feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes for allowing server to have a public key set when using external key with PK callbacks.

Browse Source
This commit is contained in:
David Garske
2022-03-18 11:27:45 -07:00
parent c213c725d7
commit 59665a44b5
6 changed files with 128 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
src/internal.c
View File

@ -5775,16 +5775,22 @@ int InitSSL_Suites(WOLFSSL* ssl)
return NO_PRIVATE_KEY;
}
/* allow no private key if using PK callbacks and CB is set */
#ifdef HAVE_PK_CALLBACKS
if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
WOLFSSL_MSG("Using PK for server private key");
}
else
#endif
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
WOLFSSL_MSG("Server missing private key");
return NO_PRIVATE_KEY;
/* allow no private key if using existing key */
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
) {
WOLFSSL_MSG("Allowing no server private key (external)");
}
else
#endif
{
WOLFSSL_MSG("Server missing private key");
return NO_PRIVATE_KEY;
}
}
}
#endif
@ -22380,19 +22386,24 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
int keySz;
word32 idx;
#ifdef HAVE_PK_CALLBACKS
/* allow no private key if using PK callbacks and CB is set */
if (wolfSSL_IsPrivatePkSet(ssl)) {
*length = GetPrivateKeySigSize(ssl);
return 0;
}
else
#endif
/* make sure private key exists */
if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) {
WOLFSSL_MSG("Private key missing!");
ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
/* allow no private key if using external */
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
) {
*length = GetPrivateKeySigSize(ssl);
return 0;
}
else
#endif
{
WOLFSSL_MSG("Private key missing!");
ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
}
}
#ifdef WOLF_PRIVATE_KEY_ID
@ -22479,8 +22490,12 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(RsaKey*)ssl->hsKey, ssl->buffers.key->length);
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
/* if using external key then allow using a public key */
if (ret != 0 && (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
)) {
WOLFSSL_MSG("Trying RSA public key with crypto callbacks");
idx = 0;
ret = wc_RsaPublicKeyDecode(ssl->buffers.key->buffer, &idx,
@ -22534,8 +22549,12 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
(ecc_key*)ssl->hsKey,
ssl->buffers.key->length);
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
/* if using external key then allow using a public key */
if (ret != 0 && (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
)) {
WOLFSSL_MSG("Trying ECC public key with crypto callbacks");
idx = 0;
ret = wc_EccPublicKeyDecode(ssl->buffers.key->buffer, &idx,
@ -22587,13 +22606,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
(ed25519_key*)ssl->hsKey,
ssl->buffers.key->length);
#ifdef WOLF_PRIVATE_KEY_ID
/* if using crypto or PK callbacks allow using a public key */
if (ret != 0 && ssl->devId != INVALID_DEVID) {
/* if using external key then allow using a public key */
if (ret != 0 && (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
)) {
WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
idx = 0;
ret = wc_Ed25519PublicKeyDecode(ssl->buffers.key->buffer, &idx,
(ed25519_key*)ssl->hsKey,
ssl->buffers.key->length);
(ed25519_key*)ssl->hsKey,
ssl->buffers.key->length);
}
#endif
if (ret == 0) {
@ -22640,6 +22663,20 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
ret = wc_Ed448PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
(ed448_key*)ssl->hsKey,
ssl->buffers.key->length);
#ifdef WOLF_PRIVATE_KEY_ID
/* if using external key then allow using a public key */
if (ret != 0 && (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
)) {
WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
idx = 0;
ret = wc_Ed448PublicKeyDecode(ssl->buffers.key->buffer, &idx,
(ed448_key*)ssl->hsKey,
ssl->buffers.key->length);
}
#endif
if (ret == 0) {
WOLFSSL_MSG("Using ED448 private key");
@ -26876,7 +26913,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifndef NO_CERTS
#ifdef HAVE_PK_CALLBACKS
#ifdef WOLF_PRIVATE_KEY_ID
int GetPrivateKeySigSize(WOLFSSL* ssl)
{
int sigSz = 0;

56
src/ssl.c
View File

@ -5697,7 +5697,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
*idx = 0;
ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length);
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
if (ret != 0 && (devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ctx)
#endif
)) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
ret = wc_RsaPublicKeyDecode(der->buffer, idx, key, der->length);
@ -5769,7 +5773,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
*idx = 0;
ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length);
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
if (ret != 0 && (devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ctx)
#endif
)) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
ret = wc_EccPublicKeyDecode(der->buffer, idx, key, der->length);
@ -5836,7 +5844,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
*idx = 0;
ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length);
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && devId != INVALID_DEVID) {
if (ret != 0 && (devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ctx)
#endif
)) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
ret = wc_Ed25519PublicKeyDecode(der->buffer, idx, key, der->length);
@ -5905,6 +5917,17 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der
if (ret == 0) {
*idx = 0;
ret = wc_Ed448PrivateKeyDecode(der->buffer, idx, key, der->length);
#ifdef WOLF_PRIVATE_KEY_ID
if (ret != 0 && (devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ctx)
#endif
)) {
/* if using crypto or PK callbacks, try public key decode */
*idx = 0;
ret = wc_Ed448PublicKeyDecode(der->buffer, idx, key, der->length);
}
#endif
if (ret == 0) {
/* check for minimum key size and then free */
int minKeySz = ssl ? ssl->options.minEccKeySz :
@ -14823,7 +14846,6 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
/* in case used set_accept_state after init */
/* allow no private key if using PK callbacks and CB is set */
if (!havePSK && !haveAnon && !haveMcast) {
#ifdef OPENSSL_EXTRA
if (ssl->ctx->certSetupCb != NULL) {
@ -14842,17 +14864,23 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
return WOLFSSL_FATAL_ERROR;
}
#ifdef HAVE_PK_CALLBACKS
if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
WOLFSSL_MSG("Using PK for server private key");
}
else
#endif
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
WOLFSSL_MSG("accept error: server key required");
ssl->error = NO_PRIVATE_KEY;
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
/* allow no private key if using existing key */
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
) {
WOLFSSL_MSG("Allowing no server private key (external)");
}
else
#endif
{
WOLFSSL_MSG("accept error: server key required");
WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
return WOLFSSL_FATAL_ERROR;
}
}
}
}

26
src/tls13.c
View File

@ -9520,7 +9520,6 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
#ifndef NO_CERTS
/* allow no private key if using PK callbacks and CB is set */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (!havePSK)
#endif
@ -9542,16 +9541,23 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
return WOLFSSL_FATAL_ERROR;
}
#ifdef HAVE_PK_CALLBACKS
if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
WOLFSSL_MSG("Using PK for server private key");
}
else
#endif
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
WOLFSSL_MSG("accept error: server key required");
WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
return WOLFSSL_FATAL_ERROR;
/* allow no private key if using existing key */
#ifdef WOLF_PRIVATE_KEY_ID
if (ssl->devId != INVALID_DEVID
#ifdef HAVE_PK_CALLBACKS
|| wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
#endif
) {
WOLFSSL_MSG("Allowing no server private key (external)");
}
else
#endif
{
WOLFSSL_MSG("accept error: server key required");
WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);
return WOLFSSL_FATAL_ERROR;
}
}
}
}

4
wolfcrypt/src/asn.c
View File

@ -19802,7 +19802,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
}
#endif
else {
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
/* allow loading a public key for use with crypto or PK callbacks */
type = PUBLICKEY_TYPE;
header = BEGIN_PUB_KEY;
@ -19926,7 +19926,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
*keyFormat = DSAk;
#endif
}
#if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)
#ifdef WOLF_PRIVATE_KEY_ID
else if (type == PUBLICKEY_TYPE) {
#ifndef NO_RSA
if (header == BEGIN_RSA_PUB)

2
wolfssl/internal.h
View File

@ -1735,7 +1735,7 @@ WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length,
void* heap, int devId);
#endif
WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length);
#ifdef HAVE_PK_CALLBACKS
#ifdef WOLF_PRIVATE_KEY_ID
WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl);
#ifndef NO_ASN
WOLFSSL_LOCAL int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx);

7
wolfssl/test.h
View File

@ -3729,14 +3729,9 @@ typedef struct PkCbInfo {
#ifdef TEST_PK_PRIVKEY
union {
#ifdef HAVE_ECC
/* only ECC PK callback with TLS v1.2 needs this */
ecc_key ecc;
#endif
#ifdef HAVE_CURVE25519
curve25519_key curve;
#endif
#ifdef HAVE_CURVE448
curve448_key curve;
#endif
} keyGen;
int hasKeyGen;
#endif