From 0736325d80954911fe7dac3224468bc87d40803a Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 27 Sep 2019 16:20:11 +0300 Subject: [PATCH 01/22] Add FI/SCA compliant versions of mem-functions Add FI/SCA compliant memset, memcmp and memcpy-functions to platform_util. Also add a stub implementation of a global RNG-function. --- include/mbedtls/platform_util.h | 8 ++++ library/platform_util.c | 65 +++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 7033af837..b3d0c915d 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -164,6 +164,14 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t; */ void mbedtls_platform_zeroize( void *buf, size_t len ); +void mbedtls_platform_memset( void *ptr, int value, size_t num ); + +void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); + +int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); + +size_t mbedtls_random_in_range( size_t num ); + #if defined(MBEDTLS_HAVE_TIME_DATE) /** * \brief Platform-specific implementation of gmtime_r() diff --git a/library/platform_util.c b/library/platform_util.c index 6f6d8b67e..73759cdb1 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -79,6 +79,71 @@ void mbedtls_platform_zeroize( void *buf, size_t len ) } #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ +void mbedtls_platform_memset( void *ptr, int value, size_t num ) +{ + /* Randomize start offset. */ + size_t startOffset = mbedtls_random_in_range( num ); + /* Randomize data */ + size_t data = mbedtls_random_in_range( 0xff ); + + /* Perform a pair of memset operations from random locations with + * random data */ + memset( ( void * ) ( ptr + startOffset ), value, ( num - startOffset ) ); + memset( ( void * ) ptr, data, startOffset ); + + /* Perform the original memset */ + memset( ptr, value, num ); +} + +void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) +{ + /* Randomize start offset. */ + size_t startOffset = mbedtls_random_in_range( num ); + /* Randomize initial data to prevent leakage while copying */ + size_t data = mbedtls_random_in_range( 0xff ); + + memset( ( void * ) dst, data, num ); + memcpy( ( void * ) ( ( unsigned char * ) dst + startOffset ), + ( void * ) ( ( unsigned char * ) src + startOffset ), + ( num - startOffset ) ); + memcpy( ( void * ) dst, ( void * ) src, startOffset ); +} + +int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) +{ + volatile unsigned int equal = 0; + + size_t i = num; + + size_t startOffset = mbedtls_random_in_range( num ); + + for( i = startOffset; i < num; i++ ) + { + equal += ( ( ( unsigned char * ) buf1 )[i] == + ( ( unsigned char * ) buf2 )[i] ); + } + + for( i = 0; i < startOffset; i++ ) + { + equal += ( ( ( unsigned char * ) buf1 )[i] == + ( ( unsigned char * ) buf2 )[i] ); + } + + if ( equal == num ) + { + return 0; + } + + return 1; +} + +//TODO: This is a stub implementation of the global RNG function. +size_t mbedtls_random_in_range( size_t num ) +{ + (void) num; + return 0; +} + #if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT) #include #if !defined(_WIN32) && (defined(unix) || \ From d82e559a48d2f922fe4406ebe54ecd74612c399a Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 14:54:41 +0300 Subject: [PATCH 02/22] Add a config flag for the global RNG The global RNG should be provided by the application depending on the RNG used there. (I.e. TRNG) --- include/mbedtls/config.h | 8 ++++++++ library/platform_util.c | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 1a057a4af..965efffcb 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3683,6 +3683,14 @@ */ //#define MBEDTLS_PLATFORM_GMTIME_R_ALT +/** + * Uncomment the macro to let Mbed TLS use a platform implementation of + * global RNG. + * + * By default the global RNG function will be a no-op. + */ +//#define MBEDTLS_PLATFORM_GLOBAL_RNG + /* \} name SECTION: Customisation configuration options */ /** diff --git a/library/platform_util.c b/library/platform_util.c index 73759cdb1..a5ece50fc 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -137,12 +137,13 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) return 1; } -//TODO: This is a stub implementation of the global RNG function. +#if !defined(MBEDTLS_PLATFORM_GLOBAL_RNG) size_t mbedtls_random_in_range( size_t num ) { (void) num; return 0; } +#endif /* !MBEDTLS_PLATFORM_GLOBAL_RNG */ #if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT) #include From 21d6a201ee84394da9e0373a3ec90242ae82051c Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 15:20:13 +0300 Subject: [PATCH 03/22] Add missing typecast for memset --- library/platform_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/platform_util.c b/library/platform_util.c index a5ece50fc..e68a6bed9 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -88,7 +88,8 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) /* Perform a pair of memset operations from random locations with * random data */ - memset( ( void * ) ( ptr + startOffset ), value, ( num - startOffset ) ); + memset( ( void * ) ( ( unsigned char * ) ptr + startOffset ), value, + ( num - startOffset ) ); memset( ( void * ) ptr, data, startOffset ); /* Perform the original memset */ From a19673222bb819477d80573dde7a35cf192e0daf Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 15:31:08 +0300 Subject: [PATCH 04/22] Change the rng-function name Change the name to mbedtls_platform_random_in_range --- include/mbedtls/platform_util.h | 2 +- library/platform_util.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index b3d0c915d..92283ad4c 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -170,7 +170,7 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); -size_t mbedtls_random_in_range( size_t num ); +size_t mbedtls_platform_random_in_range( size_t num ); #if defined(MBEDTLS_HAVE_TIME_DATE) /** diff --git a/library/platform_util.c b/library/platform_util.c index e68a6bed9..21bd5e1f9 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -82,9 +82,9 @@ void mbedtls_platform_zeroize( void *buf, size_t len ) void mbedtls_platform_memset( void *ptr, int value, size_t num ) { /* Randomize start offset. */ - size_t startOffset = mbedtls_random_in_range( num ); + size_t startOffset = mbedtls_platform_random_in_range( num ); /* Randomize data */ - size_t data = mbedtls_random_in_range( 0xff ); + size_t data = mbedtls_platform_random_in_range( 0xff ); /* Perform a pair of memset operations from random locations with * random data */ @@ -99,9 +99,9 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) { /* Randomize start offset. */ - size_t startOffset = mbedtls_random_in_range( num ); + size_t startOffset = mbedtls_platform_random_in_range( num ); /* Randomize initial data to prevent leakage while copying */ - size_t data = mbedtls_random_in_range( 0xff ); + size_t data = mbedtls_platform_random_in_range( 0xff ); memset( ( void * ) dst, data, num ); memcpy( ( void * ) ( ( unsigned char * ) dst + startOffset ), @@ -116,7 +116,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) size_t i = num; - size_t startOffset = mbedtls_random_in_range( num ); + size_t startOffset = mbedtls_platform_random_in_range( num ); for( i = startOffset; i < num; i++ ) { @@ -139,7 +139,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) } #if !defined(MBEDTLS_PLATFORM_GLOBAL_RNG) -size_t mbedtls_random_in_range( size_t num ) +size_t mbedtls_platform_random_in_range( size_t num ) { (void) num; return 0; From 7d28155b3055ec4ef81de7f1a1aa7465f26dae83 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 15:56:17 +0300 Subject: [PATCH 05/22] Add doxygen for the platform-functions --- include/mbedtls/platform_util.h | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 92283ad4c..a1ca785d4 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -164,12 +164,70 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t; */ void mbedtls_platform_zeroize( void *buf, size_t len ); +/** + * \brief Secure memset + * + * This function is meant to provide a more secure way to do + * memset. It starts by initialising the given memory area + * from random tail location with random data. After tail is + * initialised, the remaining head of the buffer is initialised + * with random data. After initialisation, the original memset + * is performed + * + * \param ptr Buffer to be set. + * \param value Value to be used when setting the buffer. + * \param num The length of the buffer in bytes. + * + */ void mbedtls_platform_memset( void *ptr, int value, size_t num ); +/** + * \brief Secure memcpy + * + * This function is meant to provide a more secure way to do + * memcpy. It starts by initialising the given memory area + * with random data. After initialisation, the original memcpy + * is performed by starting first copying from random tail + * location of the buffer. After tail has been copied, the + * remaining head is copied as well. + * + * \param dst Destination buffer where the data is being copied to. + * \param src Source buffer where the data is being copied from. + * \param num The length of the buffers in bytes. + * + */ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); +/** + * \brief Secure memcmp + * + * This function is meant to provide a more secure way to do + * memcmp. It starts comparing from a random offset and goes + * through the tail part of buffers first byte by byte. After + * that it starts going through the head part of buffer. In the + * end, the number of equal bytes is compared to the length of the + * buffers, thus making the function a fixed time memcmp. + * + * \param buf1 First buffer to compare. + * \param buf2 Second buffer to compare against. + * \param num The length of the buffers in bytes. + * + */ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); +/** + * \brief A global RNG-function + * + * This function is meant to provide a global RNG to be used + * throughout Mbed TLS for hardening the library. It is used + * for generating a random delay, random data or random offset + * for utility functions. It is not meant to be a + * cryptographically secure RNG, but provide an RNG for utility + * functions. + * + * \param num Max-value for the generated random number. + * + */ size_t mbedtls_platform_random_in_range( size_t num ); #if defined(MBEDTLS_HAVE_TIME_DATE) From f65e9de57bbb297611b9d2fd72e198e6c37ce583 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 16:09:35 +0300 Subject: [PATCH 06/22] Change rng-function return-type --- include/mbedtls/platform_util.h | 2 +- library/platform_util.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index a1ca785d4..64e6666d7 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -228,7 +228,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); * \param num Max-value for the generated random number. * */ -size_t mbedtls_platform_random_in_range( size_t num ); +uint32_t mbedtls_platform_random_in_range( size_t num ); #if defined(MBEDTLS_HAVE_TIME_DATE) /** diff --git a/library/platform_util.c b/library/platform_util.c index 21bd5e1f9..6868c33fa 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -82,9 +82,9 @@ void mbedtls_platform_zeroize( void *buf, size_t len ) void mbedtls_platform_memset( void *ptr, int value, size_t num ) { /* Randomize start offset. */ - size_t startOffset = mbedtls_platform_random_in_range( num ); + size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); /* Randomize data */ - size_t data = mbedtls_platform_random_in_range( 0xff ); + size_t data = ( size_t ) mbedtls_platform_random_in_range( 0xff ); /* Perform a pair of memset operations from random locations with * random data */ @@ -99,9 +99,9 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) { /* Randomize start offset. */ - size_t startOffset = mbedtls_platform_random_in_range( num ); + size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); /* Randomize initial data to prevent leakage while copying */ - size_t data = mbedtls_platform_random_in_range( 0xff ); + size_t data = ( size_t ) mbedtls_platform_random_in_range( 0xff ); memset( ( void * ) dst, data, num ); memcpy( ( void * ) ( ( unsigned char * ) dst + startOffset ), @@ -116,7 +116,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) size_t i = num; - size_t startOffset = mbedtls_platform_random_in_range( num ); + size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); for( i = startOffset; i < num; i++ ) { @@ -139,7 +139,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) } #if !defined(MBEDTLS_PLATFORM_GLOBAL_RNG) -size_t mbedtls_platform_random_in_range( size_t num ) +uint32_t mbedtls_platform_random_in_range( size_t num ) { (void) num; return 0; From 5aee8cab2a0e8cbdf1d6887a9e83a52d9dcf3656 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 1 Oct 2019 16:10:03 +0300 Subject: [PATCH 07/22] Update query_config --- programs/ssl/query_config.