
Commit 4292326

author
Mika Leppänen
committed
Updated eapol TLS library to use extended version of export keys callback
Take extended keys callback into use and remove random number and PRF functionality that was required in temporary solution.
1 parent f8f0762 commit 4292326


1 file changed

+21
-69
lines changed

1 file changed

+21
-69
lines changed

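--- a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
+++ b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
@@ -70,12 +70,6 @@ struct tls_security_s {
 mbedtls_x509_crl *crl; /**< Certificate Revocation List */
 mbedtls_x509_crt owncert; /**< Own certificate(s) */
 mbedtls_pk_context pkey; /**< Private key for own certificate */
-
-uint8_t client_random[32]; /**< Client random (from Client Hello) */
-uint8_t server_random[32]; /**< Server random (from Server Hello) */
-
-uint8_t step; /**< Random extract step */
-
 void *handle; /**< Handle provided in callbacks (defined by library user) */
 tls_sec_prot_lib_send *send; /**< Send callback */
 tls_sec_prot_lib_receive *receive; /**< Receive callback */
@@ -89,9 +83,11 @@ static int tls_sec_prot_lib_ssl_get_timer(void *ctx);
 static int tls_sec_lib_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen);
 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len);
 static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len);
-static int tls_sec_prot_lib_ssl_export_keys(void *ctx, const unsigned char *ms,
-const unsigned char *kb, size_t maclen, size_t keylen, size_t ivlen);
-static void tls_sec_prot_lib_random_extract(tls_security_t *sec, const uint8_t *buf, uint16_t len);
+static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms,
+const unsigned char *kb, size_t maclen, size_t keylen,
+size_t ivlen, unsigned char client_random[32],
+unsigned char server_random[32],
+mbedtls_tls_prf_types tls_prf_type);
 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string);
 #endif
@@ -126,7 +122,6 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)
 mbedtls_pk_init(&sec->pkey);
 
 sec->crl = NULL;
-sec->step = 0;
 
 if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,
 128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {
@@ -331,7 +326,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
 #endif
 
 // Export keys callback
-mbedtls_ssl_conf_export_keys_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec);
+mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec);
 
 mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
 mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
@@ -394,9 +389,6 @@ static int tls_sec_prot_lib_ssl_get_timer(void *ctx)
 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len)
 {
 tls_security_t *sec = (tls_security_t *)ctx;
-
-tls_sec_prot_lib_random_extract(sec, buf, len);
-
 return sec->send(sec->handle, buf, len);
 }
 
@@ -408,74 +400,34 @@ static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len)
 if (ret == TLS_SEC_PROT_LIB_NO_DATA) {
 return MBEDTLS_ERR_SSL_WANT_READ;
 }
-
-tls_sec_prot_lib_random_extract(sec, buf, len);
-
 return ret;
 }
 
-static void tls_sec_prot_lib_random_extract(tls_security_t *sec, const uint8_t *buf, uint16_t len)
-{
-if (sec->step == 0) {
-if (*buf++ != 22 && len < 5) {
-return;
-}
-
-buf++; // version
-buf++;
-
-buf++; // length
-buf++;
-
-sec->step++;
-
-if (len < 6) {
-return;
-}
-}
-
-if (sec->step == 1) {
-uint8_t *random_ptr;
-if (*buf == 0x01) { // Client hello
-random_ptr = sec->client_random;
-} else if (*buf == 0x02) { // Server hello
-random_ptr = sec->server_random;
-} else {
-return;
-}
-buf++;
-
-buf++; // length
-buf++;
-buf++;
-
-buf++; // version
-buf++;
-
-memcpy(random_ptr, buf, 32);
-
-sec->step = 0;
-}
-}
-
-static int tls_sec_prot_lib_ssl_export_keys(void *ctx, const unsigned char *ms,
-const unsigned char *kb, size_t maclen,
-size_t keylen, size_t ivlen)
+static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms,
+const unsigned char *kb, size_t maclen, size_t keylen,
+size_t ivlen, unsigned char client_random[32],
+unsigned char server_random[32],
+mbedtls_tls_prf_types tls_prf_type)
 {
 (void) kb;
 (void) maclen;
 (void) keylen;
 (void) ivlen;
 
-tls_security_t *sec = (tls_security_t *)ctx;
+tls_security_t *sec = (tls_security_t *)p_expkey;
 
 uint8_t eap_tls_key_material[128];
 uint8_t random[64];
-memcpy(random, sec->client_random, 32);
-memcpy(&random[32], sec->server_random, 32);
+memcpy(random, client_random, 32);
+memcpy(&random[32], server_random, 32);
+
+int ret = mbedtls_ssl_tls_prf(tls_prf_type, ms, 48, "client EAP encryption",
+random, 64, eap_tls_key_material, 128);
 
-sec->ssl.handshake->tls_prf(ms, 48, "client EAP encryption",
-random, 64, eap_tls_key_material, 128);
+if (ret != 0) {
+tr_error("key material PRF error");
+return 0;
+}
 
 sec->export_keys(sec->handle, ms, eap_tls_key_material);
 return 0;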
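Review bot: In the new `tls_sec_prot_lib_ssl_export_keys`, the `if (ret != 0)` branch logs the PRF failure and then does `return 0;`, so a failed key derivation is reported to the TLS stack as success and `sec->export_keys` is simply never called. Returning the error instead, `return ret;`, keeps the failure visible; whether mbedtls acts on this callback's return value is not visible here, so the EAP-TLS layer should presumably also treat a missing exported key as a failed handshake rather than rely on the return code alone. The derived `eap_tls_key_material[128]` and the `random[64]` copy are left on the stack on both return paths; wiping them before returning, e.g. `mbedtls_platform_zeroize(eap_tls_key_material, sizeof(eap_tls_key_material));`, avoids leaving key material behind (this assumes `export_keys` copies what it needs, which should be confirmed). The function's closing brace lies outside the hunk.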
