diff --git a/include/libssh/libmbedcrypto.h b/include/libssh/libmbedcrypto.h
index 7522cd14..559f1b16 100644
--- a/include/libssh/libmbedcrypto.h
+++ b/include/libssh/libmbedcrypto.h
@@ -101,8 +101,7 @@ int ssh_mbedcry_is_bit_set(bignum num, size_t pos);
                                                  mbedtls_mpi_size(num))
 #define bignum_cmp(num1, num2) mbedtls_mpi_cmp_mpi(num1, num2)
 
-mbedtls_entropy_context ssh_mbedtls_entropy;
-mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg;
+mbedtls_ctr_drbg_context *ssh_get_mbedtls_ctr_drbg_context(void);
 
 int ssh_mbedtls_random(void *where, int len, int strong);
 
diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
index aebc7bac..fa350028 100644
--- a/src/ecdh_mbedcrypto.c
+++ b/src/ecdh_mbedcrypto.c
@@ -79,9 +79,11 @@ int ssh_client_ecdh_init(ssh_session session)
         goto out;
     }
 
-    rc = mbedtls_ecp_gen_keypair(&grp, &session->next_crypto->ecdh_privkey->d,
-            &session->next_crypto->ecdh_privkey->Q, mbedtls_ctr_drbg_random,
-            &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_ecp_gen_keypair(&grp,
+                                 &session->next_crypto->ecdh_privkey->d,
+                                 &session->next_crypto->ecdh_privkey->Q,
+                                 mbedtls_ctr_drbg_random,
+                                 ssh_get_mbedtls_ctr_drbg_context());
 
     if (rc != 0) {
         rc = SSH_ERROR;
@@ -157,9 +159,12 @@ int ecdh_build_k(ssh_session session)
 
     mbedtls_mpi_init(session->next_crypto->k);
 
-    rc = mbedtls_ecdh_compute_shared(&grp, session->next_crypto->k, &pubkey,
-            &session->next_crypto->ecdh_privkey->d, mbedtls_ctr_drbg_random,
-            &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_ecdh_compute_shared(&grp,
+                                     session->next_crypto->k,
+                                     &pubkey,
+                                     &session->next_crypto->ecdh_privkey->d,
+                                     mbedtls_ctr_drbg_random,
+                                     ssh_get_mbedtls_ctr_drbg_context());
     if (rc != 0) {
         rc = SSH_ERROR;
         goto out;
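Review bot: The new prototype `mbedtls_ctr_drbg_context *ssh_get_mbedtls_ctr_drbg_context(void);` in include/libssh/libmbedcrypto.h carries no comment, and every caller in this commit passes the result straight into an mbed TLS `f_rng` callback pair, so the header is where the contract for that pointer belongs. I would put above it: `/* Hand out the library-wide CTR_DRBG for use as the p_rng argument of mbed TLS; valid only after crypto initialisation and until ssh_crypto_finalize(), and callers must not free or re-seed it. */` (ssh_crypto_finalize and the libmbedcrypto_initialized flag are visible in the src/libmbedcrypto.c hunks; the matching init routine is inferred, so adjust the name). Since one DRBG instance now backs RSA/ECDSA key generation, signing and ECDH across all sessions, that comment should also state who serialises concurrent callers — as far as I know mbed TLS only locks the context internally when built with its threading support, and two threads updating one CTR_DRBG state without a lock is a race inside the random-number generator. The two src/ecdh_mbedcrypto.c hunks on this line only re-wrap the calls and raise nothing further.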
@@ -213,9 +218,11 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet)
         goto out;
     }
 
-    rc = mbedtls_ecp_gen_keypair(&grp, &session->next_crypto->ecdh_privkey->d,
-            &session->next_crypto->ecdh_privkey->Q, mbedtls_ctr_drbg_random,
-            &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_ecp_gen_keypair(&grp,
+                                 &session->next_crypto->ecdh_privkey->d,
+                                 &session->next_crypto->ecdh_privkey->Q,
+                                 mbedtls_ctr_drbg_random,
+                                 ssh_get_mbedtls_ctr_drbg_context());
     if (rc != 0) {
         rc = SSH_ERROR;
         goto out;
diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c
index 10a35270..aca9b35e 100644
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -30,6 +30,9 @@
 #ifdef HAVE_LIBMBEDCRYPTO
 #include
 
+static mbedtls_entropy_context ssh_mbedtls_entropy;
+static mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg;
+
 struct ssh_mac_ctx_struct {
     enum ssh_mac_e mac_type;
     mbedtls_md_context_t ctx;
@@ -999,6 +1002,11 @@ int ssh_mbedtls_random(void *where, int len, int strong)
     return !rc;
 }
 
+mbedtls_ctr_drbg_context *ssh_get_mbedtls_ctr_drbg_context(void)
+{
+    return &ssh_mbedtls_ctr_drbg;
+}
+
 void ssh_crypto_finalize(void)
 {
     if (!libmbedcrypto_initialized) {
diff --git a/src/mbedcrypto_missing.c b/src/mbedcrypto_missing.c
index 44ac7ddc..2c10d5c0 100644
--- a/src/mbedcrypto_missing.c
+++ b/src/mbedcrypto_missing.c
@@ -81,8 +81,10 @@ int ssh_mbedcry_rand(bignum rnd, int bits, int top, int bottom)
     }
 
     len = bits / 8 + 1;
-    rc = mbedtls_mpi_fill_random(rnd, len, mbedtls_ctr_drbg_random,
-            &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_mpi_fill_random(rnd,
+                                 len,
+                                 mbedtls_ctr_drbg_random,
+                                 ssh_get_mbedtls_ctr_drbg_context());
     if (rc != 0) {
         return 0;
     }
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 3263db47..6dbaa56f 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
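Review bot: The two new file-scope objects `static mbedtls_entropy_context ssh_mbedtls_entropy;` and `static mbedtls_ctr_drbg_context ssh_mbedtls_ctr_drbg;` in src/libmbedcrypto.c are introduced without a comment saying what owns their lifecycle. Making them `static` instead of tentative definitions in a header is the right fix, but a reader now has to grep for where they are seeded and torn down; a one-liner such as `/* Process-wide entropy source and DRBG; seeded at crypto init, released in ssh_crypto_finalize(). */` above them would do. The finalize side is visible in the next hunk of this file; the seeding side is outside this diff, so adjust the wording if it lives elsewhere.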
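Review bot: `ssh_get_mbedtls_ctr_drbg_context()` returns `&ssh_mbedtls_ctr_drbg` unconditionally, while the adjacent `ssh_crypto_finalize` guards on `libmbedcrypto_initialized`, so a caller that reaches key generation or signing before initialisation (or after finalisation) receives a pointer to an unseeded or already-released DRBG. As far as I recall, `mbedtls_ctr_drbg_random` does not reject an unseeded context, so the failure mode would be silently weak output rather than an error — worth confirming against the mbed TLS version in use. Returning NULL is not a fix because the mbed TLS callback would dereference it, so I would at least document the precondition on the definition (`/* Only valid while libmbedcrypto_initialized is set. */`) and consider a debug-build `assert(libmbedcrypto_initialized);` before the return so misuse surfaces in tests. The ssh_server_ecdh_init and ssh_mbedcry_rand hunks on this line only re-wrap existing calls.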
@@ -398,8 +398,11 @@ int pki_key_generate_rsa(ssh_key key, int parameter)
     }
 
     if (mbedtls_pk_can_do(key->rsa, MBEDTLS_PK_RSA)) {
-        rc = mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key->rsa), mbedtls_ctr_drbg_random,
-                &ssh_mbedtls_ctr_drbg, parameter, 65537);
+        rc = mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key->rsa),
+                                 mbedtls_ctr_drbg_random,
+                                 ssh_get_mbedtls_ctr_drbg_context(),
+                                 parameter,
+                                 65537);
         if (rc != 0) {
             mbedtls_pk_free(key->rsa);
             return SSH_ERROR;
@@ -980,8 +983,14 @@ static ssh_string rsa_do_sign(const unsigned char *digest, int dlen,
         return NULL;
     }
 
-    ok = mbedtls_pk_sign(privkey, MBEDTLS_MD_SHA1, digest, dlen, sig, &slen,
-            mbedtls_ctr_drbg_random, &ssh_mbedtls_ctr_drbg);
+    ok = mbedtls_pk_sign(privkey,
+                         MBEDTLS_MD_SHA1,
+                         digest,
+                         dlen,
+                         sig,
+                         &slen,
+                         mbedtls_ctr_drbg_random,
+                         ssh_get_mbedtls_ctr_drbg_context());
 
     if (ok != 0) {
         SAFE_FREE(sig);
@@ -1036,9 +1045,14 @@ ssh_signature pki_do_sign(const ssh_key privkey, const unsigned char *hash,
         return NULL;
     }
 
-    rc = mbedtls_ecdsa_sign(&privkey->ecdsa->grp, sig->ecdsa_sig.r,
-            sig->ecdsa_sig.s, &privkey->ecdsa->d, hash, hlen,
-            mbedtls_ctr_drbg_random, &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_ecdsa_sign(&privkey->ecdsa->grp,
+                            sig->ecdsa_sig.r,
+                            sig->ecdsa_sig.s,
+                            &privkey->ecdsa->d,
+                            hash,
+                            hlen,
+                            mbedtls_ctr_drbg_random,
+                            ssh_get_mbedtls_ctr_drbg_context());
     if (rc != 0) {
         ssh_signature_free(sig);
         return NULL;
@@ -1094,9 +1108,14 @@ ssh_signature pki_do_sign_sessionid(const ssh_key key, const unsigned char
         return NULL;
     }
 
-    rc = mbedtls_ecdsa_sign(&key->ecdsa->grp, sig->ecdsa_sig.r,
-            sig->ecdsa_sig.s, &key->ecdsa->d, hash, hlen,
-            mbedtls_ctr_drbg_random, &ssh_mbedtls_ctr_drbg);
+    rc = mbedtls_ecdsa_sign(&key->ecdsa->grp,
+                            sig->ecdsa_sig.r,
+                            sig->ecdsa_sig.s,
+                            &key->ecdsa->d,
+                            hash,
+                            hlen,
+                            mbedtls_ctr_drbg_random,
+                            ssh_get_mbedtls_ctr_drbg_context());
     if (rc != 0) {
         ssh_signature_free(sig);
         return NULL;
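Review bot: With the `mbedtls_rsa_gen_key` call in pki_key_generate_rsa now laid out one argument per line, the bare `65537` on its own line reads as a magic number; it is the RSA public exponent, and naming it makes clear that the value is fixed by convention rather than a tunable like `parameter`. A file-scope `enum { RSA_PUBLIC_EXPONENT = 65537 };` (constructed name) with `RSA_PUBLIC_EXPONENT);` replacing `65537);` would do, plus a short comment that the exponent is deliberately not exposed to callers. This is a style point on the reformatted call only.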
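Review bot: The eight-line `mbedtls_ecdsa_sign(...)` call introduced in the pki_do_sign hunk is repeated verbatim in the pki_do_sign_sessionid hunk below, differing only in the key variable name, so the reformat has doubled the amount of RNG plumbing that must be kept in sync. A small `static` helper taking the ECDSA context, the signature and the hash would let both call sites read as one line and give a single place to change the DRBG callback pair later. Behaviour is unchanged by the commit; this is a style point only, and the `hlen` type is taken from the call sites rather than from a visible signature, so adjust it if pki_do_sign declares it differently.
```c
/* Sign `hash` with `ecdsa` using the library-wide DRBG; returns the mbed TLS status. */
static int pki_ecdsa_sign_hash(mbedtls_ecdsa_context *ecdsa,
                               ssh_signature sig,
                               const unsigned char *hash,
                               size_t hlen)
{
    return mbedtls_ecdsa_sign(&ecdsa->grp,
                              sig->ecdsa_sig.r,
                              sig->ecdsa_sig.s,
                              &ecdsa->d,
                              hash,
                              hlen,
                              mbedtls_ctr_drbg_random,
                              ssh_get_mbedtls_ctr_drbg_context());
}

/* … unchanged: pki_do_sign up to the signing call … */
    rc = pki_ecdsa_sign_hash(privkey->ecdsa, sig, hash, hlen);
/* … unchanged: pki_do_sign_sessionid likewise with key->ecdsa … */
```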
@@ -1247,8 +1266,10 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter)
 
     mbedtls_ecdsa_init(key->ecdsa);
 
-    ok = mbedtls_ecdsa_genkey(key->ecdsa, pki_key_ecdsa_nid_to_mbed_gid(nid),
-            mbedtls_ctr_drbg_random, &ssh_mbedtls_ctr_drbg);
+    ok = mbedtls_ecdsa_genkey(key->ecdsa,
+                              pki_key_ecdsa_nid_to_mbed_gid(nid),
+                              mbedtls_ctr_drbg_random,
+                              ssh_get_mbedtls_ctr_drbg_context());
     if (ok != 0) {
         mbedtls_ecdsa_free(key->ecdsa);