From 11303ab796d0f4821f2f5aeb17fac97058504357 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 5 Mar 2024 16:54:12 -0800 Subject: [PATCH] Support for Public Key (PK) callbacks with PSK in TLS v1.2 and TLS v1.3 (client and server). ZD 17383 --- src/internal.c | 153 ++++++++++++++++++++++++++----------------------- src/tls.c | 62 ++++++++++---------- src/tls13.c | 39 +++++++------ wolfssl/test.h | 65 ++++++++++++++++----- 4 files changed, 182 insertions(+), 137 deletions(-) diff --git a/src/internal.c b/src/internal.c index 157e44749..d889f3370 100644 --- a/src/internal.c +++ b/src/internal.c @@ -31464,23 +31464,13 @@ int SendClientKeyExchange(WOLFSSL* ssl) case psk_kea: { byte* pms = ssl->arrays->preMasterSecret; - int cbret = (int)ssl->options.client_psk_cb(ssl, + ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, ssl->arrays->server_hint, ssl->arrays->client_identity, MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); - - if (cbret == 0 || cbret > MAX_PSK_KEY_LEN) { - if (cbret != USE_HW_PSK) { - ERROR_OUT(PSK_KEY_ERROR, exit_scke); - } - } - - if (cbret == USE_HW_PSK) { - /* USE_HW_PSK indicates that the hardware has the PSK - * and generates the premaster secret. */ - ssl->arrays->psk_keySz = 0; - } - else { - ssl->arrays->psk_keySz = (word32)cbret; + if (ssl->arrays->psk_keySz == 0 || + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { + ERROR_OUT(PSK_KEY_ERROR, exit_scke); } /* Ensure the buffer is null-terminated. */ @@ -31492,7 +31482,7 @@ int SendClientKeyExchange(WOLFSSL* ssl) XMEMCPY(args->encSecret, ssl->arrays->client_identity, args->encSz); ssl->options.peerAuthGood = 1; - if (cbret != USE_HW_PSK) { + if ((int)ssl->arrays->psk_keySz > 0) { /* CLIENT: Pre-shared Key for peer authentication. */ /* make psk pre master secret */ @@ -31508,8 +31498,8 @@ int SendClientKeyExchange(WOLFSSL* ssl) ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2) + (2 * OPAQUE16_LEN); ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->psk_keySz = 0; /* No further need */ } + ssl->arrays->psk_keySz = 0; /* No further need */ break; } #endif /* !NO_PSK */ @@ -31520,12 +31510,14 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->output = args->encSecret; ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); + ssl->arrays->server_hint, ssl->arrays->client_identity, + MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { ERROR_OUT(PSK_KEY_ERROR, exit_scke); } + ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */ esSz = (word32)XSTRLEN(ssl->arrays->client_identity); @@ -31601,12 +31593,14 @@ int SendClientKeyExchange(WOLFSSL* ssl) /* Send PSK client identity */ ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, - ssl->arrays->server_hint, ssl->arrays->client_identity, - MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); + ssl->arrays->server_hint, ssl->arrays->client_identity, + MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { ERROR_OUT(PSK_KEY_ERROR, exit_scke); } + ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */ esSz = (word32)XSTRLEN(ssl->arrays->client_identity); if (esSz > MAX_PSK_ID_LEN) { @@ -31626,7 +31620,7 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->length = MAX_ENCRYPT_SZ; /* Create shared ECC key leaving room at the beginning - of buffer for size of shared key. */ + * of buffer for size of shared key. */ ssl->arrays->preMasterSz = ENCRYPT_LEN - OPAQUE16_LEN; #ifdef HAVE_CURVE25519 @@ -32017,13 +32011,15 @@ int SendClientKeyExchange(WOLFSSL* ssl) pms += ssl->arrays->preMasterSz; /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + if ((int)ssl->arrays->psk_keySz > 0) { + /* length of key + length 0s + length of key + key */ + c16toa((word16)ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ssl->arrays->preMasterSz += + ssl->arrays->psk_keySz + OPAQUE16_LEN; + ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + } ssl->arrays->psk_keySz = 0; /* No further need */ break; } @@ -32044,18 +32040,19 @@ int SendClientKeyExchange(WOLFSSL* ssl) args->encSz += args->length + OPAQUE8_LEN; /* Create pre master secret is the concatenation of - eccSize + eccSharedKey + pskSize + pskKey */ + * eccSize + eccSharedKey + pskSize + pskKey */ c16toa((word16)ssl->arrays->preMasterSz, pms); ssl->arrays->preMasterSz += OPAQUE16_LEN; pms += ssl->arrays->preMasterSz; - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; + if ((int)ssl->arrays->psk_keySz > 0) { + c16toa((word16)ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + OPAQUE16_LEN; - ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + } ssl->arrays->psk_keySz = 0; /* No further need */ break; } @@ -38691,31 +38688,35 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - #if defined(WOLFSSL_EXTRA_ALERTS) || \ - defined(WOLFSSL_PSK_IDENTITY_ALERT) - SendAlert(ssl, alert_fatal, - unknown_psk_identity); - #endif + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { + #if defined(WOLFSSL_EXTRA_ALERTS) || \ + defined(WOLFSSL_PSK_IDENTITY_ALERT) + SendAlert(ssl, alert_fatal, + unknown_psk_identity); + #endif ERROR_OUT(PSK_KEY_ERROR, exit_dcke); } /* SERVER: Pre-shared Key for peer authentication. */ ssl->options.peerAuthGood = 1; /* make psk pre master secret */ - /* length of key + length 0s + length of key + key */ - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; + if ((int)ssl->arrays->psk_keySz > 0) { + /* length of key + length 0s + length of key + key */ + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; - XMEMSET(pms, 0, ssl->arrays->psk_keySz); - pms += ssl->arrays->psk_keySz; + XMEMSET(pms, 0, ssl->arrays->psk_keySz); + pms += ssl->arrays->psk_keySz; - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz = - (ssl->arrays->psk_keySz * 2) + (OPAQUE16_LEN * 2); + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2) + + (OPAQUE16_LEN * 2); + } + ssl->arrays->psk_keySz = 0; /* no further need */ break; } #endif /* !NO_PSK */ @@ -39530,24 +39531,27 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - #if defined(WOLFSSL_EXTRA_ALERTS) || \ - defined(WOLFSSL_PSK_IDENTITY_ALERT) - SendAlert(ssl, alert_fatal, - unknown_psk_identity); - #endif + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { + #if defined(WOLFSSL_EXTRA_ALERTS) || \ + defined(WOLFSSL_PSK_IDENTITY_ALERT) + SendAlert(ssl, alert_fatal, + unknown_psk_identity); + #endif ERROR_OUT(PSK_KEY_ERROR, exit_dcke); } /* SERVER: Pre-shared Key for peer authentication. */ ssl->options.peerAuthGood = 1; - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; + if ((int)ssl->arrays->psk_keySz > 0) { + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; - XMEMCPY(pms, ssl->arrays->psk_key, - ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + - OPAQUE16_LEN; + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + OPAQUE16_LEN; + ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + } + ssl->arrays->psk_keySz = 0; /* no further need */ break; } #endif /* !NO_DH && !NO_PSK */ @@ -39573,18 +39577,21 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { ERROR_OUT(PSK_KEY_ERROR, exit_dcke); } /* SERVER: Pre-shared Key for peer authentication. */ ssl->options.peerAuthGood = 1; + if ((int)ssl->arrays->psk_keySz > 0) { + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; - c16toa((word16) ssl->arrays->psk_keySz, pms); - pms += OPAQUE16_LEN; - - XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); - ssl->arrays->preMasterSz += - ssl->arrays->psk_keySz + OPAQUE16_LEN; + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); + ssl->arrays->preMasterSz += ssl->arrays->psk_keySz + OPAQUE16_LEN; + ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz); + } + ssl->arrays->psk_keySz = 0; /* no further need */ break; } #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */ diff --git a/src/tls.c b/src/tls.c index 57d0cc39f..65387dc6a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -13327,7 +13327,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) else #endif if (ssl->options.client_psk_cb != NULL || - ssl->options.client_psk_tls13_cb != NULL) { + ssl->options.client_psk_tls13_cb != NULL) { /* Default cipher suite. */ byte cipherSuite0 = TLS13_BYTE; byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; @@ -13349,42 +13349,38 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) ssl->arrays->server_hint, ssl->arrays->client_identity, MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); } - #if defined(OPENSSL_EXTRA) - /* OpenSSL treats 0 as a PSK key length of 0 - * and meaning no PSK available. - */ - if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - return PSK_KEY_ERROR; + if ( + #ifndef OPENSSL_EXTRA + /* OpenSSL treats a PSK key length of 0 + * to indicate no PSK available. + */ + ssl->arrays->psk_keySz == 0 || + #endif + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { + ret = PSK_KEY_ERROR; } - if (ssl->arrays->psk_keySz > 0) { - #else - if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { - return PSK_KEY_ERROR; - } - #endif - ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; + else { + ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; - ssl->options.cipherSuite0 = cipherSuite0; - ssl->options.cipherSuite = cipherSuite; - (void)cipherSuiteFlags; - ret = SetCipherSpecs(ssl); + ssl->options.cipherSuite0 = cipherSuite0; + ssl->options.cipherSuite = cipherSuite; + (void)cipherSuiteFlags; + ret = SetCipherSpecs(ssl); + if (ret == 0) { + ret = TLSX_PreSharedKey_Use( + &ssl->extensions, + (byte*)ssl->arrays->client_identity, + (word16)XSTRLEN(ssl->arrays->client_identity), + 0, ssl->specs.mac_algorithm, + cipherSuite0, cipherSuite, 0, + NULL, ssl->heap); + } + if (ret == 0) + usingPSK = 1; + } if (ret != 0) return ret; - - ret = TLSX_PreSharedKey_Use(&ssl->extensions, - (byte*)ssl->arrays->client_identity, - (word16)XSTRLEN(ssl->arrays->client_identity), - 0, ssl->specs.mac_algorithm, - cipherSuite0, cipherSuite, 0, - NULL, ssl->heap); - if (ret != 0) - return ret; - - usingPSK = 1; - #if defined(OPENSSL_EXTRA) - } - #endif } #endif /* !NO_PSK */ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) diff --git a/src/tls13.c b/src/tls13.c index cb27926d0..7b7e429b0 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1118,6 +1118,12 @@ static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, ret = cb(prk, salt, saltLen, ikm, ikmLen, digest, cb_ctx); } else +#endif +#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) + if ((int)ssl->arrays->psk_keySz < 0) { + ret = PSK_KEY_ERROR; + } + else #endif { #if !defined(HAVE_FIPS) || \ @@ -3934,7 +3940,8 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello) ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER; } if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { + (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && + (int)ssl->arrays->psk_keySz != USE_HW_PSK)) { WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); return PSK_KEY_ERROR; } @@ -3947,7 +3954,7 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello) #endif /* !WOLFSSL_PSK_ONE_ID */ if (!clientHello && (psk->cipherSuite0 != suite[0] || - psk->cipherSuite != suite[1])) { + psk->cipherSuite != suite[1])) { WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); return PSK_KEY_ERROR; } @@ -5830,7 +5837,8 @@ int FindPskSuite(const WOLFSSL* ssl, PreSharedKey* psk, byte* psk_key, *found = (*psk_keySz != 0); } if (*found) { - if (*psk_keySz > MAX_PSK_KEY_LEN) { + if (*psk_keySz > MAX_PSK_KEY_LEN && + *((int*)psk_keySz) != USE_HW_PSK) { WOLFSSL_MSG("Key len too long in FindPsk()"); ret = PSK_KEY_ERROR; WOLFSSL_ERROR_VERBOSE(ret); @@ -5885,29 +5893,27 @@ static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, const byte* suite, int* err) ret = FindPskSuite(ssl, psk, ssl->arrays->psk_key, &ssl->arrays->psk_keySz, suite, &found, foundSuite); if (ret == 0 && found) { - if ((ret == 0) && found) { - /* Default to ciphersuite if cb doesn't specify. */ - ssl->options.resuming = 0; - /* Don't send certificate request when using PSK. */ - ssl->options.verifyPeer = 0; + /* Default to ciphersuite if cb doesn't specify. */ + ssl->options.resuming = 0; + /* Don't send certificate request when using PSK. */ + ssl->options.verifyPeer = 0; - /* PSK age is always zero. */ - if (psk->ticketAge != 0) { - ret = PSK_KEY_ERROR; - WOLFSSL_ERROR_VERBOSE(ret); - } + /* PSK age is always zero. */ + if (psk->ticketAge != 0) { + ret = PSK_KEY_ERROR; + WOLFSSL_ERROR_VERBOSE(ret); } - if ((ret == 0) && found) { + if (ret == 0) { /* Set PSK ciphersuite into SSL. */ ssl->options.cipherSuite0 = foundSuite[0]; ssl->options.cipherSuite = foundSuite[1]; ret = SetCipherSpecs(ssl); } - if ((ret == 0) && found) { + if (ret == 0) { /* Derive the early secret using the PSK. */ ret = DeriveEarlySecret(ssl); } - if ((ret == 0) && found) { + if (ret == 0) { /* PSK negotiation has succeeded */ ssl->options.isPSK = 1; /* SERVER: using PSK for peer authentication. */ @@ -7126,6 +7132,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef HAVE_SESSION_TICKET if (ssl->options.resuming) { ssl->options.resuming = 0; + ssl->arrays->psk_keySz = 0; XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size); } #endif diff --git a/wolfssl/test.h b/wolfssl/test.h index 52ec4921a..d0b961a83 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -289,6 +289,14 @@ #endif #endif + +#if defined(DEBUG_PK_CB) || defined(TEST_PK_PRIVKEY) || defined(TEST_PK_PSK) + #define WOLFSSL_PKMSG(...) printf(__VA_ARGS__) +#else + #define WOLFSSL_PKMSG(...) WC_DO_NOTHING +#endif + + #ifndef MY_EX_USAGE #define MY_EX_USAGE 2 #endif @@ -1807,7 +1815,6 @@ static WC_INLINE void tcp_set_blocking(SOCKET_T* sockfd) #endif } - #ifndef NO_PSK /* identity is OpenSSL testing default for openssl s_client, keep same */ @@ -1817,6 +1824,8 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint, char* identity, unsigned int id_max_len, unsigned char* key, unsigned int key_max_len) { + unsigned int ret; + (void)ssl; (void)hint; (void)key_max_len; @@ -1826,13 +1835,13 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint, if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) { /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using - unsigned binary */ + * unsigned binary */ key[0] = 0x1a; key[1] = 0x2b; key[2] = 0x3c; key[3] = 0x4d; - return 4; /* length of key in octets or 0 for error */ + ret = 4; /* length of key in octets or 0 for error */ } else { int i; @@ -1844,14 +1853,23 @@ static WC_INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint, key[i] = b; } - return 32; /* length of key in octets or 0 for error */ + ret = 32; /* length of key in octets or 0 for error */ } + +#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PSK) + WOLFSSL_PKMSG("PSK Client using HW (Len %d, Hint %s)\n", ret, hint); + ret = (unsigned int)USE_HW_PSK; +#endif + + return ret; } static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity, unsigned char* key, unsigned int key_max_len) { + unsigned int ret; + (void)ssl; (void)key_max_len; @@ -1861,13 +1879,13 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit if (wolfSSL_GetVersion(ssl) < WOLFSSL_TLSV1_3) { /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using - unsigned binary */ + * unsigned binary */ key[0] = 0x1a; key[1] = 0x2b; key[2] = 0x3c; key[3] = 0x4d; - return 4; /* length of key in octets or 0 for error */ + ret = 4; /* length of key in octets or 0 for error */ } else { int i; @@ -1879,8 +1897,14 @@ static WC_INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identit key[i] = b; } - return 32; /* length of key in octets or 0 for error */ + ret = 32; /* length of key in octets or 0 for error */ } +#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PSK) + WOLFSSL_PKMSG("PSK Server using HW (Len %d, Hint %s)\n", ret, identity); + ret = (unsigned int)USE_HW_PSK; +#endif + + return ret; } #ifdef WOLFSSL_TLS13 @@ -1888,6 +1912,7 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl, const char* hint, char* identity, unsigned int id_max_len, unsigned char* key, unsigned int key_max_len, const char** ciphersuite) { + unsigned int ret; int i; int b = 0x01; const char* userCipher = (const char*)wolfSSL_get_psk_callback_ctx(ssl); @@ -1907,7 +1932,14 @@ static WC_INLINE unsigned int my_psk_client_tls13_cb(WOLFSSL* ssl, *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256"; - return 32; /* length of key in octets or 0 for error */ + ret = 32; /* length of key in octets or 0 for error */ + +#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PSK) + WOLFSSL_PKMSG("PSK Client TLS 1.3 using HW (Len %d, Hint %s)\n", ret, hint); + ret = (unsigned int)USE_HW_PSK; +#endif + + return ret; } @@ -1915,6 +1947,7 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl, const char* identity, unsigned char* key, unsigned int key_max_len, const char** ciphersuite) { + unsigned int ret; int i; int b = 0x01; int kIdLen = (int)XSTRLEN(kIdentityStr); @@ -1938,7 +1971,15 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl, *ciphersuite = userCipher ? userCipher : "TLS13-AES128-GCM-SHA256"; - return 32; /* length of key in octets or 0 for error */ + ret = 32; /* length of key in octets or 0 for error */ + +#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PSK) + WOLFSSL_PKMSG("PSK Server TLS 1.3 using HW (Len %d, Hint %s)\n", + ret, identity); + ret = (unsigned int)USE_HW_PSK; +#endif + + return ret; } #endif @@ -3086,12 +3127,6 @@ typedef struct PkCbInfo { #endif } PkCbInfo; -#if defined(DEBUG_PK_CB) || defined(TEST_PK_PRIVKEY) - #define WOLFSSL_PKMSG(...) printf(__VA_ARGS__) -#else - #define WOLFSSL_PKMSG(...) WC_DO_NOTHING -#endif - #ifdef HAVE_ECC static WC_INLINE int myEccKeyGen(WOLFSSL* ssl, ecc_key* key, word32 keySz,