From 2f4329306b7ae30892dcc7c6d284d3fbbe088488 Mon Sep 17 00:00:00 2001 From: night1rider Date: Thu, 19 Dec 2024 15:37:50 -0700 Subject: [PATCH 1/2] Initial Extended Master Secret PK Callback ZD#19038 --- src/ssl.c | 23 +++++++++++++++++++++++ src/tls.c | 24 ++++++++++++++++++------ wolfssl/internal.h | 3 +++ wolfssl/ssl.h | 7 +++++++ 4 files changed, 51 insertions(+), 6 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index bc6d3b5009..29d764530c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19234,6 +19234,29 @@ void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl) return NULL; } +/* callback for extended master secret generation */ +void wolfSSL_CTX_SetGenExtMasterSecretCb(WOLFSSL_CTX* ctx, + CallbackGenExtMasterSecret cb) +{ + if (ctx) + ctx->GenExtMasterCb = cb; +} +/* Set extended master secret generation callback context */ +void wolfSSL_SetGenExtMasterSecretCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->GenExtMasterCtx = ctx; +} +/* Get extended master secret generation callback context */ +void* wolfSSL_GetGenExtMasterSecretCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->GenExtMasterCtx; + + return NULL; +} + + /* callback for session key generation */ void wolfSSL_CTX_SetGenSessionKeyCb(WOLFSSL_CTX* ctx, CallbackGenSessionKey cb) { diff --git a/src/tls.c b/src/tls.c index 2bc19532b7..12fdfe81bd 100644 --- a/src/tls.c +++ b/src/tls.c @@ -645,12 +645,24 @@ int MakeTlsMasterSecret(WOLFSSL* ssl) XMEMSET(handshake_hash, 0, HSHASH_SZ); ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz); if (ret == 0) { - ret = _MakeTlsExtendedMasterSecret( - ssl->arrays->masterSecret, SECRET_LEN, - ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, - handshake_hash, hashSz, - IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, - ssl->heap, ssl->devId); + #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) + ret = PROTOCOLCB_UNAVAILABLE; + if (ssl->ctx->GenExtMasterCb) { + void* ctx = wolfSSL_GetGenExtMasterSecretCtx(ssl); + ret = ssl->ctx->GenExtMasterCb(ssl, handshake_hash, hashSz, + ctx); + } + if (!ssl->ctx->GenExtMasterCb || + ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) + #endif /* (HAVE_SECRET_CALLBACK) && (HAVE_EXT_SECRET_CALLBACK) */ + { + ret = _MakeTlsExtendedMasterSecret( + ssl->arrays->masterSecret, SECRET_LEN, + ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, + handshake_hash, hashSz, + IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, + ssl->heap, ssl->devId); + } ForceZero(handshake_hash, hashSz); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 3f3c036a38..60caad03a6 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4123,6 +4123,8 @@ struct WOLFSSL_CTX { CallbackGenPreMaster GenPreMasterCb; /* User generate master secret handler */ CallbackGenMasterSecret GenMasterCb; + /* User generate Extended master secret handler */ + CallbackGenExtMasterSecret GenExtMasterCb; /* User generate session key handler */ CallbackGenSessionKey GenSessionKeyCb; /* User setting encrypt keys handler */ @@ -6168,6 +6170,7 @@ struct WOLFSSL { #endif /* NO_RSA */ void* GenPreMasterCtx; /* Generate Premaster Callback Context */ void* GenMasterCtx; /* Generate Master Callback Context */ + void* GenExtMasterCtx; /* Generate Extended Master Callback Context */ void* GenSessionKeyCtx; /* Generate Session Key Callback Context */ void* EncryptKeysCtx; /* Set Encrypt keys Callback Context */ void* TlsFinishedCtx; /* Generate Tls Finished Callback Context */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 623639a20f..e33ba22ef2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -4049,6 +4049,13 @@ WOLFSSL_API void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX* ctx, WOLFSSL_API void wolfSSL_SetGenMasterSecretCtx(WOLFSSL* ssl, void *ctx); WOLFSSL_API void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl); +typedef int (*CallbackGenExtMasterSecret)(WOLFSSL* ssl, byte* hash, + word32 hashsz, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetGenExtMasterSecretCb(WOLFSSL_CTX* ctx, + CallbackGenExtMasterSecret cb); +WOLFSSL_API void wolfSSL_SetGenExtMasterSecretCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetGenExtMasterSecretCtx(WOLFSSL* ssl); + typedef int (*CallbackGenPreMaster)(WOLFSSL* ssl, byte *premaster, word32 preSz, void* ctx); WOLFSSL_API void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX* ctx, From 6617a8afca9d0012c5ed2cd2f69058333f87fb73 Mon Sep 17 00:00:00 2001 From: night1rider Date: Thu, 19 Dec 2024 16:27:35 -0700 Subject: [PATCH 2/2] Updating Client/Server with myGenExtMaster Callback --- wolfssl/test.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/wolfssl/test.h b/wolfssl/test.h index 478a9056af..ec9d67369f 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4220,6 +4220,25 @@ static WC_INLINE int myGenMaster(WOLFSSL* ssl, void* ctx) return ret; } +static WC_INLINE int myGenExtMaster(WOLFSSL* ssl, byte* hash, word32 hashSz, + void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + (void)hash; + (void)hashSz; + + WOLFSSL_PKMSG("Gen Extended Master"); + /* fall through to original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Gen Extended Master: ret %d\n", ret); + + return ret; +} + static WC_INLINE int myGenPreMaster(WOLFSSL* ssl, byte *premaster, word32 preSz, void* ctx) { @@ -4372,6 +4391,7 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) #ifndef NO_CERTS wolfSSL_CTX_SetGenMasterSecretCb(ctx, myGenMaster); + wolfSSL_CTX_SetGenExtMasterSecretCb(ctx, myGenExtMaster); wolfSSL_CTX_SetGenPreMasterCb(ctx, myGenPreMaster); wolfSSL_CTX_SetGenSessionKeyCb(ctx, myGenSessionKey); wolfSSL_CTX_SetEncryptKeysCb(ctx, mySetEncryptKeys); @@ -4427,6 +4447,7 @@ static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) #ifndef NO_CERTS wolfSSL_SetGenMasterSecretCtx(ssl, myCtx); + wolfSSL_SetGenExtMasterSecretCtx(ssl, myCtx); wolfSSL_SetGenPreMasterCtx(ssl, myCtx); wolfSSL_SetGenSessionKeyCtx(ssl, myCtx); wolfSSL_SetEncryptKeysCtx(ssl, myCtx);