yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 18:15:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

SSL test programs: support HMAC_DRBG

Browse Source 
Support HMAC_DRBG in ssl_client2 and ssl_server2, in addition to
CTR_DRBG. CTR_DRBG is still used if present, but it's now possible to
run the SSL test programs with CTR_DRBG disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2021-01-13 20:02:03 +01:00
parent 535fb37870
commit ba74904c48
3 changed files with 63 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
programs/ssl/ssl_test_lib.c
View File

@ -63,7 +63,14 @@ static int dummy_entropy( void *data, unsigned char *output, size_t len )
void rng_init( rng_context_t *rng )
{
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init( &rng->drbg );
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_init( &rng->drbg );
#else
#error "No DRBG available"
#endif
mbedtls_entropy_init( &rng->entropy );
}
@ -75,10 +82,28 @@ int rng_seed( rng_context_t *rng, int reproducible, const char *pers )
if ( reproducible )
srand( 1 );
#if defined(MBEDTLS_CTR_DRBG_C)
int ret = mbedtls_ctr_drbg_seed( &rng->drbg,
f_entropy, &rng->entropy,
(const unsigned char *) pers,
strlen( pers ) );
#elif defined(MBEDTLS_HMAC_DRBG_C)
#if defined(MBEDTLS_SHA256_C)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA256;
#elif defined(MBEDTLS_SHA512_C)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA512;
#else
#error "No message digest available for HMAC_DRBG"
#endif
int ret = mbedtls_hmac_drbg_seed( &rng->drbg,
mbedtls_md_info_from_type( md_type ),
f_entropy, &rng->entropy,
(const unsigned char *) pers,
strlen( pers ) );
#else
#error "No DRBG available"
#endif
if( ret != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n",
@ -91,14 +116,27 @@ int rng_seed( rng_context_t *rng, int reproducible, const char *pers )
void rng_free( rng_context_t *rng )
{
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free( &rng->drbg );
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_free( &rng->drbg );
#else
#error "No DRBG available"
#endif
mbedtls_entropy_free( &rng->entropy );
}
int rng_get( void *p_rng, unsigned char *output, size_t output_len )
{
rng_context_t *rng = p_rng;
#if defined(MBEDTLS_CTR_DRBG_C)
return( mbedtls_ctr_drbg_random( &rng->drbg, output, output_len ) );
#elif defined(MBEDTLS_HMAC_DRBG_C)
return( mbedtls_hmac_drbg_random( &rng->drbg, output, output_len ) );
#else
#error "No DRBG available"
#endif
}
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)

16
programs/ssl/ssl_test_lib.h
View File

@ -43,17 +43,20 @@
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif
#if !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_ENTROPY_C) || \
#if !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_SSL_TLS_C) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
#define MBEDTLS_SSL_TEST_IMPOSSIBLE \
"MBEDTLS_CTR_DRBG_C and/or " \
"MBEDTLS_ENTROPY_C and/or " \
"MBEDTLS_NET_C and/or " \
"MBEDTLS_SSL_TLS_C not defined, " \
"and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined.\n"
#elif !( defined(MBEDTLS_CTR_DRBG_C) || \
defined(MBEDTLS_HMAC_DRBG_C) && ( defined(MBEDTLS_SHA256_C) || \
defined(MBEDTLS_SHA512_C) ) )
#define MBEDTLS_SSL_TEST_IMPOSSIBLE \
"Neither MBEDTLS_CTR_DRBG_C, nor MBEDTLS_HMAC_DRBG_C and a supported hash defined.\n"
#else
#undef MBEDTLS_SSL_TEST_IMPOSSIBLE
@ -65,6 +68,7 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
@ -131,7 +135,13 @@ mbedtls_time_t dummy_constant_time( mbedtls_time_t* time );
typedef struct
{
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context drbg;
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_context drbg;
#else
#error "No DRBG available"
#endif
} rng_context_t;
/** Initialize the RNG.

16
tests/scripts/all.sh
View File

@ -919,10 +919,17 @@ component_test_no_ctr_drbg () {
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: no CTR_DRBG"
msg "test: Full minus CTR_DRBG - main suites"
make test
# no ssl-opt.sh/compat.sh as they all depend on CTR_DRBG so far
# In this configuration, the TLS test programs use HMAC_DRBG.
# The SSL tests are slow, so run a small subset, just enough to get
# confidence that the SSL code copes with HMAC_DRBG.
msg "test: Full minus CTR_DRBG - ssl-opt.sh (subset)"
if_build_succeeded tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server'
msg "test: Full minus CTR_DRBG - compat.sh (subset)"
if_build_succeeded tests/compat.sh -m tls1_2 -t 'ECDSA PSK' -V NO -p OpenSSL
}
component_test_no_hmac_drbg () {
@ -954,7 +961,7 @@ component_test_psa_external_rng_no_drbg () {
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG"
make test
# No ssl-opt.sh/compat.sh because they require CTR_DRBG.
# no SSL tests as they all depend on having a DRBG
}
component_test_psa_external_rng_use_psa_crypto () {
@ -968,7 +975,8 @@ component_test_psa_external_rng_use_psa_crypto () {
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
make test
# No ssl-opt.sh/compat.sh because they require CTR_DRBG.
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
if_build_succeeded tests/ssl-opt.sh -f 'Default\|opaque'
}
component_test_ecp_no_internal_rng () {