espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-02 18:10:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

change(wpa_supplicant): Replace use of mbedtls_ctr_drbg with esp_mbedtls_random()

Browse Source 
This way wpa_supplicant does not require ctr_drbg that saves some space
This commit is contained in:
Deomid rojer Ryabkov
2025-03-30 00:55:15 +02:00
committed by BOT
parent aa581523c9
commit f933e51ad9
5 changed files with 32 additions and 194 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c
View File

@@ -7,6 +7,7 @@
#ifdef ESP_PLATFORM
#include "esp_system.h"
#include "mbedtls/bignum.h"
#include "mbedtls/esp_random.h"
#endif
#include "utils/includes.h"
@@ -16,11 +17,6 @@
#include "sha256.h"
#include "mbedtls/pk.h"
static int crypto_rng_wrapper(void *ctx, unsigned char *buf, size_t len)
{
return random_get_bytes(buf, len);
}
struct crypto_bignum *crypto_bignum_init(void)
{
mbedtls_mpi *bn = os_zalloc(sizeof(mbedtls_mpi));
@@ -220,7 +216,7 @@ int crypto_bignum_is_odd(const struct crypto_bignum *a)
int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
{
return ((mbedtls_mpi_random((mbedtls_mpi *) r, 0, (const mbedtls_mpi *) m,
crypto_rng_wrapper, NULL) != 0) ? -1 : 0);
mbedtls_esp_random, NULL) != 0) ? -1 : 0);
}
int crypto_bignum_legendre(const struct crypto_bignum *a,

