lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Add RNG params to private key parsing

Browse Source 
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).

This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().

Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
2021-06-15 11:29:26 +02:00
parent 39be1410fd
commit 84dea01f36
25 changed files with 175 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
programs/ssl/dtls_server.c
View File

@ -79,7 +79,9 @@ int main( void )
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
#include "test/certs.h"
#include "test/random.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
@ -138,7 +140,23 @@ int main( void )
#endif
/*
* 1. Load the certificates and private RSA key
* 1. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 2. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@ -165,7 +183,7 @@ int main( void )
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
mbedtls_test_srv_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@ -175,7 +193,7 @@ int main( void )
printf( " ok\n" );
/*
* 2. Setup the "listening" UDP socket
* 3. Setup the "listening" UDP socket
*/
printf( " . Bind on udp/*/4433 ..." );
fflush( stdout );
@ -188,22 +206,6 @@ int main( void )
printf( " ok\n" );
/*
* 3. Seed the RNG
*/
printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
printf( " ok\n" );
/*
* 4. Setup stuff
*/

4
programs/ssl/ssl_client2.c
View File

@ -1548,12 +1548,12 @@ int main( int argc, char *argv[] )
else
#if defined(MBEDTLS_FS_IO)
if( strlen( opt.key_file ) )
ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd );
ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd, rng_get, &rng );
else
#endif
ret = mbedtls_pk_parse_key( &pkey,
(const unsigned char *) mbedtls_test_cli_key,
mbedtls_test_cli_key_len, NULL, 0 );
mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n",

3
programs/ssl/ssl_fork_server.c
View File

@ -166,7 +166,8 @@ int main( void )
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed! mbedtls_pk_parse_key returned %d\n\n", ret );

9
programs/ssl/ssl_mail_client.c
View File

@ -556,12 +556,17 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_FS_IO)
if( strlen( opt.key_file ) )
ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
{
ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "",
mbedtls_ctr_drbg_random, &ctr_drbg );
}
else
#endif
#if defined(MBEDTLS_PEM_PARSE_C)
{
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key,
mbedtls_test_cli_key_len, NULL, 0 );
mbedtls_test_cli_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg );
}
#else
{
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");

37
programs/ssl/ssl_pthread_server.c
View File

@ -360,7 +360,23 @@ int main( void )
mbedtls_entropy_init( &entropy );
/*
* 1. Load the certificates and private RSA key
* 1a. Seed the random number generator
*/
mbedtls_printf( " . Seeding the random number generator..." );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
( unsigned int ) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 1b. Load the certificates and private RSA key
*/
mbedtls_printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@ -388,7 +404,8 @@ int main( void )
mbedtls_pk_init( &pkey );
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@ -397,22 +414,6 @@ int main( void )
mbedtls_printf( " ok\n" );
/*
* 1b. Seed the random number generator
*/
mbedtls_printf( " . Seeding the random number generator..." );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
( unsigned int ) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 1c. Prepare SSL configuration
*/

39
programs/ssl/ssl_server.c
View File

@ -125,7 +125,23 @@ int main( void )
#endif
/*
* 1. Load the certificates and private RSA key
* 1. Seed the RNG
*/
mbedtls_printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 2. Load the certificates and private RSA key
*/
mbedtls_printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@ -152,7 +168,8 @@ int main( void )
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 );
mbedtls_test_srv_key_len, NULL, 0,
mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@ -162,7 +179,7 @@ int main( void )
mbedtls_printf( " ok\n" );
/*
* 2. Setup the listening TCP socket
* 3. Setup the listening TCP socket
*/
mbedtls_printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
@ -175,22 +192,6 @@ int main( void )
mbedtls_printf( " ok\n" );
/*
* 3. Seed the RNG
*/
mbedtls_printf( " . Seeding the random number generator..." );
fflush( stdout );
if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 4. Setup stuff
*/

14
programs/ssl/ssl_server2.c
View File

@ -20,6 +20,7 @@
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "ssl_test_lib.h"
#include "test/random.h"
#if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
int main( void )
@ -727,7 +728,8 @@ sni_entry *sni_parse( char *sni_string )
mbedtls_pk_init( new->key );
if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 ||
mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 )
mbedtls_pk_parse_keyfile( new->key, key_file, "",
mbedtls_test_rnd_std_rand, NULL ) != 0 )
goto error;
if( strcmp( ca_file, "-" ) != 0 )
@ -2257,7 +2259,7 @@ int main( int argc, char *argv[] )
{
key_cert_init++;
if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file,
opt.key_pwd ) ) != 0 )
opt.key_pwd, rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%x\n\n", (unsigned int) -ret );
goto exit;
@ -2283,7 +2285,7 @@ int main( int argc, char *argv[] )
{
key_cert_init2++;
if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2,
opt.key_pwd2 ) ) != 0 )
opt.key_pwd2, rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n",
(unsigned int) -ret );
@ -2314,7 +2316,8 @@ int main( int argc, char *argv[] )
}
if( ( ret = mbedtls_pk_parse_key( &pkey,
(const unsigned char *) mbedtls_test_srv_key_rsa,
mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 )
mbedtls_test_srv_key_rsa_len, NULL, 0,
rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n",
(unsigned int) -ret );
@ -2333,7 +2336,8 @@ int main( int argc, char *argv[] )
}
if( ( ret = mbedtls_pk_parse_key( &pkey2,
(const unsigned char *) mbedtls_test_srv_key_ec,
mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 )
mbedtls_test_srv_key_ec_len, NULL, 0,
rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n",
(unsigned int) -ret );