Commit 684215aa authored by Greg Zaverucha's avatar Greg Zaverucha Committed by Phil Coval

[IOT-1619, IOT-1620] DRBG prediction resistance and init

Enable prediction resistance in the mbedtls DRBG.
Use a static personalization string when initializing the DRBG on all
platforms.

Change-Id: I49f14e395d4ce4e17d832aa9c94717dda066c45e
Signed-off-by: default avatarGreg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/15171Tested-by: default avatarjenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Randeep's avatarRandeep Singh <randeep.s@samsung.com>
Reviewed-by: default avatarKevin Kane <kkane@microsoft.com>
Bug: https://jira.iotivity.org/browse/IOT-1684Signed-off-by: default avatarPhilippe Coval <philippe.coval@osg.samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/15857Reviewed-by: default avatarDmitriy Zhuravlev <d.zhuravlev@samsung.com>
Reviewed-by: George Nash's avatarGeorge Nash <george.nash@intel.com>
Reviewed-by: default avatarChul Lee <chuls.lee@samsung.com>
Reviewed-by: default avatarNivedita Singhvi <niveditasinghvi@gmail.com>
parent cbf1ccad
......@@ -69,11 +69,11 @@
* @brief mbedTLS version string length
*/
#define MBED_TLS_VERSION_LEN (16)
/**
* @def SEED
* @brief Seed for initialization RNG
/**
* @def PERSONALIZATION_STRING
* @brief Personalization string for the mbedtls RNG
*/
#define SEED "IOTIVITY_RND"
#define PERSONALIZATION_STRING "IOTIVITY_RND"
/**
* @def UUID_PREFIX
* @brief uuid prefix in certificate subject field
......@@ -1378,39 +1378,16 @@ CAResult_t CAinitSslAdapter()
mbedtls_entropy_init(&g_caSslContext->entropy);
mbedtls_ctr_drbg_init(&g_caSslContext->rnd);
#ifdef __unix__
unsigned char seed[sizeof(SEED)] = {0};
int urandomFd = -2;
urandomFd = open("/dev/urandom", O_RDONLY);
if(urandomFd == -1)
{
OIC_LOG(ERROR, NET_SSL_TAG, "Fails open /dev/urandom!");
oc_mutex_unlock(g_sslContextMutex);
CAdeinitSslAdapter();
return CA_STATUS_FAILED;
}
if(0 > read(urandomFd, seed, sizeof(seed)))
{
OIC_LOG(ERROR, NET_SSL_TAG, "Fails read from /dev/urandom!");
close(urandomFd);
oc_mutex_unlock(g_sslContextMutex);
CAdeinitSslAdapter();
return CA_STATUS_FAILED;
}
close(urandomFd);
#else
unsigned char * seed = (unsigned char*) SEED;
#endif
if(0 != mbedtls_ctr_drbg_seed(&g_caSslContext->rnd, mbedtls_entropy_func,
&g_caSslContext->entropy, seed, sizeof(SEED)))
&g_caSslContext->entropy,
(const unsigned char*) PERSONALIZATION_STRING, sizeof(PERSONALIZATION_STRING)))
{
OIC_LOG(ERROR, NET_SSL_TAG, "Seed initialization failed!");
oc_mutex_unlock(g_sslContextMutex);
CAdeinitSslAdapter();
return CA_STATUS_FAILED;
}
mbedtls_ctr_drbg_set_prediction_resistance(&g_caSslContext->rnd, MBEDTLS_CTR_DRBG_PR_OFF);
mbedtls_ctr_drbg_set_prediction_resistance(&g_caSslContext->rnd, MBEDTLS_CTR_DRBG_PR_ON);
#ifdef __WITH_TLS__
if (0 != InitConfig(&g_caSslContext->clientTlsConf,
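Review bot: Enabling prediction resistance on `g_caSslContext->rnd` makes every `mbedtls_ctr_drbg_random` call reseed from `mbedtls_entropy_func` before producing output, so a slow or failing entropy source on a given platform now shows up as per-call latency or an error return during TLS operations rather than as a one-time cost at init, and nothing in the hunk records that trade-off; a comment on the `MBEDTLS_CTR_DRBG_PR_ON` line such as `// PR_ON: each random() call reseeds from the entropy pool, so entropy failures surface at use time` would help the next maintainer. `sizeof(PERSONALIZATION_STRING)` also feeds the trailing NUL into the personalization data; harmless, but `sizeof(PERSONALIZATION_STRING) - 1` states the intent, and the same choice appears at the two call sites in the other file of this commit. CAinitSslAdapter continues past the end of the hunk.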
......@@ -62,11 +62,10 @@ static OCByteString g_privateKey = {0, 0};
#define MAX_STRING_LEN 254
/**
* @def SEED
* @brief Seed for initialization RNG
* @def PERSONALIZATION_STRING
* @brief Personalization string for the mbedtls RNG
*/
#define SEED "IOTIVITY_RND"
#define PERSONALIZATION_STRING "IOTIVITY_RND"
typedef struct
{
......@@ -111,40 +110,17 @@ static int ecdsaGenKeypair(mbedtls_pk_context * pk)
VERIFY_NON_NULL_RET(pk, TAG, "Param pk is NULL", -1);
// Entropy seeding
#ifdef __unix__
unsigned char seed[sizeof(SEED)] = {0};
int urandomFd = -2;
urandomFd = open("/dev/urandom", O_RDONLY);
if(urandomFd == -1)
{
OIC_LOG(ERROR, TAG, "Fails open /dev/urandom!");
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
if(0 > read(urandomFd, seed, sizeof(seed)))
{
OIC_LOG(ERROR, TAG, "Fails read from /dev/urandom!");
close(urandomFd);
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
close(urandomFd);
#else
unsigned char * seed = (unsigned char*) SEED;
#endif
// Initialize and seed DRBG context
// Initialize the DRBG context
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
if (0 != mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, seed, sizeof(SEED)))
&entropy, PERSONALIZATION_STRING, sizeof(PERSONALIZATION_STRING)))
{
OIC_LOG(ERROR, TAG, "Seed initialization failed!");
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, MBEDTLS_CTR_DRBG_PR_OFF);
mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON);
// Initialize l context
mbedtls_pk_init(pk);
if (0 > mbedtls_pk_setup(pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)))
......@@ -232,40 +208,17 @@ static int GenerateCSR(char *subject, OCByteString *csr)
return -1;
}
// Entropy seeding
#ifdef __unix__
unsigned char seed[sizeof(SEED)] = {0};
int urandomFd = -2;
urandomFd = open("/dev/urandom", O_RDONLY);
if(urandomFd == -1)
{
OIC_LOG(ERROR, TAG, "Fails open /dev/urandom!");
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
if(0 > read(urandomFd, seed, sizeof(seed)))
{
OIC_LOG(ERROR, TAG, "Fails read from /dev/urandom!");
close(urandomFd);
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
close(urandomFd);
#else
unsigned char * seed = (unsigned char *) SEED;
#endif
// Initialize and seed DRBG context
// Initialize the DRBG context
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
if (0 != mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
&entropy, seed, sizeof(SEED)))
&entropy, PERSONALIZATION_STRING, sizeof(PERSONALIZATION_STRING)))
{
OIC_LOG(ERROR, TAG, "Seed initialization failed!");
OIC_LOG_V(DEBUG, TAG, "Out %s", __func__);
return -1;
}
mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, MBEDTLS_CTR_DRBG_PR_OFF);
mbedtls_ctr_drbg_set_prediction_resistance(&ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON);
// Create CSR
buf = (unsigned char *)OICMalloc(bufsize * sizeof(unsigned char));
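Review bot: `PERSONALIZATION_STRING` is passed to `mbedtls_ctr_drbg_seed` without a cast in both the ecdsaGenKeypair and GenerateCSR hunks, so a `char` string literal reaches the `const unsigned char *custom` parameter — GCC reports that under -Wpointer-sign (enabled by -Wall) and the first file in this commit does cast it; use `(const unsigned char *) PERSONALIZATION_STRING` in both places. The `// Entropy seeding` comment that opens each of those two hunks appears to survive as a context line, but the /dev/urandom block it described is gone and the next line is already `// Initialize the DRBG context`, so it should be dropped. The `Seed initialization failed!` branches still return -1 without `mbedtls_ctr_drbg_free`/`mbedtls_entropy_free` on the contexts initialized just above; that predates the commit, and whether the success path frees them is outside the hunk. Both functions continue past the end of their hunks.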