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 0c2692179..f78592141 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -2666,6 +2666,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */ +#if defined(MBEDTLS_PLATFORM_GLOBAL_RNG) + if( strcmp( "MBEDTLS_PLATFORM_GLOBAL_RNG", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_GLOBAL_RNG ); + return( 0 ); + } +#endif /* MBEDTLS_PLATFORM_GLOBAL_RNG */ + #if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 ) { From 0ff7109b7cd84e31c548ff8ef40e21300c2846d2 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 08:18:29 +0300 Subject: [PATCH 08/22] Fix style issues --- include/mbedtls/platform_util.h | 2 +- library/platform_util.c | 38 ++++++++++++++++----------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 64e6666d7..b6c50d574 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -177,7 +177,7 @@ void mbedtls_platform_zeroize( void *buf, size_t len ); * \param ptr Buffer to be set. * \param value Value to be used when setting the buffer. * \param num The length of the buffer in bytes. - * + * */ void mbedtls_platform_memset( void *ptr, int value, size_t num ); diff --git a/library/platform_util.c b/library/platform_util.c index 6868c33fa..13179216c 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -82,15 +82,15 @@ void mbedtls_platform_zeroize( void *buf, size_t len ) void mbedtls_platform_memset( void *ptr, int value, size_t num ) { /* Randomize start offset. */ - size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); + size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize data */ - size_t data = ( size_t ) mbedtls_platform_random_in_range( 0xff ); + size_t data = (size_t) mbedtls_platform_random_in_range( 0xff ); /* Perform a pair of memset operations from random locations with * random data */ - memset( ( void * ) ( ( unsigned char * ) ptr + startOffset ), value, - ( num - startOffset ) ); - memset( ( void * ) ptr, data, startOffset ); + memset( (void *) ( (unsigned char *) ptr + start_offset ), value, + ( num - start_offset ) ); + memset( (void *) ptr, data, start_offset ); /* Perform the original memset */ memset( ptr, value, num ); @@ -99,15 +99,15 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) { /* Randomize start offset. */ - size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); + size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize initial data to prevent leakage while copying */ - size_t data = ( size_t ) mbedtls_platform_random_in_range( 0xff ); + size_t data = (size_t) mbedtls_platform_random_in_range( 0xff ); - memset( ( void * ) dst, data, num ); - memcpy( ( void * ) ( ( unsigned char * ) dst + startOffset ), - ( void * ) ( ( unsigned char * ) src + startOffset ), - ( num - startOffset ) ); - memcpy( ( void * ) dst, ( void * ) src, startOffset ); + memset( (void *) dst, data, num ); + memcpy( (void *) ( (unsigned char *) dst + start_offset ), + (void *) ( (unsigned char *) src + start_offset ), + ( num - start_offset ) ); + memcpy( (void *) dst, (void *) src, start_offset ); } int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) @@ -116,18 +116,18 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) size_t i = num; - size_t startOffset = ( size_t ) mbedtls_platform_random_in_range( num ); + size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); - for( i = startOffset; i < num; i++ ) + for( i = start_offset; i < num; i++ ) { - equal += ( ( ( unsigned char * ) buf1 )[i] == - ( ( unsigned char * ) buf2 )[i] ); + equal += ( ( (unsigned char *) buf1 )[i] == + ( (unsigned char *) buf2 )[i] ); } - for( i = 0; i < startOffset; i++ ) + for( i = 0; i < start_offset; i++ ) { - equal += ( ( ( unsigned char * ) buf1 )[i] == - ( ( unsigned char * ) buf2 )[i] ); + equal += ( ( (unsigned char *) buf1 )[i] == + ( (unsigned char *) buf2 )[i] ); } if ( equal == num ) From f5ebe2a7ce7d9806e6b3f239d3ed6729196aa38d Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 08:23:11 +0300 Subject: [PATCH 09/22] Make RNG exclude the given maximum value The RNG will give numbers in range of [0, num), so that the given maximum is excluded. --- include/mbedtls/platform_util.h | 5 +++-- library/platform_util.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index b6c50d574..a4fcf31d2 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -225,8 +225,9 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); * cryptographically secure RNG, but provide an RNG for utility * functions. * - * \param num Max-value for the generated random number. - * + * \param num Max-value for the generated random number, exclusive. + * The generated number will be on range [0, num). + * \return The generated random number. */ uint32_t mbedtls_platform_random_in_range( size_t num ); diff --git a/library/platform_util.c b/library/platform_util.c index 13179216c..f01103283 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -84,7 +84,7 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize data */ - size_t data = (size_t) mbedtls_platform_random_in_range( 0xff ); + size_t data = (size_t) mbedtls_platform_random_in_range( 