mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 09:14:14 +01:00
PSK callback added to SSL server
This commit is contained in:
parent
ff29f9c825
commit
6db455e6e3
@ -84,7 +84,7 @@
|
|||||||
* ECP 4 7 (Started from top)
|
* ECP 4 7 (Started from top)
|
||||||
* MD 5 4
|
* MD 5 4
|
||||||
* CIPHER 6 5
|
* CIPHER 6 5
|
||||||
* SSL 6 6 (Started from top)
|
* SSL 6 7 (Started from top)
|
||||||
* SSL 7 31
|
* SSL 7 31
|
||||||
*
|
*
|
||||||
* Module dependent error code (5 bits 0x.08.-0x.F8.)
|
* Module dependent error code (5 bits 0x.08.-0x.F8.)
|
||||||
|
@ -126,6 +126,7 @@
|
|||||||
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
|
#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET -0x6E00 /**< Processing of the NewSessionTicket handshake message failed. */
|
||||||
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */
|
#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED -0x6D80 /**< Session ticket has expired. */
|
||||||
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
|
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
|
||||||
|
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 /**< Unkown identity received (eg, PSK identity) */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Various constants
|
* Various constants
|
||||||
@ -588,6 +589,11 @@ struct _ssl_context
|
|||||||
void *p_vrfy; /*!< context for verification */
|
void *p_vrfy; /*!< context for verification */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
|
int (*f_psk)(void *, ssl_context *, const unsigned char *, size_t);
|
||||||
|
void *p_psk; /*!< context for PSK retrieval */
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Session layer
|
* Session layer
|
||||||
*/
|
*/
|
||||||
@ -689,9 +695,9 @@ struct _ssl_context
|
|||||||
/*
|
/*
|
||||||
* PSK values
|
* PSK values
|
||||||
*/
|
*/
|
||||||
const unsigned char *psk;
|
unsigned char *psk;
|
||||||
size_t psk_len;
|
size_t psk_len;
|
||||||
const unsigned char *psk_identity;
|
unsigned char *psk_identity;
|
||||||
size_t psk_identity_len;
|
size_t psk_identity_len;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1022,16 +1028,43 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
|
|||||||
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
/**
|
/**
|
||||||
* \brief Set the Pre Shared Key (PSK) and the identity name connected
|
* \brief Set the Pre Shared Key (PSK) and the identity name connected
|
||||||
* to it. The PSK is used in all PSK-based ciphersuites.
|
* to it.
|
||||||
*
|
*
|
||||||
* \param ssl SSL context
|
* \param ssl SSL context
|
||||||
* \param psk pointer to the pre-shared key
|
* \param psk pointer to the pre-shared key
|
||||||
* \param psk_len pre-shared key length
|
* \param psk_len pre-shared key length
|
||||||
* \param psk_identity pointer to the pre-shared key identity
|
* \param psk_identity pointer to the pre-shared key identity
|
||||||
* \param psk_identity_len identity key length
|
* \param psk_identity_len identity key length
|
||||||
|
*
|
||||||
|
* \return 0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED
|
||||||
*/
|
*/
|
||||||
void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
||||||
const unsigned char *psk_identity, size_t psk_identity_len );
|
const unsigned char *psk_identity, size_t psk_identity_len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the PSK callback (server-side only) (Optional).
|
||||||
|
*
|
||||||
|
* If set, the PSK callback is called for each
|
||||||
|
* handshake where a PSK ciphersuite was negotiated.
|
||||||
|
* The callback provides the identity received and wants to
|
||||||
|
* receive the actual PSK data and length.
|
||||||
|
*
|
||||||
|
* The callback has the following parameters: (void *parameter,
|
||||||
|
* ssl_context *ssl, const unsigned char *psk_identity,
|
||||||
|
* size_t identity_len)
|
||||||
|
* If a valid PSK identity is found, the callback should use
|
||||||
|
* ssl_set_psk() on the ssl context to set the correct PSK and
|
||||||
|
* identity and return 0.
