yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-10-18 12:21:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS

Browse source
This commit is contained in:
Paul Bakker 2012-09-27 19:15:01 +00:00
parent 321df6fb80
commit eb2c658163
7 changed files with 130 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -40,6 +40,8 @@ Changes
POLARSSL_MODE_CFB, to also handle different block size CFB modes. POLARSSL_MODE_CFB, to also handle different block size CFB modes.
* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation) * Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
* Revamped session resumption handling * Revamped session resumption handling
* Generalized external private key implementation handling (like PKCS#11)
in SSL/TLS
Bugfix Bugfix
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by * Fixed handling error in mpi_cmp_mpi() on longer B values (found by

4
include/polarssl/config.h
View file

@ -612,7 +612,7 @@
/** /**
* \def POLARSSL_PKCS11_C * \def POLARSSL_PKCS11_C
* *
* Enable support for PKCS#11 smartcard support. * Enable wrapper for PKCS#11 smartcard support.
* *
* Module: library/ssl_srv.c * Module: library/ssl_srv.c
* Caller: library/ssl_cli.c * Caller: library/ssl_cli.c
@ -620,7 +620,7 @@
* *
* Requires: POLARSSL_SSL_TLS_C * Requires: POLARSSL_SSL_TLS_C
* *
* This module is required for SSL/TLS PKCS #11 smartcard support. * This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper) * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
#define POLARSSL_PKCS11_C #define POLARSSL_PKCS11_C
*/ */

35
include/polarssl/pkcs11.h
View file

@ -37,6 +37,14 @@
#include <pkcs11-helper-1.0/pkcs11h-certificate.h> #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#if defined(_MSC_VER) && !defined(inline)
#define inline _inline
#else
#if defined(__ARMCC_VERSION) && !defined(inline)
#define inline __inline
#endif /* __ARMCC_VERSION */
#endif /*_MSC_VER */
/** /**
* Context for PKCS #11 private keys. * Context for PKCS #11 private keys.
*/ */
@ -121,6 +129,33 @@ int pkcs11_sign( pkcs11_context *ctx,
const unsigned char *hash, const unsigned char *hash,
unsigned char *sig ); unsigned char *sig );
/**
* SSL/TLS wrappers for PKCS#11 functions
*/
static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
const unsigned char *input, unsigned char *output,
unsigned int output_max_len )
{
return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
output_max_len );
}
static inline int ssl_pkcs11_sign( void *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
int mode, int hash_id, unsigned int hashlen,
const unsigned char *hash, unsigned char *sig )
{
((void) f_rng);
((void) p_rng);
return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
hashlen, hash, sig );
}
static inline size_t ssl_pkcs11_key_len( void *ctx )
{
return ( (pkcs11_context *) ctx )->len;
}
#endif /* POLARSSL_PKCS11_C */ #endif /* POLARSSL_PKCS11_C */
#endif /* POLARSSL_PKCS11_H */ #endif /* POLARSSL_PKCS11_H */

48
include/polarssl/ssl.h
View file

@ -42,10 +42,6 @@
#include "dhm.h" #include "dhm.h"
#endif #endif
#if defined(POLARSSL_PKCS11_C)
#include "pkcs11.h"
#endif
#if defined(POLARSSL_ZLIB_SUPPORT) #if defined(POLARSSL_ZLIB_SUPPORT)
#include "zlib.h" #include "zlib.h"
#endif #endif
@ -253,6 +249,20 @@
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01 #define TLS_EXT_RENEGOTIATION_INFO 0xFF01
/*
* Generic function pointers for allowing external RSA private key
* implementations.
*/
typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
const unsigned char *input, unsigned char *output,
size_t output_max_len );
typedef int (*rsa_sign_func)( void *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
int mode, int hash_id, unsigned int hashlen,
const unsigned char *hash, unsigned char *sig );
typedef size_t (*rsa_key_len_func)( void *ctx );
/* /*
* SSL state machine * SSL state machine
*/ */
@ -446,10 +456,11 @@ struct _ssl_context
/* /*
* PKI layer * PKI layer
*/ */
rsa_context *rsa_key; /*!< own RSA private key */ void *rsa_key; /*!< own RSA private key */
#if defined(POLARSSL_PKCS11_C) rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
pkcs11_context *pkcs11_key; /*!< own PKCS#11 RSA private key */ rsa_sign_func rsa_sign; /*!< function for RSA sign */
#endif rsa_key_len_func rsa_key_len; /*!< function for RSA key len*/
x509_cert *own_cert; /*!< own X.509 certificate */ x509_cert *own_cert; /*!< own X.509 certificate */
x509_cert *ca_chain; /*!< own trusted CA chain */ x509_cert *ca_chain; /*!< own trusted CA chain */
x509_crl *ca_crl; /*!< trusted CA CRLs */ x509_crl *ca_crl; /*!< trusted CA CRLs */
@ -722,17 +733,26 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert, void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
rsa_context *rsa_key ); rsa_context *rsa_key );
#if defined(POLARSSL_PKCS11_C)
/** /**
* \brief Set own certificate and PKCS#11 private key * \brief Set own certificate and alternate non-PolarSSL private
* key and handling callbacks, such as the PKCS#11 wrappers
* or any other external private key handler.
* (see the respective RSA functions in rsa.h for documentation
* of the callback parameters, with the only change being
* that the rsa_context * is a void * in the callbacks)
* *
* \param ssl SSL context * \param ssl SSL context
* \param own_cert own public certificate * \param own_cert own public certificate
* \param pkcs11_key own PKCS#11 RSA key * \param rsa_key alternate implementation private RSA key
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
* \param rsa_key_len_func function returning length of RSA key in bytes
*/ */
void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert, void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
pkcs11_context *pkcs11_key ); void *rsa_key,
#endif rsa_decrypt_func rsa_decrypt,
rsa_sign_func rsa_sign,
rsa_key_len_func rsa_key_len );
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
/** /**