256 ); /* Perform a pair of memset operations from random locations with * random data */ @@ -101,7 +101,7 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize initial data to prevent leakage while copying */ - size_t data = (size_t) mbedtls_platform_random_in_range( 0xff ); + size_t data = (size_t) mbedtls_platform_random_in_range( 256 ); memset( (void *) dst, data, num ); memcpy( (void *) ( (unsigned char *) dst + start_offset ), From 32db9384636c0bea6a39e4dcab72377c9bfd7778 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 08:25:57 +0300 Subject: [PATCH 10/22] Fix buffer initalisation Initialise the buffer tail with random data instead of given value. --- library/platform_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/platform_util.c b/library/platform_util.c index f01103283..0eaca8304 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -88,7 +88,7 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) /* Perform a pair of memset operations from random locations with * random data */ - memset( (void *) ( (unsigned char *) ptr + start_offset ), value, + memset( (void *) ( (unsigned char *) ptr + start_offset ), data, ( num - start_offset ) ); memset( (void *) ptr, data, start_offset ); From 7cb902737bb4bb96e5f7c396db79d1b85b9bfbaf Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 08:32:51 +0300 Subject: [PATCH 11/22] Use bitwise comparison in memcmp It is safer than == operator. --- library/platform_util.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/library/platform_util.c b/library/platform_util.c index 0eaca8304..78f8e56f3 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -112,7 +112,9 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) { - volatile unsigned int equal = 0; + volatile const unsigned char *A = (volatile const unsigned char *) buf1; + volatile const unsigned char *B = (volatile const unsigned char *) buf2; + volatile unsigned char diff = 0; size_t i = num; @@ -120,22 +122,17 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) for( i = start_offset; i < num; i++ ) { - equal += ( ( (unsigned char *) buf1 )[i] == - ( (unsigned char *) buf2 )[i] ); + unsigned char x = A[i], y = B[i]; + diff |= x ^ y; } for( i = 0; i < start_offset; i++ ) { - equal += ( ( (unsigned char *) buf1 )[i] == - ( (unsigned char *) buf2 )[i] ); + unsigned char x = A[i], y = B[i]; + diff |= x ^ y; } - if ( equal == num ) - { - return 0; - } - - return 1; + return( diff ); } #if !defined(MBEDTLS_PLATFORM_GLOBAL_RNG) From 77a0e07f807ecc91ad7284512bcf823f860c16b8 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 08:39:32 +0300 Subject: [PATCH 12/22] Add return value doxygen --- include/mbedtls/platform_util.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index a4fcf31d2..95c13e1fe 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -212,6 +212,7 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); * \param buf2 Second buffer to compare against. * \param num The length of the buffers in bytes. * + * \return 0 if the buffers were equal. */ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); @@ -227,6 +228,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); * * \param num Max-value for the generated random number, exclusive. * The generated number will be on range [0, num). + * * \return The generated random number. */ uint32_t mbedtls_platform_random_in_range( size_t num ); From a1e5054d9145db07616b3a69c5fa04ae0376df34 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 2 Oct 2019 12:44:36 +0300 Subject: [PATCH 13/22] Fix issues in CI --- include/mbedtls/platform_util.h | 2 +- library/platform_util.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 95c13e1fe..f2aeffceb 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -230,7 +230,7 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); * The generated number will be on range [0, num). * * \return The generated random number. - */ + */ uint32_t mbedtls_platform_random_in_range( size_t num ); #if defined(MBEDTLS_HAVE_TIME_DATE) diff --git a/library/platform_util.c b/library/platform_util.c index 78f8e56f3..dad83762f 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -84,7 +84,7 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize data */ - size_t data = (size_t) mbedtls_platform_random_in_range( 256 ); + uint32_t data = mbedtls_platform_random_in_range( 256 ); /* Perform a pair of memset operations from random locations with * random data */ @@ -101,7 +101,7 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); /* Randomize initial data to prevent leakage while copying */ - size_t data = (size_t) mbedtls_platform_random_in_range( 256 ); + uint32_t data = mbedtls_platform_random_in_range( 256 ); memset( (void *) dst, data, num ); memcpy( (void *) ( (unsigned char *) dst + start_offset ), From 51f65e4b86f59c7976168eeb61dbe16bbda88356 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 2 Oct 2019 16:01:14 +0200 Subject: [PATCH 14/22] Standardize prototypes of platform_memcpy/memset As replacements of standard library functions, they should have the same prototype, including return type. While it doesn't usually matter when used directly, it does when the address of the function is taken, as done with memset_func, used for implementing mbedtls_platform_zeroize(). --- include/mbedtls/platform_util.h | 6 ++++-- library/platform_util.c | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index f2aeffceb..67a7877eb 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -178,8 +178,9 @@ void mbedtls_platform_zeroize( void *buf, size_t len ); * \param value Value to be used when setting the buffer. * \param num The length of the buffer in bytes. * + * \return The value of \p ptr. */ -void mbedtls_platform_memset( void *ptr, int value, size_t num ); +void *mbedtls_platform_memset( void *ptr, int value, size_t num ); /** * \brief Secure memcpy @@ -195,8 +196,9 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ); * \param src Source buffer where the data is being copied from. * \param num The length of the buffers in bytes. * + * \return The value of \p dst. */ -void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); +void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); /** * \brief Secure memcmp diff --git a/library/platform_util.c b/library/platform_util.c index dad83762f..349146d48 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -79,7 +79,7 @@ void mbedtls_platform_zeroize( void *buf, size_t len ) } #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ -void mbedtls_platform_memset( void *ptr, int value, size_t num ) +void *mbedtls_platform_memset( void *ptr, int value, size_t num ) { /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); @@ -93,10 +93,10 @@ void mbedtls_platform_memset( void *ptr, int value, size_t num ) memset( (void *) ptr, data, start_offset ); /* Perform the original memset */ - memset( ptr, value, num ); + return( memset( ptr, value, num ) ); } -void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) +void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) { /* Randomize start offset. */ size_t start_offset = (size_t) mbedtls_platform_random_in_range( num ); @@ -107,7 +107,7 @@ void mbedtls_platform_memcpy( void *dst, const void *src, size_t num ) memcpy( (void *) ( (unsigned char *) dst + start_offset ), (void *) ( (unsigned char *) src + start_offset ), ( num - start_offset ) ); - memcpy( (void *) dst, (void *) src, start_offset ); + return( memcpy( (void *) dst, (void *) src, start_offset ) ); } int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) From e29e8a49b84f4dc8c15c51107fa87f5241344350 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Thu, 3 Oct 2019 11:06:35 +0300 Subject: [PATCH 15/22] Use MBEDTLS_ENTROPY_HARDWARE_ALT Use MBEDTLS_ENTROPY_HARDWARE_ALT instead of a new global RNG flag. When this flag is enabled, the platform provides the RNG. When running unit tests, rnd_std_rand should be used by overriding the mbedtls_hardware_poll. --- include/mbedtls/config.h | 8 -------- library/platform_util.c | 15 +++++++++++++-- programs/ssl/query_config.c | 8 -------- 3 files changed, 13 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 965efffcb..1a057a4af 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3683,14 +3683,6 @@ */ //#define MBEDTLS_PLATFORM_GMTIME_R_ALT -/** - * Uncomment the macro to let Mbed TLS use a platform implementation of - * global RNG. - * - * By default the global RNG function will be a no-op. - */ -//#define MBEDTLS_PLATFORM_GLOBAL_RNG - /* \} name SECTION: Customisation configuration options */ /** diff --git a/library/platform_util.c b/library/platform_util.c index 349146d48..6ba4112fb 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -38,6 +38,10 @@ #include "mbedtls/platform.h" #include "mbedtls/threading.h" +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +#include "mbedtls/entropy_poll.h" +#endif + #include #include @@ -135,13 +139,20 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ) return( diff ); } -#if !defined(MBEDTLS_PLATFORM_GLOBAL_RNG) uint32_t mbedtls_platform_random_in_range( size_t num ) { +#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) (void) num; return 0; +#else + uint32_t result = 0; + size_t olen = 0; + + mbedtls_hardware_poll( NULL, (unsigned char *) &result, sizeof( result ), + &olen ); + return( result % num ); +#endif } -#endif /* !MBEDTLS_PLATFORM_GLOBAL_RNG */ #if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT) #include diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index f78592141..0c2692179 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -2666,14 +2666,6 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */ -#if defined(MBEDTLS_PLATFORM_GLOBAL_RNG) - if( strcmp( "MBEDTLS_PLATFORM_GLOBAL_RNG", config ) == 0 ) - { - MACRO_EXPANSION_TO_STR( MBEDTLS_PLATFORM_GLOBAL_RNG ); - return( 0 ); - } -#endif /* MBEDTLS_PLATFORM_GLOBAL_RNG */ - #if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 ) { From 436d18dcaa1d34d9508be7242d4e0ca7398bbfe0 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Thu, 3 Oct 2019 11:46:30 +0300 Subject: [PATCH 16/22] Prevent a 0-modulus If given range for a random is [0, 0), return 0. Modulus 0 is undefined behaviour. --- library/platform_util.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/library/platform_util.c b/library/platform_util.c index 6ba4112fb..9461a9c73 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -150,7 +150,17 @@ uint32_t mbedtls_platform_random_in_range( size_t num ) mbedtls_hardware_poll( NULL, (unsigned char *) &result, sizeof( result ), &olen ); - return( result % num ); + + if( num == 0 ) + { + result = 0; + } + else + { + result %= num; + } + + return( result ); #endif } From 39a9d40f842a8a9c9314d33901c23aa78c64e03b Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Thu, 3 Oct 2019 13:36:06 +0300 Subject: [PATCH 17/22] Update documentation for the RNG-function --- include/mbedtls/platform_util.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 67a7877eb..35e39768c 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -219,7 +219,7 @@ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); /** - * \brief A global RNG-function + * \brief RNG-function for getting a random in given range. * * This function is meant to provide a global RNG to be used * throughout Mbed TLS for hardening the library. It is used @@ -228,6 +228,12 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num ); * cryptographically secure RNG, but provide an RNG for utility * functions. * + * \note Currently the function is dependent of hardware providing an + * rng with MBEDTLS_ENTROPY_HARDWARE_ALT. By default, 0 is + * returned. + * + * \note If the given range is [0, 0), 0 is returned. + * * \param num Max-value for the generated random number, exclusive. * The generated number will be on range [0, num). * From f098b26b83649e940fe303750cca91f1fca83632 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 