diff --git a/src/internal.c b/src/internal.c index 0516b8efc..a5f3317fb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5775,16 +5775,22 @@ int InitSSL_Suites(WOLFSSL* ssl) return NO_PRIVATE_KEY; } - /* allow no private key if using PK callbacks and CB is set */ - #ifdef HAVE_PK_CALLBACKS - if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { - WOLFSSL_MSG("Using PK for server private key"); - } - else - #endif if (!ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("Server missing private key"); - return NO_PRIVATE_KEY; + /* allow no private key if using existing key */ + #ifdef WOLF_PRIVATE_KEY_ID + if (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + ) { + WOLFSSL_MSG("Allowing no server private key (external)"); + } + else + #endif + { + WOLFSSL_MSG("Server missing private key"); + return NO_PRIVATE_KEY; + } } } #endif @@ -22380,19 +22386,24 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) int keySz; word32 idx; -#ifdef HAVE_PK_CALLBACKS - /* allow no private key if using PK callbacks and CB is set */ - if (wolfSSL_IsPrivatePkSet(ssl)) { - *length = GetPrivateKeySigSize(ssl); - return 0; - } - else -#endif - /* make sure private key exists */ if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) { - WOLFSSL_MSG("Private key missing!"); - ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); + /* allow no private key if using external */ + #ifdef WOLF_PRIVATE_KEY_ID + if (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + ) { + *length = GetPrivateKeySigSize(ssl); + return 0; + } + else + #endif + { + WOLFSSL_MSG("Private key missing!"); + ERROR_OUT(NO_PRIVATE_KEY, exit_dpk); + } } #ifdef WOLF_PRIVATE_KEY_ID 
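Review bot: In InitSSL_Suites the PK-callback exemption is now nested inside `#ifdef WOLF_PRIVATE_KEY_ID`, so a build that defines HAVE_PK_CALLBACKS without that macro would lose the exemption the removed lines provided and return NO_PRIVATE_KEY. The diff does not show where WOLF_PRIVATE_KEY_ID is defined, so confirm it is always set when HAVE_PK_CALLBACKS is. The same nesting appears in the accept-path hunk in src/ssl.c (the one logging "accept error: server key required") and in wolfSSL_accept_TLSv13, and the PemToDer hunks in wolfcrypt/src/asn.c replace `defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS)` with the single macro on the same assumption. A comment at the first guard would record it, for example `/* WOLF_PRIVATE_KEY_ID is expected to be defined whenever WOLF_CRYPTO_CB or HAVE_PK_CALLBACKS is */`. The function body starts and ends outside the hunk.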
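Review bot: The early-return path in DecodePrivateKey now tests `wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)` where the removed code tested `wolfSSL_IsPrivatePkSet(ssl)`, and it also returns success for any `ssl->devId != INVALID_DEVID` when no key buffer is loaded. Neither predicate's body is in the diff, so check that they agree for every configuration that previously took the early return. In the devId case `*length` comes from `GetPrivateKeySigSize(ssl)` with nothing loaded, and a key missing on the device would only be noticed when the handshake signs. A comment on the branch would make that explicit, for example `/* no key buffer: the device or PK callback owns the key; a missing key surfaces at signing time */`. The function continues outside the hunk.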
@@ -22479,8 +22490,12 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, (RsaKey*)ssl->hsKey, ssl->buffers.key->length); #ifdef WOLF_PRIVATE_KEY_ID - /* if using crypto or PK callbacks allow using a public key */ - if (ret != 0 && ssl->devId != INVALID_DEVID) { + /* if using external key then allow using a public key */ + if (ret != 0 && (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + )) { WOLFSSL_MSG("Trying RSA public key with crypto callbacks"); idx = 0; ret = wc_RsaPublicKeyDecode(ssl->buffers.key->buffer, &idx, @@ -22534,8 +22549,12 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) (ecc_key*)ssl->hsKey, ssl->buffers.key->length); #ifdef WOLF_PRIVATE_KEY_ID - /* if using crypto or PK callbacks allow using a public key */ - if (ret != 0 && ssl->devId != INVALID_DEVID) { + /* if using external key then allow using a public key */ + if (ret != 0 && (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + )) { WOLFSSL_MSG("Trying ECC public key with crypto callbacks"); idx = 0; ret = wc_EccPublicKeyDecode(ssl->buffers.key->buffer, &idx, @@ -22587,13 +22606,17 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) (ed25519_key*)ssl->hsKey, ssl->buffers.key->length); #ifdef WOLF_PRIVATE_KEY_ID - /* if using crypto or PK callbacks allow using a public key */ - if (ret != 0 && ssl->devId != INVALID_DEVID) { + /* if using external key then allow using a public key */ + if (ret != 0 && (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + )) { WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks"); idx = 0; ret = wc_Ed25519PublicKeyDecode(ssl->buffers.key->buffer, &idx, - (ed25519_key*)ssl->hsKey, - ssl->buffers.key->length); + (ed25519_key*)ssl->hsKey, + ssl->buffers.key->length); } #endif if (ret == 0) { 
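Review bot: The public-key fallback in the RSA branch is now enabled by `wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)`, which by its name does not look algorithm-specific. If so, an RSA public key could be accepted in the private-key slot even when only a callback for another key type is registered, and the failure would show up at signing rather than at key load; the predicate's definition is outside the diff, so this needs confirming. The same condition is repeated in the ECC and ED25519 hunks that follow, in the Ed448 hunk, and in the four ProcessBufferTryDecode hunks in src/ssl.c. The log text also still says "with crypto callbacks" although the branch now covers PK callbacks; `WOLFSSL_MSG("Trying RSA public key with external key");` would match the updated comment.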
@@ -22640,6 +22663,20 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length) ret = wc_Ed448PrivateKeyDecode(ssl->buffers.key->buffer, &idx, (ed448_key*)ssl->hsKey, ssl->buffers.key->length); + #ifdef WOLF_PRIVATE_KEY_ID + /* if using external key then allow using a public key */ + if (ret != 0 && (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + )) { + WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks"); + idx = 0; + ret = wc_Ed448PublicKeyDecode(ssl->buffers.key->buffer, &idx, + (ed448_key*)ssl->hsKey, + ssl->buffers.key->length); + } + #endif if (ret == 0) { WOLFSSL_MSG("Using ED448 private key"); @@ -26876,7 +26913,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifndef NO_CERTS -#ifdef HAVE_PK_CALLBACKS +#ifdef WOLF_PRIVATE_KEY_ID int GetPrivateKeySigSize(WOLFSSL* ssl) { int sigSz = 0; diff --git a/src/ssl.c b/src/ssl.c index 5cbd9332a..9f3fe33e1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5697,7 +5697,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der *idx = 0; ret = wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length); #ifdef WOLF_PRIVATE_KEY_ID - if (ret != 0 && devId != INVALID_DEVID) { + if (ret != 0 && (devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ctx) + #endif + )) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; ret = wc_RsaPublicKeyDecode(der->buffer, idx, key, der->length); 
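Review bot: The message in the new Ed448 fallback reads "Trying ED25519 public key with crypto callbacks", apparently copied from the ED25519 branch, so debug logs will name the wrong algorithm when an Ed448 public key is being tried. It should be `WOLFSSL_MSG("Trying ED448 public key with crypto callbacks");`. The enclosing Ed448 block of DecodePrivateKey starts and ends outside the hunk.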
@@ -5769,7 +5773,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der *idx = 0; ret = wc_EccPrivateKeyDecode(der->buffer, idx, key, der->length); #ifdef WOLF_PRIVATE_KEY_ID - if (ret != 0 && devId != INVALID_DEVID) { + if (ret != 0 && (devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ctx) + #endif + )) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; ret = wc_EccPublicKeyDecode(der->buffer, idx, key, der->length); @@ -5836,7 +5844,11 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der *idx = 0; ret = wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, der->length); #ifdef WOLF_PRIVATE_KEY_ID - if (ret != 0 && devId != INVALID_DEVID) { + if (ret != 0 && (devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ctx) + #endif + )) { /* if using crypto or PK callbacks, try public key decode */ *idx = 0; ret = wc_Ed25519PublicKeyDecode(der->buffer, idx, key, der->length); @@ -5905,6 +5917,17 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der if (ret == 0) { *idx = 0; ret = wc_Ed448PrivateKeyDecode(der->buffer, idx, key, der->length); + #ifdef WOLF_PRIVATE_KEY_ID + if (ret != 0 && (devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ctx) + #endif + )) { + /* if using crypto or PK callbacks, try public key decode */ + *idx = 0; + ret = wc_Ed448PublicKeyDecode(der->buffer, idx, key, der->length); + } + #endif if (ret == 0) { /* check for minimum key size and then free */ int minKeySz = ssl ? ssl->options.minEccKeySz : @@ -14823,7 +14846,6 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS /* in case used set_accept_state after init */ - /* allow no private key if using PK callbacks and CB is set */ if (!havePSK && !haveAnon && !haveMcast) { #ifdef OPENSSL_EXTRA if (ssl->ctx->certSetupCb != NULL) { 
@@ -14842,17 +14864,23 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } - #ifdef HAVE_PK_CALLBACKS - if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { - WOLFSSL_MSG("Using PK for server private key"); - } - else - #endif if (!ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("accept error: server key required"); - ssl->error = NO_PRIVATE_KEY; - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; + /* allow no private key if using existing key */ + #ifdef WOLF_PRIVATE_KEY_ID + if (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + ) { + WOLFSSL_MSG("Allowing no server private key (external)"); + } + else + #endif + { + WOLFSSL_MSG("accept error: server key required"); + WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); + return WOLFSSL_FATAL_ERROR; + } } } } diff --git a/src/tls13.c b/src/tls13.c index b92a0c882..7c467c6fe 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -9520,7 +9520,6 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ #ifndef NO_CERTS - /* allow no private key if using PK callbacks and CB is set */ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) if (!havePSK) #endif 
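Review bot: The rewritten error path folds the assignment into the macro argument, `WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY);`, where the removed lines set `ssl->error` first and then logged it. If WOLFSSL_ERROR can expand to nothing in a build without error logging (its definition is not in the diff), the assignment would be dropped and the caller would get WOLFSSL_FATAL_ERROR with a stale `ssl->error`. Keeping the two statements separate avoids depending on the macro: `ssl->error = NO_PRIVATE_KEY;` followed by `WOLFSSL_ERROR(ssl->error);`. The wolfSSL_accept_TLSv13 hunk carries the folded form in both its old and new lines.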
@@ -9542,16 +9541,23 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } - #ifdef HAVE_PK_CALLBACKS - if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { - WOLFSSL_MSG("Using PK for server private key"); - } - else - #endif if (!ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("accept error: server key required"); - WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); - return WOLFSSL_FATAL_ERROR; + /* allow no private key if using existing key */ + #ifdef WOLF_PRIVATE_KEY_ID + if (ssl->devId != INVALID_DEVID + #ifdef HAVE_PK_CALLBACKS + || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) + #endif + ) { + WOLFSSL_MSG("Allowing no server private key (external)"); + } + else + #endif + { + WOLFSSL_MSG("accept error: server key required"); + WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); + return WOLFSSL_FATAL_ERROR; + } } } } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 6a38d0c48..6964957bc 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -19802,7 +19802,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } #endif else { - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID /* allow loading a public key for use with crypto or PK callbacks */ type = PUBLICKEY_TYPE; header = BEGIN_PUB_KEY; @@ -19926,7 +19926,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, *keyFormat = DSAk; #endif } - #if defined(WOLF_CRYPTO_CB) || defined(HAVE_PK_CALLBACKS) + #ifdef WOLF_PRIVATE_KEY_ID else if (type == PUBLICKEY_TYPE) { #ifndef NO_RSA if (header == BEGIN_RSA_PUB) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 652d5dfea..bea8af6e0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
@@ -1735,7 +1735,7 @@ WOLFSSL_LOCAL int CreateDevPrivateKey(void** pkey, byte* data, word32 length, void* heap, int devId); #endif WOLFSSL_LOCAL int DecodePrivateKey(WOLFSSL *ssl, word16* length); -#ifdef HAVE_PK_CALLBACKS +#ifdef WOLF_PRIVATE_KEY_ID WOLFSSL_LOCAL int GetPrivateKeySigSize(WOLFSSL* ssl); #ifndef NO_ASN WOLFSSL_LOCAL int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx); diff --git a/wolfssl/test.h b/wolfssl/test.h index d0abe2dfd..4edc4c312 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -3729,14 +3729,9 @@ typedef struct PkCbInfo { #ifdef TEST_PK_PRIVKEY union { #ifdef HAVE_ECC + /* only ECC PK callback with TLS v1.2 needs this */ ecc_key ecc; #endif - #ifdef HAVE_CURVE25519 - curve25519_key curve; - #endif - #ifdef HAVE_CURVE448 - curve448_key curve; - #endif } keyGen; int hasKeyGen; #endif
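Review bot: Switching this guard to `#ifdef WOLF_PRIVATE_KEY_ID` also places the `InitSigPkCb` prototype below it under the new macro, and the closing `#endif` is outside the hunk. The matching change in src/internal.c is shown only at the start of GetPrivateKeySigSize, so a build with WOLF_PRIVATE_KEY_ID but without HAVE_PK_CALLBACKS may declare functions whose definitions are still compiled out. Check that everything between this `#ifdef` and its `#endif` is defined under the same condition. Otherwise give GetPrivateKeySigSize its own `#ifdef WOLF_PRIVATE_KEY_ID` block and leave the remaining prototypes under `#ifdef HAVE_PK_CALLBACKS`.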