diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5e65dff3..b7bfc70b 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -184,6 +184,7 @@ if (WITH_GCRYPT) gcrypt_missing.c pki_gcrypt.c ecdh_gcrypt.c + getrandom_gcrypt.c dh_key.c pki_ed25519.c external/ed25519.c @@ -207,6 +208,7 @@ elseif (WITH_MBEDTLS) mbedcrypto_missing.c pki_mbedcrypto.c ecdh_mbedcrypto.c + getrandom_mbedcrypto.c dh_key.c pki_ed25519.c external/ed25519.c @@ -229,6 +231,7 @@ else (WITH_GCRYPT) threads/libcrypto.c pki_crypto.c ecdh_crypto.c + getrandom_crypto.c libcrypto.c dh_crypto.c ) diff --git a/src/getrandom_crypto.c b/src/getrandom_crypto.c new file mode 100644 index 00000000..078560ec --- /dev/null +++ b/src/getrandom_crypto.c 
@@ -0,0 +1,54 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2009 by Aris Adamantiadis
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/crypto.h"
+#include
+
+/**
+ * @brief Get random bytes
+ *
+ * Make sure to always check the return code of this function!
+ *
+ * @param[in] where The buffer to fill with random bytes
+ *
+ * @param[in] len The size of the buffer to fill.
+ *
+ * @param[in] strong Use a strong or private RNG source.
+ *
+ * @return 1 on success, 0 on error.
+ */
+int
+ssh_get_random(void *where, int len, int strong)
+{
+#ifdef HAVE_OPENSSL_RAND_PRIV_BYTES
+ if (strong) {
+ /* Returns -1 when not supported, 0 on error, 1 on success */
+ return !!RAND_priv_bytes(where, len);
+ }
+#else
+ (void)strong;
+#endif /* HAVE_RAND_PRIV_BYTES */
+
+ /* Returns -1 when not supported, 0 on error, 1 on success */
+ return !!RAND_bytes(where, len);
+}
diff --git a/src/getrandom_gcrypt.c b/src/getrandom_gcrypt.c
new file mode 100644
index 00000000..da726405
--- /dev/null
+++ b/src/getrandom_gcrypt.c
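Review bot: In src/getrandom_crypto.c both return statements of ssh_get_random() report the -1 "not supported" result as success, because `!!(-1)` evaluates to 1; a caller that checks the return code as the doc comment asks would then use a buffer that was never filled with random data. Comparing against the success value closes that gap: `return RAND_priv_bytes(where, len) == 1;` and `return RAND_bytes(where, len) == 1;`. The code was moved unchanged from libcrypto.c, so the behaviour predates this commit, but the move is a good moment to fix it. The `#endif` comment also names `HAVE_RAND_PRIV_BYTES` while the `#ifdef` tests `HAVE_OPENSSL_RAND_PRIV_BYTES`.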
@@ -0,0 +1,38 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2009 by Aris Adamantiadis
+ * Copyright (C) 2016 g10 Code GmbH
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/crypto.h"
+#include
+
+int
+ssh_get_random(void *where, int len, int strong)
+{
+ /* variable not used in gcrypt */
+ (void)strong;
+
+ /* not using GCRY_VERY_STRONG_RANDOM which is a bit overkill */
+ gcry_randomize(where, len, GCRY_STRONG_RANDOM);
+
+ return 1;
+}
diff --git a/src/getrandom_mbedcrypto.c b/src/getrandom_mbedcrypto.c
new file mode 100644
index 00000000..7e87b6a6
--- /dev/null
+++ b/src/getrandom_mbedcrypto.c
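Review bot: In src/getrandom_gcrypt.c the signed `len` is passed straight to gcry_randomize(), whose length parameter is a size_t, so a negative value would be converted to a very large count and written past `where`. The callers are not visible in this diff, so this is a defensive point rather than a demonstrated bug; a guard before the call, `if (len < 0) return 0;`, keeps the 1/0 contract. The function also lacks the doc comment that the OpenSSL variant carries; a short header stating that `strong` is ignored and that this backend always reports success would tell callers why the return value never signals failure here.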
@@ -0,0 +1,52 @@
+/*
+ * This file is part of the SSH Library
+ *
+ * Copyright (c) 2017 Sartura d.o.o.
+ *
+ * Author: Juraj Vijtiuk
+ *
+ * The SSH Library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The SSH Library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the SSH Library; see the file COPYING. If not, write to
+ * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include "libssh/crypto.h"
+#include "mbedcrypto-compat.h"
+
+mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg;
+
+int
+ssh_mbedtls_random(void *where, int len, int strong)
+{
+ int rc = 0;
+ if (strong) {
+ mbedtls_ctr_drbg_set_prediction_resistance(&ssh_mbedtls_ctr_drbg,
+ MBEDTLS_CTR_DRBG_PR_ON);
+ rc = mbedtls_ctr_drbg_random(&ssh_mbedtls_ctr_drbg, where, len);
+ mbedtls_ctr_drbg_set_prediction_resistance(&ssh_mbedtls_ctr_drbg,
+ MBEDTLS_CTR_DRBG_PR_OFF);
+ } else {
+ rc = mbedtls_ctr_drbg_random(&ssh_mbedtls_ctr_drbg, where, len);
+ }
+
+ return !rc;
+}
+
+int
+ssh_get_random(void *where, int len, int strong)
+{
+ return ssh_mbedtls_random(where, len, strong);
+}
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 2968bb72..e0f87d51 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
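Review bot: In src/getrandom_mbedcrypto.c the strong path of ssh_mbedtls_random() switches prediction resistance on for the shared global `ssh_mbedtls_ctr_drbg` and then unconditionally off again, so two threads calling at the same time can leave a "strong" request running with prediction resistance already disabled by the other. Whether the context may be shared across threads at all depends on how mbedTLS was built, which this diff does not show. At minimum the function should carry a comment such as `/* Not thread-safe: toggles prediction resistance on the shared DRBG context; callers must serialise. */`, and restoring the previous setting rather than forcing `MBEDTLS_CTR_DRBG_PR_OFF` would avoid silently downgrading a context configured elsewhere. Neither function in this file has a doc comment stating the 1-on-success, 0-on-error contract that `return !rc;` implements.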
@@ -93,34 +93,6 @@ void ssh_reseed(void){ #endif } -/** - * @brief Get random bytes - * - * Make sure to always check the return code of this function! - * - * @param[in] where The buffer to fill with random bytes - * - * @param[in] len The size of the buffer to fill. - * - * @param[in] strong Use a strong or private RNG source. - * - * @return 1 on success, 0 on error. - */ -int ssh_get_random(void *where, int len, int strong) -{ -#ifdef HAVE_OPENSSL_RAND_PRIV_BYTES - if (strong) { - /* Returns -1 when not supported, 0 on error, 1 on success */ - return !!RAND_priv_bytes(where, len); - } -#else - (void)strong; -#endif /* HAVE_RAND_PRIV_BYTES */ - - /* Returns -1 when not supported, 0 on error, 1 on success */ - return !!RAND_bytes(where, len); -} - SHACTX sha1_init(void) { int rc; diff --git a/src/libgcrypt.c b/src/libgcrypt.c index 4fa04890..d1660418 100644 --- a/src/libgcrypt.c +++ b/src/libgcrypt.c @@ -69,17 +69,6 @@ static int alloc_key(struct ssh_cipher_struct *cipher) { void ssh_reseed(void){ } -int ssh_get_random(void *where, int len, int strong) -{ - /* variable not used in gcrypt */ - (void) strong; - - /* not using GCRY_VERY_STRONG_RANDOM which is a bit overkill */ - gcry_randomize(where,len,GCRY_STRONG_RANDOM); - - return 1; -} - SHACTX sha1_init(void) { SHACTX ctx = NULL; gcry_md_open(&ctx, GCRY_MD_SHA1, 0); diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c index 6b8ecf6d..cbd2bfb6 100644 --- a/src/libmbedcrypto.c +++ b/src/libmbedcrypto.c @@ -42,7 +42,7 @@ #endif /* MBEDTLS_GCM_C */ static mbedtls_entropy_context ssh_mbedtls_entropy; -static mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg; +extern mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg; static int libmbedcrypto_initialized = 0; @@ -51,11 +51,6 @@ void ssh_reseed(void) mbedtls_ctr_drbg_reseed(&ssh_mbedtls_ctr_drbg, NULL, 0); } -int ssh_get_random(void *where, int len, int strong) -{ - return ssh_mbedtls_random(where, len, strong); -} - SHACTX sha1_init(void) { SHACTX ctx = NULL; 
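Review bot: In src/libmbedcrypto.c the new `extern mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg;` is declared inside the .c file, so nothing checks it against the definition in getrandom_mbedcrypto.c, and the DRBG state changes from file-local to a symbol with external linkage. Moving the declaration into a header that both files include would let the compiler verify the two against each other. If it has to stay here, a comment such as `/* defined in getrandom_mbedcrypto.c; seeded in this file */` would tell the reader where the object lives. Whether the symbol ends up exported from the shared library depends on visibility settings not shown in this diff.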
@@ -1438,22 +1433,6 @@ int ssh_crypto_init(void) return SSH_OK; } -int ssh_mbedtls_random(void *where, int len, int strong) -{ - int rc = 0; - if (strong) { - mbedtls_ctr_drbg_set_prediction_resistance(&ssh_mbedtls_ctr_drbg, - MBEDTLS_CTR_DRBG_PR_ON); - rc = mbedtls_ctr_drbg_random(&ssh_mbedtls_ctr_drbg, where, len); - mbedtls_ctr_drbg_set_prediction_resistance(&ssh_mbedtls_ctr_drbg, - MBEDTLS_CTR_DRBG_PR_OFF); - } else { - rc = mbedtls_ctr_drbg_random(&ssh_mbedtls_ctr_drbg, where, len); - } - - return !rc; -} - mbedtls_ctr_drbg_context *ssh_get_mbedtls_ctr_drbg_context(void) { return &ssh_mbedtls_ctr_drbg; diff --git a/tests/external_override/CMakeLists.txt b/tests/external_override/CMakeLists.txt index a0d584e3..90990ab8 100644 --- a/tests/external_override/CMakeLists.txt +++ b/tests/external_override/CMakeLists.txt 
@@ -34,14 +34,42 @@ set(ED25519_OVERRIDE_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}ed25519_override${CMAKE_SHARED_LIBRARY_SUFFIX}) # curve25519_override -add_library(curve25519_override SHARED - curve25519_override.c - ${libssh_SOURCE_DIR}/src/external/curve25519_ref.c - ${libssh_SOURCE_DIR}/src/external/fe25519.c - ${libssh_SOURCE_DIR}/src/external/ge25519.c - ${libssh_SOURCE_DIR}/src/external/sc25519.c - ${libssh_SOURCE_DIR}/src/external/ed25519.c - ) +set (curve25519_override_src + curve25519_override.c + ${libssh_SOURCE_DIR}/src/external/curve25519_ref.c + ${libssh_SOURCE_DIR}/src/external/fe25519.c + ${libssh_SOURCE_DIR}/src/external/ge25519.c + ${libssh_SOURCE_DIR}/src/external/sc25519.c + ${libssh_SOURCE_DIR}/src/external/ed25519.c +) +if (WITH_GCRYPT) + set (curve25519_override_src + ${curve25519_override_src} + ${libssh_SOURCE_DIR}/src/getrandom_gcrypt.c + ) + set(curve25519_override_libs + ${GCRYPT_LIBRARIES} + ) +elseif (WITH_MBEDTLS) + set (curve25519_override_src + ${curve25519_override_src} + ${libssh_SOURCE_DIR}/src/getrandom_mbedcrypto.c + ) + set(curve25519_override_libs + ${MBEDTLS_CRYPTO_LIBRARY} + ) +else () + set (curve25519_override_src + ${curve25519_override_src} + ${libssh_SOURCE_DIR}/src/getrandom_crypto.c + ) + set(curve25519_override_libs + ${OPENSSL_CRYPTO_LIBRARIES} + ) +endif (WITH_GCRYPT) +add_library(curve25519_override SHARED ${curve25519_override_src}) +target_link_libraries(curve25519_override + PRIVATE ${curve25519_override_libs}) set(CURVE25519_OVERRIDE_LIBRARY ${libssh_BINARY_DIR}/lib/${CMAKE_SHARED_LIBRARY_PREFIX}curve25519_override${CMAKE_SHARED_LIBRARY_SUFFIX})
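Review bot: In the `WITH_MBEDTLS` branch the override library compiles `getrandom_mbedcrypto.c`, which defines its own `ssh_mbedtls_ctr_drbg`, while the code that sets up that context (presumably `ssh_crypto_init()` in libmbedcrypto.c) is not part of `curve25519_override_src`. Whether the copy inside the override library is the instance libssh initialises depends on symbol visibility and load order, which this hunk does not show. If it turns out to be a separate, never-seeded context, `ssh_get_random()` called from the override would not deliver usable randomness. A comment above the branch stating the assumption, for example `# ssh_mbedtls_ctr_drbg must resolve to the instance seeded by libssh`, or a test that asserts a successful `ssh_get_random()` call from the override, would make this explicit.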