4 Oct 2019 12:51:45 +0300 Subject: [PATCH 18/22] Add rng for the test suites --- tests/suites/helpers.function | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 6ead2d349..43426f5ae 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -561,6 +561,16 @@ static int uecc_rng_wrapper( uint8_t *dest, unsigned int size ) } #endif /* MBEDTLS_USE_TINYCRYPT */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + (void) data; + *olen = len; + return( rnd_std_rand( NULL, output, len ) ); +} +#endif + /** * This function only returns zeros * From 642596e931036fd51d9e1546146b8ad2425041de Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 4 Oct 2019 12:52:42 +0300 Subject: [PATCH 19/22] Adapt the example programs Adapt the example programs if MBEDTLS_ENTROPY_HARDWARE_ALT is defined. --- programs/aes/aescrypt2.c | 12 ++++++++++++ programs/aes/crypt_and_hash.c | 12 ++++++++++++ programs/hash/generic_sum.c | 12 ++++++++++++ programs/hash/hello.c | 12 ++++++++++++ programs/pkey/dh_client.c | 12 ++++++++++++ programs/pkey/dh_genprime.c | 12 ++++++++++++ programs/pkey/dh_server.c | 12 ++++++++++++ programs/pkey/ecdsa.c | 12 ++++++++++++ programs/pkey/gen_key.c | 12 ++++++++++++ programs/pkey/key_app.c | 12 ++++++++++++ programs/pkey/key_app_writer.c | 12 ++++++++++++ programs/pkey/mpi_demo.c | 12 ++++++++++++ programs/pkey/pk_decrypt.c | 12 ++++++++++++ programs/pkey/pk_encrypt.c | 12 ++++++++++++ programs/pkey/pk_sign.c | 12 ++++++++++++ programs/pkey/pk_verify.c | 12 ++++++++++++ programs/pkey/rsa_decrypt.c | 12 ++++++++++++ programs/pkey/rsa_encrypt.c | 12 ++++++++++++ programs/pkey/rsa_genkey.c | 12 ++++++++++++ programs/pkey/rsa_sign.c | 12 ++++++++++++ programs/pkey/rsa_sign_pss.c | 12 ++++++++++++ programs/pkey/rsa_verify.c | 12 ++++++++++++ programs/pkey/rsa_verify_pss.c | 12 ++++++++++++ programs/random/gen_entropy.c | 12 ++++++++++++ programs/random/gen_random_ctr_drbg.c | 12 ++++++++++++ programs/ssl/dtls_client.c | 13 +++++++++++++ programs/ssl/dtls_server.c | 13 +++++++++++++ programs/ssl/mini_client.c | 13 +++++++++++++ programs/ssl/ssl_client1.c | 13 +++++++++++++ programs/ssl/ssl_client2.c | 13 +++++++++++++ programs/ssl/ssl_fork_server.c | 13 +++++++++++++ programs/ssl/ssl_mail_client.c | 13 +++++++++++++ programs/ssl/ssl_server.c | 13 +++++++++++++ programs/ssl/ssl_server2.c | 13 +++++++++++++ programs/test/benchmark.c | 12 ++++++++++++ programs/test/selftest.c | 13 +++++++++++++ programs/test/zeroize.c | 13 +++++++++++++ programs/x509/cert_app.c | 13 +++++++++++++ programs/x509/cert_req.c | 13 +++++++++++++ programs/x509/cert_write.c | 13 +++++++++++++ programs/x509/crl_app.c | 13 +++++++++++++ programs/x509/req_app.c | 13 +++++++++++++ 42 files changed, 520 insertions(+) diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c index 8242ea7c9..70f0a1eaf 100644 --- a/programs/aes/aescrypt2.c +++ b/programs/aes/aescrypt2.c @@ -80,6 +80,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index 8d671abf2..f9cf6b2bb 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -82,6 +82,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/hash/generic_sum.c b/programs/hash/generic_sum.c index ed5357f08..d154e5956 100644 --- a/programs/hash/generic_sum.c +++ b/programs/hash/generic_sum.c @@ -52,6 +52,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif static int generic_wrapper( mbedtls_md_handle_t md_info, char *filename, unsigned char *sum ) { diff --git a/programs/hash/hello.c b/programs/hash/hello.c index 55a0c7e74..7e3b20e26 100644 --- a/programs/hash/hello.c +++ b/programs/hash/hello.c @@ -48,6 +48,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( void ) { diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 86b260ca0..12f4de704 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -72,6 +72,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( void ) { diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c index bf5482ed0..8431ae6d1 100644 --- a/programs/pkey/dh_genprime.c +++ b/programs/pkey/dh_genprime.c @@ -69,6 +69,18 @@ int main( void ) */ #define GENERATOR "4" +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char **argv ) { diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index c01177485..78efba17b 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -72,6 +72,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( void ) { diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c index b851c3173..4cde07056 100644 --- a/programs/pkey/ecdsa.c +++ b/programs/pkey/ecdsa.c @@ -100,6 +100,18 @@ static void dump_pubkey( const char *title, mbedtls_ecdsa_context *key ) #define dump_pubkey( a, b ) #endif +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 23e4e145c..8fcfeb4d7 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -137,6 +137,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif /* * global options diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c index 793930991..a106dbb19 100644 --- a/programs/pkey/key_app.c +++ b/programs/pkey/key_app.c @@ -74,6 +74,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif /* * global options diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c index 16dd1b6a2..315810d96 100644 --- a/programs/pkey/key_app_writer.c +++ b/programs/pkey/key_app_writer.c @@ -99,6 +99,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif /* * global options diff --git a/programs/pkey/mpi_demo.c b/programs/pkey/mpi_demo.c index ecdcd329a..2ae441ca3 100644 --- a/programs/pkey/mpi_demo.c +++ b/programs/pkey/mpi_demo.c @@ -50,6 +50,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( void ) { diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c index bf425079e..19ec2dac1 100644 --- a/programs/pkey/pk_decrypt.c +++ b/programs/pkey/pk_decrypt.c @@ -60,6 +60,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c index a32b14761..4ab2cac62 100644 --- a/programs/pkey/pk_encrypt.c +++ b/programs/pkey/pk_encrypt.c @@ -61,6 +61,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index ba4f779c8..84a613b94 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -61,6 +61,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif /* * For the currently used signature algorithms the buffer to store any signature diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c index f80bf640e..ccfc149fc 100644 --- a/programs/pkey/pk_verify.c +++ b/programs/pkey/pk_verify.c @@ -57,6 +57,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index ff71bd055..cde5f2468 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -59,6 +59,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index 4a71c15dd..721057879 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -59,6 +59,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index d556c1902..a8d5f05af 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -64,6 +64,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( void ) { diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index 9bcd7a627..4db052881 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -56,6 +56,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 42209e27c..2e25163d8 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -60,6 +60,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 94f0ef9ce..73f547344 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -55,6 +55,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 148cd5110..27533a806 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -60,6 +60,18 @@ int main( void ) #include #include +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/random/gen_entropy.c b/programs/random/gen_entropy.c index 6ae63b725..f2596f92b 100644 --- a/programs/random/gen_entropy.c +++ b/programs/random/gen_entropy.c @@ -51,6 +51,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/random/gen_random_ctr_drbg.c b/programs/random/gen_random_ctr_drbg.c index 59df34b66..4fc8086d5 100644 --- a/programs/random/gen_random_ctr_drbg.c +++ b/programs/random/gen_random_ctr_drbg.c @@ -54,6 +54,18 @@ int main( void ) } #else +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index b31090f13..336d6958c 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -109,6 +109,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret, len; diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 1dddf8e1f..8190f1e52 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -118,6 +118,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( void ) { int ret, len; diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 7d868549a..3d15c6004 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -180,6 +180,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( void ) { int ret = exit_ok; diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 9922a7e32..1ab2e10c6 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -99,6 +99,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( void ) { int ret = 1, len; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1a07c9dea..e470f3bc9 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -925,6 +925,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, i, written, frags, retry_left; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 7033b86ce..e9c220c29 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -116,6 +116,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( void ) { int ret = 1, len, cnt = 0, pid; diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 24000a2ed..6e728dce7 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -375,6 +375,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1, len; diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index e13af918f..0ad63b107 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -111,6 +111,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( void ) { int ret, len; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c0476dc59..0470bf32f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1536,6 +1536,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 88e3290d0..9c6aafb4f 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -258,6 +258,18 @@ typedef struct { rsa, dhm, ecdsa, ecdh; } todo_list; +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif int main( int argc, char *argv[] ) { diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 727054ee6..82f08fa1b 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -279,6 +279,19 @@ const selftest_t selftests[] = }; #endif /* MBEDTLS_SELF_TEST */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { #if defined(MBEDTLS_SELF_TEST) diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c index 29cc0ac3c..6e7db4e54 100644 --- a/programs/test/zeroize.c +++ b/programs/test/zeroize.c @@ -59,6 +59,19 @@ void usage( void ) mbedtls_printf( " zeroize \n" ); } +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char** argv ) { int exit_code = MBEDTLS_EXIT_FAILURE; diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index b82f83f8f..bdc20172c 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -165,6 +165,19 @@ int rng_wrap( void *ctx, unsigned char *dst, size_t len ) } #endif /* MBEDTLS_SSL_CONF_RNG */ +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1; diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index f3d915750..33e4078db 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -154,6 +154,19 @@ int write_certificate_request( mbedtls_x509write_csr *req, const char *output_fi return( 0 ); } +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1; diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index ef40447be..a0ef2dd8f 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -214,6 +214,19 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file, return( 0 ); } +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1; diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c index fc2218800..87793f7fb 100644 --- a/programs/x509/crl_app.c +++ b/programs/x509/crl_app.c @@ -72,6 +72,19 @@ struct options const char *filename; /* filename of the certificate file */ } opt; +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1; diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c index ed8015574..ddde3f66c 100644 --- a/programs/x509/req_app.c +++ b/programs/x509/req_app.c @@ -72,6 +72,19 @@ struct options const char *filename; /* filename of the certificate request */ } opt; +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif + int main( int argc, char *argv[] ) { int ret = 1; From 990135eb4e9938422e33561ae8c166cd2f1e5b69 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 4 Oct 2019 13:09:10 +0300 Subject: [PATCH 20/22] Add all.sh entry --- tests/scripts/all.