Add RNG params to private key parsing
This is necessary for the case where the public part of an EC keypair
needs to be computed from the private part - either because it was not
included (it's an optional component) or because it was compressed (a
format we can't parse).
This changes the API of two public functions: mbedtls_pk_parse_key() and
mbedtls_pk_parse_keyfile().
Tests and programs have been adapted. Some programs use a non-secure RNG
(from the test library) just to get things to compile and run; in a
future commit this should be improved in order to demonstrate best
practice.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 5c7b2f6..dec5111 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -667,6 +667,8 @@
* The empty password is not supported.
* \param pwdlen Size of the password in bytes.
* Ignored if \p pwd is \c NULL.
+ * \param f_rng RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng RNG parameter
*
* \note On entry, ctx must be empty, either freshly initialised
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -677,8 +679,9 @@
* \return 0 if successful, or a specific PK or PEM error code
*/
int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
- const unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen );
+ const unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/** \ingroup pk_module */
/**
@@ -718,6 +721,8 @@
* Pass a null-terminated string if expecting an encrypted
* key; a non-encrypted key will also be accepted.
* The empty password is not supported.
+ * \param f_rng RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng RNG parameter
*
* \note On entry, ctx must be empty, either freshly initialised
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -728,7 +733,8 @@
* \return 0 if successful, or a specific PK or PEM error code
*/
int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
- const char *path, const char *password );
+ const char *path, const char *password,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/** \ingroup pk_module */
/**
diff --git a/library/pkparse.c b/library/pkparse.c
index 3222ca2..5438ee4 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -123,7 +123,8 @@
* Load and parse a private key
*/
int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
- const char *path, const char *pwd )
+ const char *path, const char *pwd,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
@@ -136,10 +137,10 @@
return( ret );
if( pwd == NULL )
- ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
+ ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0, f_rng, p_rng );
else
ret = mbedtls_pk_parse_key( ctx, buf, n,
- (const unsigned char *) pwd, strlen( pwd ) );
+ (const unsigned char *) pwd, strlen( pwd ), f_rng, p_rng );
mbedtls_platform_zeroize( buf, n );
mbedtls_free( buf );
@@ -859,8 +860,8 @@
* Parse a SEC1 encoded private EC key
*/
static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
- const unsigned char *key,
- size_t keylen )
+ const unsigned char *key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int version, pubkey_done;
@@ -967,7 +968,7 @@
if( ! pubkey_done &&
( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
- NULL, NULL ) ) != 0 )
+ f_rng, p_rng ) ) != 0 )
{
mbedtls_ecp_keypair_free( eck );
return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
@@ -997,9 +998,9 @@
*
*/
static int pk_parse_key_pkcs8_unencrypted_der(
- mbedtls_pk_context *pk,
- const unsigned char* key,
- size_t keylen )
+ mbedtls_pk_context *pk,
+ const unsigned char* key, size_t keylen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, version;
size_t len;
@@ -1071,7 +1072,7 @@
if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
{
if( ( ret = pk_use_ecparams( ¶ms, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
- ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len ) ) != 0 )
+ ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len, f_rng, p_rng ) ) != 0 )
{
mbedtls_pk_free( pk );
return( ret );
@@ -1094,9 +1095,10 @@
*/
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
static int pk_parse_key_pkcs8_encrypted_der(
- mbedtls_pk_context *pk,
- unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen )
+ mbedtls_pk_context *pk,
+ unsigned char *key, size_t keylen,
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, decrypted = 0;
size_t len;
@@ -1206,7 +1208,7 @@
if( decrypted == 0 )
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
- return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
+ return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len, f_rng, p_rng ) );
}
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
@@ -1215,7 +1217,8 @@
*/
int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
const unsigned char *key, size_t keylen,
- const unsigned char *pwd, size_t pwdlen )
