Allow compile-time configuration of PRNG in SSL module

Introduces MBEDTLS_SSL_CONF_RNG to allow configuring the RNG to be used by the SSL module at compile-time. Impact on code-size: | | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23535 | 24089 | 27103 | | `libmbedtls.a` after | 23471 | 24077 | 27045 | | gain in Bytes | 64 | 12 | 58 |
2026-05-11 06:28:17 +02:00 · 2019-06-13 15:39:27 +01:00
parent 1841f84c79
commit ece325c8dd
12 changed files with 153 additions and 34 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3601,6 +3601,13 @@
 //#define MBEDTLS_SSL_CONF_CID_LEN 0
 //#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE

+/* The PRNG to use by the SSL module. If defined, this must
+ * evaluate to the name on externally defined function with signature
+ * int (*f_rng)(void *, unsigned char *, size_t),
+ * e.g. mbedtls_ctr_drbg_random or mbedtls_hmac_drbg_random.
+ */
+//#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random
+
 /* ExtendedMasterSecret extension
 * The following two options must be set/unset simultaneously. */
 //#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -902,8 +902,10 @@ struct mbedtls_ssl_config
    void (*f_dbg)(void *, int, const char *, int, const char *);
    void *p_dbg;                    /*!< context for the debug function     */

+#if !defined(MBEDTLS_SSL_CONF_RNG)
    /** Callback for getting (pseudo-)random numbers                        */
    int  (*f_rng)(void *, unsigned char *, size_t);
+#endif /* !MBEDTLS_SSL_CONF_RNG */
    void *p_rng;                    /*!< context for the RNG function       */

 #if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE)
@@ -1462,9 +1464,16 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
                     void *p_vrfy );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

+#if !defined(MBEDTLS_SSL_CONF_RNG)
 /**
 * \brief          Set the random number generator callback
 *
+ * \note           On constrained systems, the RNG can also be
+ *                 configured at compile-time via the option
+ *                 MBEDTLS_SSL_CONF_RNG. In this case, the
+ *                 \p f_rng argument in this function has no
+ *                 effect.
+ *
 * \param conf     SSL configuration
 * \param f_rng    RNG function
 * \param p_rng    RNG parameter
@@ -1472,6 +1481,16 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
                  int (*f_rng)(void *, unsigned char *, size_t),
                  void *p_rng );
+#else
+/**
+ * \brief          Set the random number generator callback context.
+ *
+ * \param conf     SSL configuration
+ * \param p_rng    RNG parameter
+ */
+void mbedtls_ssl_conf_rng_ctx( mbedtls_ssl_config *conf,
+                               void *p_rng );
+#endif

 /**
 * \brief          Set the debug callback
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1289,6 +1289,27 @@ static inline unsigned int mbedtls_ssl_conf_get_anti_replay(
 #endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */
 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */

+typedef int (*mbedtls_frng_t)( void*, unsigned char*, size_t );
+
+#if !defined(MBEDTLS_SSL_CONF_RNG)
+static inline mbedtls_frng_t mbedtls_ssl_conf_get_frng(
+    mbedtls_ssl_config const *conf )
+{
+    return( conf->f_rng );
+}
+#else /* !MBEDTLS_SSL_CONF_RNG */
+
+#define mbedtls_ssl_conf_rng_func MBEDTLS_SSL_CONF_RNG
+extern int mbedtls_ssl_conf_rng_func( void*, unsigned char*, size_t );
+
+static inline mbedtls_frng_t mbedtls_ssl_conf_get_frng(
+    mbedtls_ssl_config const *conf )
+{
+    ((void) conf);
+    return ((mbedtls_frng_t*) mbedtls_ssl_conf_rng_func);
+}
+#endif /* MBEDTLS_SSL_CONF_RNG */
+
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 static inline unsigned int mbedtls_ssl_conf_get_ems(
    mbedtls_ssl_config const *conf )