Add an extra key export function
Add an additional function `mbedtls_ssl_export_keys_ext_t()` for exporting key, that adds additional information such as the used `tls_prf` and the random bytes.
This commit is contained in:
parent
3b350856ff
commit
f5cc10d93b
2 changed files with 91 additions and 0 deletions
|
@ -559,6 +559,25 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx,
|
|||
*/
|
||||
typedef int mbedtls_ssl_get_timer_t( void * ctx );
|
||||
|
||||
/**
|
||||
* \brief Function type: TLS-PRF function.
|
||||
*
|
||||
* \param secret Secret for the key derivation function.
|
||||
* \param slen Length of the secret.
|
||||
* \param label String label for the key derivation function,
|
||||
* terminated with null character.
|
||||
* \param random Random bytes.
|
||||
* \param rlen Length of the random bytes buffer.
|
||||
* \param dstbuf The buffer holding the derived key.
|
||||
* \param dlen Length of the output buffer.
|
||||
*
|
||||
* \return 0 on sucess. An SSL specific error on failure.
|
||||
*/
|
||||
typedef int mbedtls_ssl_tls_prf( const unsigned char *secret, size_t slen,
|
||||
const char *label,
|
||||
const unsigned char *random, size_t rlen,
|
||||
unsigned char *dstbuf, size_t dlen );
|
||||
|
||||
/* Defined below */
|
||||
typedef struct mbedtls_ssl_session mbedtls_ssl_session;
|
||||
typedef struct mbedtls_ssl_context mbedtls_ssl_context;
|
||||
|
@ -920,6 +939,11 @@ struct mbedtls_ssl_config
|
|||
/** Callback to export key block and master secret */
|
||||
int (*f_export_keys)( void *, const unsigned char *,
|
||||
const unsigned char *, size_t, size_t, size_t );
|
||||
/** Callback to export key block, master secret,
|
||||
* tls_prf and random bytes. Should replace f_export_keys */
|
||||
int (*f_export_keys_ext)( void *, const unsigned char *,
|
||||
const unsigned char *, size_t, size_t, size_t,
|
||||
mbedtls_ssl_tls_prf *, unsigned char[32], unsigned char[32]);
|
||||
void *p_export_keys; /*!< context for key export callback */
|
||||
#endif
|
||||
|
||||
|
@ -1624,6 +1648,41 @@ typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
|
|||
size_t maclen,
|
||||
size_t keylen,
|
||||
size_t ivlen );
|
||||
|
||||
/**
|
||||
* \brief Callback type: Export key block, master secret,
|
||||
* handshake randbytes and the tls_prf function
|
||||
* used to derive keys.
|
||||
*
|
||||
* \note This is required for certain uses of TLS, e.g. EAP-TLS
|
||||
* (RFC 5216) and Thread. The key pointers are ephemeral and
|
||||
* therefore must not be stored. The master secret and keys
|
||||
* should not be used directly except as an input to a key
|
||||
* derivation function.
|
||||
*
|
||||
* \param p_expkey Context for the callback.
|
||||
* \param ms Pointer to master secret (fixed length: 48 bytes).
|
||||
* \param kb Pointer to key block, see RFC 5246 section 6.3.
|
||||
* (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
|
||||
* \param maclen MAC length.
|
||||
* \param keylen Key length.
|
||||
* \param ivlen IV length.
|
||||
* \param tls_prf The TLS PRF function used in the handshake.
|
||||
* \param client_random The client random bytes.
|
||||
* \param server_random The server random bytes.
|
||||
*
|
||||
* \return 0 if successful, or
|
||||
* a specific MBEDTLS_ERR_XXX code.
|
||||
*/
|
||||
typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey,
|
||||
const unsigned char *ms,
|
||||
const unsigned char *kb,
|
||||
size_t maclen,
|
||||
size_t keylen,
|
||||
size_t ivlen,
|
||||
mbedtls_ssl_tls_prf *tls_prf,
|
||||
unsigned char client_random[32],
|
||||
unsigned char server_random[32] );
|
||||
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
|
||||
|
||||
/**
|
||||
|
@ -1689,6 +1748,20 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
|
|||
void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
|
||||
mbedtls_ssl_export_keys_t *f_export_keys,
|
||||
void *p_export_keys );
|
||||
|
||||
/**
|
||||
* \brief Configure extended key export callback.
|
||||
* (Default: none.)
|
||||
*
|
||||
* \note See \c mbedtls_ssl_export_keys_ext_t.
|
||||
*
|
||||
* \param conf SSL configuration context
|
||||
* \param f_export_keys_ext Callback for exporting keys
|
||||
* \param p_export_keys Context for the callback
|
||||
*/
|
||||
void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
|
||||
mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
|
||||
void *p_export_keys );
|
||||
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
|
|
|
@ -1265,6 +1265,16 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
mac_key_len, keylen,
|
||||
iv_copy_len );
|
||||
}
|
||||
|
||||
if( ssl->conf->f_export_keys_ext != NULL )
|
||||
{
|
||||
ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,
|
||||
session->master, keyblk,
|
||||
mac_key_len, transform->keylen,
|
||||
iv_copy_len, handshake->tls_prf,
|
||||
handshake->randbytes + 32,
|
||||
handshake->randbytes );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
|
@ -8653,6 +8663,14 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
|
|||
conf->f_export_keys = f_export_keys;
|
||||
conf->p_export_keys = p_export_keys;
|
||||
}
|
||||
|
||||
void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
|
||||
mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
|
||||
void *p_export_keys )
|
||||
{
|
||||
conf->f_export_keys_ext = f_export_keys_ext;
|
||||
conf->p_export_keys = p_export_keys;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
|
|
Loading…
Reference in a new issue