From ee7b67e13538bf67a1613650986d4520281808df Mon Sep 17 00:00:00 2001 From: Fabio Alessandrelli Date: Tue, 8 Feb 2022 10:34:43 +0100 Subject: [PATCH] [Crypto] Implement CryptoCore::RandomGenerator. As a cryptographically secure random generator. Internally it uses mbedTLS CTR-DRBG implementation which gets re-seeded with entropy from OS::get_entropy when needed. CryptoCore now additionally depends on `ctr_drbg.c` and `entropy.c` thirdparty mbedtls files. --- core/crypto/SCsub | 2 + core/crypto/crypto_core.cpp | 43 +++++++++++++++++++ core/crypto/crypto_core.h | 23 ++++++++-- .../include/godot_core_mbedtls_config.h | 5 +++ 4 files changed, 69 insertions(+), 4 deletions(-) diff --git a/core/crypto/SCsub b/core/crypto/SCsub index 1fe2fa5b238..9b7953fdc5f 100644 --- a/core/crypto/SCsub +++ b/core/crypto/SCsub @@ -31,6 +31,8 @@ if not has_module: "aes.c", "base64.c", "constant_time.c", + "ctr_drbg.c", + "entropy.c", "md5.c", "sha1.c", "sha256.c", diff --git a/core/crypto/crypto_core.cpp b/core/crypto/crypto_core.cpp index 9f000c5aebd..3cf7b6c3109 100644 --- a/core/crypto/crypto_core.cpp +++ b/core/crypto/crypto_core.cpp @@ -30,12 +30,55 @@ #include "crypto_core.h" +#include "core/os/os.h" + #include #include +#include +#include #include #include #include +// RandomGenerator +CryptoCore::RandomGenerator::RandomGenerator() { + entropy = memalloc(sizeof(mbedtls_entropy_context)); + mbedtls_entropy_init((mbedtls_entropy_context *)entropy); + mbedtls_entropy_add_source((mbedtls_entropy_context *)entropy, &CryptoCore::RandomGenerator::_entropy_poll, nullptr, 256, MBEDTLS_ENTROPY_SOURCE_STRONG); + ctx = memalloc(sizeof(mbedtls_ctr_drbg_context)); + mbedtls_ctr_drbg_init((mbedtls_ctr_drbg_context *)ctx); +} + +CryptoCore::RandomGenerator::~RandomGenerator() { + mbedtls_ctr_drbg_free((mbedtls_ctr_drbg_context *)ctx); + memfree(ctx); + mbedtls_entropy_free((mbedtls_entropy_context *)entropy); + memfree(entropy); +} + +int CryptoCore::RandomGenerator::_entropy_poll(void *p_data, unsigned char *r_buffer, size_t p_len, size_t *r_len) { + *r_len = 0; + Error err = OS::get_singleton()->get_entropy(r_buffer, p_len); + ERR_FAIL_COND_V(err, MBEDTLS_ERR_ENTROPY_SOURCE_FAILED); + *r_len = p_len; + return 0; +} + +Error CryptoCore::RandomGenerator::init() { + int ret = mbedtls_ctr_drbg_seed((mbedtls_ctr_drbg_context *)ctx, mbedtls_entropy_func, (mbedtls_entropy_context *)entropy, nullptr, 0); + if (ret) { + ERR_FAIL_COND_V_MSG(ret, FAILED, " failed\n ! mbedtls_ctr_drbg_seed returned an error" + itos(ret)); + } + return OK; +} + +Error CryptoCore::RandomGenerator::get_random_bytes(uint8_t *r_buffer, size_t p_bytes) { + ERR_FAIL_COND_V(!ctx, ERR_UNCONFIGURED); + int ret = mbedtls_ctr_drbg_random((mbedtls_ctr_drbg_context *)ctx, r_buffer, p_bytes); + ERR_FAIL_COND_V_MSG(ret, FAILED, " failed\n ! mbedtls_ctr_drbg_seed returned an error" + itos(ret)); + return OK; +} + // MD5 CryptoCore::MD5Context::MD5Context() { ctx = memalloc(sizeof(mbedtls_md5_context)); diff --git a/core/crypto/crypto_core.h b/core/crypto/crypto_core.h index 355f4a2404b..eacef268cca 100644 --- a/core/crypto/crypto_core.h +++ b/core/crypto/crypto_core.h @@ -35,9 +35,24 @@ class CryptoCore { public: + class RandomGenerator { + private: + void *entropy = nullptr; + void *ctx = nullptr; + + static int _entropy_poll(void *p_data, unsigned char *r_buffer, size_t p_len, size_t *r_len); + + public: + RandomGenerator(); + ~RandomGenerator(); + + Error init(); + Error get_random_bytes(uint8_t *r_buffer, size_t p_bytes); + }; + class MD5Context { private: - void *ctx = nullptr; // To include, or not to include... + void *ctx = nullptr; public: MD5Context(); @@ -50,7 +65,7 @@ public: class SHA1Context { private: - void *ctx = nullptr; // To include, or not to include... + void *ctx = nullptr; public: SHA1Context(); @@ -63,7 +78,7 @@ public: class SHA256Context { private: - void *ctx = nullptr; // To include, or not to include... + void *ctx = nullptr; public: SHA256Context(); @@ -76,7 +91,7 @@ public: class AESContext { private: - void *ctx = nullptr; // To include, or not to include... + void *ctx = nullptr; public: AESContext(); diff --git a/thirdparty/mbedtls/include/godot_core_mbedtls_config.h b/thirdparty/mbedtls/include/godot_core_mbedtls_config.h index 0e90a988863..9e7b2742a7b 100644 --- a/thirdparty/mbedtls/include/godot_core_mbedtls_config.h +++ b/thirdparty/mbedtls/include/godot_core_mbedtls_config.h @@ -7,7 +7,12 @@ #define MBEDTLS_AES_C #define MBEDTLS_BASE64_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C #define MBEDTLS_MD5_C #define MBEDTLS_SHA1_C #define MBEDTLS_SHA256_C #define MBEDTLS_PLATFORM_ZEROIZE_ALT +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES + +#include