+ const unsigned char *pwd, size_t pwdlen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_pk_info_t *pk_info;
@@ -1278,7 +1281,8 @@
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
- pem.buf, pem.buflen ) ) != 0 )
+ pem.buf, pem.buflen,
+ f_rng, p_rng ) ) != 0 )
{
mbedtls_pk_free( pk );
}
@@ -1305,7 +1309,7 @@
if( ret == 0 )
{
if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
- pem.buf, pem.buflen ) ) != 0 )
+ pem.buf, pem.buflen, f_rng, p_rng ) ) != 0 )
{
mbedtls_pk_free( pk );
}
@@ -1327,9 +1331,8 @@
key, NULL, 0, &len );
if( ret == 0 )
{
- if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
- pem.buf, pem.buflen,
- pwd, pwdlen ) ) != 0 )
+ if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, pem.buf, pem.buflen,
+ pwd, pwdlen, f_rng, p_rng ) ) != 0 )
{
mbedtls_pk_free( pk );
}
@@ -1362,7 +1365,7 @@
memcpy( key_copy, key, keylen );
ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
- pwd, pwdlen );
+ pwd, pwdlen, f_rng, p_rng );
mbedtls_platform_zeroize( key_copy, keylen );
mbedtls_free( key_copy );
@@ -1380,8 +1383,11 @@
}
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
- if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
+ if( ( ret = pk_parse_key_pkcs8_unencrypted_der(
+ pk, key, keylen, f_rng, p_rng ) ) == 0 )
+ {
return( 0 );
+ }
mbedtls_pk_free( pk );
mbedtls_pk_init( pk );
@@ -1403,7 +1409,7 @@
pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
- key, keylen ) == 0 )
+ key, keylen, f_rng, p_rng ) == 0 )
{
return( 0 );
}
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index f2e9a1c..ef2adc1 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -108,7 +108,8 @@
/* Parse the data. */
if( PSA_KEY_TYPE_IS_KEY_PAIR( type ) )
status = mbedtls_to_psa_error(
- mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0 ) );
+ mbedtls_pk_parse_key( &ctx, data, data_length, NULL, 0,
+ mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ) );
else
status = mbedtls_to_psa_error(
mbedtls_pk_parse_public_key( &ctx, data, data_length ) );
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index 34ff63e..a64eef9 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -6,6 +6,7 @@
#include "common.h"
#include "mbedtls/ssl.h"
#include "test/certs.h"
+#include "test/random.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@@ -55,7 +56,8 @@
mbedtls_test_cas_pem_len ) != 0)
return 1;
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 ) != 0)
+ mbedtls_test_srv_key_len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL ) != 0)
return 1;
#endif
dummy_init();
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index f76afd1..a061875 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -3,6 +3,7 @@
#include <stdint.h>
#include <stdlib.h>
#include "mbedtls/pk.h"
+#include "test/random.h"
//4 Kb should be enough for every bug ;-)
#define MAX_LEN 0x1000
@@ -19,7 +20,8 @@
}
mbedtls_pk_init( &pk );
- ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 );
+ ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL );
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index 5480e3e..d4480c5 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -66,7 +66,8 @@
mbedtls_test_cas_pem_len ) != 0)
return 1;
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 ) != 0)
+ mbedtls_test_srv_key_len, NULL, 0,
+ mbedtls_ctr_drbg_random, &ctr_drbg ) != 0)
return 1;
#endif
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index 7bd93c7..0e30be4 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -40,6 +40,8 @@
#include "mbedtls/rsa.h"
#include "mbedtls/pk.h"
+#include "test/random.h"
+
#include <string.h>
#endif
@@ -181,7 +183,8 @@
mbedtls_printf( "\n . Loading the private key ..." );
fflush( stdout );
- ret = mbedtls_pk_parse_keyfile( &pk, opt.filename, opt.password );
+ ret = mbedtls_pk_parse_keyfile( &pk, opt.filename, opt.password,
+ mbedtls_test_rnd_std_rand, NULL );
if( ret != 0 )
{
diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c
index 4b65262..c7f9741 100644
--- a/programs/pkey/key_app_writer.c
+++ b/programs/pkey/key_app_writer.c
@@ -39,6 +39,8 @@
#include "mbedtls/pk.h"
#include "mbedtls/error.h"
+#include "test/random.h"
+
#include <stdio.h>
#include <string.h>
#endif
@@ -292,8 +294,8 @@
mbedtls_printf( "\n . Loading the private key ..." );
fflush( stdout );
- ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL );
-
+ ret = mbedtls_pk_parse_keyfile( &key, opt.filename, NULL,
+ mbedtls_test_rnd_std_rand, NULL );
if( ret != 0 )
{
mbedtls_strerror( ret, (char *) buf, sizeof(buf) );
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index 810d6fb..e01f5d5 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -106,7 +106,8 @@
mbedtls_printf( "\n . Reading private key from '%s'", argv[1] );
fflush( stdout );
- if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 )
+ if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "",
+ mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%04x\n", (unsigned int) -ret );
goto exit;
diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c
index 451e3de..422fa25 100644
--- a/programs/pkey/pk_sign.c
+++ b/programs/pkey/pk_sign.c
@@ -101,7 +101,8 @@
mbedtls_printf( "\n . Reading private key from '%s'", argv[1] );
fflush( stdout );
- if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 )
+ if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "",
+ mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_printf( " failed\n ! Could not parse '%s'\n", argv[1] );
goto exit;
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 26056dd..bbbe0a9 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -102,7 +102,8 @@
mbedtls_printf( "\n . Reading private key from '%s'", argv[1] );
fflush( stdout );
- if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "" ) ) != 0 )
+ if( ( ret = mbedtls_pk_parse_keyfile( &pk, argv[1], "",
+ mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_printf( " failed\n ! Could not read key from '%s'\n", argv[1] );
mbedtls_printf( " ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret );
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index de47aab..857671f 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -79,7 +79,9 @@
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
+
#include "test/certs.h"
+#include "test/random.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
@@ -138,7 +140,23 @@
#endif
/*
- * 1. Load the certificates and private RSA key
+ * 1. Seed the RNG
+ */
+ printf( " . Seeding the random number generator..." );
+ fflush( stdout );
+
+ if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *) pers,
+ strlen( pers ) ) ) != 0 )
+ {
+ printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 2. Load the certificates and private RSA key
*/
printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@@ -165,7 +183,7 @@
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 );
+ mbedtls_test_srv_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@@ -175,7 +193,7 @@
printf( " ok\n" );
/*
- * 2. Setup the "listening" UDP socket
+ * 3. Setup the "listening" UDP socket
*/
printf( " . Bind on udp/*/4433 ..." );
fflush( stdout );
@@ -189,22 +207,6 @@
printf( " ok\n" );
/*
- * 3. Seed the RNG
- */
- printf( " . Seeding the random number generator..." );
- fflush( stdout );
-
- if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
- (const unsigned char *) pers,
- strlen( pers ) ) ) != 0 )
- {
- printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
- goto exit;
- }
-
- printf( " ok\n" );
-
- /*
* 4. Setup stuff
*/
printf( " . Setting up the DTLS data..." );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 98a3048..6501c49 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1548,12 +1548,12 @@
else
#if defined(MBEDTLS_FS_IO)
if( strlen( opt.key_file ) )
- ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd );
+ ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd, rng_get, &rng );
else
#endif
ret = mbedtls_pk_parse_key( &pkey,
(const unsigned char *) mbedtls_test_cli_key,
- mbedtls_test_cli_key_len, NULL, 0 );
+ mbedtls_test_cli_key_len, NULL, 0, rng_get, &rng );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n",
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 5732108..7419010 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -166,7 +166,8 @@
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 );
+ mbedtls_test_srv_key_len, NULL, 0,
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed! mbedtls_pk_parse_key returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 09bbc3d..f223977 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -556,12 +556,17 @@
#if defined(MBEDTLS_FS_IO)
if( strlen( opt.key_file ) )
- ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" );
+ {
+ ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "",
+ mbedtls_ctr_drbg_random, &ctr_drbg );
+ }
else
#endif
#if defined(MBEDTLS_PEM_PARSE_C)
+ {
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key,
- mbedtls_test_cli_key_len, NULL, 0 );
+ mbedtls_test_cli_key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg );
+ }
#else
{
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index 93eab46..a083e4b 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -360,7 +360,23 @@
mbedtls_entropy_init( &entropy );
/*
- * 1. Load the certificates and private RSA key
+ * 1a. Seed the random number generator
+ */
+ mbedtls_printf( " . Seeding the random number generator..." );
+
+ if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *) pers,
+ strlen( pers ) ) ) != 0 )
+ {
+ mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
+ ( unsigned int ) -ret );
+ goto exit;
+ }
+
+ mbedtls_printf( " ok\n" );
+
+ /*
+ * 1b. Load the certificates and private RSA key
*/
mbedtls_printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@@ -388,7 +404,8 @@
