mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 19:54:40 +02:00
Fix issue with PSK max length by adding 1 for the null terminator on the strings and allowing up to 128 characters for the PSK. Improved the test.h example for PSK callbacks.
This commit is contained in:
David Garske
@@ -3307,8 +3307,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
|
||||
#ifndef NO_PSK
|
||||
if (ctx->server_hint[0]) { /* set in CTX */
|
||||
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,MAX_PSK_ID_LEN);
|
||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
||||
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,
|
||||
sizeof(ssl->arrays->server_hint));
|
||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||
}
|
||||
#endif /* NO_PSK */
|
||||
|
||||
@@ -15319,10 +15320,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
||||
}
|
||||
|
||||
/* get PSK server hint from the wire */
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||
srvHintLen);
|
||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
||||
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||
args->idx += length;
|
||||
break;
|
||||
}
|
||||
@@ -15497,10 +15498,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
||||
}
|
||||
|
||||
/* get PSK server hint from the wire */
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||
srvHintLen);
|
||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
||||
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||
args->idx += length;
|
||||
|
||||
/* p */
|
||||
@@ -15608,9 +15609,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
|
||||
}
|
||||
|
||||
/* get PSK server hint from the wire */
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN - 1);
|
||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen);
|
||||
ssl->arrays->server_hint[srvHintLen] = 0;
|
||||
srvHintLen = min(length, MAX_PSK_ID_LEN);
|
||||
XMEMCPY(ssl->arrays->server_hint, input + args->idx,
|
||||
srvHintLen);
|
||||
ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
|
||||
|
||||
args->idx += length;
|
||||
|
||||
@@ -21376,8 +21378,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
input + args->idx, ci_sz);
|
||||
args->idx += ci_sz;
|
||||
|
||||
ssl->arrays->client_identity[
|
||||
min(ci_sz, MAX_PSK_ID_LEN-1)] = 0;
|
||||
ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */
|
||||
ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
||||
ssl->arrays->client_identity, ssl->arrays->psk_key,
|
||||
MAX_PSK_KEY_LEN);
|
||||
@@ -21583,8 +21584,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
XMEMCPY(ssl->arrays->client_identity, input + args->idx,
|
||||
clientSz);
|
||||
args->idx += clientSz;
|
||||
ssl->arrays->client_identity[
|
||||
min(clientSz, MAX_PSK_ID_LEN-1)] = 0;
|
||||
ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
|
||||
|
||||
/* Read in the DHE business */
|
||||
if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
|
||||
@@ -21637,8 +21637,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
XMEMCPY(ssl->arrays->client_identity,
|
||||
input + args->idx, clientSz);
|
||||
args->idx += clientSz;
|
||||
ssl->arrays->client_identity[
|
||||
min(clientSz, MAX_PSK_ID_LEN-1)] = 0;
|
||||
ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
|
||||
|
||||
/* import peer ECC key */
|
||||
if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
|
||||
|
||||
@@ -9836,8 +9836,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
if (hint == 0)
|
||||
ctx->server_hint[0] = 0;
|
||||
else {
|
||||
XSTRNCPY(ctx->server_hint, hint, MAX_PSK_ID_LEN);
|
||||
ctx->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
||||
XSTRNCPY(ctx->server_hint, hint, sizeof(ctx->server_hint));
|
||||
ctx->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||
}
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
@@ -9853,8 +9853,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
if (hint == 0)
|
||||
ssl->arrays->server_hint[0] = 0;
|
||||
else {
|
||||
XSTRNCPY(ssl->arrays->server_hint, hint, MAX_PSK_ID_LEN);
|
||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
|
||||
XSTRNCPY(ssl->arrays->server_hint, hint,
|
||||
sizeof(ssl->arrays->server_hint));
|
||||
ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
|
||||
}
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1054,7 +1054,8 @@ enum Misc {
|
||||
DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */
|
||||
DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */
|
||||
|
||||
MAX_PSK_ID_LEN = 129, /* max psk identity/hint supported */
|
||||
MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */
|
||||
NULL_TERM_LEN = 1, /* length of null '\0' termination character */
|
||||
MAX_PSK_KEY_LEN = 64, /* max psk key supported */
|
||||
|
||||
MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */
|
||||
@@ -2015,7 +2016,7 @@ struct WOLFSSL_CTX {
|
||||
byte havePSK; /* psk key set by user */
|
||||
wc_psk_client_callback client_psk_cb; /* client callback */
|
||||
wc_psk_server_callback server_psk_cb; /* server callback */
|
||||
char server_hint[MAX_PSK_ID_LEN];
|
||||
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||
#endif /* NO_PSK */
|
||||
#ifdef HAVE_ANON
|
||||
byte haveAnon; /* User wants to allow Anon suites */
|
||||
@@ -2523,8 +2524,8 @@ typedef struct Arrays {
|
||||
word32 pendingMsgOffset; /* current offset into defrag buffer */
|
||||
#ifndef NO_PSK
|
||||
word32 psk_keySz; /* actual size */
|
||||
char client_identity[MAX_PSK_ID_LEN];
|
||||
char server_hint[MAX_PSK_ID_LEN];
|
||||
char client_identity[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||
char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
|
||||
byte psk_key[MAX_PSK_KEY_LEN];
|
||||
#endif
|
||||
byte clientRandom[RAN_LEN];
|
||||
|
||||
@@ -1008,6 +1008,9 @@ static INLINE void tcp_set_nonblocking(SOCKET_T* sockfd)
|
||||
|
||||
#ifndef NO_PSK
|
||||
|
||||
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
||||
static const char* kIdentityStr = "Client_identity";
|
||||
|
||||
static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
|
||||
char* identity, unsigned int id_max_len, unsigned char* key,
|
||||
unsigned int key_max_len)
|
||||
@@ -1016,9 +1019,9 @@ static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
|
||||
(void)hint;
|
||||
(void)key_max_len;
|
||||
|
||||
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
||||
strncpy(identity, "Client_identity", id_max_len);
|
||||
|
||||
/* id_max_len allows + 1 for null termination */
|
||||
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
|
||||
strncpy(identity, kIdentityStr, id_max_len + 1);
|
||||
|
||||
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
||||
unsigned binary */
|
||||
@@ -1037,8 +1040,8 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity,
|
||||
(void)ssl;
|
||||
(void)key_max_len;
|
||||
|
||||
/* identity is OpenSSL testing default for openssl s_client, keep same */
|
||||
if (strncmp(identity, "Client_identity", 15) != 0)
|
||||
/* see internal.h MAX_PSK_ID_LEN for PSK identity limit */
|
||||
if (strncmp(identity, kIdentityStr, strlen(kIdentityStr) + 1) != 0)
|
||||
return 0;
|
||||
|
||||
/* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using
|
||||
|
||||
Reference in New Issue
Block a user