Added new global rng, needed for MbedTLS optimisations

Author: Teppo Järvelin

features/lwipstack/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c

@@ -599,8 +599,15 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
     altcp_mbedtls_free(conf, state);
     return ERR_MEM;
   }
+  // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+  // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+  // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
   /* tell mbedtls about our I/O functions */
   mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
+#else
+  mbedtls_ssl_set_bio_ctx(&state->ssl_context, conn);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
 
   altcp_mbedtls_setup_callbacks(conn, inner_conn);
   conn->inner_conn = inner_conn;
@@ -734,7 +741,10 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
   }
   mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
+#if !defined(MBEDTLS_SSL_CONF_RNG)
   mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
+#endif
+
 #if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF
   mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
 #endif

features/mbedtls/platform/inc/shared_rng.h

@@ -0,0 +1,93 @@
+/*
+ *  shared_rng.h
+ *
+ *  Copyright (C) 2019, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+#ifndef SHARED_RNG_H
+#define SHARED_RNG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CONF_RNG)
+
+#define MBED_SHARED_RNG_NOT_INITIALIZED -1  /**< init_global_rng not called before global_rng */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/entropy.h"
+
+/**
+ * \brief       Initializes hmac ready for rng
+ *
+ * \return      0 if successful, or
+ *              MBEDTLS_ERR_MD_BAD_INPUT_DATA, or
+ *              MBEDTLS_ERR_MD_ALLOC_FAILED, or
+ *              MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED.
+ */
+int init_global_rng();
+
+/**
+ * \brief       Global HMAC_DRBG generate random
+ *
+ * \note        Automatically reseeds if reseed_counter is reached or PR is enabled.
+ * \note        init_global_rng function must be called
+ *              before calling this function!
+ *
+ * \param ctx   DRBG context
+ * \param dst   Buffer to fill
+ * \param len   Length of the buffer
+ *
+ * \return      0 if successful, or
+ *              MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED, or
+ *              MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG or
+ *              MBED_SHARED_RNG_NOT_INITIALIZED
+ */
+int global_rng( void *ctx, unsigned char *dst, size_t len );
+
+/**
+ * \brief       Free allocated resources
+ */
+void free_global_rng();
+
+/**
+ * \brief       Getter function for global hmac context
+ *
+ * \return      global hmac context
+ */
+mbedtls_hmac_drbg_context *get_global_hmac_drbg();
+
+/**
+ * \brief       Getter function for global entropy context
+ *
+ * \return      global entropy context
+ */
+mbedtls_entropy_context *get_global_entropy();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // MBEDTLS_SSL_CONF_RNG
+#endif // SHARED_RNG_H

features/mbedtls/platform/src/shared_rng.cpp

@@ -0,0 +1,75 @@
+/*
+ *  shared_rng.cpp
+ *
+ *  Copyright (C) 2019, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+#include "shared_rng.h"
+
+#if defined(MBEDTLS_SSL_CONF_RNG)
+
+#include "mbed_trace.h"
+
+mbedtls_hmac_drbg_context global_hmac_drbg;
+mbedtls_entropy_context global_entropy;
+static bool is_initialized = false;
+
+int init_global_rng()
+{
+    mbedtls_entropy_init(&global_entropy);
+    mbedtls_hmac_drbg_init(&global_hmac_drbg);
+
+    int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+                                 mbedtls_entropy_func, &global_entropy, NULL, 0);
+
+    if (ret != 0) {
+        tr_error(" init_global_rng failed! mbedtls_hmac_drbg_seed returned -0x%x", -ret);
+        free_global_rng();
+    } else {
+        is_initialized = true;
+    }
+
+    return ret;
+This conversation was marked as resolved by jarvte
+}
+
+void free_global_rng()
+{
+    mbedtls_entropy_free(&global_entropy);
+    mbedtls_hmac_drbg_free(&global_hmac_drbg);
+    is_initialized = false;
+}
+
+int global_rng( void *ctx, unsigned char *dst, size_t len )
+{
+    if (!is_initialized) {
+        return MBED_SHARED_RNG_NOT_INITIALIZED;
+    }
+    return mbedtls_hmac_drbg_random(&global_hmac_drbg, dst, len);
+}
+
+mbedtls_hmac_drbg_context *get_global_hmac_drbg()
+{
+    return &global_hmac_drbg;
+}
+
+mbedtls_entropy_context *get_global_entropy()
+{
+    return &global_entropy;
+}
+
+#endif // MBEDTLS_SSL_CONF_RNG

features/nanostack/coap-service/source/coap_security_handler.c

@@ -396,7 +396,9 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
         mbedtls_ssl_conf_handshake_timeout(&sec->_conf, timeout_min, timeout_max);
     }
 
+#if !defined(MBEDTLS_SSL_CONF_RNG)
     mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg);
+#endif
 
     if ((mbedtls_ssl_setup(&sec->_ssl, &sec->_conf)) != 0) {
         return -1;

features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c

@@ -327,8 +327,10 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         return -1;
     }
 
+#if !defined(MBEDTLS_SSL_CONF_RNG)
     // Configure random number generator
     mbedtls_ssl_conf_rng(&sec->conf, mbedtls_ctr_drbg_random, &sec->ctr_drbg);
+#endif
 
 #ifdef MBEDTLS_ECP_RESTARTABLE
     // Set ECC calculation maximum operations (affects only client)

features/netsocket/TLSSocketWrapper.cpp

@@ -190,7 +190,9 @@ nsapi_error_t TLSSocketWrapper::start_handshake(bool first_call)
         return NSAPI_ERROR_AUTH_FAILURE;
     }
 
+#if !defined(MBEDTLS_SSL_CONF_RNG)
     mbedtls_ssl_conf_rng(get_ssl_config(), mbedtls_ctr_drbg_random, &_ctr_drbg);
+#endif
 
 
 #if MBED_CONF_TLS_SOCKET_DEBUG_LEVEL > 0