[tls] Use ANS X9.82 Approved RBG as source of random data for TLS
Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
parent
4fb60435c9
commit
75090f2abf
|
|
@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
|
|||
#include <ipxe/open.h>
|
||||
#include <ipxe/asn1.h>
|
||||
#include <ipxe/x509.h>
|
||||
#include <ipxe/rbg.h>
|
||||
#include <ipxe/tls.h>
|
||||
|
||||
static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
|
||||
|
|
@ -121,12 +122,25 @@ static void tls_close ( struct tls_session *tls, int rc ) {
|
|||
/**
|
||||
* Generate random data
|
||||
*
|
||||
* @v tls TLS session
|
||||
* @v data Buffer to fill
|
||||
* @v len Length of buffer
|
||||
* @ret rc Return status code
|
||||
*/
|
||||
static void tls_generate_random ( void *data, size_t len ) {
|
||||
/* FIXME: Some real random data source would be nice... */
|
||||
memset ( data, 0x01, len );
|
||||
static int tls_generate_random ( struct tls_session *tls,
|
||||
void *data, size_t len ) {
|
||||
int rc;
|
||||
|
||||
/* Generate random bits with no additional input and without
|
||||
* prediction resistance
|
||||
*/
|
||||
if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) {
|
||||
DBGC ( tls, "TLS %p could not generate random data: %s\n",
|
||||
tls, strerror ( rc ) );
|
||||
return rc;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1782,11 +1796,14 @@ static struct process_descriptor tls_process_desc =
|
|||
|
||||
int add_tls ( struct interface *xfer, struct interface **next ) {
|
||||
struct tls_session *tls;
|
||||
int rc;
|
||||
|
||||
/* Allocate and initialise TLS structure */
|
||||
tls = malloc ( sizeof ( *tls ) );
|
||||
if ( ! tls )
|
||||
return -ENOMEM;
|
||||
if ( ! tls ) {
|
||||
rc = -ENOMEM;
|
||||
goto err_alloc;
|
||||
}
|
||||
memset ( tls, 0, sizeof ( *tls ) );
|
||||
ref_init ( &tls->refcnt, free_tls );
|
||||
intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt );
|
||||
|
|
@ -1796,11 +1813,15 @@ int add_tls ( struct interface *xfer, struct interface **next ) {
|
|||
tls_clear_cipher ( tls, &tls->rx_cipherspec );
|
||||
tls_clear_cipher ( tls, &tls->rx_cipherspec_pending );
|
||||
tls->client_random.gmt_unix_time = 0;
|
||||
tls_generate_random ( &tls->client_random.random,
|
||||
( sizeof ( tls->client_random.random ) ) );
|
||||
if ( ( rc = tls_generate_random ( tls, &tls->client_random.random,
|
||||
( sizeof ( tls->client_random.random ) ) ) ) != 0 ) {
|
||||
goto err_random;
|
||||
}
|
||||
tls->pre_master_secret.version = htons ( TLS_VERSION_TLS_1_0 );
|
||||
tls_generate_random ( &tls->pre_master_secret.random,
|
||||
( sizeof ( tls->pre_master_secret.random ) ) );
|
||||
if ( ( rc = tls_generate_random ( tls, &tls->pre_master_secret.random,
|
||||
( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) {
|
||||
goto err_random;
|
||||
}
|
||||
digest_init ( &md5_algorithm, tls->handshake_md5_ctx );
|
||||
digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx );
|
||||
process_init_stopped ( &tls->process, &tls_process_desc, &tls->refcnt );
|
||||
|
|
@ -1811,4 +1832,9 @@ int add_tls ( struct interface *xfer, struct interface **next ) {
|
|||
*next = &tls->cipherstream;
|
||||
ref_put ( &tls->refcnt );
|
||||
return 0;
|
||||
|
||||
err_random:
|
||||
ref_put ( &tls->refcnt );
|
||||
err_alloc:
|
||||
return rc;
|
||||
}
|
||||
|
|
|
|||
Reference in New Issue