PSK callback added to SSL server

2024-11-25 17:35:37 +01:00 · 2013-09-18 17:29:31 +02:00 · 2013-09-18 17:29:31 +02:00 · 6db455e6e3
commit 6db455e6e3
parent ff29f9c825
5 changed files with 113 additions and 24 deletions
--- a/include/polarssl/error.h
+++ b/include/polarssl/error.h
@ -84,7 +84,7 @@
 * ECP       4   7 (Started from top)
 * MD        5   4
 * CIPHER    6   5
- * SSL       6   6 (Started from top)
+ * SSL       6   7 (Started from top)
 * SSL       7   31
 *
 * Module dependent error code (5 bits 0x.08.-0x.F8.)
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -126,6 +126,7 @@
 #define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
 #define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
 #define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
+#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unkown identity received (eg, PSK identity) */

 /*
 * Various constants
@ -588,6 +589,11 @@ struct _ssl_context
    void *p_vrfy;               /*!< context for verification         */
 #endif

+#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
+    int (*f_psk)(void *, ssl_context *, const unsigned char *, size_t);
+    void *p_psk;               /*!< context for PSK retrieval         */
+#endif
+
    /*
     * Session layer
     */
@ -689,9 +695,9 @@ struct _ssl_context
    /*
     * PSK values
     */
-    const unsigned char *psk;
+    unsigned char *psk;
    size_t         psk_len;
-    const unsigned char *psk_identity;
+    unsigned char *psk_identity;
    size_t         psk_identity_len;
 #endif

@ -1022,16 +1028,43 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
 /**
 * \brief          Set the Pre Shared Key (PSK) and the identity name connected
- *                 to it. The PSK is used in all PSK-based ciphersuites.
+ *                 to it.
 *
 * \param ssl      SSL context
 * \param psk      pointer to the pre-shared key
 * \param psk_len  pre-shared key length
 * \param psk_identity      pointer to the pre-shared key identity
 * \param psk_identity_len  identity key length
+ *
+ * \return         0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED
 */
-void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
-                  const unsigned char *psk_identity, size_t psk_identity_len );
+int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
+                 const unsigned char *psk_identity, size_t psk_identity_len );
+
+/**
+ * \brief          Set the PSK callback (server-side only) (Optional).
+ *
+ *                 If set, the PSK callback is called for each
+ *                 handshake where a PSK ciphersuite was negotiated.
+ *                 The callback provides the identity received and wants to
+ *                 receive the actual PSK data and length.
+ *
+ *                 The callback has the following parameters: (void *parameter,
+ *                 ssl_context *ssl, const unsigned char *psk_identity,
+ *                 size_t identity_len)
+ *                 If a valid PSK identity is found, the callback should use
+ *                 ssl_set_psk() on the ssl context to set the correct PSK and
+ *                 identity and return 0.
+ *                 Any other return value will result in a denied PSK identity.
+ *
+ * \param ssl      SSL context
+ * \param f_psk    PSK identity function
+ * \param p_psk    PSK identity parameter
+ */
+void ssl_set_psk_cb( ssl_context *ssl,
+                     int (*f_psk)(void *, ssl_context *, const unsigned char *,
+                                  size_t),
+                     void *p_psk );
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */

 #if defined(POLARSSL_DHM_C)
--- a/library/error.c
+++ b/library/error.c
@ -409,6 +409,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
            snprintf( buf, buflen, "SSL - Session ticket has expired" );
        if( use_ret == -(POLARSSL_ERR_SSL_PK_TYPE_MISMATCH) )
            snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+        if( use_ret == -(POLARSSL_ERR_SSL_UNKNOWN_IDENTITY) )
+            snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
 #endif /* POLARSSL_SSL_TLS_C */

 #if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
@ -437,7 +439,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
        if( use_ret == -(POLARSSL_ERR_X509_UNKNOWN_SIG_ALG) )
            snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
        if( use_ret == -(POLARSSL_ERR_X509_SIG_MISMATCH) )
-            snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_cert sig_oid)" );
+            snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_crt sig_oid)" );
        if( use_ret == -(POLARSSL_ERR_X509_CERT_VERIFY_FAILED) )
            snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
        if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -2286,11 +2286,12 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
 static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
                                          const unsigned char *end )
 {
-    int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
+    int ret = 0;
    size_t n;

-    if( ssl->psk == NULL || ssl->psk_identity == NULL ||
-        ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
+    if( ssl->f_psk == NULL &&
+        ( ssl->psk == NULL || ssl->psk_identity == NULL ||
+          ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
    {
        SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
        return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
@ -2314,11 +2315,32 @@ static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

-    if( n != ssl->psk_identity_len ||
-        memcmp( ssl->psk_identity, *p, n ) != 0 )
+    if( ssl->f_psk != NULL )
+    {
+        if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
+            ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
+    }
+
+    if( ret == 0 )
+    {
+        if( n != ssl->psk_identity_len ||
+            memcmp( ssl->psk_identity, *p, n ) != 0 )
+        {
+            ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
+        }
+    }
+
+    if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
    {
        SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        if( ( ret = ssl_send_alert_message( ssl,
+                              SSL_ALERT_LEVEL_FATAL,
+                              SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
    }

    *p += n;
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3242,11 +3242,6 @@ int ssl_init( ssl_context *ssl )
    memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
    memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );

-#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
-    ssl->hostname = NULL;
-    ssl->hostname_len = 0;
-#endif
-
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
    ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
 #endif
@ -3529,13 +3524,38 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
 #endif /* POLARSSL_X509_CRT_PARSE_C */

 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
-void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
-                  const unsigned char *psk_identity, size_t psk_identity_len )
+int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
+                 const unsigned char *psk_identity, size_t psk_identity_len )
 {
-    ssl->psk     = psk;
+    if( psk == NULL || psk_identity == NULL )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->psk != NULL )
+    {
+        polarssl_free( ssl->psk );
+        polarssl_free( ssl->psk_identity );
+    }
+
    ssl->psk_len = psk_len;
-    ssl->psk_identity     = psk_identity;
    ssl->psk_identity_len = psk_identity_len;
+
+    ssl->psk = polarssl_malloc( ssl->psk_len );
+    ssl->psk_identity = polarssl_malloc( ssl->psk_identity_len );
+
+    if( ssl->psk == NULL || ssl->psk_identity == NULL )
+        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
+
+    memcpy( ssl->psk, psk, ssl->psk_len );
+    memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
+}
+
+void ssl_set_psk_cb( ssl_context *ssl,
+                     int (*f_psk)(void *, ssl_context *, const unsigned char *,
+                     size_t),
+                     void *p_psk )
+{
+    ssl->f_psk = f_psk;
+    ssl->p_psk = p_psk;
 }
 #endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */

@ -4146,7 +4166,7 @@ void ssl_free( ssl_context *ssl )
 #endif

 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
-    if ( ssl->hostname != NULL)
+    if ( ssl->hostname != NULL )
    {
        memset( ssl->hostname, 0, ssl->hostname_len );
        polarssl_free( ssl->hostname );
@ -4154,6 +4174,18 @@ void ssl_free( ssl_context *ssl )
    }
 #endif

+#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
+    if( ssl->psk != NULL )
+    {
+        memset( ssl->psk, 0, ssl->psk_len );
+        memset( ssl->psk_identity, 0, ssl->psk_identity_len );
+        polarssl_free( ssl->psk );
+        polarssl_free( ssl->psk_identity );
+        ssl->psk_len = 0;
+        ssl->psk_identity_len = 0;
+    }
+#endif
+
    if( ssl->pk_key_own_alloc )
    {
        pk_free( ssl->pk_key );