32
library/ssl_cli.c
View file

@ -30,10 +30,6 @@
#include "polarssl/debug.h" #include "polarssl/debug.h"
#include "polarssl/ssl.h" #include "polarssl/ssl.h"
#if defined(POLARSSL_PKCS11_C)
#include "polarssl/pkcs11.h"
#endif /* defined(POLARSSL_PKCS11_C) */
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
@ -1115,15 +1111,8 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
if( ssl->rsa_key == NULL ) if( ssl->rsa_key == NULL )
{ {
#if defined(POLARSSL_PKCS11_C) SSL_DEBUG_MSG( 1, ( "got no private key" ) );
if( ssl->pkcs11_key == NULL ) return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
{
#endif /* defined(POLARSSL_PKCS11_C) */
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
#if defined(POLARSSL_PKCS11_C)
}
#endif /* defined(POLARSSL_PKCS11_C) */
} }
/* /*
@ -1132,11 +1121,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
ssl->handshake->calc_verify( ssl, hash ); ssl->handshake->calc_verify( ssl, hash );
if ( ssl->rsa_key ) if ( ssl->rsa_key )
n = ssl->rsa_key->len; n = ssl->rsa_key_len ( ssl->rsa_key );
#if defined(POLARSSL_PKCS11_C)
else
n = ssl->pkcs11_key->len;
#endif /* defined(POLARSSL_PKCS11_C) */
if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{ {
@ -1164,14 +1149,9 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
if( ssl->rsa_key ) if( ssl->rsa_key )
{ {
ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng, ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
RSA_PRIVATE, hash_id, RSA_PRIVATE, hash_id,
hashlen, hash, ssl->out_msg + 6 + offset ); hashlen, hash, ssl->out_msg + 6 + offset );
} else {
#if defined(POLARSSL_PKCS11_C)
ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, hash_id,
hashlen, hash, ssl->out_msg + 6 + offset );
#endif /* defined(POLARSSL_PKCS11_C) */
} }
if (ret != 0) if (ret != 0)