mbedtls_pk_init( &pkey );
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 );
+ mbedtls_test_srv_key_len, NULL, 0,
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@@ -398,22 +415,6 @@
mbedtls_printf( " ok\n" );
/*
- * 1b. Seed the random number generator
- */
- mbedtls_printf( " . Seeding the random number generator..." );
-
- if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
- (const unsigned char *) pers,
- strlen( pers ) ) ) != 0 )
- {
- mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
- ( unsigned int ) -ret );
- goto exit;
- }
-
- mbedtls_printf( " ok\n" );
-
- /*
* 1c. Prepare SSL configuration
*/
mbedtls_printf( " . Setting up the SSL data...." );
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 42196ff..aaccb58 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -125,7 +125,23 @@
#endif
/*
- * 1. Load the certificates and private RSA key
+ * 1. Seed the RNG
+ */
+ mbedtls_printf( " . Seeding the random number generator..." );
+ fflush( stdout );
+
+ if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *) pers,
+ strlen( pers ) ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
+ goto exit;
+ }
+
+ mbedtls_printf( " ok\n" );
+
+ /*
+ * 2. Load the certificates and private RSA key
*/
mbedtls_printf( "\n . Loading the server cert. and key..." );
fflush( stdout );
@@ -152,7 +168,8 @@
}
ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
- mbedtls_test_srv_key_len, NULL, 0 );
+ mbedtls_test_srv_key_len, NULL, 0,
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret );
@@ -162,7 +179,7 @@
mbedtls_printf( " ok\n" );
/*
- * 2. Setup the listening TCP socket
+ * 3. Setup the listening TCP socket
*/
mbedtls_printf( " . Bind on https://localhost:4433/ ..." );
fflush( stdout );
@@ -176,22 +193,6 @@
mbedtls_printf( " ok\n" );
/*
- * 3. Seed the RNG
- */
- mbedtls_printf( " . Seeding the random number generator..." );
- fflush( stdout );
-
- if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
- (const unsigned char *) pers,
- strlen( pers ) ) ) != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
- goto exit;
- }
-
- mbedtls_printf( " ok\n" );
-
- /*
* 4. Setup stuff
*/
mbedtls_printf( " . Setting up the SSL data...." );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index de4eb6d..37f4348 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -20,6 +20,7 @@
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "ssl_test_lib.h"
+#include "test/random.h"
#if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
int main( void )
@@ -727,7 +728,8 @@
mbedtls_pk_init( new->key );
if( mbedtls_x509_crt_parse_file( new->cert, crt_file ) != 0 ||
- mbedtls_pk_parse_keyfile( new->key, key_file, "" ) != 0 )
+ mbedtls_pk_parse_keyfile( new->key, key_file, "",
+ mbedtls_test_rnd_std_rand, NULL ) != 0 )
goto error;
if( strcmp( ca_file, "-" ) != 0 )
@@ -2257,7 +2259,7 @@
{
key_cert_init++;
if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file,
- opt.key_pwd ) ) != 0 )
+ opt.key_pwd, rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%x\n\n", (unsigned int) -ret );
goto exit;
@@ -2283,7 +2285,7 @@
{
key_cert_init2++;
if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2,
- opt.key_pwd2 ) ) != 0 )
+ opt.key_pwd2, rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n",
(unsigned int) -ret );
@@ -2314,7 +2316,8 @@
}
if( ( ret = mbedtls_pk_parse_key( &pkey,
(const unsigned char *) mbedtls_test_srv_key_rsa,
- mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 )
+ mbedtls_test_srv_key_rsa_len, NULL, 0,
+ rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n",
(unsigned int) -ret );
@@ -2333,7 +2336,8 @@
}
if( ( ret = mbedtls_pk_parse_key( &pkey2,
(const unsigned char *) mbedtls_test_srv_key_ec,
- mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 )
+ mbedtls_test_srv_key_ec_len, NULL, 0,
+ rng_get, &rng ) ) != 0 )
{
mbedtls_printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n",
(unsigned int) -ret );
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index e8241a3..0941458 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -346,7 +346,8 @@
mbedtls_printf( " . Loading the private key ..." );
fflush( stdout );
- ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password );
+ ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password,
+ mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 041f459..4b8fba9 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -577,7 +577,7 @@
fflush( stdout );
ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
- opt.subject_pwd );
+ opt.subject_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
@@ -593,7 +593,7 @@
fflush( stdout );
ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
- opt.issuer_pwd );
+ opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index b46cf05..5ccb072 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -279,7 +279,8 @@
