PSK callback added to SSL server
diff --git a/library/error.c b/library/error.c
index 04ce28e..f674768 100644
--- a/library/error.c
+++ b/library/error.c
@@ -409,6 +409,8 @@
snprintf( buf, buflen, "SSL - Session ticket has expired" );
if( use_ret == -(POLARSSL_ERR_SSL_PK_TYPE_MISMATCH) )
snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+ if( use_ret == -(POLARSSL_ERR_SSL_UNKNOWN_IDENTITY) )
+ snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
#endif /* POLARSSL_SSL_TLS_C */
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
@@ -437,7 +439,7 @@
if( use_ret == -(POLARSSL_ERR_X509_UNKNOWN_SIG_ALG) )
snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
if( use_ret == -(POLARSSL_ERR_X509_SIG_MISMATCH) )
- snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_cert sig_oid)" );
+ snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::x509_crt sig_oid)" );
if( use_ret == -(POLARSSL_ERR_X509_CERT_VERIFY_FAILED) )
snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8d1b723..1b48a97 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2286,11 +2286,12 @@
static int ssl_parse_client_psk_identity( ssl_context *ssl, unsigned char **p,
const unsigned char *end )
{
- int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
+ int ret = 0;
size_t n;
- if( ssl->psk == NULL || ssl->psk_identity == NULL ||
- ssl->psk_identity_len == 0 || ssl->psk_len == 0 )
+ if( ssl->f_psk == NULL &&
+ ( ssl->psk == NULL || ssl->psk_identity == NULL ||
+ ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
{
SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
@@ -2314,11 +2315,32 @@
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
}
- if( n != ssl->psk_identity_len ||
- memcmp( ssl->psk_identity, *p, n ) != 0 )
+ if( ssl->f_psk != NULL )
+ {
+ if( ( ret != ssl->f_psk( ssl->p_psk, ssl, *p, n ) ) != 0 )
+ ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+
+ if( ret == 0 )
+ {
+ if( n != ssl->psk_identity_len ||
+ memcmp( ssl->psk_identity, *p, n ) != 0 )
+ {
+ ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
+ }
+ }
+
+ if( ret == POLARSSL_ERR_SSL_UNKNOWN_IDENTITY )
{
SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
- return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+ if( ( ret = ssl_send_alert_message( ssl,
+ SSL_ALERT_LEVEL_FATAL,
+ SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ return( POLARSSL_ERR_SSL_UNKNOWN_IDENTITY );
}
*p += n;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 774cb47..020d0e8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3242,11 +3242,6 @@
memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
-#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
- ssl->hostname = NULL;
- ssl->hostname_len = 0;
-#endif
-
#if defined(POLARSSL_SSL_SESSION_TICKETS)
ssl->ticket_lifetime = SSL_DEFAULT_TICKET_LIFETIME;
#endif
@@ -3529,13 +3524,38 @@
#endif /* POLARSSL_X509_CRT_PARSE_C */
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
-void ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
- const unsigned char *psk_identity, size_t psk_identity_len )
+int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
+ const unsigned char *psk_identity, size_t psk_identity_len )
{
- ssl->psk = psk;
+ if( psk == NULL || psk_identity == NULL )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
+ if( ssl->psk != NULL )
+ {
+ polarssl_free( ssl->psk );
+ polarssl_free( ssl->psk_identity );
+ }
+
ssl->psk_len = psk_len;
- ssl->psk_identity = psk_identity;
ssl->psk_identity_len = psk_identity_len;
+
+ ssl->psk = polarssl_malloc( ssl->psk_len );
+ ssl->psk_identity = polarssl_malloc( ssl->psk_identity_len );
+
+ if( ssl->psk == NULL || ssl->psk_identity == NULL )
+ return( POLARSSL_ERR_SSL_MALLOC_FAILED );
+
+ memcpy( ssl->psk, psk, ssl->psk_len );
+ memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len );
+}
+
+void ssl_set_psk_cb( ssl_context *ssl,
+ int (*f_psk)(void *, ssl_context *, const unsigned char *,
+ size_t),
+ void *p_psk )
+{
+ ssl->f_psk = f_psk;
+ ssl->p_psk = p_psk;
}
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED */
@@ -4146,7 +4166,7 @@
#endif
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
- if ( ssl->hostname != NULL)
+ if ( ssl->hostname != NULL )
{
memset( ssl->hostname, 0, ssl->hostname_len );
polarssl_free( ssl->hostname );
@@ -4154,6 +4174,18 @@
}
#endif
+#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
+ if( ssl->psk != NULL )
+ {
+ memset( ssl->psk, 0, ssl->psk_len );
+ memset( ssl->psk_identity, 0, ssl->psk_identity_len );
+ polarssl_free( ssl->psk );
+ polarssl_free( ssl->psk_identity );
+ ssl->psk_len = 0;
+ ssl->psk_identity_len = 0;
+ }
+#endif
+
if( ssl->pk_key_own_alloc )
{
pk_free( ssl->pk_key );