70
library/ssl_srv.c
View file

@ -30,10 +30,6 @@
#include "polarssl/debug.h" #include "polarssl/debug.h"
#include "polarssl/ssl.h" #include "polarssl/ssl.h"
#if defined(POLARSSL_PKCS11_C)
#include "polarssl/pkcs11.h"
#endif /* defined(POLARSSL_PKCS11_C) */
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
@ -644,15 +640,8 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
if( ssl->rsa_key == NULL ) if( ssl->rsa_key == NULL )
{ {
#if defined(POLARSSL_PKCS11_C) SSL_DEBUG_MSG( 1, ( "got no private key" ) );
if( ssl->pkcs11_key == NULL ) return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
{
#endif /* defined(POLARSSL_PKCS11_C) */
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
#if defined(POLARSSL_PKCS11_C)
}
#endif /* defined(POLARSSL_PKCS11_C) */
} }
/* /*
@ -738,11 +727,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
if ( ssl->rsa_key ) if ( ssl->rsa_key )
rsa_key_len = ssl->rsa_key->len; rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
#if defined(POLARSSL_PKCS11_C)
else
rsa_key_len = ssl->pkcs11_key->len;
#endif /* defined(POLARSSL_PKCS11_C) */
if( ssl->minor_ver == SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{ {
@ -758,16 +743,11 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
if ( ssl->rsa_key ) if ( ssl->rsa_key )
{ {
ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng, ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
RSA_PRIVATE, RSA_PRIVATE,
hash_id, hashlen, hash, ssl->out_msg + 6 + n ); hash_id, hashlen, hash,
ssl->out_msg + 6 + n );
} }
#if defined(POLARSSL_PKCS11_C)
else {
ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
hash_id, hashlen, hash, ssl->out_msg + 6 + n );
}
#endif /* defined(POLARSSL_PKCS11_C) */
if( ret != 0 ) if( ret != 0 )
{ {
@ -898,15 +878,8 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
{ {
if( ssl->rsa_key == NULL ) if( ssl->rsa_key == NULL )
{ {
#if defined(POLARSSL_PKCS11_C) SSL_DEBUG_MSG( 1, ( "got no private key" ) );
if( ssl->pkcs11_key == NULL ) return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
{
#endif
SSL_DEBUG_MSG( 1, ( "got no private key" ) );
return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
#if defined(POLARSSL_PKCS11_C)
}
#endif
} }
/* /*
@ -914,11 +887,7 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
*/ */
i = 4; i = 4;
if( ssl->rsa_key ) if( ssl->rsa_key )
n = ssl->rsa_key->len; n = ssl->rsa_key_len( ssl->rsa_key );
#if defined(POLARSSL_PKCS11_C)
else
n = ssl->pkcs11_key->len;
#endif
ssl->handshake->pmslen = 48; ssl->handshake->pmslen = 48;
if( ssl->minor_ver != SSL_MINOR_VERSION_0 ) if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
@ -939,21 +908,12 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
} }
if( ssl->rsa_key ) { if( ssl->rsa_key ) {
ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE, ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
&ssl->handshake->pmslen, &ssl->handshake->pmslen,
ssl->in_msg + i, ssl->in_msg + i,
ssl->handshake->premaster, ssl->handshake->premaster,
sizeof(ssl->handshake->premaster) ); sizeof(ssl->handshake->premaster) );
} }
#if defined(POLARSSL_PKCS11_C)
else {
ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE,
&ssl->handshake->pmslen,
ssl->in_msg + i,
ssl->handshake->premaster,
sizeof(ssl->handshake->premaster) );
}
#endif /* defined(POLARSSL_PKCS11_C) */
if( ret != 0 || ssl->handshake->pmslen != 48 || if( ret != 0 || ssl->handshake->pmslen != 48 ||
ssl->handshake->premaster[0] != ssl->max_major_ver || ssl->handshake->premaster[0] != ssl->max_major_ver ||

41
library/ssl_tls.c
View file

@ -65,6 +65,28 @@ int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL; int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
#endif #endif
static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
const unsigned char *input, unsigned char *output,
size_t output_max_len )
{
return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
output_max_len );
}
static int ssl_rsa_sign( void *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
int mode, int hash_id, unsigned int hashlen,
const unsigned char *hash, unsigned char *sig )
{
return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
hashlen, hash, sig );
}
static size_t ssl_rsa_key_len( void *ctx )
{
return ( (rsa_context *) ctx )->len;
}
/* /*
* Key material generation * Key material generation
*/ */
@ -2826,6 +2848,10 @@ int ssl_init( ssl_context *ssl )
memset( ssl, 0, sizeof( ssl_context ) ); memset( ssl, 0, sizeof( ssl_context ) );
ssl->rsa_decrypt = ssl_rsa_decrypt;
ssl->rsa_sign = ssl_rsa_sign;
ssl->rsa_key_len = ssl_rsa_key_len;
ssl->in_ctr = (unsigned char *) malloc( len ); ssl->in_ctr = (unsigned char *) malloc( len );
ssl->in_hdr = ssl->in_ctr + 8; ssl->in_hdr = ssl->in_ctr + 8;
ssl->in_msg = ssl->in_ctr + 13; ssl->in_msg = ssl->in_ctr + 13;
@ -3002,14 +3028,19 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
ssl->rsa_key = rsa_key; ssl->rsa_key = rsa_key;
} }
#if defined(POLARSSL_PKCS11_C) void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert, void *rsa_key,
pkcs11_context *pkcs11_key ) rsa_decrypt_func rsa_decrypt,
rsa_sign_func rsa_sign,
rsa_key_len_func rsa_key_len )
{ {
ssl->own_cert = own_cert; ssl->own_cert = own_cert;
ssl->pkcs11_key = pkcs11_key; ssl->rsa_key = rsa_key;
ssl->rsa_decrypt = rsa_decrypt;
ssl->rsa_sign = rsa_sign;
ssl->rsa_key_len = rsa_key_len;
} }
#endif
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G ) int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )