mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-02 04:04:39 +02:00
Merge pull request #870 from kaleb-himes/PSK-UPDATE
Update PSK identity length per RFC 4279 - section 5.3
This commit is contained in:
toddouska
GitHub
@@ -3307,8 +3307,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
|||||||
|
|
||||||
#ifndef NO_PSK
|
#ifndef NO_PSK
|
||||||
if (ctx->server_hint[0]) { /* set in CTX */
|
if (ctx->server_hint[0]) { /* set in CTX */
|
||||||
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,MAX_PSK_ID_LEN);
|
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,
|
||||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
sizeof(ssl->arrays->server_hint));
|
||||||
|
ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
}
|
}
|
||||||
#endif /* NO_PSK */
|
#endif /* NO_PSK */
|
||||||
|
|
||||||
@@ -15312,10 +15313,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* get PSK server hint from the wire */
|
/* get PSK server hint from the wire */
|
||||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||||
srvHintLen);
|
srvHintLen);
|
||||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||||
args->idx += length;
|
args->idx += length;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -15490,10 +15491,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* get PSK server hint from the wire */
|
/* get PSK server hint from the wire */
|
||||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||||
srvHintLen);
|
srvHintLen);
|
||||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||||
args->idx += length;
|
args->idx += length;
|
||||||
|
|
||||||
/* p */
|
/* p */
|
||||||
@@ -15601,9 +15602,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* get PSK server hint from the wire */
|
/* get PSK server hint from the wire */
|
||||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen);
|
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
srvHintLen);
|
||||||
|
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||||
|
|
||||||
args->idx += length;
|
args->idx += length;
|
||||||
|
|
||||||
@@ -16768,6 +16770,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
|
|||||||
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
||||||
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
||||||
}
|
}
|
||||||
|
ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
||||||
if (args->encSz > MAX_PSK_ID_LEN) {
|
if (args->encSz > MAX_PSK_ID_LEN) {
|
||||||
ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
|
ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
|
||||||
@@ -16804,6 +16807,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
|
|||||||
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
||||||
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
||||||
}
|
}
|
||||||
|
ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
||||||
|
|
||||||
if (esSz > MAX_PSK_ID_LEN) {
|
if (esSz > MAX_PSK_ID_LEN) {
|
||||||
@@ -16861,7 +16865,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
|
|||||||
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
||||||
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
ERROR_OUT(PSK_KEY_ERROR, exit_scke);
|
||||||
}
|
}
|
||||||
|
ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
|
||||||
if (esSz > MAX_PSK_ID_LEN) {
|
if (esSz > MAX_PSK_ID_LEN) {
|
||||||
ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
|
ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
|
||||||
@@ -21364,8 +21368,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
input + args->idx, ci_sz);
|
input + args->idx, ci_sz);
|
||||||
args->idx += ci_sz;
|
args->idx += ci_sz;
|
||||||
|
|
||||||
ssl->arrays->client_identity[
|
ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */
|
||||||
min(ci_sz, MAX_PSK_ID_LEN-1)] = 0;
|
|
||||||
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
||||||
ssl->arrays->client_identity, ssl->arrays->psk_key,
|
ssl->arrays->client_identity, ssl->arrays->psk_key,
|
||||||
MAX_PSK_KEY_LEN);
|
MAX_PSK_KEY_LEN);
|
||||||
@@ -21571,8 +21574,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
XMEMCPY(ssl->arrays->client_identity, input + args->idx,
|
XMEMCPY(ssl->arrays->client_identity, input + args->idx,
|
||||||
clientSz);
|
clientSz);
|
||||||
args->idx += clientSz;
|
args->idx += clientSz;
|
||||||
ssl->arrays->client_identity[
|
ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
|
||||||
min(clientSz, MAX_PSK_ID_LEN-1)] = 0;
|
|
||||||
|
|
||||||
/* Read in the DHE business */
|
/* Read in the DHE business */
|
||||||
if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
|
if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
|
||||||
@@ -21625,8 +21627,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
XMEMCPY(ssl->arrays->client_identity,
|
XMEMCPY(ssl->arrays->client_identity,
|
||||||
input + args->idx, clientSz);
|
input + args->idx, clientSz);
|
||||||
args->idx += clientSz;
|
args->idx += clientSz;
|
||||||
ssl->arrays->client_identity[
|
ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
