aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAntoine Aubert <a.aubert@overkiz.com>2017-01-27 08:39:28 +0100
committerDaniel Stenberg <daniel@haxx.se>2017-01-29 11:37:22 +0100
commita90a5bccd47ba5425949a51e6d77b91a2a1e7fe6 (patch)
treea860289f28afee6e3112f871c44c2548566b67e6
parenta1a5dd14d7dd7957903d33f4d9a8f7ce22faa4a3 (diff)
mbedtls: implement CTR-DRBG and HAVEGE random generators
closes #1227
-rw-r--r--lib/vtls/mbedtls.c51
-rw-r--r--lib/vtls/mbedtls.h9
2 files changed, 54 insertions, 6 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 213a58fca..748828023 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -6,7 +6,7 @@
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
- * Copyright (C) 2012 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -734,6 +734,55 @@ size_t Curl_mbedtls_version(char *buffer, size_t size)
(version>>16)&0xff, (version>>8)&0xff);
}
+CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
+ size_t length)
+{
+#if defined(MBEDTLS_CTR_DRBG_C)
+ int ret = -1;
+ char errorbuf[128];
+ mbedtls_entropy_context ctr_entropy;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_init(&ctr_entropy);
+ mbedtls_ctr_drbg_init(&ctr_drbg);
+ errorbuf[0]=0;
+
+ ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
+ &ctr_entropy, NULL, 0);
+
+ if(ret) {
+#ifdef MBEDTLS_ERROR_C
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+#endif /* MBEDTLS_ERROR_C */
+ failf(data, "Failed - mbedTLS: ctr_drbg_seed returned (-0x%04X) %s\n",
+ -ret, errorbuf);
+ }
+ else {
+ ret = mbedtls_ctr_drbg_random(&ctr_drbg, entropy, length);
+
+ if(ret) {
+#ifdef MBEDTLS_ERROR_C
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+#endif /* MBEDTLS_ERROR_C */
+ failf(data, "mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n",
+ -ret, errorbuf);
+ }
+ }
+
+ mbedtls_ctr_drbg_free(&ctr_drbg);
+ mbedtls_entropy_free(&ctr_entropy);
+
+ return ret == 0 ? CURLE_OK : CURLE_FAILED_INIT;
+#elif defined(MBEDTLS_HAVEGE_C)
+ mbedtls_havege_state hs;
+ mbedtls_havege_init(&hs);
+ mbedtls_havege_random(&hs, entropy, length);
+ mbedtls_havege_free(&hs);
+ return CURLE_OK;
+#else
+ return CURLE_NOT_BUILT_IN;
+#endif
+}
+
static CURLcode
mbed_connect_common(struct connectdata *conn,
int sockindex,
diff --git a/lib/vtls/mbedtls.h b/lib/vtls/mbedtls.h
index 1021d5461..5b0bcf6d7 100644
--- a/lib/vtls/mbedtls.h
+++ b/lib/vtls/mbedtls.h
@@ -50,6 +50,9 @@ void Curl_mbedtls_session_free(void *ptr);
size_t Curl_mbedtls_version(char *buffer, size_t size);
int Curl_mbedtls_shutdown(struct connectdata *conn, int sockindex);
+CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
+ size_t length);
+
/* this backends supports CURLOPT_PINNEDPUBLICKEY */
#define have_curlssl_pinnedpubkey 1
@@ -70,11 +73,7 @@ int Curl_mbedtls_shutdown(struct connectdata *conn, int sockindex);
#define curlssl_data_pending(x,y) Curl_mbedtls_data_pending(x, y)
#define CURL_SSL_BACKEND CURLSSLBACKEND_MBEDTLS
#define curlssl_sha256sum(a,b,c,d) mbedtls_sha256(a,b,c,0)
-
-/* This might cause libcurl to use a weeker random!
- TODO: implement proper use of Polarssl's CTR-DRBG or HMAC-DRBG and use that
-*/
-#define curlssl_random(x,y,z) (x=x, y=y, z=z, CURLE_NOT_BUILT_IN)
+#define curlssl_random(x,y,z) Curl_mbedtls_random(x, y, z)
#endif /* USE_MBEDTLS */
#endif /* HEADER_CURL_MBEDTLS_H */