diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | BUILD.gn | 1 | ||||
-rwxr-xr-x | bootstrap.sh | 3 | ||||
-rw-r--r-- | src/mbedtls_ops.c | 11 | ||||
-rw-r--r-- | third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch | 27 | ||||
-rw-r--r-- | third_party/mbedtls/BUILD.gn | 3 | ||||
-rw-r--r-- | third_party/mbedtls/custom_config.h | 1 | ||||
m--------- | third_party/mbedtls/src | 0 |
8 files changed, 15 insertions, 32 deletions
@@ -1,3 +1,4 @@ .clangd +.cache compile_commands.json out @@ -74,6 +74,7 @@ pw_static_library("dice_with_boringssl_ops") { config("mbedtls_ops_config") { include_dirs = [ "//include//dice/config/mbedtls_ecdsa_p256" ] + defines = [ "MBEDTLS_ALLOW_PRIVATE_ACCESS" ] } pw_static_library("dice_with_mbedtls_ops") { diff --git a/bootstrap.sh b/bootstrap.sh index 3404d07..b599594 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -25,9 +25,6 @@ # manually. git submodule update --init -# Apply local submodule patches. -git -C third_party/mbedtls/src am ../0001-Mark-basic-constraints-critical-as-appropriate.patch - # Bootstrap the pigweed environment. . third_party/pigweed/src/bootstrap.sh diff --git a/src/mbedtls_ops.c b/src/mbedtls_ops.c index 4085481..4dbf2dd 100644 --- a/src/mbedtls_ops.c +++ b/src/mbedtls_ops.c @@ -439,11 +439,18 @@ DiceResult DiceGenerateCertificate( } // This implementation is deterministic and assumes entropy is not available. // If this code is run where entropy is available, however, f_rng and p_rng - // should be set appropriately. + // should be set to use that entropy. As is, we'll provide a DRBG for blinding + // but it will be ineffective. + mbedtls_hmac_drbg_context drbg; + mbedtls_hmac_drbg_init(&drbg); + mbedtls_hmac_drbg_seed_buf(&drbg, + mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), + subject_key_id, subject_key_id_size); uint8_t tmp_buffer[DICE_MAX_CERTIFICATE_SIZE]; int length_or_error = mbedtls_x509write_crt_der(&cert_context, tmp_buffer, sizeof(tmp_buffer), - /*f_rng=*/NULL, /*p_rng=*/NULL); + mbedtls_hmac_drbg_random, &drbg); + mbedtls_hmac_drbg_free(&drbg); if (length_or_error < 0) { result = kDiceResultPlatformError; goto out; diff --git a/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch b/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch deleted file mode 100644 index 097eb17..0000000 --- a/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch +++ /dev/null @@ -1,27 +0,0 @@ -From d5cbe3484248ee5f44543b1b50604bcd5739cc85 Mon Sep 17 00:00:00 2001 -From: Darren Krahn <dkrahn@google.com> -Date: Fri, 10 Jul 2020 17:03:57 -0700 -Subject: [PATCH] Mark basic constraints critical as appropriate. - -Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension -must be marked critical. ---- - library/x509write_crt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/library/x509write_crt.c b/library/x509write_crt.c -index 32c655096..498b8b0a0 100644 ---- a/library/x509write_crt.c -+++ b/library/x509write_crt.c -@@ -163,7 +163,7 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, - return( - mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, - MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), -- 0, buf + sizeof(buf) - len, len ) ); -+ is_ca, buf + sizeof(buf) - len, len ) ); - } - - #if defined(MBEDTLS_SHA1_C) --- -2.29.0.rc1.297.gfa9743e501-goog - diff --git a/third_party/mbedtls/BUILD.gn b/third_party/mbedtls/BUILD.gn index e77c1b2..7e6d0f7 100644 --- a/third_party/mbedtls/BUILD.gn +++ b/third_party/mbedtls/BUILD.gn @@ -31,9 +31,12 @@ pw_static_library("mbedcrypto") { "src/library/asn1parse.c", "src/library/asn1write.c", "src/library/bignum.c", + "src/library/bignum_core.c", + "src/library/constant_time.c", "src/library/ecdsa.c", "src/library/ecp.c", "src/library/ecp_curves.c", + "src/library/hash_info.c", "src/library/hkdf.c", "src/library/hmac_drbg.c", "src/library/md.c", diff --git a/third_party/mbedtls/custom_config.h b/third_party/mbedtls/custom_config.h index ff71785..24d5418 100644 --- a/third_party/mbedtls/custom_config.h +++ b/third_party/mbedtls/custom_config.h @@ -32,6 +32,7 @@ #define MBEDTLS_MD_C #define MBEDTLS_OID_C #define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_WRITE_C #define MBEDTLS_SHA512_C #define MBEDTLS_X509_CREATE_C diff --git a/third_party/mbedtls/src b/third_party/mbedtls/src -Subproject 1c54b5410fd48d6bcada97e30cac417c5c7eea6 +Subproject 8c89224991adff88d53cd380f42a2baa36f9145 |