From 31e59400d2956de434e9960c7e5b0fe225bfa0ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 12 Sep 2013 05:59:05 +0200 Subject: [PATCH] Add missing f_rng/p_rng arguments to x509write_crt --- include/polarssl/x509write.h | 22 +++++++- library/x509write.c | 14 +++-- programs/x509/cert_req.c | 12 +++-- programs/x509/cert_write.c | 60 ++++++++++++++++------ tests/suites/test_suite_x509write.function | 5 +- 5 files changed, 85 insertions(+), 28 deletions(-) diff --git a/include/polarssl/x509write.h b/include/polarssl/x509write.h index 3aa76c65a1..715a646069 100644 --- a/include/polarssl/x509write.h +++ b/include/polarssl/x509write.h @@ -373,11 +373,20 @@ void x509write_crt_free( x509write_cert *ctx ); * \param crt certificate to write away * \param buf buffer to write to * \param size size of the buffer + * \param f_rng RNG function (for signature, see note) + * \param p_rng RNG parameter * * \return length of data written if successful, or a specific * error code + * + * \note f_rng may be NULL if RSA is used for signature and the + * signature is made offline (otherwise f_rng is desirable + * for countermeasures against timing attacks). + * ECDSA signatures always require a non-NULL f_rng. */ -int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size ); +int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); /** * \brief Write a public key to a DER structure @@ -441,10 +450,19 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size, * \param crt certificate to write away * \param buf buffer to write to * \param size size of the buffer + * \param f_rng RNG function (for signature, see note) + * \param p_rng RNG parameter * * \return 0 successful, or a specific error code + * + * \note f_rng may be NULL if RSA is used for signature and the + * signature is made offline (otherwise f_rng is desirable + * for countermeasures against timing attacks). + * ECDSA signatures always require a non-NULL f_rng. */ -int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size ); +int x509write_crt_pem( x509write_cert *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); /** * \brief Write a public key to a PEM string diff --git a/library/x509write.c b/library/x509write.c index 2b1688b0e7..dffdf74544 100644 --- a/library/x509write.c +++ b/library/x509write.c @@ -905,7 +905,9 @@ int x509write_csr_der( x509write_csr *ctx, unsigned char *buf, size_t size, return( len ); } -int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size ) +int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; const char *sig_oid; @@ -1007,7 +1009,7 @@ int x509write_crt_der( x509write_cert *ctx, unsigned char *buf, size_t size ) md( md_info_from_type( ctx->md_alg ), c, len, hash ); if( ( ret = pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len, - NULL, NULL ) ) != 0 ) + f_rng, p_rng ) ) != 0 ) { return( ret ); } @@ -1083,13 +1085,15 @@ static int x509write_pemify( const char *begin_str, const char *end_str, return( 0 ); } -int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size ) +int x509write_crt_pem( x509write_cert *crt, unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; unsigned char output_buf[4096]; - if( ( ret = x509write_crt_der( crt, output_buf, - sizeof(output_buf) ) ) < 0 ) + if( ( ret = x509write_crt_der( crt, output_buf, sizeof(output_buf), + f_rng, p_rng ) ) < 0 ) { return( ret ); } diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index b98f23368b..e65fb97e61 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -34,19 +34,21 @@ #include "polarssl/config.h" #include "polarssl/x509write.h" -#include "polarssl/error.h" #include "polarssl/entropy.h" #include "polarssl/ctr_drbg.h" +#include "polarssl/error.h" -#if !defined(POLARSSL_X509_PARSE_C) || !defined(POLARSSL_FS_IO) || \ - !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \ +#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) || \ + !defined(POLARSSL_FS_IO) || \ + !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \ !defined(POLARSSL_ERROR_C) int main( int argc, char *argv[] ) { ((void) argc); ((void) argv); - printf( "POLARSSL_X509_PARSE_C and/or POLARSSL_FS_IO and/or " + printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or " + "POLARSSL_FS_IO and/or " "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or " "POLARSSL_ERROR_C not defined.