|
||||||
min(clientSz, MAX_PSK_ID_LEN-1)] = 0;
|
|
||||||
|
|
||||||
/* import peer ECC key */
|
/* import peer ECC key */
|
||||||
if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
|
if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
|
||||||
|
|||||||
@@ -9839,8 +9839,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
if (hint == 0)
|
if (hint == 0)
|
||||||
ctx->server_hint[0] = 0;
|
ctx->server_hint[0] = 0;
|
||||||
else {
|
else {
|
||||||
XSTRNCPY(ctx->server_hint, hint, MAX_PSK_ID_LEN);
|
XSTRNCPY(ctx->server_hint, hint, sizeof(ctx->server_hint));
|
||||||
ctx->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
ctx->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
}
|
}
|
||||||
return SSL_SUCCESS;
|
return SSL_SUCCESS;
|
||||||
}
|
}
|
||||||
@@ -9856,8 +9856,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
if (hint == 0)
|
if (hint == 0)
|
||||||
ssl->arrays->server_hint[0] = 0;
|
ssl->arrays->server_hint[0] = 0;
|
||||||
else {
|
else {
|
||||||
XSTRNCPY(ssl->arrays->server_hint, hint, MAX_PSK_ID_LEN);
|
XSTRNCPY(ssl->arrays->server_hint, hint,
|
||||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
sizeof(ssl->arrays->server_hint));
|
||||||
|
ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||||
}
|
}
|
||||||
return SSL_SUCCESS;
|
return SSL_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1055,6 +1055,7 @@ enum Misc {
|
|||||||
DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */
|
DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */
|
||||||
|
|
||||||
MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */
|
MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */
|
||||||
|
NULL_TERM_LEN = 1, /* length of null '\0' termination character */
|
||||||
MAX_PSK_KEY_LEN = 64, /* max psk key supported */
|
MAX_PSK_KEY_LEN = 64, /* max psk key supported */
|
||||||
|
|
||||||
MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */
|
MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */
|
||||||
@@ -2015,7 +2016,7 @@ struct WOLFSSL_CTX {
|
|||||||
byte havePSK; /* psk key set by user */
|
byte havePSK; /* psk key set by user */
|
||||||
wc_psk_client_callback client_psk_cb; /* client callback */
|
wc_psk_client_callback client_psk_cb; /* client callback */
|
||||||
wc_psk_server_callback server_psk_cb; /* server callback */
|
wc_psk_server_callback server_psk_cb; /* server callback */
|
||||||
char server_hint[MAX_PSK_ID_LEN];
|
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||||
#endif /* NO_PSK */
|
#endif /* NO_PSK */
|
||||||
#ifdef HAVE_ANON
|
#ifdef HAVE_ANON
|
||||||
byte haveAnon; /* User wants to allow Anon suites */
|
byte haveAnon; /* User wants to allow Anon suites */
|
||||||
@@ -2523,8 +2524,8 @@ typedef struct Arrays {
|
|||||||
word32 pendingMsgOffset; /* current offset into defrag buffer */
|
word32 pendingMsgOffset; /* current offset into defrag buffer */
|
||||||
#ifndef NO_PSK
|
#ifndef NO_PSK
|
||||||
word32 psk_keySz; /* actual size */
|
word32 psk_keySz; /* actual size */
|
||||||
char client_identity[MAX_PSK_ID_LEN];
|
char client_identity[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||||
char server_hint[MAX_PSK_ID_LEN];
|
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||||
byte psk_key[MAX_PSK_KEY_LEN];
|
byte psk_key[MAX_PSK_KEY_LEN];
|
||||||
#endif
|
#endif
|
||||||
byte clientRandom[RAN_LEN];
|
byte clientRandom[RAN_LEN];
|
||||||
|
|||||||
@@ -1008,6 +1008,9 @@ static INLINE void tcp_set_nonblocking(SOCKET_T* sockfd)
|
|||||||
|
|
||||||
#ifndef NO_PSK
|
#ifndef NO_PSK
|
||||||
|
|
||||||
|
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
||||||
|
static const char* kIdentityStr = "Client_identity";
|
||||||
|
|
||||||
static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
|
static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
|
||||||
char* identity, unsigned int id_max_len, unsigned char* key,
|
char* identity, unsigned int id_max_len, unsigned char* key,
|
||||||
unsigned int key_max_len)
|
unsigned int key_max_len)
|
||||||
@@ -1016,9 +1019,8 @@ static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
|
|||||||
(void)hint;
|
(void)hint;
|
||||||
(void)key_max_len;
|
(void)key_max_len;
|
||||||
|
|
||||||
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
|
||||||
strncpy(identity, "Client_identity", id_max_len);
|
strncpy(identity, kIdentityStr, id_max_len);
|
||||||
|
|
||||||
|
|
||||||
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
||||||
unsigned binary */
|
unsigned binary */
|
||||||
@@ -1037,8 +1039,8 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity,
|
|||||||
(void)ssl;
|
(void)ssl;
|
||||||
(void)key_max_len;
|
(void)key_max_len;
|
||||||
|
|
||||||
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
|
||||||
if (strncmp(identity, "Client_identity", 15) != 0)
|
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr)) != 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
||||||
|
|||||||
Reference in New Issue
Block a user