lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export

Browse Source 
Implement modified key export API for Mbed TLS 3.0
This commit is contained in:
Gilles Peskine
2021-06-22 18:52:37 +02:00
committed by GitHub
parent 36ff66c4b4 5ec5003992
commit e9bc857327
10 changed files with 216 additions and 262 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
programs/ssl/ssl_client2.c
View File

@ -1723,27 +1723,6 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_DHM_C)
if( opt.dhmlen != DFL_DHMLEN )
mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen );
@ -1873,6 +1852,27 @@ int main( int argc, char *argv[] )
goto exit;
}
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{

42
programs/ssl/ssl_server2.c
View File

@ -2512,27 +2512,6 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm );
#endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_conf_export_keys_ext_cb( &conf, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
@ -2859,6 +2838,27 @@ int main( int argc, char *argv[] )
goto exit;
}
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
&eap_tls_keying );
}
else if( opt.nss_keylog != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl,
nss_keylog_export,
NULL );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
else if( opt.use_srtp != 0 )
{
mbedtls_ssl_set_export_keys_cb( &ssl, dtls_srtp_key_derivation,
&dtls_srtp_keying );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
io_ctx.ssl = &ssl;
io_ctx.net = &client_fd;
mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb,

99
programs/ssl/ssl_test_common_source.c
View File

@ -25,55 +25,46 @@
*/
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
int eap_tls_key_derivation( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void eap_tls_key_derivation( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
eap_tls_keys *keys = (eap_tls_keys *)p_expkey;
( ( void ) kb );
memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) );
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
if( secret_len != sizeof( keys->master_secret ) )
return;
memcpy( keys->master_secret, secret, sizeof( keys->master_secret ) );
memcpy( keys->randbytes, client_random, 32 );
memcpy( keys->randbytes + 32, server_random, 32 );
keys->tls_prf_type = tls_prf_type;
if( opt.debug_level > 2 )
{
mbedtls_printf("exported maclen is %u\n", (unsigned)maclen);
mbedtls_printf("exported keylen is %u\n", (unsigned)keylen);
mbedtls_printf("exported ivlen is %u\n", (unsigned)ivlen);
}
return( 0 );
}
int nss_keylog_export( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void nss_keylog_export( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
char nss_keylog_line[ 200 ];
size_t const client_random_len = 32;
size_t const master_secret_len = 48;
size_t len = 0;
size_t j;
int ret = 0;
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
((void) p_expkey);
((void) kb);
((void) maclen);
((void) keylen);
((void) ivlen);
((void) server_random);
((void) tls_prf_type);
@ -88,10 +79,10 @@ int nss_keylog_export( void *p_expkey,
len += sprintf( nss_keylog_line + len, " " );
for( j = 0; j < master_secret_len; j++ )
for( j = 0; j < secret_len; j++ )
{
len += sprintf( nss_keylog_line + len,
"%02x", ms[j] );
"%02x", secret[j] );
}
len += sprintf( nss_keylog_line + len, "\n" );
@ -108,13 +99,11 @@ int nss_keylog_export( void *p_expkey,
if( ( f = fopen( opt.nss_keylog_file, "a" ) ) == NULL )
{
ret = -1;
goto exit;
}
if( fwrite( nss_keylog_line, 1, len, f ) != len )
{
ret = -1;
fclose( f );
goto exit;
}
@ -125,35 +114,29 @@ int nss_keylog_export( void *p_expkey,
exit:
mbedtls_platform_zeroize( nss_keylog_line,
sizeof( nss_keylog_line ) );
return( ret );
}
#if defined( MBEDTLS_SSL_DTLS_SRTP )
int dtls_srtp_key_derivation( void *p_expkey,
const unsigned char *ms,
const unsigned char *kb,
size_t maclen,
size_t keylen,
size_t ivlen,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
void dtls_srtp_key_derivation( void *p_expkey,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
size_t secret_len,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
dtls_srtp_keys *keys = (dtls_srtp_keys *)p_expkey;
( ( void ) kb );
memcpy( keys->master_secret, ms, sizeof( keys->master_secret ) );
/* We're only interested in the TLS 1.2 master secret */
if( secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET )
return;
if( secret_len != sizeof( keys->master_secret ) )
return;
memcpy( keys->master_secret, secret, sizeof( keys->master_secret ) );
memcpy( keys->randbytes, client_random, 32 );
memcpy( keys->randbytes + 32, server_random, 32 );
keys->tls_prf_type = tls_prf_type;
if( opt.debug_level > 2 )
{
mbedtls_printf( "exported maclen is %u\n", (unsigned) maclen );
mbedtls_printf( "exported keylen is %u\n", (unsigned) keylen );
mbedtls_printf( "exported ivlen is %u\n", (unsigned) ivlen );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */