From 14e353506a8a255c31b5b6b7520e00ed323d5a13 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 13 Jun 2017 14:28:45 +0100 Subject: [PATCH] Fix no-psk Broken through previous PSK related commits Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/3670) --- apps/apps.h | 4 ++-- apps/s_client.c | 8 +------- apps/s_server.c | 12 ++++-------- include/openssl/ssl.h | 17 +++++++++-------- 4 files changed, 16 insertions(+), 25 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 31cf7b0961..66ece0b43c 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -515,9 +515,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); -# ifndef OPENSSL_NO_PSK + extern char *psk_key; -# endif + unsigned char *next_protos_parse(size_t *outlen, const char *in); diff --git a/apps/s_client.c b/apps/s_client.c index f84ae2b4b3..df33e0a596 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -109,10 +109,10 @@ static void do_ssl_shutdown(SSL *ssl) } while (ret < 0); } -#ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ static char *psk_identity = "Client_identity"; +#ifndef OPENSSL_NO_PSK static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, @@ -570,9 +570,7 @@ typedef enum OPTION_choice { OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG, OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE, -#ifndef OPENSSL_NO_PSK OPT_PSK_IDENTITY, OPT_PSK, -#endif OPT_PSK_SESS, #ifndef OPENSSL_NO_SRP OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER, @@ -752,10 +750,8 @@ const OPTIONS s_client_options[] = { {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, #endif {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, -#ifndef OPENSSL_NO_PSK {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, -#endif {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"}, #ifndef OPENSSL_NO_SRP {"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"}, @@ -1202,7 +1198,6 @@ int s_client_main(int argc, char **argv) case OPT_STATE: state = 1; break; -#ifndef OPENSSL_NO_PSK case OPT_PSK_IDENTITY: psk_identity = opt_arg(); break; @@ -1214,7 +1209,6 @@ int s_client_main(int argc, char **argv) goto end; } break; -#endif case OPT_PSK_SESS: psksessf = opt_arg(); break; diff --git a/apps/s_server.c b/apps/s_server.c index d5e226ad7d..c2ef521479 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -119,10 +119,10 @@ static int dtlslisten = 0; static int early_data = 0; static SSL_SESSION *psksess = NULL; -#ifndef OPENSSL_NO_PSK static char *psk_identity = "Client_identity"; char *psk_key = NULL; /* by default PSK is not used */ +#ifndef OPENSSL_NO_PSK static unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) @@ -892,11 +892,11 @@ const OPTIONS s_server_options[] = { OPT_V_OPTIONS, OPT_X_OPTIONS, {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, -#ifndef OPENSSL_NO_PSK {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"}, +#ifndef OPENSSL_NO_PSK {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, - {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, #endif + {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"}, #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, @@ -1011,8 +1011,8 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ char *psk_identity_hint = NULL; - char *p; #endif + char *p; #ifndef OPENSSL_NO_SRP char *srpuserseed = NULL; char *srp_verifier_file = NULL; @@ -1379,9 +1379,7 @@ int s_server_main(int argc, char *argv[]) no_resume_ephemeral = 1; break; case OPT_PSK_IDENTITY: -#ifndef OPENSSL_NO_PSK psk_identity = opt_arg(); -#endif break; case OPT_PSK_HINT: #ifndef OPENSSL_NO_PSK @@ -1389,14 +1387,12 @@ int s_server_main(int argc, char *argv[]) #endif break; case OPT_PSK: -#ifndef OPENSSL_NO_PSK for (p = psk_key = opt_arg(); *p; p++) { if (isxdigit(_UC(*p))) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); goto end; } -#endif break; case OPT_PSK_SESS: psksessf = opt_arg(); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 0f75509827..83099615df 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -763,14 +763,6 @@ typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len); -typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl, - const unsigned char *identity, - size_t identity_len, - SSL_SESSION **sess); -typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md, - const unsigned char **id, - size_t *idlen, - SSL_SESSION **sess); void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb); void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb); @@ -780,6 +772,15 @@ const char *SSL_get_psk_identity_hint(const SSL *s); const char *SSL_get_psk_identity(const SSL *s); # endif +typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl, + const unsigned char *identity, + size_t identity_len, + SSL_SESSION **sess); +typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md, + const unsigned char **id, + size_t *idlen, + SSL_SESSION **sess); + void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb); void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, SSL_psk_find_session_cb_func cb); -- 2.34.1