|
||||||
|
* Any other return value will result in a denied PSK identity.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param f_psk PSK identity function
|
||||||
|
* \param p_psk PSK identity parameter
|
||||||
|
*/
|
||||||
|
void ssl_set_psk_cb( ssl_context *ssl,
|
||||||
|
int (*f_psk)(void *, ssl_context *, const unsigned char *,
|
||||||
|
size_t),
|
||||||
|
void *p_psk );
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_DHM_C)
|
#if defined(POLARSSL_DHM_C)
|
||||||
|
@ -409,6 +409,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
|
|||||||
snprintf( buf, buflen, "SSL - Session ticket has expired" );
|
snprintf( buf, buflen, "SSL - Session ticket has expired" );
|
||||||
if( use_ret == -(POLARSSL_ERR_SSL_PK_TYPE_MISMATCH) )
|
if( use_ret == -(POLARSSL_ERR_SSL_PK_TYPE_MISMATCH) )
|
||||||
snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
|
snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
|
||||||
|
if( use_ret == -(POLARSSL_ERR_SSL_UNKNOWN_IDENTITY) )
|
||||||
|
snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
|
||||||
#endif /* POLARSSL_SSL_TLS_C */
|
#endif /* POLARSSL_SSL_TLS_C */
|
||||||
|
|
||||||
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
|
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
|
||||||
@ -437,7 +439,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
|
|||||||
if( use_ret == -(POLARSSL_ERR_X509_UNKNOWN_SIG_ALG) )
|
if( use_ret == -(POLARSSL_ERR_X509_UNKNOWN_SIG_ALG) )
|
||||||
snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
|
snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
|
||||||
if( use_ret == -(POLARSSL_ERR_X509_SIG_MISMATCH) )
|
if( use_ret == -(POLARSSL_ERR_X509_SIG_MISMATCH) )
|
||||||
snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_cert sig_oid)" );
|
snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_crt sig_oid)" );
|
||||||
if( use_ret == -(POLARSSL_ERR_X509_CERT_VERIFY_FAILED) )
|
if( use_ret == -(POLARSSL_ERR_X509_CERT_VERIFY_FAILED) )
|
||||||
snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
|
snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
|
||||||
if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
|
if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
|
||||||
|
@ -2286,11 +2286,12 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
|
|||||||
static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
|
static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
|
||||||
const unsigned char *end )
|
const unsigned char *end )
|
||||||
{
|
{
|
||||||
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
|
int ret = 0;
|
||||||
size_t n;
|
size_t n;
|
||||||
|
|
||||||
if( ssl->psk == NULL || ssl->psk_identity == NULL ||
|
if( ssl->f_psk == NULL &&
|
||||||
ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
|
( ssl->psk == NULL || ssl->psk_identity == NULL ||
|
||||||
|
ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
|
SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
|
||||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||||
@ -2314,11 +2315,32 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
|
|||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if( ssl->f_psk != NULL )
|
||||||
|
{
|
||||||
|
if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
|
||||||
|
ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
{
|
||||||
if( n != ssl->psk_identity_len ||
|
if( n != ssl->psk_identity_len ||
|
||||||
memcmp( ssl->psk_identity, *p, n ) != 0 )
|
memcmp( ssl->psk_identity, *p, n ) != 0 )
|
||||||
|
{
|
||||||
|
ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
|
SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
|
if( ( ret = ssl_send_alert_message( ssl,
|
||||||
|
SSL_ALERT_LEVEL_FATAL,
|
||||||
|
SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
|
||||||
}
|
}
|
||||||
|
|
||||||
*p += n;
|
*p += n;
|
||||||
|
@ -3242,11 +3242,6 @@ int ssl_init( ssl_context *ssl )
|
|||||||
memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
|
memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
|
||||||
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
|
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
|
|
||||||
ssl->hostname = NULL;
|
|
||||||
ssl->hostname_len = 0;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
|
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
|
||||||
#endif
|
#endif
|
||||||
@ -3529,13 +3524,38 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
|
|||||||
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
#endif /* POLARSSL_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
|
||||||
const unsigned char *psk_identity, size_t psk_identity_len )
|
const unsigned char *psk_identity, size_t psk_identity_len )
|
||||||
{
|
{
|
||||||
ssl->psk = psk;
|
if( psk == NULL || psk_identity == NULL )
|
||||||
|
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( ssl->psk != NULL )
|
||||||
|
{
|
||||||
|
polarssl_free( ssl->psk );
|
||||||
|
polarssl_free( ssl->psk_identity );
|
||||||
|
}
|
||||||
|
|
||||||
ssl->psk_len = psk_len;
|
ssl->psk_len = psk_len;
|
||||||
ssl->psk_identity = psk_identity;
|
|
||||||
ssl->psk_identity_len = psk_identity_len;
|
ssl->psk_identity_len = psk_identity_len;
|
||||||
|
|
||||||
|
ssl->psk = polarssl_malloc( ssl->psk_len );
|
||||||
|
ssl->psk_identity = polarssl_malloc( ssl->psk_identity_len );
|
||||||
|
|
||||||
|
if( ssl->psk == NULL || ssl->psk_identity == NULL )
|
||||||
|
return( POLARSSL_ERR_SSL_MALLOC_FAILED );
|
||||||
|
|
||||||
|
memcpy( ssl->psk, psk, ssl->psk_len );
|
||||||
|
memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
|
||||||
|
}
|
||||||
|
|
||||||
|
void ssl_set_psk_cb( ssl_context *ssl,
|
||||||
|
int (*f_psk)(void *, ssl_context *, const unsigned char *,
|
||||||
|
size_t),
|
||||||
|
void *p_psk )
|
||||||
|
{
|
||||||
|
ssl->f_psk = f_psk;
|
||||||
|
ssl->p_psk = p_psk;
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
|
||||||
|
|
||||||
@ -4154,6 +4174,18 @@ void ssl_free( ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
|
if( ssl->psk != NULL )
|
||||||
|
{
|
||||||
|
memset( ssl->psk, 0, ssl->psk_len );
|
||||||
|
memset( ssl->psk_identity, 0, ssl->psk_identity_len );
|
||||||
|
polarssl_free( ssl->psk );
|
||||||
|
polarssl_free( ssl->psk_identity );
|
||||||
|
ssl->psk_len = 0;
|
||||||
|
ssl->psk_identity_len = 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ssl->pk_key_own_alloc )
|
if( ssl->pk_key_own_alloc )
|
||||||
{
|
{
|
||||||
pk_free( ssl->pk_key );
|
pk_free( ssl->pk_key );
|
||||||
|
Loading…
Reference in New Issue
Block a user