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 817c60e6d..373da8af8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1561,6 +1561,16 @@ component_test_baremetal () { if_build_succeeded tests/ssl-opt.sh --filter "^Default, DTLS$" } +component_test_hardware_entropy () { + msg "build: default config + MBEDTLS_ENTROPY_HARDWARE_ALT" + scripts/config.pl set MBEDTLS_ENTROPY_HARDWARE_ALT + make CFLAGS='-Werror -O1' + + msg "test: default config + MBEDTLS_ENTROPY_HARDWARE_ALT" + if_build_succeeded make test + if_build_succeeded tests/ssl-opt.sh --filter "^Default, DTLS$" +} + component_test_allow_sha1 () { msg "build: allow SHA1 in certificates by default" scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES From 1881ef53b746021b4c449cb2ba56111f6d9f107a Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 4 Oct 2019 15:02:57 +0300 Subject: [PATCH 21/22] Move the definition of function in zeroize There is a static dependency in the test system for this file. To prevent the issue from happening, move the definition to the end of file so that the last return in the main remains in the same line. --- programs/test/zeroize.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/programs/test/zeroize.c b/programs/test/zeroize.c index 6e7db4e54..54f7c628d 100644 --- a/programs/test/zeroize.c +++ b/programs/test/zeroize.c @@ -59,19 +59,6 @@ void usage( void ) mbedtls_printf( " zeroize \n" ); } -#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) -int mbedtls_hardware_poll( void *data, unsigned char *output, - size_t len, size_t *olen ) -{ - size_t i; - (void) data; - for( i = 0; i < len; ++i ) - output[i] = rand(); - *olen = len; - return( 0 ); -} -#endif - int main( int argc, char** argv ) { int exit_code = MBEDTLS_EXIT_FAILURE; @@ -112,3 +99,16 @@ int main( int argc, char** argv ) return( exit_code ); } + +#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) +int mbedtls_hardware_poll( void *data, unsigned char *output, + size_t len, size_t *olen ) +{ + size_t i; + (void) data; + for( i = 0; i < len; ++i ) + output[i] = rand(); + *olen = len; + return( 0 ); +} +#endif From c4315e6d5e73320dffadeccfa4837ca83dd778a2 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Fri, 4 Oct 2019 15:42:39 +0300 Subject: [PATCH 22/22] Address review comments for documentation --- include/mbedtls/platform_util.h | 35 +++++++++++++++------------------ 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/platform_util.h b/include/mbedtls/platform_util.h index 35e39768c..586f0d9ee 100644 --- a/include/mbedtls/platform_util.h +++ b/include/mbedtls/platform_util.h @@ -167,12 +167,11 @@ void mbedtls_platform_zeroize( void *buf, size_t len ); /** * \brief Secure memset * - * This function is meant to provide a more secure way to do - * memset. It starts by initialising the given memory area - * from random tail location with random data. After tail is - * initialised, the remaining head of the buffer is initialised - * with random data. After initialisation, the original memset - * is performed + * This is a constant-time version of memset(). If + * MBEDTLS_ENTROPY_HARDWARE_ALT is defined, the buffer is + * initialised with random data and the order is also + * randomised using the hardware RNG in order to further harden + * against side-channel attacks. * * \param ptr Buffer to be set. * \param value Value to be used when setting the buffer. @@ -185,12 +184,11 @@ void *mbedtls_platform_memset( void *ptr, int value, size_t num ); /** * \brief Secure memcpy * - * This function is meant to provide a more secure way to do - * memcpy. It starts by initialising the given memory area - * with random data. After initialisation, the original memcpy - * is performed by starting first copying from random tail - * location of the buffer. After tail has been copied, the - * remaining head is copied as well. + * This is a constant-time version of memcpy(). If + * MBEDTLS_ENTROPY_HARDWARE_ALT is defined, the buffer is + * initialised with random data and the order is also + * randomised using the hardware RNG in order to further harden + * against side-channel attacks. * * \param dst Destination buffer where the data is being copied to. * \param src Source buffer where the data is being copied from. @@ -203,18 +201,17 @@ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num ); /** * \brief Secure memcmp * - * This function is meant to provide a more secure way to do - * memcmp. It starts comparing from a random offset and goes - * through the tail part of buffers first byte by byte. After - * that it starts going through the head part of buffer. In the - * end, the number of equal bytes is compared to the length of the - * buffers, thus making the function a fixed time memcmp. + * This is a constant-time version of memcmp(). If + * MBEDTLS_ENTROPY_HARDWARE_ALT is defined, the order is also + * randomised using the hardware RNG in order to further harden + * against side-channel attacks. * * \param buf1 First buffer to compare. * \param buf2 Second buffer to compare against. * \param num The length of the buffers in bytes. * - * \return 0 if the buffers were equal. + * \return 0 if the buffers were equal or an unspecified non-zero value + * otherwise. */ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num );