95
components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
View File

@@ -7,6 +7,7 @@
#ifdef ESP_PLATFORM
#include "esp_system.h"
#include "mbedtls/bignum.h"
#include "mbedtls/esp_random.h"
#endif
#include "utils/includes.h"
@@ -16,8 +17,6 @@
#include "random.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/pk.h"
#include "mbedtls/ecdh.h"
@@ -36,10 +35,6 @@
#endif
#ifdef CONFIG_ECC
static int crypto_rng_wrapper(void *ctx, unsigned char *buf, size_t len)
{
return random_get_bytes(buf, len);
}
struct crypto_ec *crypto_ec_init(int group)
{
@@ -294,24 +289,14 @@ int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
struct crypto_ec_point *res)
{
int ret;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
MBEDTLS_MPI_CHK(mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
NULL, 0));
MBEDTLS_MPI_CHK(mbedtls_ecp_mul((mbedtls_ecp_group *)e,
(mbedtls_ecp_point *) res,
(const mbedtls_mpi *)b,
(const mbedtls_ecp_point *)p,
mbedtls_ctr_drbg_random,
&ctr_drbg));
mbedtls_esp_random,
NULL));
cleanup:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return ret ? -1 : 0;
}
@@ -491,23 +476,10 @@ int crypto_ec_point_cmp(const struct crypto_ec *e,
int crypto_ec_key_compare(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
{
int ret = 0;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
MBEDTLS_MPI_CHK(mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0));
if (mbedtls_pk_check_pair((mbedtls_pk_context *)key1, (mbedtls_pk_context *)key2, mbedtls_ctr_drbg_random, &ctr_drbg) < 0) {
goto cleanup;
if (mbedtls_pk_check_pair((mbedtls_pk_context *)key1, (mbedtls_pk_context *)key2, mbedtls_esp_random, NULL) < 0) {
return 0;
}
ret = 1;
cleanup:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return ret;
return 1;
}
void crypto_debug_print_point(const char *title, struct crypto_ec *e,
@@ -707,7 +679,7 @@ struct crypto_ec_key *crypto_ec_key_parse_priv(const u8 *privkey, size_t privkey
wpa_printf(MSG_ERROR, "memory allocation failed");
return NULL;
}
ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, crypto_rng_wrapper, NULL);
ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, mbedtls_esp_random, NULL);
if (ret < 0) {
//crypto_print_error_string(ret);
@@ -763,17 +735,8 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
mbedtls_ecdh_context *ctx = NULL;
mbedtls_pk_context *own = (mbedtls_pk_context *)key_own;
mbedtls_pk_context *peer = (mbedtls_pk_context *)key_peer;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
int ret = -1;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) < 0) {
goto fail;
}
*secret_len = 0;
ctx = os_malloc(sizeof(*ctx));
if (!ctx) {
@@ -801,7 +764,7 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
}
if (mbedtls_ecdh_calc_secret(ctx, secret_len, secret, DPP_MAX_SHARED_SECRET_LEN,
mbedtls_ctr_drbg_random, &ctr_drbg) < 0) {
mbedtls_esp_random, NULL) < 0) {
wpa_printf(MSG_ERROR, "failed to calculate secret");
goto fail;
}
@@ -814,8 +777,6 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
ret = 0;
fail:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
if (ctx) {
mbedtls_ecdh_free(ctx);
os_free(ctx);
@@ -840,7 +801,7 @@ int crypto_ecdsa_get_sign(unsigned char *hash,
goto fail;
}
ret = mbedtls_ecdsa_sign(&ctx->MBEDTLS_PRIVATE(grp), (mbedtls_mpi *)r, (mbedtls_mpi *)s,
&ctx->MBEDTLS_PRIVATE(d), hash, SHA256_MAC_LEN, crypto_rng_wrapper, NULL);
&ctx->MBEDTLS_PRIVATE(d), hash, SHA256_MAC_LEN, mbedtls_esp_random, NULL);
fail:
mbedtls_ecdsa_free(ctx);
@@ -939,7 +900,7 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group)
}
mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*kctx), //get this from argument
crypto_rng_wrapper, NULL);
mbedtls_esp_random, NULL);
return (struct crypto_ec_key *)kctx;
fail:
@@ -1124,8 +1085,6 @@ void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
struct crypto_ecdh * crypto_ecdh_init(int group)
{
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_ecdh_context *ctx;
ctx = os_zalloc(sizeof(*ctx));
@@ -1143,24 +1102,12 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
goto fail;
}
/* Initialize CTR_DRBG context */
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
/* Seed and setup CTR_DRBG entropy source for future reseeds */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) != 0) {
wpa_printf(MSG_ERROR, "Seeding entropy source failed");
goto fail;
}
/* Generates ECDH keypair on elliptic curve */
if (mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q), mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
if (mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q), mbedtls_esp_random, NULL) != 0) {
wpa_printf(MSG_ERROR, "ECDH keypair on curve failed");
goto fail;
}
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return (struct crypto_ecdh *)ctx;
fail:
if (ctx) {
@@ -1168,8 +1115,6 @@ fail:
os_free(ctx);
ctx = NULL;
}
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return NULL;
}
@@ -1217,18 +1162,6 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
return 0;
}
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
/* Initialize CTR_DRBG context */
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
/* Seed and setup CTR_DRBG entropy source for future reseeds */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) != 0) {
wpa_printf(MSG_ERROR, "Seeding entropy source failed");
goto cleanup;
}
len_prime = ACCESS_ECDH(ctx, grp).pbits / 8;
bn_x = crypto_bignum_init_set(key, len);
@@ -1287,7 +1220,7 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
/* Calculate secret
z = F(DH(x,Y)) */
secret_key = mbedtls_ecdh_calc_secret(ctx, &olen, secret, len_prime, mbedtls_ctr_drbg_random, &ctr_drbg);
secret_key = mbedtls_ecdh_calc_secret(ctx, &olen, secret, len_prime, mbedtls_esp_random, NULL);
if (secret_key != 0) {
wpa_printf(MSG_ERROR, "Calculation of secret failed");
goto cleanup;
@@ -1302,8 +1235,6 @@ cleanup:
crypto_ec_key_deinit(pkey);
crypto_bignum_deinit(bn_x, 1);
crypto_ec_point_deinit(ec_pt, 1);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return sh_secret;
}