MBEDTLS_ERR_PK_BAD_INPUT_DATA );
#if defined(MBEDTLS_PK_PARSE_C)
- TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1 ) ==
+ TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1,
+ mbedtls_test_rnd_std_rand, NULL ) ==
MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
TEST_ASSERT( mbedtls_pk_parse_public_key( &pk, NULL, 0 ) ==
@@ -296,8 +297,8 @@
/* For the write tests to be effective, we need a valid key pair. */
mbedtls_pk_init( &pk );
TEST_ASSERT( mbedtls_pk_parse_key( &pk,
- key_data->x, key_data->len,
- NULL, 0 ) == 0 );
+ key_data->x, key_data->len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL ) == 0 );
TEST_ASSERT( mbedtls_pk_write_key_der( &pk, NULL, 0 ) ==
MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
@@ -349,7 +350,9 @@
mbedtls_pk_init( &alt );
TEST_ASSERT( mbedtls_pk_parse_public_keyfile( &pub, pub_file ) == 0 );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &prv, prv_file, NULL ) == 0 );
+ TEST_ASSERT( mbedtls_pk_parse_keyfile( &prv, prv_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL )
+ == 0 );
TEST_ASSERT( mbedtls_pk_check_pair( &pub, &prv,
mbedtls_test_rnd_std_rand, NULL )
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index 4650d33..4c7f3d2 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -21,7 +21,8 @@
if( strcmp( pwd, "NULL" ) == 0 )
pwd = NULL;
- res = mbedtls_pk_parse_keyfile( &ctx, key_file, pwd );
+ res = mbedtls_pk_parse_keyfile( &ctx, key_file, pwd,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( res == result );
@@ -96,7 +97,8 @@
mbedtls_pk_init( &ctx );
- res = mbedtls_pk_parse_keyfile( &ctx, key_file, password );
+ res = mbedtls_pk_parse_keyfile( &ctx, key_file, password,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( res == result );
@@ -120,7 +122,8 @@
mbedtls_pk_init( &pk );
- TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf->x, buf->len, NULL, 0 ) == result );
+ TEST_ASSERT( mbedtls_pk_parse_key( &pk, buf->x, buf->len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL ) == result );
exit:
mbedtls_pk_free( &pk );
diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function
index 2bad4ed..d1e029a 100644
--- a/tests/suites/test_suite_pkwrite.function
+++ b/tests/suites/test_suite_pkwrite.function
@@ -63,7 +63,8 @@
memset( check_buf, 0, sizeof( check_buf ) );
mbedtls_pk_init( &key );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
+ TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL ) == 0 );
ret = mbedtls_pk_write_key_pem( &key, buf, sizeof( buf ));
TEST_ASSERT( ret == 0 );
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index c555d74..d4aad60 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -800,7 +800,8 @@
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_rsa_der,
- mbedtls_test_srv_key_rsa_der_len, NULL, 0 );
+ mbedtls_test_srv_key_rsa_der_len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
else
@@ -812,7 +813,8 @@
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_ec_der,
- mbedtls_test_srv_key_ec_der_len, NULL, 0 );
+ mbedtls_test_srv_key_ec_der_len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
}
@@ -827,7 +829,8 @@
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_rsa_der,
- mbedtls_test_cli_key_rsa_der_len, NULL, 0 );
+ mbedtls_test_cli_key_rsa_der_len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
else
@@ -839,7 +842,8 @@
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_ec_der,
- mbedtls_test_cli_key_ec_der_len, NULL, 0 );
+ mbedtls_test_cli_key_ec_der_len, NULL, 0,
+ mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
}
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 44f846f..c9b7cf9 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -94,7 +94,8 @@
memset( &rnd_info, 0x2a, sizeof( mbedtls_test_rnd_pseudo_info ) );
mbedtls_pk_init( &key );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
+ TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL ) == 0 );
mbedtls_x509write_csr_init( &req );
mbedtls_x509write_csr_set_md_alg( &req, md_type );
@@ -163,7 +164,8 @@
TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE );
mbedtls_pk_init( &key );
- TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 );
+ TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL,
+ mbedtls_test_rnd_std_rand, NULL ) == 0 );
TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &key_id, md_alg_psa ) == 0 );
mbedtls_x509write_csr_init( &req );
@@ -225,10 +227,10 @@
mbedtls_x509write_crt_init( &crt );
TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file,
- subject_pwd ) == 0 );
+ subject_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 );
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
- issuer_pwd ) == 0 );
+ issuer_pwd, mbedtls_test_rnd_std_rand, NULL ) == 0 );
#if defined(MBEDTLS_RSA_C)
/* For RSA PK contexts, create a copy as an alternative RSA context. */