c index f76afd1c5..a06187562 100644 --- a/programs/fuzz/fuzz_privkey.c +++ b/programs/fuzz/fuzz_privkey.c @@ -3,6 +3,7 @@ #include #include #include "mbedtls/pk.h" +#include "test/random.h" //4 Kb should be enough for every bug ;-) #define MAX_LEN 0x1000 @@ -19,7 +20,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { } mbedtls_pk_init( &pk ); - ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 ); + ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ); if (ret == 0) { #if defined(MBEDTLS_RSA_C) if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA ) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 5480e3e87..d4480c5c8 100644 
--- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -66,7 +66,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_test_cas_pem_len ) != 0) return 1; if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ) != 0) + mbedtls_test_srv_key_len, NULL, 0, + mbedtls_ctr_drbg_random, &ctr_drbg ) != 0) return 1; #endif diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c index 7bd93c72b..0e30be4b2 100644 --- a/programs/pkey/key_app.c +++ b/programs/pkey/key_app.c @@ -40,6 +40,8 @@ #include "mbedtls/rsa.h" #include "mbedtls/pk.h" +#include "test/random.h" + #include #endif @@ -181,7 +183,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Loading the private key ..." ); fflush( stdout ); - ret = mbedtls_pk_parse_keyfile( &pk, opt.filename, opt.password ); + ret = mbedtls_pk_parse_keyfile( &pk, opt.filename, opt.password, + mbedtls_test_rnd_std_rand, NULL ); if( ret != 0 ) { diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c index 4b65262d0..c7f974118 100644 --- a/programs/pkey/key_app_writer.c +++ b/programs/pkey/key_app_writer.c @@ -39,6 +39,8 @@ #include "mbedtls/pk.h" #include "mbedtls/error.h" +#include "test/random.h" + #include #include #endif @@ -292,8 +294,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Loading the private key ..." ); fflush( stdout ); - ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL ); - + ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL, + mbedtls_test_rnd_std_rand, NULL ); if( ret != 0 ) { mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c index 810d6fb3e..e01f5d558 100644 --- a/programs/pkey/pk_decrypt.c +++ b/programs/pkey/pk_decrypt.c 
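Review bot: This call hands `&ctr_drbg` to the parser, but the hunk does not show `mbedtls_ctr_drbg_init()` and `mbedtls_ctr_drbg_seed()` running before it; if the key is parsed in the one-time setup ahead of seeding, the blinding RNG would be used uninitialised, so this is worth confirming against the full function. The other two fuzz targets touched in this commit (`fuzz_dtlsserver.c`, `fuzz_privkey.c`) pass `mbedtls_test_rnd_std_rand, NULL`, which has no state to set up. Using the same pair here, `mbedtls_test_srv_key_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ) != 0)`, would keep the harnesses consistent, though it also needs `#include "test/random.h"`, which this file's hunk does not add. `LLVMFuzzerTestOneInput` continues outside the hunk.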
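Review bot: `mbedtls_test_rnd_std_rand` in the `key_app.c` `@@ -181` hunk is a test helper from `test/random.h`, not a cryptographic RNG (upstream it wraps `rand()`), and here it supplies the blinding values while a user's private key file is parsed. Sample programs tend to be copied into applications, so this one should set up a CTR_DRBG the way `pk_sign.c` and `cert_req.c` do in this same commit and pass `mbedtls_ctr_drbg_random, &ctr_drbg`. The same applies to the `key_app_writer.c` `@@ -292` hunk and to `sni_parse()` in `ssl_server2.c` (`@@ -727`), where `rng_get, &rng` is not in scope. The sketch below omits the two extra includes and the error-exit label, which lie outside the hunk.

```c
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "key_app";

mbedtls_entropy_init( &entropy );
mbedtls_ctr_drbg_init( &ctr_drbg );

/* ... unchanged: option parsing ... */

if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                                   (const unsigned char *) pers,
                                   strlen( pers ) ) ) != 0 )
{
    mbedtls_printf( " failed\n  !  mbedtls_ctr_drbg_seed returned -0x%04x\n",
                    (unsigned int) -ret );
    /* jump to the program's existing error exit */
}

/* ... unchanged: "Loading the private key" banner ... */
ret = mbedtls_pk_parse_keyfile( &pk, opt.filename, opt.password,
                                mbedtls_ctr_drbg_random, &ctr_drbg );

/* ... unchanged: key dump ...; on the exit path: */
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
```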
@@ -106,7 +106,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Reading private key from '%s'", argv[1] ); fflush( stdout ); - if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "", + mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x\n", (unsigned int) -ret ); goto exit; diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index 451e3de9b..422fa257e 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -101,7 +101,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Reading private key from '%s'", argv[1] ); fflush( stdout ); - if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "", + mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_printf( " failed\n ! Could not parse '%s'\n", argv[1] ); goto exit; diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 26056dd9b..bbbe0a9bd 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -102,7 +102,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Reading private key from '%s'", argv[1] ); fflush( stdout ); - if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "", + mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_printf( " failed\n ! Could not read key from '%s'\n", argv[1] ); mbedtls_printf( " ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index de47aab25..857671ff4 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c 
@@ -79,7 +79,9 @@ int main( void ) #include "mbedtls/error.h" #include "mbedtls/debug.h" #include "mbedtls/timing.h" + #include "test/certs.h" +#include "test/random.h" #if defined(MBEDTLS_SSL_CACHE_C) #include "mbedtls/ssl_cache.h" @@ -138,7 +140,23 @@ int main( void ) #endif /* - * 1. Load the certificates and private RSA key + * 1. Seed the RNG + */ + printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); + goto exit; + } + + printf( " ok\n" ); + + /* + * 2. Load the certificates and private RSA key */ printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); @@ -165,7 +183,7 @@ int main( void ) } ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ); + mbedtls_test_srv_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret ); @@ -175,7 +193,7 @@ int main( void ) printf( " ok\n" ); /* - * 2. Setup the "listening" UDP socket + * 3. Setup the "listening" UDP socket */ printf( " . Bind on udp/*/4433 ..." ); fflush( stdout ); @@ -188,22 +206,6 @@ int main( void ) printf( " ok\n" ); - /* - * 3. Seed the RNG - */ - printf( " . Seeding the random number generator..." ); - fflush( stdout ); - - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) - { - printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); - goto exit; - } - - printf( " ok\n" ); - /* * 4. Setup stuff */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 98a304868..6501c4927 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
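Review bot: `#include "test/random.h"` is added in this hunk, but none of the `dtls_server.c` hunks in this diff use a `mbedtls_test_rnd_*` helper; the parse call passes `mbedtls_ctr_drbg_random, &ctr_drbg`. Unless code outside the hunks needs it, drop the include so the sample does not appear to depend on test-only RNG code.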
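Review bot: Nothing in the moved seeding block (`@@ -138`) says why it now has to come first, so a later cleanup could reorder the steps again and hand an unseeded `ctr_drbg` to `mbedtls_pk_parse_key()`. I would extend the step comment to `1. Seed the RNG (must precede key loading: mbedtls_pk_parse_key() uses it for blinding)`. The same wording fits the moved blocks in `ssl_pthread_server.c` (`@@ -360`) and `ssl_server.c` (`@@ -125`). `main()` extends beyond the hunk.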
@@ -1548,12 +1548,12 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.key_file ) ) - ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd ); + ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd, rng_get, &rng ); else #endif ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, - mbedtls_test_cli_key_len, NULL, 0 ); + mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n", diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 573210870..74190103e 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -166,7 +166,8 @@ int main( void ) } ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ); + mbedtls_test_srv_key_len, NULL, 0, + mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { mbedtls_printf( " failed! mbedtls_pk_parse_key returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 09bbc3d69..f223977a8 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -556,12 +556,17 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_FS_IO) if( strlen( opt.key_file ) ) - ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" ); + { + ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "", + mbedtls_ctr_drbg_random, &ctr_drbg ); + } else #endif #if defined(MBEDTLS_PEM_PARSE_C) + { ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key, - mbedtls_test_cli_key_len, NULL, 0 ); + mbedtls_test_cli_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg ); + } #else { mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined."); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 93eab4620..a083e4b64 100644 --- a/programs/ssl/ssl_pthread_server.c 
+++ b/programs/ssl/ssl_pthread_server.c @@ -360,7 +360,23 @@ int main( void ) mbedtls_entropy_init( &entropy ); /* - * 1. Load the certificates and private RSA key + * 1a. Seed the random number generator + */ + mbedtls_printf( " . Seeding the random number generator..." ); + + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n", + ( unsigned int ) -ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * 1b. Load the certificates and private RSA key */ mbedtls_printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); @@ -388,7 +404,8 @@ int main( void ) mbedtls_pk_init( &pkey ); ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ); + mbedtls_test_srv_key_len, NULL, 0, + mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret ); @@ -397,22 +414,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - /* - * 1b. Seed the random number generator - */ - mbedtls_printf( " . Seeding the random number generator..." ); - - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) - { - mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n", - ( unsigned int ) -ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - /* * 1c. Prepare SSL configuration */ diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 42196ffc0..aaccb58ec 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c 
@@ -125,7 +125,23 @@ int main( void ) #endif /* - * 1. Load the certificates and private RSA key + * 1. Seed the RNG + */ + mbedtls_printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * 2. Load the certificates and private RSA key */ mbedtls_printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); @@ -152,7 +168,8 @@ int main( void ) } ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, - mbedtls_test_srv_key_len, NULL, 0 ); + mbedtls_test_srv_key_len, NULL, 0, + mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret ); @@ -162,7 +179,7 @@ int main( void ) mbedtls_printf( " ok\n" ); /* - * 2. Setup the listening TCP socket + * 3. Setup the listening TCP socket */ mbedtls_printf( " . Bind on https://localhost:4433/ ..." ); fflush( stdout ); @@ -175,22 +192,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - /* - * 3. Seed the RNG - */ - mbedtls_printf( " . Seeding the random number generator..." ); - fflush( stdout ); - - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - /* * 4. Setup stuff */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index de4eb6d87..37f4348ed 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -20,6 +20,7 @@ #define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "ssl_test_lib.h" +#include "test/random.h" #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) 
@@ -727,7 +728,8 @@ sni_entry *sni_parse( char *sni_string ) mbedtls_pk_init( new->key ); if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 || - mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 ) + mbedtls_pk_parse_keyfile( new->key, key_file, "", + mbedtls_test_rnd_std_rand, NULL ) != 0 ) goto error; if( strcmp( ca_file, "-" ) != 0 ) @@ -2257,7 +2259,7 @@ int main( int argc, char *argv[] ) { key_cert_init++; if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, - opt.key_pwd ) ) != 0 ) + opt.key_pwd, rng_get, &rng ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%x\n\n", (unsigned int) -ret ); goto exit; @@ -2283,7 +2285,7 @@ int main( int argc, char *argv[] ) { key_cert_init2++; if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, - opt.key_pwd2 ) ) != 0 ) + opt.key_pwd2, rng_get, &rng ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n", (unsigned int) -ret ); @@ -2314,7 +2316,8 @@ int main( int argc, char *argv[] ) } if( ( ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key_rsa, - mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 ) + mbedtls_test_srv_key_rsa_len, NULL, 0, + rng_get, &rng ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n", (unsigned int) -ret ); @@ -2333,7 +2336,8 @@ int main( int argc, char *argv[] ) } if( ( ret = mbedtls_pk_parse_key( &pkey2, (const unsigned char *) mbedtls_test_srv_key_ec, - mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 ) + mbedtls_test_srv_key_ec_len, NULL, 0, + rng_get, &rng ) ) != 0 ) { mbedtls_printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", (unsigned int) -ret ); diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index e8241a320..09414583e 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c 
@@ -346,7 +346,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Loading the private key ..." ); fflush( stdout ); - ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password ); + ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password, + mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 041f459cf..4b8fba968 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -577,7 +577,7 @@ int main( int argc, char *argv[] ) fflush( stdout ); ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key, - opt.subject_pwd ); + opt.subject_pwd, mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); @@ -593,7 +593,7 @@ int main( int argc, char *argv[] ) fflush( stdout ); ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key, - opt.issuer_pwd ); + opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { mbedtls_strerror( ret, buf, 1024 ); diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index b46cf05cf..5ccb072e7 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -279,7 +279,8 @@ void valid_parameters( ) MBEDTLS_ERR_PK_BAD_INPUT_DATA ); #if defined(MBEDTLS_PK_PARSE_C) - TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1 ) == + TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1, + mbedtls_test_rnd_std_rand, NULL ) == MBEDTLS_ERR_PK_KEY_INVALID_FORMAT ); TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, NULL, 0 ) == 
@@ -296,8 +297,8 @@ void valid_parameters_pkwrite( data_t *key_data ) /* For the write tests to be effective, we need a valid key pair. */ mbedtls_pk_init( &pk ); TEST_ASSERT( mbedtls_pk_parse_key( &pk, - key_data->x, key_data->len, - NULL, 0 ) == 0 ); + key_data->x, key_data->len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ) == 0 ); TEST_ASSERT( mbedtls_pk_write_key_der( &pk, NULL, 0 ) == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); @@ -349,7 +350,9 @@ void mbedtls_pk_check_pair( char * pub_file, char * prv_file, int ret ) mbedtls_pk_init( &alt ); TEST_ASSERT( mbedtls_pk_parse_public_keyfile( &pub, pub_file ) == 0 ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &prv, prv_file, NULL ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &prv, prv_file, NULL, + mbedtls_test_rnd_std_rand, NULL ) + == 0 ); TEST_ASSERT( mbedtls_pk_check_pair( &pub, &prv, mbedtls_test_rnd_std_rand, NULL ) diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 4650d3311..4c7f3d2ca 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -21,7 +21,8 @@ void pk_parse_keyfile_rsa( char * key_file, char * password, int result ) if( strcmp( pwd, "NULL" ) == 0 ) pwd = NULL; - res = mbedtls_pk_parse_keyfile( &ctx, key_file, pwd ); + res = mbedtls_pk_parse_keyfile( &ctx, key_file, pwd, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( res == result ); @@ -96,7 +97,8 @@ void pk_parse_keyfile_ec( char * key_file, char * password, int result ) mbedtls_pk_init( &ctx ); - res = mbedtls_pk_parse_keyfile( &ctx, key_file, password ); + res = mbedtls_pk_parse_keyfile( &ctx, key_file, password, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( res == result ); 
@@ -120,7 +122,8 @@ void pk_parse_key( data_t * buf, int result ) mbedtls_pk_init( &pk ); - TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf->x, buf->len, NULL, 0 ) == result ); + TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf->x, buf->len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ) == result ); exit: mbedtls_pk_free( &pk ); diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index 2bad4ed13..d1e029abb 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -63,7 +63,8 @@ void pk_write_key_check( char * key_file ) memset( check_buf, 0, sizeof( check_buf ) ); mbedtls_pk_init( &key ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, + mbedtls_test_rnd_std_rand, NULL ) == 0 ); ret = mbedtls_pk_write_key_pem( &key, buf, sizeof( buf )); TEST_ASSERT( ret == 0 ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c555d74a2..d4aad60f8 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -800,7 +800,8 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg ) ret = mbedtls_pk_parse_key( &( cert->pkey ), (const unsigned char*) mbedtls_test_srv_key_rsa_der, - mbedtls_test_srv_key_rsa_der_len, NULL, 0 ); + mbedtls_test_srv_key_rsa_der_len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( ret == 0 ); } else @@ -812,7 +813,8 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg ) ret = mbedtls_pk_parse_key( &( cert->pkey ), (const unsigned char*) mbedtls_test_srv_key_ec_der, - mbedtls_test_srv_key_ec_der_len, NULL, 0 ); + mbedtls_test_srv_key_ec_der_len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( ret == 0 ); } } 
@@ -827,7 +829,8 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg ) ret = mbedtls_pk_parse_key( &( cert->pkey ), (const unsigned char *) mbedtls_test_cli_key_rsa_der, - mbedtls_test_cli_key_rsa_der_len, NULL, 0 ); + mbedtls_test_cli_key_rsa_der_len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( ret == 0 ); } else @@ -839,7 +842,8 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg ) ret = mbedtls_pk_parse_key( &( cert->pkey ), (const unsigned char *) mbedtls_test_cli_key_ec_der, - mbedtls_test_cli_key_ec_der_len, NULL, 0 ); + mbedtls_test_cli_key_ec_der_len, NULL, 0, + mbedtls_test_rnd_std_rand, NULL ); TEST_ASSERT( ret == 0 ); } } diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 44f846fd3..c9b7cf9c5 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -94,7 +94,8 @@ void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) ); mbedtls_pk_init( &key ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, + mbedtls_test_rnd_std_rand, NULL ) == 0 ); mbedtls_x509write_csr_init( &req ); mbedtls_x509write_csr_set_md_alg( &req, md_type ); @@ -163,7 +164,8 @@ void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE ); mbedtls_pk_init( &key ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 ); + TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL, + mbedtls_test_rnd_std_rand, NULL ) == 0 ); TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, md_alg_psa ) == 0 ); mbedtls_x509write_csr_init( &req ); 
@@ -225,10 +227,10 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, mbedtls_x509write_crt_init( &crt ); TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, - subject_pwd ) == 0 ); + subject_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, - issuer_pwd ) == 0 ); + issuer_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 ); #if defined(MBEDTLS_RSA_C) /* For RSA PK contexts, create a copy as an alternative RSA context. */