mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-08 16:13:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8587 from yanrayw/issue/4911/ssl_setup-check-RNG-configuration

Browse Source 
TLS: check RNG when calling mbedtls_ssl_setup()
This commit is contained in:
Ronald Cron 2024-03-08 07:38:39 +00:00 committed by GitHub
commit 139a4185b1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 56 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
library/ssl_client.c
View File

@ -765,11 +765,6 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_SESSION_TICKETS &&
MBEDTLS_HAVE_TIME */
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
}
/* Bet on the highest configured version if we are not in a TLS 1.2
* renegotiation or session resumption.
*/

5
library/ssl_tls.c
View File

@ -1361,6 +1361,11 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
}
/* Space for further checks */
return 0;

5
library/ssl_tls12_server.c
View File

@ -2178,11 +2178,6 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
}
/*
* 0 . 0 handshake type
* 1 . 3 handshake length

4
library/ssl_tls13_server.c
View File

@ -1973,10 +1973,6 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *server_randbytes =
ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
if (ssl->conf->f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
return MBEDTLS_ERR_SSL_NO_RNG;
}
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {

7
tests/include/test/ssl_helpers.h
View File

@ -195,6 +195,13 @@ typedef struct mbedtls_test_ssl_endpoint {
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
/*
* Random number generator aimed for TLS unitary tests. Its main purpose is to
* simplify the set-up of a random number generator for TLS
* unitary tests: no need to set up a good entropy source for example.
*/
int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len);
/*
* This function can be passed to mbedtls to receive output logs from it. In
* this case, it will count the instances of a mbedtls_test_ssl_log_pattern

9
tests/src/test_helpers/ssl_helpers.c
View File

@ -12,9 +12,7 @@
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_SSL_TLS_C)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
static int rng_seed = 0xBEEF;
static int rng_get(void *p_rng, unsigned char *output, size_t output_len)
int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
(void) p_rng;
for (size_t i = 0; i < output_len; i++) {
@ -23,7 +21,6 @@ static int rng_get(void *p_rng, unsigned char *output, size_t output_len)
return 0;
}
#endif
void mbedtls_test_ssl_log_analyzer(void *ctx, int level,
const char *file, int line,
@ -46,6 +43,8 @@ void mbedtls_test_init_handshake_options(
mbedtls_test_handshake_test_options *opts)
{
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
static int rng_seed = 0xBEEF;
srand(rng_seed);
rng_seed += 0xD0;
#endif
@ -755,7 +754,7 @@ int mbedtls_test_ssl_endpoint_init(
mbedtls_ssl_init(&(ep->ssl));
mbedtls_ssl_config_init(&(ep->conf));
mbedtls_ssl_conf_rng(&(ep->conf), rng_get, NULL);
mbedtls_ssl_conf_rng(&(ep->conf), mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&ep->conf) == NULL);
TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), 0);

56
tests/suites/test_suite_debug.function
View File

@ -2,6 +2,7 @@
#include "debug_internal.h"
#include "string.h"
#include "mbedtls/pk.h"
#include <test/ssl_helpers.h>
struct buffer_data {
char buf[2000];
@ -65,11 +66,12 @@ void debug_print_msg_threshold(int threshold, int level, char *file,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@ -103,11 +105,12 @@ void mbedtls_debug_print_ret(char *file, int line, char *text, int value,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@ -138,11 +141,12 @@ void mbedtls_debug_print_buf(char *file, int line, char *text,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@ -175,11 +179,12 @@ void mbedtls_debug_print_crt(char *crt_file, char *file, int line,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@ -214,11 +219,12 @@ void mbedtls_debug_print_mpi(char *value, char *file, int line,
memset(buffer.buf, 0, 2000);
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_dbg(&conf, string_debug, &buffer);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);

9
tests/suites/test_suite_ssl.function
View File

@ -1131,6 +1131,8 @@ void ssl_dtls_replay(data_t *prevs, data_t *new, int ret)
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT) == 0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
/* Read previous record numbers */
@ -2879,6 +2881,7 @@ void conf_version(int endpoint, int transport,
mbedtls_ssl_conf_transport(&conf, transport);
mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version);
mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result);
TEST_EQUAL(mbedtls_ssl_conf_get_endpoint(
@ -2920,6 +2923,8 @@ void conf_curve()
mbedtls_ssl_init(&ssl);
MD_OR_USE_PSA_INIT();
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL);
@ -2951,6 +2956,7 @@ void conf_group()
mbedtls_ssl_config conf;
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
@ -3059,6 +3065,7 @@ void cookie_parsing(data_t *cookie, int exp_ret)
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT),
0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id,
@ -3113,6 +3120,7 @@ void cid_sanity()
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)
== 0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
@ -3371,6 +3379,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT), 0);
mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);