100
components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c
View File

@@ -6,6 +6,7 @@
#ifdef ESP_PLATFORM
#include "mbedtls/bignum.h"
#include "mbedtls/esp_random.h"
#endif
#include "utils/includes.h"
@@ -14,9 +15,6 @@
#include "common/defs.h"
#ifdef CONFIG_CRYPTO_MBEDTLS
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include <mbedtls/error.h>
#include <mbedtls/x509_crt.h>
#include <mbedtls/platform.h>
@@ -38,11 +36,6 @@ static void crypto_dump_verify_info(u32 flags)
static void crypto_dump_verify_info(u32 flags) { }
#endif
static int crypto_rng_wrapper(void *ctx, unsigned char *buf, size_t len)
{
return os_get_random(buf, len);
}
int crypto_verify_cert(const u8 *cert_start, int certlen, const u8 *ca_cert_start, int ca_certlen)
{
int ret;
@@ -125,7 +118,7 @@ struct crypto_private_key * crypto_private_key_import(const u8 *key,
mbedtls_pk_init(pkey);
ret = mbedtls_pk_parse_key(pkey, key, len, (const unsigned char *)passwd,
passwd ? os_strlen(passwd) : 0, crypto_rng_wrapper, NULL);
passwd ? os_strlen(passwd) : 0, mbedtls_esp_random, NULL);
if (ret < 0) {
wpa_printf(MSG_ERROR, "failed to parse private key");
@@ -190,35 +183,13 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key,
{
int ret;
mbedtls_pk_context *pkey = (mbedtls_pk_context *)key;
const char *pers = "rsa_encrypt";
mbedtls_entropy_context *entropy = os_zalloc(sizeof(*entropy));
mbedtls_ctr_drbg_context *ctr_drbg = os_zalloc(sizeof(*ctr_drbg));
if (!pkey || !entropy || !ctr_drbg) {
if (entropy) {
os_free(entropy);
}
if (ctr_drbg) {
os_free(ctr_drbg);
}
wpa_printf(MSG_ERROR, "failed to allocate memory");
if (!pkey) {
return -1;
}
mbedtls_entropy_init(entropy);
mbedtls_ctr_drbg_init(ctr_drbg);
ret = mbedtls_ctr_drbg_seed(ctr_drbg, mbedtls_entropy_func,
entropy, (const unsigned char *) pers,
strlen(pers));
if (ret != 0) {
wpa_printf(MSG_ERROR, " failed ! mbedtls_ctr_drbg_seed returned %d",
ret);
goto cleanup;
}
ret = mbedtls_rsa_pkcs1_encrypt(mbedtls_pk_rsa(*pkey), mbedtls_ctr_drbg_random,
ctr_drbg, inlen, in, out);
ret = mbedtls_rsa_pkcs1_encrypt(mbedtls_pk_rsa(*pkey), mbedtls_esp_random,
NULL, inlen, in, out);
if (ret != 0) {
wpa_printf(MSG_ERROR, " failed ! mbedtls_rsa_pkcs1_encrypt returned -0x%04x", -ret);
@@ -227,11 +198,6 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key,
*outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
cleanup:
mbedtls_ctr_drbg_free(ctr_drbg);
mbedtls_entropy_free(entropy);
os_free(entropy);
os_free(ctr_drbg);
return ret;
}
@@ -242,40 +208,18 @@ int crypto_private_key_decrypt_pkcs1_v15(struct crypto_private_key *key,
int ret;
size_t i;
mbedtls_pk_context *pkey = (mbedtls_pk_context *)key;
const char *pers = "rsa_decrypt";
mbedtls_entropy_context *entropy = os_malloc(sizeof(*entropy));
mbedtls_ctr_drbg_context *ctr_drbg = os_malloc(sizeof(*ctr_drbg));
if (!pkey || !entropy || !ctr_drbg) {
if (entropy) {
os_free(entropy);
}
if (ctr_drbg) {
os_free(ctr_drbg);
}
if (!pkey) {
return -1;
}
mbedtls_ctr_drbg_init(ctr_drbg);
mbedtls_entropy_init(entropy);
ret = mbedtls_ctr_drbg_seed(ctr_drbg, mbedtls_entropy_func,
entropy, (const unsigned char *) pers,
strlen(pers));
if (ret < 0) {
goto cleanup;
}
i = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
ret = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_pk_rsa(*pkey), mbedtls_ctr_drbg_random,
ctr_drbg, &i, in, out, *outlen);
ret = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_pk_rsa(*pkey), mbedtls_esp_random,
NULL, &i, in, out, *outlen);
*outlen = i;
cleanup:
mbedtls_ctr_drbg_free(ctr_drbg);
mbedtls_entropy_free(entropy);
os_free(entropy);
os_free(ctr_drbg);
if (ret == 0) {
*outlen = i;
}
return ret;
}
@@ -285,27 +229,13 @@ int crypto_private_key_sign_pkcs1(struct crypto_private_key *key,
u8 *out, size_t *outlen)
{
int ret;
const char *pers = "rsa_encrypt";
mbedtls_pk_context *pkey = (mbedtls_pk_context *)key;
mbedtls_entropy_context *entropy = os_malloc(sizeof(*entropy));
mbedtls_ctr_drbg_context *ctr_drbg = os_malloc(sizeof(*ctr_drbg));
if (!pkey || !entropy || !ctr_drbg) {
if (entropy) {
os_free(entropy);
}
if (ctr_drbg) {
os_free(ctr_drbg);
}
if (!pkey) {
return -1;
}
mbedtls_ctr_drbg_init(ctr_drbg);
mbedtls_entropy_init(entropy);
ret = mbedtls_ctr_drbg_seed(ctr_drbg, mbedtls_entropy_func,
entropy, (const unsigned char *) pers,
strlen(pers));
if ((ret = mbedtls_rsa_pkcs1_sign(mbedtls_pk_rsa(*pkey), mbedtls_ctr_drbg_random, ctr_drbg,
if ((ret = mbedtls_rsa_pkcs1_sign(mbedtls_pk_rsa(*pkey), mbedtls_esp_random, NULL,
(mbedtls_pk_rsa(*pkey))->MBEDTLS_PRIVATE(hash_id),
inlen, in, out)) != 0) {
wpa_printf(MSG_ERROR, " failed ! mbedtls_rsa_pkcs1_sign returned %d", ret);
@@ -314,10 +244,6 @@ int crypto_private_key_sign_pkcs1(struct crypto_private_key *key,
*outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
cleanup:
mbedtls_ctr_drbg_free(ctr_drbg);
mbedtls_entropy_free(entropy);
os_free(entropy);
os_free(ctr_drbg);
return ret;
}

