Georg/luksrku
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Consolidated session establishment for client and server

Browse Source 
Essentially, they share most of the same code. Consolidate everything
into one function.
This commit is contained in:
Johannes Bauer 2019-10-23 22:06:47 +02:00
parent 0e8e42d0ea
commit 1f56e19361
4 changed files with 63 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
client.c
View File

@ -225,45 +225,7 @@ static int psk_client_callback(SSL *ssl, const EVP_MD *md, const unsigned char *
*id = key_client->identifier; *id = key_client->identifier;
*idlen = ASCII_UUID_CHARACTER_COUNT; *idlen = ASCII_UUID_CHARACTER_COUNT;
SSL_SESSION *sess = SSL_SESSION_new(); return openssl_tls13_psk_establish_session(ssl, key_client->keydb->hosts[0].tls_psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
if (!sess) {
log_openssl(LLVL_ERROR, "Failed to create SSL_SESSION context for client.");
return 0;
}
const uint8_t tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
if (!cipher) {
log_openssl(LLVL_ERROR, "Unable to look up SSL_CIPHER for TLSv1.3-PSK");
return 0;
}
int return_value = 1;
do {
if (!SSL_SESSION_set1_master_key(sess, key_client->keydb->hosts[0].tls_psk, PSK_SIZE_BYTES)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK master key.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_cipher(sess, cipher)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK cipher.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_protocol_version(sess, TLS1_3_VERSION)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK protocol version.");
return_value = 0;
break;
}
} while (false);
if (return_value) {
*sessptr = sess;
}
return return_value;
} }
static bool contact_keyserver_socket(struct keyclient_t *keyclient, int sd) { static bool contact_keyserver_socket(struct keyclient_t *keyclient, int sd) {

60
openssl.c
View File

@ -111,3 +111,63 @@ void free_generic_tls_context(struct generic_tls_ctx_t *gctx) {
gctx->conf_ctx = NULL; gctx->conf_ctx = NULL;
} }
enum psk_hash_t {
PSK_HASH_SHA256,
PSK_HASH_SHA384,
};
int openssl_tls13_psk_establish_session(SSL *ssl, const uint8_t *psk, unsigned int psk_length, const EVP_MD *cipher_md, SSL_SESSION **new_session) {
uint8_t codepoint[2];
if (cipher_md == EVP_sha256()) {
// TLS_AES_128_GCM_SHA256
codepoint[0] = 0x13;
codepoint[1] = 0x01;
} else if (cipher_md == EVP_sha384()) {
// TLS_AES_256_GCM_SHA384
codepoint[0] = 0x13;
codepoint[1] = 0x02;
} else {
log_msg(LLVL_ERROR, "Unknown hash function %p (%s) passed for which we do not know how to create a SSL_CIPHER*.", cipher_md, EVP_MD_name(cipher_md));
return 0;
}
const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, codepoint);
if (!cipher) {
log_msg(LLVL_ERROR, "Unable to determine SSL_CIPHER* from codepoint 0x%02x 0x%02x (%s).", codepoint[0], codepoint[1], EVP_MD_name(cipher_md));
return 0;
}
SSL_SESSION *sess = SSL_SESSION_new();
if (!sess) {
log_openssl(LLVL_ERROR, "Failed to create SSL_SESSION context for client.");
return 0;
}
int return_value = 1;
do {
if (!SSL_SESSION_set1_master_key(sess, psk, psk_length)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK master key.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_cipher(sess, cipher)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK cipher.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_protocol_version(sess, TLS1_3_VERSION)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK protocol version.");
return_value = 0;
break;
}
} while (false);
if (return_value) {
*new_session = sess;
} else {
SSL_SESSION_free(sess);
}
return return_value;
}

1
openssl.h
View File

@ -37,6 +37,7 @@ struct generic_tls_ctx_t {
bool openssl_init(void); bool openssl_init(void);
bool create_generic_tls_context(struct generic_tls_ctx_t *gctx, bool server); bool create_generic_tls_context(struct generic_tls_ctx_t *gctx, bool server);
void free_generic_tls_context(struct generic_tls_ctx_t *gctx); void free_generic_tls_context(struct generic_tls_ctx_t *gctx);
int openssl_tls13_psk_establish_session(SSL *ssl, const uint8_t *psk, unsigned int psk_length, const EVP_MD *cipher_md, SSL_SESSION **new_session);
/*************** AUTO GENERATED SECTION ENDS ***************/ /*************** AUTO GENERATED SECTION ENDS ***************/
#endif #endif

41
server.c
View File

@ -286,46 +286,7 @@ static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t i
return 0; return 0;
} }
const uint8_t tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; return openssl_tls13_psk_establish_session(ssl, ctx->host->tls_psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
if (!cipher) {
log_openssl(LLVL_ERROR, "Unable to look up SSL_CIPHER for TLSv1.3-PSK");
return 0;
}
SSL_SESSION *sess = SSL_SESSION_new();
if (!sess) {
log_openssl(LLVL_ERROR, "Failed to create SSL_SESSION context for client.");
return 0;
}
int return_value = 1;
do {
if (!SSL_SESSION_set1_master_key(sess, ctx->host->tls_psk, PSK_SIZE_BYTES)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK master key.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_cipher(sess, cipher)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK cipher.");
return_value = 0;
break;
}
if (!SSL_SESSION_set_protocol_version(sess, TLS1_3_VERSION)) {
log_openssl(LLVL_ERROR, "Failed to set TLSv1.3-PSK protocol version.");
return_value = 0;
break;
}
} while (false);
if (return_value) {
*sessptr = sess;
} else {
SSL_SESSION_free(sess);
}
return return_value;
} }
static void client_handler_thread(void *vctx) { static void client_handler_thread(void *vctx) {