Added new global rng, needed for MbedTLS optimisations

pull/12729/head
Teppo Järvelin 2020-02-20 10:56:20 +02:00 committed by Antti Kauppila
parent 793837cafe
commit 17e513891b
6 changed files with 184 additions and 0 deletions

View File

@ -599,8 +599,15 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
altcp_mbedtls_free(conf, state);
return ERR_MEM;
}
// Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
// callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
// these defines can't be used.
#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
/* tell mbedtls about our I/O functions */
mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
#else
mbedtls_ssl_set_bio_ctx(&state->ssl_context, conn);
#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
altcp_mbedtls_setup_callbacks(conn, inner_conn);
conn->inner_conn = inner_conn;
@ -734,7 +741,10 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
}
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
#endif
#if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF
mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
#endif

View File

@ -0,0 +1,93 @@
/*
* shared_rng.h
*
* Copyright (C) 2019, Arm Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#ifndef SHARED_RNG_H
#define SHARED_RNG_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_SSL_CONF_RNG)
#define MBED_SHARED_RNG_NOT_INITIALIZED -1 /**< init_global_rng not called before global_rng */
#ifdef __cplusplus
extern "C" {
#endif
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/entropy.h"
/**
* \brief Initializes hmac ready for rng
*
* \return 0 if successful, or
* MBEDTLS_ERR_MD_BAD_INPUT_DATA, or
* MBEDTLS_ERR_MD_ALLOC_FAILED, or
* MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED.
*/
int init_global_rng();
/**
* \brief Global HMAC_DRBG generate random
*
* \note Automatically reseeds if reseed_counter is reached or PR is enabled.
* \note init_global_rng function must be called
* before calling this function!
*
* \param ctx DRBG context
* \param dst Buffer to fill
* \param len Length of the buffer
*
* \return 0 if successful, or
* MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
* MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG or
* MBED_SHARED_RNG_NOT_INITIALIZED
*/
int global_rng( void *ctx, unsigned char *dst, size_t len );
/**
* \brief Free allocated resources
*/
void free_global_rng();
/**
* \brief Getter function for global hmac context
*
* \return global hmac context
*/
mbedtls_hmac_drbg_context *get_global_hmac_drbg();
/**
* \brief Getter function for global entropy context
*
* \return global entropy context
*/
mbedtls_entropy_context *get_global_entropy();
#ifdef __cplusplus
}
#endif
#endif // MBEDTLS_SSL_CONF_RNG
#endif // SHARED_RNG_H

View File

@ -0,0 +1,75 @@
/*
* shared_rng.cpp
*
* Copyright (C) 2019, Arm Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include "shared_rng.h"
#if defined(MBEDTLS_SSL_CONF_RNG)
#include "mbed_trace.h"
mbedtls_hmac_drbg_context global_hmac_drbg;
mbedtls_entropy_context global_entropy;
static bool is_initialized = false;
int init_global_rng()
{
mbedtls_entropy_init(&global_entropy);
mbedtls_hmac_drbg_init(&global_hmac_drbg);
int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
mbedtls_entropy_func, &global_entropy, NULL, 0);
if (ret != 0) {
tr_error(" init_global_rng failed! mbedtls_hmac_drbg_seed returned -0x%x", -ret);
free_global_rng();
} else {
is_initialized = true;
}
return ret;
This conversation was marked as resolved by jarvte
}
void free_global_rng()
{
mbedtls_entropy_free(&global_entropy);
mbedtls_hmac_drbg_free(&global_hmac_drbg);
is_initialized = false;
}
int global_rng( void *ctx, unsigned char *dst, size_t len )
{
if (!is_initialized) {
return MBED_SHARED_RNG_NOT_INITIALIZED;
}
return mbedtls_hmac_drbg_random(&global_hmac_drbg, dst, len);
}
mbedtls_hmac_drbg_context *get_global_hmac_drbg()
{
return &global_hmac_drbg;
}
mbedtls_entropy_context *get_global_entropy()
{
return &global_entropy;
}
#endif // MBEDTLS_SSL_CONF_RNG

View File

@ -396,7 +396,9 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
mbedtls_ssl_conf_handshake_timeout(&sec->_conf, timeout_min, timeout_max);
}
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg);
#endif
if ((mbedtls_ssl_setup(&sec->_ssl, &sec->_conf)) != 0) {
return -1;

View File

@ -327,8 +327,10 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
return -1;
}
#if !defined(MBEDTLS_SSL_CONF_RNG)
// Configure random number generator
mbedtls_ssl_conf_rng(&sec->conf, mbedtls_ctr_drbg_random, &sec->ctr_drbg);
#endif
#ifdef MBEDTLS_ECP_RESTARTABLE
// Set ECC calculation maximum operations (affects only client)

View File

@ -184,7 +184,9 @@ nsapi_error_t TLSSocketWrapper::start_handshake(bool first_call)
return NSAPI_ERROR_AUTH_FAILURE;
}
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(get_ssl_config(), mbedtls_ctr_drbg_random, &_ctr_drbg);
#endif
#if MBED_CONF_TLS_SOCKET_DEBUG_LEVEL > 0