author | Matt Caswell <matt@openssl.org> | 2017-06-12 19:12:13 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-06-21 14:45:35 +0100 |
commit | 5ffff5990caa42b8a2d55fc70e23edbe9397e4cb (patch) | |
tree | 190ddc4604aabc4fd9331ceef0208cea5fdf1fc0 /apps/s_server.c | |
parent | 5a43d5119eca14838759913d7235d450a5c1a2ed (diff) |
Add the ability to set a TLSv1.3 PSK via just the key bytes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/apps/s_server.c b/apps/s_server.c
index 20d2497e7b..d5e226ad7d 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -179,15 +179,55 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
 }
 #endif
+#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
+#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
+
 static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
 size_t identity_len, SSL_SESSION **sess)
 {
+ SSL_SESSION *tmpsess = NULL;
+ unsigned char *key;
+ long key_len;
+ const SSL_CIPHER *cipher = NULL;
+
 if (strlen(psk_identity) != identity_len
 || memcmp(psk_identity, identity, identity_len) != 0)
 return 0;
- SSL_SESSION_up_ref(psksess);
- *sess = psksess;
+ if (psksess != NULL) {
+ SSL_SESSION_up_ref(psksess);
+ *sess = psksess;
+ return 1;
+ }
+
+ key = OPENSSL_hexstr2buf(psk_key, &key_len);
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
+ psk_key);
+ return 0;
+ }
+
+ if (key_len == EVP_MD_size(EVP_sha256()))
+ cipher = SSL_CIPHER_find(ssl, TLS13_AES_128_GCM_SHA256_BYTES);
+ else if(key_len == EVP_MD_size(EVP_sha384()))
+ cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
+
+ if (cipher == NULL) {
+ /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
+ OPENSSL_free(key);
+ return 0;
+ }
+
+ tmpsess = SSL_SESSION_new();
+ if (tmpsess == NULL
+ || !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
+ || !SSL_SESSION_set_cipher(tmpsess, cipher)
+ || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
+ OPENSSL_free(key);
+ return 0;
+ }
+ OPENSSL_free(key);
+ *sess = tmpsess;
 return 1;
 }
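Review bot: The failure branch after `SSL_SESSION_new()` in psk_find_session_cb leaks `tmpsess` whenever one of the three setters fails, because it frees only `key`; add `SSL_SESSION_free(tmpsess);` before that `OPENSSL_free(key);` (it is a no-op on NULL). The decoded PSK is also released with plain `OPENSSL_free(key)` in three places, which leaves the key bytes in freed heap memory; `OPENSSL_clear_free(key, key_len);` would wipe them first. Separately, the `BIO_printf` on decode failure echoes the configured `psk_key` to `bio_err`, so the message is better written without the `'%s'` argument.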
@@ -1974,9 +2014,12 @@ int s_server_main(int argc, char *argv[])
 ERR_print_errors(bio_err);
 goto end;
 }
- SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
+
 }
+ if (psk_key != NULL || psksess != NULL)
+ SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
+
 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
 if (!SSL_CTX_set_session_id_context(ctx,
 (void *)&s_server_session_id_context, |
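Review bot: A malformed `psk_key` is not caught at this point, because registration is gated only on `psk_key != NULL || psksess != NULL` and the hex decode happens inside psk_find_session_cb. The bad value therefore surfaces on every handshake rather than once at startup. Decoding it once before this `if` and leaving through the existing `goto end` path would report the mistake up front; the sketch below shows that check. s_server_main starts and ends outside the hunk.

```c
    if (psk_key != NULL) {
        long chk_len;
        unsigned char *chk = OPENSSL_hexstr2buf(psk_key, &chk_len);

        if (chk == NULL) {
            BIO_printf(bio_err, "Could not convert PSK key to buffer\n");
            goto end;
        }
        /* Only the format is checked here; wipe the decoded copy. */
        OPENSSL_clear_free(chk, chk_len);
    }
    /* … unchanged: the psk_key/psksess test and callback registration … */
```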