- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS
This commit is contained in:
parent
321df6fb80
commit
eb2c658163
@ -40,6 +40,8 @@ Changes
|
||||
POLARSSL_MODE_CFB, to also handle different block size CFB modes.
|
||||
* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
|
||||
* Revamped session resumption handling
|
||||
* Generalized external private key implementation handling (like PKCS#11)
|
||||
in SSL/TLS
|
||||
|
||||
Bugfix
|
||||
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
||||
|
@ -612,7 +612,7 @@
|
||||
/**
|
||||
* \def POLARSSL_PKCS11_C
|
||||
*
|
||||
* Enable support for PKCS#11 smartcard support.
|
||||
* Enable wrapper for PKCS#11 smartcard support.
|
||||
*
|
||||
* Module: library/ssl_srv.c
|
||||
* Caller: library/ssl_cli.c
|
||||
@ -620,7 +620,7 @@
|
||||
*
|
||||
* Requires: POLARSSL_SSL_TLS_C
|
||||
*
|
||||
* This module is required for SSL/TLS PKCS #11 smartcard support.
|
||||
* This module enables SSL/TLS PKCS #11 smartcard support.
|
||||
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
|
||||
#define POLARSSL_PKCS11_C
|
||||
*/
|
||||
|
@ -37,6 +37,14 @@
|
||||
|
||||
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
|
||||
|
||||
#if defined(_MSC_VER) && !defined(inline)
|
||||
#define inline _inline
|
||||
#else
|
||||
#if defined(__ARMCC_VERSION) && !defined(inline)
|
||||
#define inline __inline
|
||||
#endif /* __ARMCC_VERSION */
|
||||
#endif /*_MSC_VER */
|
||||
|
||||
/**
|
||||
* Context for PKCS #11 private keys.
|
||||
*/
|
||||
@ -121,6 +129,33 @@ int pkcs11_sign( pkcs11_context *ctx,
|
||||
const unsigned char *hash,
|
||||
unsigned char *sig );
|
||||
|
||||
/**
|
||||
* SSL/TLS wrappers for PKCS#11 functions
|
||||
*/
|
||||
static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
|
||||
const unsigned char *input, unsigned char *output,
|
||||
unsigned int output_max_len )
|
||||
{
|
||||
return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
|
||||
output_max_len );
|
||||
}
|
||||
|
||||
static inline int ssl_pkcs11_sign( void *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int mode, int hash_id, unsigned int hashlen,
|
||||
const unsigned char *hash, unsigned char *sig )
|
||||
{
|
||||
((void) f_rng);
|
||||
((void) p_rng);
|
||||
return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
|
||||
hashlen, hash, sig );
|
||||
}
|
||||
|
||||
static inline size_t ssl_pkcs11_key_len( void *ctx )
|
||||
{
|
||||
return ( (pkcs11_context *) ctx )->len;
|
||||
}
|
||||
|
||||
#endif /* POLARSSL_PKCS11_C */
|
||||
|
||||
#endif /* POLARSSL_PKCS11_H */
|
||||
|
@ -42,10 +42,6 @@
|
||||
#include "dhm.h"
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
#include "pkcs11.h"
|
||||
#endif
|
||||
|
||||
#if defined(POLARSSL_ZLIB_SUPPORT)
|
||||
#include "zlib.h"
|
||||
#endif
|
||||
@ -253,6 +249,20 @@
|
||||
|
||||
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01
|
||||
|
||||
|
||||
/*
|
||||
* Generic function pointers for allowing external RSA private key
|
||||
* implementations.
|
||||
*/
|
||||
typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
|
||||
const unsigned char *input, unsigned char *output,
|
||||
size_t output_max_len );
|
||||
typedef int (*rsa_sign_func)( void *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int mode, int hash_id, unsigned int hashlen,
|
||||
const unsigned char *hash, unsigned char *sig );
|
||||
typedef size_t (*rsa_key_len_func)( void *ctx );
|
||||
|
||||
/*
|
||||
* SSL state machine
|
||||
*/
|
||||
@ -446,10 +456,11 @@ struct _ssl_context
|
||||
/*
|
||||
* PKI layer
|
||||
*/
|
||||
rsa_context *rsa_key; /*!< own RSA private key */
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
pkcs11_context *pkcs11_key; /*!< own PKCS#11 RSA private key */
|
||||
#endif
|
||||
void *rsa_key; /*!< own RSA private key */
|
||||
rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
|
||||
rsa_sign_func rsa_sign; /*!< function for RSA sign */
|
||||
rsa_key_len_func rsa_key_len; /*!< function for RSA key len*/
|
||||
|
||||
x509_cert *own_cert; /*!< own X.509 certificate */
|
||||
x509_cert *ca_chain; /*!< own trusted CA chain */
|
||||
x509_crl *ca_crl; /*!< trusted CA CRLs */
|
||||
@ -722,17 +733,26 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
|
||||
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
|
||||
rsa_context *rsa_key );
|
||||
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
/**
|
||||
* \brief Set own certificate and PKCS#11 private key
|
||||
* \brief Set own certificate and alternate non-PolarSSL private
|
||||
* key and handling callbacks, such as the PKCS#11 wrappers
|
||||
* or any other external private key handler.
|
||||
* (see the respective RSA functions in rsa.h for documentation
|
||||
* of the callback parameters, with the only change being
|
||||
* that the rsa_context * is a void * in the callbacks)
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param own_cert own public certificate
|
||||
* \param pkcs11_key own PKCS#11 RSA key
|
||||
* \param rsa_key alternate implementation private RSA key
|
||||
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
|
||||
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
|
||||
* \param rsa_key_len_func function returning length of RSA key in bytes
|
||||
*/
|
||||
void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
|
||||
pkcs11_context *pkcs11_key );
|
||||
#endif
|
||||
void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
|
||||
void *rsa_key,
|
||||
rsa_decrypt_func rsa_decrypt,
|
||||
rsa_sign_func rsa_sign,
|
||||
rsa_key_len_func rsa_key_len );
|
||||
|
||||
#if defined(POLARSSL_DHM_C)
|
||||
/**
|
||||
|
@ -30,10 +30,6 @@
|
||||
#include "polarssl/debug.h"
|
||||
#include "polarssl/ssl.h"
|
||||
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
#include "polarssl/pkcs11.h"
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
@ -1115,15 +1111,8 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
|
||||
|
||||
if( ssl->rsa_key == NULL )
|
||||
{
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
if( ssl->pkcs11_key == NULL )
|
||||
{
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
}
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1132,11 +1121,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
|
||||
ssl->handshake->calc_verify( ssl, hash );
|
||||
|
||||
if ( ssl->rsa_key )
|
||||
n = ssl->rsa_key->len;
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
else
|
||||
n = ssl->pkcs11_key->len;
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
n = ssl->rsa_key_len ( ssl->rsa_key );
|
||||
|
||||
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
|
||||
{
|
||||
@ -1164,14 +1149,9 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
|
||||
|
||||
if( ssl->rsa_key )
|
||||
{
|
||||
ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
|
||||
RSA_PRIVATE, hash_id,
|
||||
hashlen, hash, ssl->out_msg + 6 + offset );
|
||||
} else {
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, hash_id,
|
||||
hashlen, hash, ssl->out_msg + 6 + offset );
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
|
||||
RSA_PRIVATE, hash_id,
|
||||
hashlen, hash, ssl->out_msg + 6 + offset );
|
||||
}
|
||||
|
||||
if (ret != 0)
|
||||
|
@ -30,10 +30,6 @@
|
||||
#include "polarssl/debug.h"
|
||||
#include "polarssl/ssl.h"
|
||||
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
#include "polarssl/pkcs11.h"
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
@ -644,15 +640,8 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
|
||||
|
||||
if( ssl->rsa_key == NULL )
|
||||
{
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
if( ssl->pkcs11_key == NULL )
|
||||
{
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
}
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -738,11 +727,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
|
||||
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
|
||||
|
||||
if ( ssl->rsa_key )