2
components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
View File

@@ -15,8 +15,6 @@
#include "sha256.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/aes.h"
#include "mbedtls/bignum.h"

21
components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
View File

@@ -13,6 +13,8 @@
#include "crypto/sha256.h"
#include "crypto/sha384.h"
#include "mbedtls/esp_random.h"
/* TODO: Remove this once the appropriate solution is found
*
* ssl_misc.h header uses private elements from
@@ -24,8 +26,6 @@
// located at mbedtls/library/ssl_misc.h
#include "ssl_misc.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/debug.h"
#include "mbedtls/oid.h"
#ifdef ESPRESSIF_USE
@@ -75,8 +75,6 @@ struct tls_data {
typedef struct tls_context {
mbedtls_ssl_context ssl; /*!< TLS/SSL context */
mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure */
mbedtls_ssl_config conf; /*!< TLS/SSL config to be shared structures */
mbedtls_x509_crt cacert; /*!< Container for X.509 CA certificate */
mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */
@@ -105,9 +103,7 @@ static void tls_mbedtls_cleanup(tls_context_t *tls)
mbedtls_x509_crt_free(&tls->cacert);
mbedtls_x509_crt_free(&tls->clientcert);
mbedtls_pk_free(&tls->clientkey);
mbedtls_entropy_free(&tls->entropy);
mbedtls_ssl_config_free(&tls->conf);
mbedtls_ctr_drbg_free(&tls->ctr_drbg);
mbedtls_ssl_free(&tls->ssl);
}
@@ -181,7 +177,7 @@ static int set_pki_context(tls_context_t *tls, const struct tls_connection_param
ret = mbedtls_pk_parse_key(&tls->clientkey, cfg->private_key_blob, cfg->private_key_blob_len,
(const unsigned char *)cfg->private_key_passwd,
cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0, mbedtls_esp_random, NULL);
if (ret < 0) {
wpa_printf(MSG_ERROR, "mbedtls_pk_parse_keyfile returned -0x%x", -ret);
return ret;
@@ -599,9 +595,7 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn,
assert(tls != NULL);
mbedtls_ssl_init(&tls->ssl);
mbedtls_ctr_drbg_init(&tls->ctr_drbg);
mbedtls_ssl_config_init(&tls->conf);
mbedtls_entropy_init(&tls->entropy);
ret = set_client_config(params, tls);
if (ret != 0) {
@@ -609,14 +603,7 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn,
goto exit;
}
ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg, mbedtls_entropy_func,
&tls->entropy, NULL, 0);
if (ret != 0) {
wpa_printf(MSG_ERROR, "mbedtls_ctr_drbg_seed returned -0x%x", -ret);
goto exit;
}
mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
mbedtls_ssl_conf_rng(&tls->conf, mbedtls_esp_random, NULL);
#if defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3) && !defined(CONFIG_TLSV13)
/* Disable TLSv1.3 even when enabled in MbedTLS and not enabled in WiFi config.