author | Nikos <nmav@crystal.(none)> | 2008-03-29 12:01:27 +0200 |
---|---|---|
committer | Nikos <nmav@crystal.(none)> | 2008-03-29 12:01:27 +0200 |
commit | 0b37eef0f6b6626d5e4b5936bbc6f012416ef61a (patch) | |
tree | 040f519310dab705ecb523f7553e5a7902b646fb | |
parent | c54d8ce49564b19b2a39995cf8b12cc41ebd9097 (diff) | |
download | gnutls-0b37eef0f6b6626d5e4b5936bbc6f012416ef61a.tar.gz |
Added interface to register random generators.
-rw-r--r-- | includes/gnutls/crypto.h | 14 | ||||
-rw-r--r-- | lib/Makefile.am | 4 | ||||
-rw-r--r-- | lib/auth_psk_passwd.c | 13 | ||||
-rw-r--r-- | lib/auth_rsa.c | 13 | ||||
-rw-r--r-- | lib/auth_srp_passwd.c | 23 | ||||
-rw-r--r-- | lib/crypto.c | 76 | ||||
-rw-r--r-- | lib/crypto.h | 1 | ||||
-rw-r--r-- | lib/gnutls_cipher.c | 14 | ||||
-rw-r--r-- | lib/gnutls_global.c | 13 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 13 | ||||
-rw-r--r-- | lib/gnutls_pk.c | 12 | ||||
-rw-r--r-- | lib/random.c | 86 | ||||
-rw-r--r-- | lib/random.h | 14 | ||||
-rw-r--r-- | lib/x509/pkcs12.c | 7 | ||||
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 24 |
15 files changed, 274 insertions, 53 deletions
diff --git a/includes/gnutls/crypto.h b/includes/gnutls/crypto.h index b4f5a6ff50..8d44a0eac4 100644 --- a/includes/gnutls/crypto.h +++ b/includes/gnutls/crypto.h @@ -43,6 +43,19 @@ typedef struct gnutls_crypto_mac { void (*deinit)( void* ctx); } gnutls_crypto_mac_st; +typedef enum gnutls_rnd_level +{ + GNUTLS_RND_KEY = 0, + GNUTLS_RND_RANDOM = 1, /* unpredictable */ + GNUTLS_RND_NONCE = 2, +} gnutls_rnd_level_t; + +typedef struct gnutls_crypto_rnd { + int (*init)( void** ctx); + int (*rnd) ( void* ctx, int /* gnutls_rnd_level_t */ level, void* data, int datasize); + void (*deinit)( void* ctx); +} gnutls_crypto_rnd_st; + /* the same... setkey should be null */ typedef gnutls_crypto_mac_st gnutls_crypto_digest_st; @@ -51,5 +64,6 @@ typedef gnutls_crypto_mac_st gnutls_crypto_digest_st; int gnutls_crypto_cipher_register( gnutls_cipher_algorithm_t algorithm, int priority, gnutls_crypto_cipher_st* s); int gnutls_crypto_mac_register( gnutls_mac_algorithm_t algorithm, int priority, gnutls_crypto_mac_st* s); int gnutls_crypto_digest_register( gnutls_digest_algorithm_t algorithm, int priority, gnutls_crypto_digest_st* s); +int gnutls_crypto_rnd_register( int priority, gnutls_crypto_rnd_st* s); #endif diff --git a/lib/Makefile.am b/lib/Makefile.am index 96691bdbfb..21411415e2 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -85,7 +85,7 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c \ gnutls_x509.c ext_cert_type.c gnutls_rsa_export.c \ auth_rsa_export.c ext_server_name.c auth_dh_common.c \ gnutls_helper.c ext_inner_application.c \ - gnutls_supplemental.c crypto.c + gnutls_supplemental.c crypto.c random.c if ENABLE_OPRFI COBJECTS += $(OPRFI_COBJECTS) 
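Review bot: The three `gnutls_rnd_level_t` values in includes/gnutls/crypto.h carry no contract beyond the single `/* unpredictable */` remark, yet a backend author has to decide from this header alone how strong each level must be. I would add a comment above the enum stating, if these are the intended meanings, that `GNUTLS_RND_NONCE` output must be unique but may be predictable, that `GNUTLS_RND_RANDOM` must be unpredictable to an attacker, and that `GNUTLS_RND_KEY` is for long-term key material. `gnutls_crypto_rnd_st` also needs a line saying that `init` and `rnd` return a negative gnutls error code on failure, since lib/random.c hands the `rnd` return value straight to callers that only test `ret < 0`.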
@@ -106,7 +106,7 @@ HFILES = debug.h gnutls_compress.h defines.h gnutls_cipher.h \ ext_srp.h gnutls_srp.h auth_srp.h auth_srp_passwd.h \ gnutls_helper.h auth_psk.h auth_psk_passwd.h \ ext_inner_application.h gnutls_supplemental.h ext_oprfi.h \ - crypto.h + crypto.h random.h # Separate so we can create the documentation diff --git a/lib/auth_psk_passwd.c b/lib/auth_psk_passwd.c index 82d1a9b635..0c3281d3e1 100644 --- a/lib/auth_psk_passwd.c +++ b/lib/auth_psk_passwd.c @@ -38,6 +38,7 @@ #include <gnutls_str.h> #include <gnutls_datum.h> #include <gnutls_num.h> +#include <random.h> /* this function parses passwd.psk file. Format is: @@ -97,6 +98,8 @@ pwd_put_values (gnutls_datum_t * psk, char *str) static int _randomize_psk (gnutls_datum_t * psk) { + int ret; + psk->data = gnutls_malloc (16); if (psk->data == NULL) { @@ -105,12 +108,14 @@ _randomize_psk (gnutls_datum_t * psk) } psk->size = 16; - if (gc_nonce ((char *) psk->data, 16) != GC_OK) + + ret = _gnutls_rnd (RND_NONCE, (char *) psk->data, 16); + if ( ret < 0) { - gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + gnutls_assert(); + return ret; } - + return 0; } diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c index 59d12e465a..d4f34a000d 100644 --- a/lib/auth_rsa.c +++ b/lib/auth_rsa.c @@ -40,7 +40,7 @@ #include "debug.h" #include <gnutls_sig.h> #include <gnutls_x509.h> -#include <gc.h> +#include <random.h> int _gnutls_gen_rsa_client_kx (gnutls_session_t, opaque **); int _gnutls_proc_rsa_client_kx (gnutls_session_t, opaque *, size_t); @@ -290,10 +290,11 @@ _gnutls_proc_rsa_client_kx (gnutls_session_t session, opaque * data, /* we do not need strong random numbers here. */ - if (gc_nonce (session->key->key.data, session->key->key.size) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, session->key->key.data, session->key->key.size); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } } 
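Review bot: The failure return in `_randomize_psk` leaves `psk->data` pointing at 16 allocated but unfilled bytes with `psk->size` already set to 16, so a caller that mishandles the error sees a plausible-looking key made of heap contents. Before `return ret;` I would add `gnutls_free (psk->data); psk->data = NULL; psk->size = 0;`, unless the caller, which is outside this hunk, is known to release the datum on error. `_randomize_pwd_entry` in lib/auth_srp_passwd.c has the same shape for `entry->v.data` and `entry->salt.data`.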
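Review bot: `RND_NONCE` is used in `_gnutls_proc_rsa_client_kx` to fill `session->key->key.data`, which appears to be the substitute key installed after a failed decryption, and that value has to be unpredictable to the peer or the substitution can be told apart from a real key. The public enum added in this commit marks only `GNUTLS_RND_RANDOM` as unpredictable, so a registered generator is free to serve nonces from something weaker. I would request `ret = _gnutls_rnd (RND_RANDOM, session->key->key.data, session->key->key.size);` here and drop the "we do not need strong random numbers" comment. The same question applies to the block-cipher IV in `_gnutls_compressed2ciphertext` (lib/gnutls_cipher.c) and to the IV in `generate_key` (lib/x509/privkey_pkcs8.c), both of which now ask for `RND_NONCE`. The function body starts and ends outside this hunk.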
@@ -344,11 +345,11 @@ _gnutls_gen_rsa_client_kx (gnutls_session_t session, opaque ** data) return GNUTLS_E_MEMORY_ERROR; } - if (gc_pseudo_random (session->key->key.data, - session->key->key.size) != GC_OK) + ret = _gnutls_rnd( RND_RANDOM, session->key->key.data, session->key->key.size); + if ( ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } ver = _gnutls_get_adv_version (session); diff --git a/lib/auth_srp_passwd.c b/lib/auth_srp_passwd.c index 45909fdd86..8f098315d3 100644 --- a/lib/auth_srp_passwd.c +++ b/lib/auth_srp_passwd.c @@ -39,7 +39,7 @@ #include <gnutls_str.h> #include <gnutls_datum.h> #include <gnutls_num.h> -#include <gc.h> +#include <random.h> static int _randomize_pwd_entry (SRP_PWD_ENTRY * entry); @@ -397,6 +397,7 @@ static int _randomize_pwd_entry (SRP_PWD_ENTRY * entry) { unsigned char rnd; + int ret; if (entry->g.size == 0 || entry->n.size == 0) { @@ -404,11 +405,13 @@ _randomize_pwd_entry (SRP_PWD_ENTRY * entry) return GNUTLS_E_INTERNAL_ERROR; } - if (gc_nonce (&rnd, 1) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, &rnd, 1); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } + entry->salt.size = (rnd % 10) + 9; entry->v.data = gnutls_malloc (20); @@ -419,10 +422,11 @@ _randomize_pwd_entry (SRP_PWD_ENTRY * entry) return GNUTLS_E_MEMORY_ERROR; } - if (gc_nonce (entry->v.data, 20) != GC_OK) + ret = _gnutls_rnd (RND_RANDOM, entry->v.data, 20); + if ( ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } entry->salt.data = gnutls_malloc (entry->salt.size); @@ -432,12 +436,13 @@ _randomize_pwd_entry (SRP_PWD_ENTRY * entry) return GNUTLS_E_MEMORY_ERROR; } - if (gc_nonce (entry->salt.data, entry->salt.size) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, entry->salt.data, entry->salt.size); + if (ret < 0) { - gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + gnutls_assert(); + return ret; } - + return 0; } 
diff --git a/lib/crypto.c b/lib/crypto.c index fda2263699..830623157f 100644 --- a/lib/crypto.c +++ b/lib/crypto.c @@ -37,6 +37,7 @@ typedef struct algo_list { #define cipher_list algo_list #define mac_list algo_list #define digest_list algo_list +#define rnd_list algo_list static int _algo_register( algo_list* al, int algorithm, int priority, void* s) { @@ -101,8 +102,24 @@ cipher_list* cl; static cipher_list glob_cl = { GNUTLS_CIPHER_NULL, 0, NULL, NULL }; static mac_list glob_ml = { GNUTLS_MAC_NULL, 0, NULL, NULL }; static digest_list glob_dl = { GNUTLS_MAC_NULL, 0, NULL, NULL }; - - +static rnd_list glob_rnd = { 0, 0, NULL, NULL }; + + +/** + * gnutls_crypto_cipher_register - register a cipher algorithm + * @algorithm: is the gnutls algorithm identifier + * @priority: is the priority of the algorithm + * @s: is a structure holding new cipher's data + * + * This function will register a cipher algorithm to be used + * by gnutls. Any algorithm registered will override + * the included algorithms and by convention kernel implemented + * algorithms have priority of 90. The algorithm with the lowest + * priority will be used by gnutls. + * + * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error. + * + **/ int gnutls_crypto_cipher_register( gnutls_cipher_algorithm_t algorithm, int priority, gnutls_crypto_cipher_st* s) { return _algo_register( &glob_cl, algorithm, priority, s); 
@@ -113,6 +130,45 @@ gnutls_crypto_cipher_st *_gnutls_get_crypto_cipher( gnutls_cipher_algorithm_t al return _get_algo( &glob_cl, algo); } +/** + * gnutls_crypto_rnd_register - register a random generator + * @priority: is the priority of the generator + * @s: is a structure holding new generator's data + * + * This function will register a random generator to be used + * by gnutls. Any generator registered will override + * the included generator and by convention kernel implemented + * generators have priority of 90. The generator with the lowest + * priority will be used by gnutls. + * + * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error. + * + **/ +int gnutls_crypto_rnd_register( int priority, gnutls_crypto_rnd_st* s) +{ + return _algo_register( &glob_rnd, 1, priority, s); +} + +gnutls_crypto_rnd_st *_gnutls_get_crypto_rnd() +{ + return _get_algo( &glob_rnd, 1); +} + +/** + * gnutls_crypto_mac_register - register a MAC algorithm + * @algorithm: is the gnutls algorithm identifier + * @priority: is the priority of the algorithm + * @s: is a structure holding new algorithms's data + * + * This function will register a MAC algorithm to be used + * by gnutls. Any algorithm registered will override + * the included algorithms and by convention kernel implemented + * algorithms have priority of 90. The algorithm with the lowest + * priority will be used by gnutls. + * + * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error. + * + **/ int gnutls_crypto_mac_register( gnutls_mac_algorithm_t algorithm, int priority, gnutls_crypto_mac_st* s) { return _algo_register( &glob_ml, algorithm, priority, s); 
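Review bot: `gnutls_crypto_rnd_register` passes `s` to `_algo_register` without checking it, and `_gnutls_rnd_init` in lib/random.c later calls `cc->init` unconditionally, so a structure with a NULL `init`, `rnd` or `deinit` member crashes the library at first use instead of failing registration. A guard such as `if (s == NULL || s->init == NULL || s->rnd == NULL || s->deinit == NULL) return GNUTLS_E_INVALID_REQUEST;` before the `_algo_register` call would catch that. The doc comment should also say that registration has to happen before `gnutls_global_init`, because the generator is looked up once in `_gnutls_rnd_init` and a later registration is silently ignored.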
@@ -123,7 +179,21 @@ gnutls_crypto_mac_st *_gnutls_get_crypto_mac( gnutls_mac_algorithm_t algo) return _get_algo( &glob_ml, algo); } - +/** + * gnutls_crypto_digest_register - register a digest algorithm + * @algorithm: is the gnutls algorithm identifier + * @priority: is the priority of the algorithm + * @s: is a structure holding new algorithms's data + * + * This function will register a digest (hash) algorithm to be used + * by gnutls. Any algorithm registered will override + * the included algorithms and by convention kernel implemented + * algorithms have priority of 90. The algorithm with the lowest + * priority will be used by gnutls. + * + * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error. + * + **/ int gnutls_crypto_digest_register( gnutls_digest_algorithm_t algorithm, int priority, gnutls_crypto_digest_st* s) { return _algo_register( &glob_dl, algorithm, priority, s); diff --git a/lib/crypto.h b/lib/crypto.h index eb695a8757..f52e403909 100644 --- a/lib/crypto.h +++ b/lib/crypto.h @@ -1,3 +1,4 @@ gnutls_crypto_cipher_st *_gnutls_get_crypto_cipher( gnutls_cipher_algorithm_t algo); gnutls_crypto_digest_st *_gnutls_get_crypto_digest( gnutls_digest_algorithm_t algo); gnutls_crypto_mac_st *_gnutls_get_crypto_mac( gnutls_mac_algorithm_t algo); +gnutls_crypto_rnd_st *_gnutls_get_crypto_rnd(); diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c index cd3cdb1c27..ad192f46bd 100644 --- a/lib/gnutls_cipher.c +++ b/lib/gnutls_cipher.c @@ -39,6 +39,7 @@ #include "gnutls_kx.h" #include "gnutls_record.h" #include "gnutls_constate.h" +#include <random.h> #include <gc.h> inline static int @@ -236,7 +237,7 @@ calc_enc_length (gnutls_session_t session, int data_size, cipher_type_t block_algo, uint16_t blocksize) { uint8_t rnd; - int length; + int length, ret; *pad = 0; 
@@ -247,10 +248,11 @@ calc_enc_length (gnutls_session_t session, int data_size, break; case CIPHER_BLOCK: - if (gc_nonce (&rnd, 1) != GC_OK) + ret =_gnutls_rnd (RND_NONCE, &rnd, 1); + if ( ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } /* make rnd a multiple of blocksize */ @@ -378,11 +380,13 @@ _gnutls_compressed2ciphertext (gnutls_session_t session, { /* copy the random IV. */ - if (gc_nonce (data_ptr, blocksize) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, data_ptr, blocksize); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } + data_ptr += blocksize; } diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index 683ee78279..e6089a8f26 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -26,6 +26,7 @@ #include <gnutls_errors.h> #include <libtasn1.h> #include <gnutls_dh.h> +#include <random.h> #ifdef HAVE_WINSOCK # include <winsock2.h> @@ -304,9 +305,14 @@ gnutls_global_init (void) result = _gnutls_asn2err (res); goto out; } - - /* Initialize the gcrypt (if used random generator) */ - gc_pseudo_random (&c, 1); + + /* Initialize the random generator */ + result = _gnutls_rnd_init(); + if (result < 0) + { + gnutls_assert(); + goto out; + } out: return result; @@ -330,6 +336,7 @@ gnutls_global_deinit (void) #if HAVE_WINSOCK WSACleanup (); #endif + _gnutls_rnd_deinit(); asn1_delete_structure (&_gnutls_gnutls_asn); asn1_delete_structure (&_gnutls_pkix1_asn); gc_done (); diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 71e6484afc..d9fa09c783 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -52,6 +52,7 @@ #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */ #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */ #include <gc.h> +#include <random.h> #ifdef HANDSHAKE_DEBUG #define ERR(x, y) _gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y) 
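Review bot: After `_gnutls_rnd_deinit()` runs in `gnutls_global_deinit`, the static `cc` and `rnd_ctx` in lib/random.c still refer to the backend and its released context, so a later `_gnutls_rnd` call or a second deinit goes through `cc->rnd` or `cc->deinit` on a dead context. Clearing them inside `_gnutls_rnd_deinit`, with `cc = NULL; rnd_ctx = NULL;` after the `deinit` call, removes that dangling state. Whether `gnutls_global_deinit` is already guarded against repeated calls is not visible in this hunk.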
@@ -253,6 +254,7 @@ int _gnutls_tls_create_random (opaque * dst) { uint32_t tim; + int ret; /* Use weak random numbers for the most of the * buffer except for the first 4 that are the @@ -263,10 +265,11 @@ _gnutls_tls_create_random (opaque * dst) /* generate server random value */ _gnutls_write_uint32 (tim, dst); - if (gc_nonce (&dst[4], TLS_RANDOM_SIZE - 4) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, &dst[4], TLS_RANDOM_SIZE - 4); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } return 0; @@ -2668,11 +2671,13 @@ int _gnutls_generate_session_id (opaque * session_id, uint8_t * len) { *len = TLS_MAX_SESSION_ID_SIZE; + int ret; - if (gc_nonce (session_id, *len) != GC_OK) + ret = _gnutls_rnd (RND_NONCE, session_id, *len); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } return 0; diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c index 3427083beb..f9f4d4d499 100644 --- a/lib/gnutls_pk.c +++ b/lib/gnutls_pk.c @@ -36,7 +36,7 @@ #include "debug.h" #include <x509/x509_int.h> #include <x509/common.h> -#include <gc.h> +#include <random.h> static int _gnutls_pk_encrypt (int algo, mpi_t * resarr, mpi_t data, mpi_t * pkey, int pkey_len); @@ -102,20 +102,22 @@ _gnutls_pkcs1_rsa_encrypt (gnutls_datum_t * ciphertext, return GNUTLS_E_INTERNAL_ERROR; } - if (gc_pseudo_random (ps, psize) != GC_OK) + ret = _gnutls_rnd (RND_RANDOM, ps, psize); + if ( ret < 0) { gnutls_assert (); gnutls_afree (edata); - return GNUTLS_E_RANDOM_FAILED; + return ret; } for (i = 0; i < psize; i++) while (ps[i] == 0) { - if (gc_pseudo_random (&ps[i], 1) != GC_OK) + ret = _gnutls_rnd (RND_RANDOM, &ps[i], 1); + if (ret < 0) { gnutls_assert (); gnutls_afree (edata); - return GNUTLS_E_RANDOM_FAILED; + return ret; } } break; diff --git a/lib/random.c b/lib/random.c new file mode 100644 index 0000000000..25353cabac --- /dev/null +++ b/lib/random.c 
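Review bot: In `_gnutls_generate_session_id` the new `int ret;` is declared after the statement `*len = TLS_MAX_SESSION_ID_SIZE;`, a mixed declaration that C89 compilers reject and that differs from the other functions touched by this commit, where `ret` is declared at the top of the block. Putting `int ret;` first and `*len = TLS_MAX_SESSION_ID_SIZE;` after it keeps the file consistent.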
@@ -0,0 +1,86 @@ +/* + * Copyright (C) 2008 Free Software Foundation + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GNUTLS. + * + * The GNUTLS library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA + * + */ + +/* This file handles all the internal functions that cope with random data. + */ + +#include <gnutls_int.h> +#include <gnutls_errors.h> +#include <random.h> + +static gnutls_crypto_rnd_st * cc = NULL; +static void * rnd_ctx; + +int +_gnutls_rnd_init () +{ + int result; + + /* check if a digest has been registered + */ + cc = _gnutls_get_crypto_rnd(); + if (cc != NULL) { + if (cc->init(& rnd_ctx) < 0) { + gnutls_assert(); + return GNUTLS_E_RANDOM_FAILED; + } + } else { + char c; + gc_pseudo_random (&c, 1); + } + + return 0; +} + +void +_gnutls_rnd_deinit () +{ + if (cc != NULL) { + cc->deinit( rnd_ctx); + } + + return; +} + +int +_gnutls_rnd (int level, void *data, int len) +{ +int ret = GC_OK; + + if (len > 0) { + if (cc != NULL) { + return cc->rnd( rnd_ctx, level, data, len); + } + + if (level == RND_NONCE) + ret = gc_nonce (data, len); + else + ret = gc_pseudo_random( data, len); + + } + + if (ret == GC_OK) return 0; + else return GNUTLS_E_RANDOM_FAILED; +} + diff --git a/lib/random.h b/lib/random.h new file mode 100644 index 0000000000..c899c67a98 
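Review bot: `RND_KEY` requests are served by `gc_pseudo_random` in the built-in path of `_gnutls_rnd`, because the fallback only tells `RND_NONCE` apart from everything else; the strongest level the new header defines is therefore no stronger than `RND_RANDOM`, and an out-of-range level is accepted silently. A negative `len` also returns 0 without writing to `data`, so a caller with a miscomputed size carries on with an unfilled buffer. In `_gnutls_rnd_init` the comment still says "digest", `result` is unused and the return value of the warm-up `gc_pseudo_random` call is dropped. The sketch below covers `_gnutls_rnd` only and assumes `gc_random` is available from the bundled gc layer.

```c
int
_gnutls_rnd (int level, void *data, int len)
{
  int ret;

  /* Reject sizes that cannot be honoured instead of reporting success. */
  if (len < 0 || (len > 0 && data == NULL))
    {
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }
  if (len == 0)
    return 0;

  if (cc != NULL)
    return cc->rnd (rnd_ctx, level, data, len);

  /* Built-in generator: map every level explicitly. */
  switch (level)
    {
    case RND_NONCE:
      ret = gc_nonce (data, len);
      break;
    case RND_RANDOM:
      ret = gc_pseudo_random (data, len);
      break;
    case RND_KEY:
      ret = gc_random (data, len);
      break;
    default:
      gnutls_assert ();
      return GNUTLS_E_INVALID_REQUEST;
    }

  return (ret == GC_OK) ? 0 : GNUTLS_E_RANDOM_FAILED;
}
```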
--- /dev/null +++ b/lib/random.h @@ -0,0 +1,14 @@ +#ifndef RANDOM_H +# define RANDOM_H + +#include <gnutls/crypto.h> + +#define RND_RANDOM GNUTLS_RND_RANDOM +#define RND_NONCE GNUTLS_RND_NONCE +#define RND_KEY GNUTLS_RND_KEY + +int _gnutls_rnd (int level, void *data, int len); +void _gnutls_rnd_deinit (); +int _gnutls_rnd_init (); + +#endif diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index e5e443c09f..15e13c36fb 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -37,7 +37,7 @@ #include <common.h> #include <x509_b64.h> #include "x509_int.h" -#include <gc.h> +#include <random.h> /* Decodes the PKCS #12 auth_safe, and returns the allocated raw data, @@ -869,10 +869,11 @@ gnutls_pkcs12_generate_mac (gnutls_pkcs12_t pkcs12, const char *pass) /* Generate the salt. */ - if (gc_nonce (salt, sizeof (salt)) != GC_OK) + result = _gnutls_rnd (RND_NONCE, salt, sizeof (salt)); + if (result < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return result; } /* Write the salt into the structure. diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 7304a7569f..ec5e7ea336 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -37,6 +37,7 @@ #include <gnutls_algorithms.h> #include <gnutls_num.h> #include <gc.h> +#include <random.h> #define PBES2_OID "1.2.840.113549.1.5.13" @@ -1752,10 +1753,11 @@ generate_key (schema_id schema, else if (schema == PKCS12_RC2_40_SHA1) enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - if (gc_pseudo_random (rnd, 2) != GC_OK) + ret = _gnutls_rnd( RND_RANDOM, rnd, 2); + if (ret < 0) { gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; + return ret; } /* generate salt */ @@ -1766,7 +1768,8 @@ generate_key (schema_id schema, else kdf_params->salt_size = 8; - if (gc_pseudo_random (kdf_params->salt, kdf_params->salt_size) != GC_OK) + ret = _gnutls_rnd ( RND_RANDOM, kdf_params->salt, kdf_params->salt_size); + if ( ret < 0) { gnutls_assert (); return GNUTLS_E_RANDOM_FAILED; 
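Review bot: The declarations `void _gnutls_rnd_deinit ();` and `int _gnutls_rnd_init ();` in lib/random.h use empty parentheses, which in C declare a function with unspecified arguments rather than a prototype, so a call with stray arguments compiles without a diagnostic. Writing them as `void _gnutls_rnd_deinit (void);` and `int _gnutls_rnd_init (void);` fixes that; `_gnutls_get_crypto_rnd()` in lib/crypto.h and the matching definitions in lib/random.c and lib/crypto.c have the same form.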
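Review bot: The salt path in `generate_key` (hunk `@@ -1766,7 +1768,8 @@` of lib/x509/privkey_pkcs8.c) still ends in `return GNUTLS_E_RANDOM_FAILED;` although it now stores the result in `ret`, while every other converted call site in this commit returns `ret`. Changing it to `return ret;` keeps error propagation uniform, so a code returned by a registered generator is not masked in this one place. The function body extends beyond the hunk.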
@@ -1801,12 +1804,15 @@ generate_key (schema_id schema, return GNUTLS_E_ENCRYPTION_FAILED; } - if (enc_params->iv_size && - gc_nonce (enc_params->iv, enc_params->iv_size) != GC_OK) - { - gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; - } + if (enc_params->iv_size) + { + ret = _gnutls_rnd (RND_NONCE, enc_params->iv, enc_params->iv_size); + if (ret < 0) + { + gnutls_assert (); + return ret; + } + } } else { /* PKCS12 schemas */ |