|
||||
rsa_key_len = ssl->rsa_key->len;
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
else
|
||||
rsa_key_len = ssl->pkcs11_key->len;
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
|
||||
|
||||
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
|
||||
{
|
||||
@ -758,16 +743,11 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
|
||||
|
||||
if ( ssl->rsa_key )
|
||||
{
|
||||
ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
|
||||
RSA_PRIVATE,
|
||||
hash_id, hashlen, hash, ssl->out_msg + 6 + n );
|
||||
ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
|
||||
RSA_PRIVATE,
|
||||
hash_id, hashlen, hash,
|
||||
ssl->out_msg + 6 + n );
|
||||
}
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
else {
|
||||
ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
|
||||
hash_id, hashlen, hash, ssl->out_msg + 6 + n );
|
||||
}
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
@ -898,15 +878,8 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
|
||||
{
|
||||
if( ssl->rsa_key == NULL )
|
||||
{
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
if( ssl->pkcs11_key == NULL )
|
||||
{
|
||||
#endif
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
}
|
||||
#endif
|
||||
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
|
||||
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -914,11 +887,7 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
|
||||
*/
|
||||
i = 4;
|
||||
if( ssl->rsa_key )
|
||||
n = ssl->rsa_key->len;
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
else
|
||||
n = ssl->pkcs11_key->len;
|
||||
#endif
|
||||
n = ssl->rsa_key_len( ssl->rsa_key );
|
||||
ssl->handshake->pmslen = 48;
|
||||
|
||||
if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
|
||||
@ -939,21 +908,12 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
|
||||
}
|
||||
|
||||
if( ssl->rsa_key ) {
|
||||
ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE,
|
||||
&ssl->handshake->pmslen,
|
||||
ssl->in_msg + i,
|
||||
ssl->handshake->premaster,
|
||||
sizeof(ssl->handshake->premaster) );
|
||||
ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
|
||||
&ssl->handshake->pmslen,
|
||||
ssl->in_msg + i,
|
||||
ssl->handshake->premaster,
|
||||
sizeof(ssl->handshake->premaster) );
|
||||
}
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
else {
|
||||
ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE,
|
||||
&ssl->handshake->pmslen,
|
||||
ssl->in_msg + i,
|
||||
ssl->handshake->premaster,
|
||||
sizeof(ssl->handshake->premaster) );
|
||||
}
|
||||
#endif /* defined(POLARSSL_PKCS11_C) */
|
||||
|
||||
if( ret != 0 || ssl->handshake->pmslen != 48 ||
|
||||
ssl->handshake->premaster[0] != ssl->max_major_ver ||
|
||||
|
@ -65,6 +65,28 @@ int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
|
||||
int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
|
||||
#endif
|
||||
|
||||
static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
|
||||
const unsigned char *input, unsigned char *output,
|
||||
size_t output_max_len )
|
||||
{
|
||||
return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
|
||||
output_max_len );
|
||||
}
|
||||
|
||||
static int ssl_rsa_sign( void *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int mode, int hash_id, unsigned int hashlen,
|
||||
const unsigned char *hash, unsigned char *sig )
|
||||
{
|
||||
return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
|
||||
hashlen, hash, sig );
|
||||
}
|
||||
|
||||
static size_t ssl_rsa_key_len( void *ctx )
|
||||
{
|
||||
return ( (rsa_context *) ctx )->len;
|
||||
}
|
||||
|
||||
/*
|
||||
* Key material generation
|
||||
*/
|
||||
@ -2826,6 +2848,10 @@ int ssl_init( ssl_context *ssl )
|
||||
|
||||
memset( ssl, 0, sizeof( ssl_context ) );
|
||||
|
||||
ssl->rsa_decrypt = ssl_rsa_decrypt;
|
||||
ssl->rsa_sign = ssl_rsa_sign;
|
||||
ssl->rsa_key_len = ssl_rsa_key_len;
|
||||
|
||||
ssl->in_ctr = (unsigned char *) malloc( len );
|
||||
ssl->in_hdr = ssl->in_ctr + 8;
|
||||
ssl->in_msg = ssl->in_ctr + 13;
|
||||
@ -3002,14 +3028,19 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
|
||||
ssl->rsa_key = rsa_key;
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_PKCS11_C)
|
||||
void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
|
||||
pkcs11_context *pkcs11_key )
|
||||
void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
|
||||
void *rsa_key,
|
||||
rsa_decrypt_func rsa_decrypt,
|
||||
rsa_sign_func rsa_sign,
|
||||
rsa_key_len_func rsa_key_len )
|
||||
{
|
||||
ssl->own_cert = own_cert;
|
||||
ssl->pkcs11_key = pkcs11_key;
|
||||
ssl->rsa_key = rsa_key;
|
||||
ssl->rsa_decrypt = rsa_decrypt;
|
||||
ssl->rsa_sign = rsa_sign;
|
||||
ssl->rsa_key_len = rsa_key_len;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
#if defined(POLARSSL_DHM_C)
|
||||
int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
|
||||
|
Loading…
Reference in New Issue
Block a user