\n"); return( 0 ); @@ -333,6 +335,6 @@ exit: return( ret ); } -#endif /* POLARSSL_X509_PARSE_C && POLARSSL_FS_IO && +#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO && POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C && POLARSSL_ERROR_C */ diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 8943493e9b..37cea589ef 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -33,24 +33,24 @@ #include "polarssl/config.h" -#include "polarssl/error.h" -#include "polarssl/rsa.h" -#include "polarssl/x509.h" -#include "polarssl/base64.h" #include "polarssl/x509write.h" -#include "polarssl/oid.h" +#include "polarssl/entropy.h" +#include "polarssl/ctr_drbg.h" +#include "polarssl/error.h" -#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \ - !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_FS_IO) || \ +#if !defined(POLARSSL_X509_WRITE_C) || !defined(POLARSSL_X509_PARSE_C) || \ + !defined(POLARSSL_FS_IO) || \ + !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C) || \ !defined(POLARSSL_ERROR_C) int main( int argc, char *argv[] ) { ((void) argc); ((void) argv); - printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or " - "POLARSSL_X509_WRITE_C and/or POLARSSL_FS_IO and/or " - "POLARSSL_ERROR_C not defined.\n"); + printf( "POLARSSL_X509_WRITE_C and/or POLARSSL_X509_PARSE_C and/or " + "POLARSSL_FS_IO and/or " + "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C and/or " + "POLARSSL_ERROR_C not defined.\n"); return( 0 ); } #else @@ -97,7 +97,9 @@ struct options unsigned char ns_cert_type; /* NS cert type */ } opt; -int write_certificate( x509write_cert *crt, char *output_file ) +int write_certificate( x509write_cert *crt, char *output_file, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; FILE *f; @@ -105,7 +107,7 @@ int write_certificate( x509write_cert *crt, char *output_file ) size_t len = 0; memset( output_buf, 0, 4096 ); - if( ( ret = x509write_crt_pem( crt, output_buf, 4096 ) ) < 0 ) + if( ( ret = x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 ) return( ret ); len = strlen( (char *) output_buf ); @@ -183,6 +185,9 @@ int main( int argc, char *argv[] ) x509_csr csr; x509write_cert crt; mpi serial; + entropy_context entropy; + ctr_drbg_context ctr_drbg; + const char *pers = "crt example app"; /* * Set to sane values @@ -350,8 +355,29 @@ int main( int argc, char *argv[] ) printf("\n"); + /* + * 0. Seed the PRNG + */ + printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + entropy_init( &entropy ); + if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + error_strerror( ret, buf, 1024 ); + printf( " failed\n ! ctr_drbg_init returned %d - %s\n", ret, buf ); + goto exit; + } + + printf( " ok\n" ); + // Parse serial to MPI // + printf( " . Reading serial number..." ); + fflush( stdout ); + if( ( ret = mpi_read_string( &serial, 10, opt.serial ) ) != 0 ) { error_strerror( ret, buf, 1024 ); @@ -359,6 +385,8 @@ int main( int argc, char *argv[] ) goto exit; } + printf( " ok\n" ); + // Parse issuer certificate if present // if( !opt.selfsign && strlen( opt.issuer_crt ) ) @@ -597,7 +625,8 @@ int main( int argc, char *argv[] ) printf( " . Writing the certificate..." ); fflush( stdout ); - if( ( ret = write_certificate( &crt, opt.output_file ) ) != 0 ) + if( ( ret = write_certificate( &crt, opt.output_file, + ctr_drbg_random, &ctr_drbg ) ) != 0 ) { error_strerror( ret, buf, 1024 ); printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf ); @@ -619,5 +648,6 @@ exit: return( ret ); } -#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && - POLARSSet_serial_X509_WRITE_C && POLARSSL_FS_IO */ +#endif /* POLARSSL_X509_WRITE_C && POLARSSL_X509_PARSE_C && POLARSSL_FS_IO && + POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C && + POLARSSL_ERROR_C */ diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index f916b1cf20..9352c9ea2f 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -76,7 +76,9 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, int ret; size_t olen = sizeof( check_buf ); FILE *f; + rnd_pseudo_info rnd_info; + memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); mpi_init( &serial ); pk_init( &subject_key ); pk_init( &issuer_key ); @@ -101,7 +103,8 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd, TEST_ASSERT( x509write_crt_set_subject_key_identifier( &crt ) == 0 ); TEST_ASSERT( x509write_crt_set_authority_key_identifier( &crt ) == 0 ); - ret = x509write_crt_der( &crt, buf, sizeof(buf) ); + ret = x509write_crt_der( &crt, buf, sizeof(buf), + rnd_pseudo_rand, &rnd_info ); TEST_ASSERT( ret >= 0 ); c = buf + sizeof( buf ) - ret;