From 0cfe54e4e07736a00e4f4810130bf994d1739552 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Wed, 5 Mar 2025 15:49:08 +0000
Subject: [PATCH] remove RNG parameters from SSL API's
Signed-off-by: Ben Taylor
---
 include/mbedtls/ssl_cookie.h | 4 +---
 include/mbedtls/ssl_ticket.h | 5 -----
 library/ssl_cookie.c | 6 +-----
 library/ssl_ticket.c | 22 +++++++++++++---------
 programs/fuzz/fuzz_dtlsserver.c | 2 +-
 programs/fuzz/fuzz_server.c | 2 --
 programs/ssl/dtls_server.c | 3 +--
 programs/ssl/ssl_server2.c | 5 +----
 8 files changed, 18 insertions(+), 31 deletions(-)
diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h
index afeb07b0fd..ec54f614d3 100644
--- a/include/mbedtls/ssl_cookie.h
+++ b/include/mbedtls/ssl_cookie.h
@@ -55,9 +55,7 @@ void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx);
 /**
 * \brief Setup cookie context (generate keys)
 */
-int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng);
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx);
 /**
 * \brief Set expiration delay for cookies
diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h
index ef97e8f024..5a2e4876e5 100644
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@@ -68,8 +68,6 @@ typedef struct mbedtls_ssl_ticket_context {
 uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */
 /** Callback for getting (pseudo-)random numbers */
- int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
- void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */
 #if defined(MBEDTLS_THREADING_C)
 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
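Review bot: The Doxygen block for `mbedtls_ssl_cookie_setup()` in include/mbedtls/ssl_cookie.h (hunk -55,9) still says only "Setup cookie context (generate keys)", so once `f_rng`/`p_rng` are gone nothing tells the caller which random source produces those keys. I would add a line such as `\note The key is generated with the PSA RNG; PSA Crypto must be initialised before this call.`, to be confirmed against the function body, since the library/ssl_cookie.c hunk shows no `psa_crypto_init()` call of its own. The parameter list of `mbedtls_ssl_ticket_setup()` in ssl_ticket.h (hunk -90,8) loses its RNG entries without a replacement sentence either.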
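Review bot: In the `mbedtls_ssl_ticket_context` hunk of include/mbedtls/ssl_ticket.h (-68,8) the comment `/** Callback for getting (pseudo-)random numbers */` is left behind although both fields it introduced are removed. As a Doxygen block it now attaches to the next declaration, which in this hunk is the `mutex` member under `MBEDTLS_THREADING_C`, so the generated documentation would describe the mutex as an RNG callback. The comment line should be deleted together with `f_rng` and `p_rng`.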
@@ -90,8 +88,6 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
 * \brief Prepare context to be actually used
 *
 * \param ctx Context to be set up
- * \param f_rng RNG callback function (mandatory)
- * \param p_rng RNG callback context
 * \param alg AEAD cipher to use for ticket protection.
 * \param key_type Cryptographic key type to use.
 * \param key_bits Cryptographic key size to use in bits.
@@ -116,7 +112,6 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
 * or a specific MBEDTLS_ERR_XXX error code
 */
 int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
 psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, uint32_t lifetime);
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 01b90e14b1..11811ee30f 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -81,16 +81,12 @@ void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
 }
-int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng)
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx)
 {
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 psa_algorithm_t alg;
- (void) f_rng;
- (void) p_rng;
 alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
 if (alg == 0) {
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 8653e2ddda..c10d36fb59 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -75,11 +75,15 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
 */
 key->lifetime = ctx->ticket_lifetime;
- if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
+ if ((ret = psa_crypto_init()) != 0) {
 return ret;
 }
- if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0) {
+ if ((ret = psa_generate_random(key->name, sizeof(key->name))) != 0) {
+ return ret;
+ }
+
+ if ((ret = psa_generate_random(buf, sizeof(buf))) != 0) {
 return ret;
 }
@@ -185,7 +189,6 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
 * Setup context for actual use
 */
 int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
 psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, uint32_t lifetime) {
@@ -199,9 +202,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 }
- ctx->f_rng = f_rng;
- ctx->p_rng = p_rng;
-
 ctx->ticket_lifetime = lifetime;
 ctx->keys[0].alg = alg;
@@ -254,7 +254,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
 *tlen = 0;
- if (ctx == NULL || ctx->f_rng == NULL) {
+ if (ctx == NULL) {
 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 }
@@ -278,7 +278,11 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
 memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
- if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0) {
+ if ((ret = psa_crypto_init()) != 0) {
+ goto cleanup;
+ }
+
+ if ((ret = psa_generate_random(iv, TICKET_IV_BYTES)) != 0) {
 goto cleanup;
 }
@@ -355,7 +359,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- if (ctx == NULL || ctx->f_rng == NULL) {
+ if (ctx == NULL) {
 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 }
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index c2dbef86c6..d215f7ac7f 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
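Review bot: The new calls in `ssl_ticket_gen_key()` (library/ssl_ticket.c, hunk -75,11) put the `psa_status_t` results of `psa_crypto_init()` and `psa_generate_random()` into `ret` and return them unchanged, so an RNG failure leaves the function as a raw PSA status, while the header in this patch documents `mbedtls_ssl_ticket_setup()` as returning "a specific MBEDTLS_ERR_XXX error code". I would keep the value in a `psa_status_t` and translate it, for example `status = psa_generate_random(buf, sizeof(buf));` followed by `if (status != PSA_SUCCESS) { return PSA_TO_MBEDTLS_ERR(status); }`, provided the file's PSA-to-Mbed-TLS translation macro is in scope at this point. The same untranslated pattern is added for the IV in `mbedtls_ssl_ticket_write()` (hunk -278,7), where it reaches `cleanup` with a PSA value in `ret`. Calling `psa_crypto_init()` from inside the library on every key generation and ticket write also differs from `mbedtls_ssl_cookie_setup()`, whose hunk adds no such call; stating PSA initialisation as a caller precondition would be more consistent. Both function bodies start and end outside the hunks.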
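Review bot: Dropping `ctx->f_rng == NULL` from the guard in `mbedtls_ssl_ticket_write()` (library/ssl_ticket.c, hunk -254,7) also drops the only visible check that the context went through `mbedtls_ssl_ticket_setup()`, since setup was where `f_rng` was assigned. With `if (ctx == NULL)` alone, a context that was initialised but never set up presumably gets past this guard and has to be rejected later by the key handling, which this hunk does not show. If that later failure is guaranteed, a comment such as `/* a context that was never set up fails in the key operations below */` would record it; otherwise the guard could test another field that setup always fills, for instance `ctx->keys[0].alg`, if zero is never a valid algorithm there. The same reduction is made in `mbedtls_ssl_ticket_parse()` (hunk -355,7), and both function bodies extend beyond the hunks.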
@@ -108,7 +108,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 }
 #endif
- if (mbedtls_ssl_cookie_setup(&cookie_ctx, dummy_random, &ctr_drbg) != 0) {
+ if (mbedtls_ssl_cookie_setup(&cookie_ctx) != 0) {
 goto exit;
 }
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index 28f9e336ca..09436542e6 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -132,8 +132,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
 if (options & 0x4) {
 if (mbedtls_ssl_ticket_setup(&ticket_ctx, //context
- dummy_random, //f_rng
- &ctr_drbg, //p_rng
 PSA_ALG_GCM, //alg
 PSA_KEY_TYPE_AES, //key_type
 256, //key_bits
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 6430ed2a2f..e881c91aee 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -216,8 +216,7 @@ int main(void)
 goto exit;
 }
- if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx,
- mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
+ if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx)) != 0) {
 printf(" failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret);
 goto exit;
 }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index dc7ca8f51c..a81cc88c0c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2971,8 +2971,6 @@ usage:
 #endif /* MBEDTLS_HAVE_TIME */
 {
 if ((ret = mbedtls_ssl_ticket_setup(&ticket_ctx,
- rng_get,
- &rng,
 opt.ticket_alg,
 opt.ticket_key_type,
 opt.ticket_key_bits,
@@ -3014,8 +3012,7 @@ usage:
 if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
 #if defined(MBEDTLS_SSL_COOKIE_C)
 if (opt.cookies > 0) {
- if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx,
- rng_get, &rng)) != 0) {
+ if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx)) != 0) {
 mbedtls_printf(" failed\n ! mbedtls_ssl_cookie_setup returned %d\n\n", ret);
 goto exit;
 }
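Review bot: In programs/fuzz/fuzz_server.c (hunk -132,8) the ticket context no longer receives `dummy_random`, and library/ssl_ticket.c in this same patch now takes key names, key bytes and IVs from `psa_generate_random()`. Unless the fuzz build substitutes a deterministic PSA random source, which is not visible here, ticket contents will differ between runs of the same input and a crash on the ticket path may not reproduce from its corpus file. A comment at the call site saying how determinism is kept, for example `/* ticket keys and IVs come from the PSA RNG; see <fuzz build RNG configuration> */`, would make that explicit. It is also worth checking whether `dummy_random` and `ctr_drbg` are still referenced in this harness and in fuzz_dtlsserver.c (hunk -108,7) once these arguments are gone.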