diff options
| author | Michael Brown <mcb30@ipxe.org> | 2012-02-21 11:46:48 +0000 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2012-02-21 12:42:54 +0000 |
| commit | 75090f2abf2528b73a05b299bd4cc64c7b31ed92 (patch) | |
| tree | 0e2903f3a03a53f5fc686a4d7946469b48c605d4 /src/net/tls.c | |
| parent | 4fb60435c9a4bad8a84d1176b8eac7aa3670c43a (diff) | |
| download | ipxe-75090f2abf2528b73a05b299bd4cc64c7b31ed92.tar.gz | |
[tls] Use ANS X9.82 Approved RBG as source of random data for TLS
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net/tls.c')
| -rw-r--r-- | src/net/tls.c | 44 |
1 files changed, 35 insertions, 9 deletions
diff --git a/src/net/tls.c b/src/net/tls.c index ace719c11..9acc5c3dc 100644 --- a/src/net/tls.c +++ b/src/net/tls.c @@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER ); #include <ipxe/open.h> #include <ipxe/asn1.h> #include <ipxe/x509.h> +#include <ipxe/rbg.h> #include <ipxe/tls.h> static int tls_send_plaintext ( struct tls_session *tls, unsigned int type, @@ -121,12 +122,25 @@ static void tls_close ( struct tls_session *tls, int rc ) { /** * Generate random data * + * @v tls TLS session * @v data Buffer to fill * @v len Length of buffer + * @ret rc Return status code */ -static void tls_generate_random ( void *data, size_t len ) { - /* FIXME: Some real random data source would be nice... */ - memset ( data, 0x01, len ); +static int tls_generate_random ( struct tls_session *tls, + void *data, size_t len ) { + int rc; + + /* Generate random bits with no additional input and without + * prediction resistance + */ + if ( ( rc = rbg_generate ( NULL, 0, 0, data, len ) ) != 0 ) { + DBGC ( tls, "TLS %p could not generate random data: %s\n", + tls, strerror ( rc ) ); + return rc; + } + + return 0; } /** @@ -1782,11 +1796,14 @@ static struct process_descriptor tls_process_desc = int add_tls ( struct interface *xfer, struct interface **next ) { struct tls_session *tls; + int rc; /* Allocate and initialise TLS structure */ tls = malloc ( sizeof ( *tls ) ); - if ( ! tls ) - return -ENOMEM; + if ( ! tls ) { + rc = -ENOMEM; + goto err_alloc; + } memset ( tls, 0, sizeof ( *tls ) ); ref_init ( &tls->refcnt, free_tls ); intf_init ( &tls->plainstream, &tls_plainstream_desc, &tls->refcnt ); @@ -1796,11 +1813,15 @@ int add_tls ( struct interface *xfer, struct interface **next ) { tls_clear_cipher ( tls, &tls->rx_cipherspec ); tls_clear_cipher ( tls, &tls->rx_cipherspec_pending ); tls->client_random.gmt_unix_time = 0; - tls_generate_random ( &tls->client_random.random, - ( sizeof ( tls->client_random.random ) ) ); + if ( ( rc = tls_generate_random ( tls, &tls->client_random.random, + ( sizeof ( tls->client_random.random ) ) ) ) != 0 ) { + goto err_random; + } tls->pre_master_secret.version = htons ( TLS_VERSION_TLS_1_0 ); - tls_generate_random ( &tls->pre_master_secret.random, - ( sizeof ( tls->pre_master_secret.random ) ) ); + if ( ( rc = tls_generate_random ( tls, &tls->pre_master_secret.random, + ( sizeof ( tls->pre_master_secret.random ) ) ) ) != 0 ) { + goto err_random; + } digest_init ( &md5_algorithm, tls->handshake_md5_ctx ); digest_init ( &sha1_algorithm, tls->handshake_sha1_ctx ); process_init_stopped ( &tls->process, &tls_process_desc, &tls->refcnt ); @@ -1811,4 +1832,9 @@ int add_tls ( struct interface *xfer, struct interface **next ) { *next = &tls->cipherstream; ref_put ( &tls->refcnt ); return 0; + + err_random: + ref_put ( &tls->refcnt ); + err_alloc: + return rc; } |