diff --git a/configs/config-thread.h b/configs/config-thread.h
|
index 25db16b..c2d8c88 100644
|
--- a/configs/config-thread.h
|
+++ b/configs/config-thread.h
|
@@ -21,6 +21,13 @@
|
*
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
*/
|
+/*
|
+ * Portions of this file are copyright (c) 2019 - 2020
|
+ * Amazon.com, Inc. or its affiliates. All rights reserved.
|
+ *
|
+ * PORTIONS OF THIS FILE ARE AMAZON PROPRIETARY/CONFIDENTIAL. USE IS SUBJECT TO
|
+ * LICENSE TERMS.
|
+ */
|
|
/*
|
* Minimal configuration for using TLS a part of Thread
|
@@ -51,6 +58,7 @@
|
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
|
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
|
#define MBEDTLS_SSL_EXPORT_KEYS
|
+#define MBEDTLS_EAP_TLS_EXPORT_KEYS
|
|
/* mbed TLS modules */
|
#define MBEDTLS_AES_C
|
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
|
index 834cced..d2e3878 100644
|
--- a/include/mbedtls/config.h
|
+++ b/include/mbedtls/config.h
|
@@ -1620,6 +1620,16 @@
|
#define MBEDTLS_SSL_EXPORT_KEYS
|
|
/**
|
+ * \def MBEDTLS_EAP_TLS_EXPORT_KEYS
|
+ *
|
+ * Enable support for exporting EAP_TLS keys as defined in rfc5216.
|
+ * This is required for 802.1X support.
|
+ *
|
+ * Comment this macro to disable support for EAP_TLS key export
|
+ */
|
+#define MBEDTLS_EAP_TLS_EXPORT_KEYS
|
+
|
+/**
|
* \def MBEDTLS_SSL_SERVER_NAME_INDICATION
|
*
|
* Enable support for RFC 6066 server name indication (SNI) in SSL.
|
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
|
index 1adf960..622a8b4 100644
|
--- a/include/mbedtls/ssl.h
|
+++ b/include/mbedtls/ssl.h
|
@@ -21,6 +21,13 @@
|
*
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
*/
|
+/*
|
+ * Portions of this file are copyright (c) 2019 - 2020
|
+ * Amazon.com, Inc. or its affiliates. All rights reserved.
|
+ *
|
+ * PORTIONS OF THIS FILE ARE AMAZON PROPRIETARY/CONFIDENTIAL. USE IS SUBJECT TO
|
+ * LICENSE TERMS.
|
+ */
|
#ifndef MBEDTLS_SSL_H
|
#define MBEDTLS_SSL_H
|
|
@@ -419,6 +426,18 @@ union mbedtls_ssl_premaster_secret
|
extern "C" {
|
#endif
|
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+/*
|
+ * Exported key type
|
+ */
|
+typedef enum
|
+{
|
+ TLS_KEY, /* rfc5246 - default*/
|
+ EAP_TLS_KEY /* rfc5216 */
|
+}
|
+mbedtls_tls_key_t;
|
+#endif
|
+
|
/*
|
* SSL state machine
|
*/
|
@@ -890,6 +909,10 @@ struct mbedtls_ssl_config
|
int (*f_export_keys)( void *, const unsigned char *,
|
const unsigned char *, size_t, size_t, size_t );
|
void *p_export_keys; /*!< context for key export callback */
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ mbedtls_tls_key_t export_key_type;
|
+ unsigned char eap_tls_keyblk[128];
|
+#endif
|
#endif
|
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
@@ -1589,6 +1589,19 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
|
|
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+/**
|
+ * \brief Set type of the TLS key to export.
|
+ * (Default: TLS_KEY as defined in rfc4346
|
+ *
|
+ * \note See \c mbedtls_tls_key_t.
|
+ *
|
+ * \param conf SSL configuration context
|
+ * \param export_key_type Type of the key to be exported
|
+ */
|
+void mbedtls_ssl_conf_export_keys_type( mbedtls_ssl_config *conf,
|
+ mbedtls_tls_key_t export_key_type);
|
+#endif /* MBEDTLS_EAP_TLS_EXPORT_KEYS */
|
/**
|
* \brief Configure key export callback.
|
* (Default: none.)
|
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
|
index bd5ad94..2db53a4 100644
|
--- a/include/mbedtls/ssl_internal.h
|
+++ b/include/mbedtls/ssl_internal.h
|
@@ -21,6 +21,13 @@
|
*
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
*/
|
+/*
|
+ * Portions of this file are copyright (c) 2019 - 2020
|
+ * Amazon.com, Inc. or its affiliates. All rights reserved.
|
+ *
|
+ * PORTIONS OF THIS FILE ARE AMAZON PROPRIETARY/CONFIDENTIAL. USE IS SUBJECT TO
|
+ * LICENSE TERMS.
|
+ */
|
#ifndef MBEDTLS_SSL_INTERNAL_H
|
#define MBEDTLS_SSL_INTERNAL_H
|
|
@@ -126,6 +133,15 @@
|
#define MBEDTLS_SSL_RETRANS_FINISHED 3
|
|
/*
|
+ * Move the definition from mbedtls/library/ssl_tls.c
|
+ *
|
+ * Note: Used by mbedtls_ssl_write_record function in
|
+ * mbedtls/library/ssl_tls.c
|
+ */
|
+#define SSL_DONT_FORCE_FLUSH 0
|
+#define SSL_FORCE_FLUSH 1
|
+
|
+/*
|
* Allow extra bytes for record, authentication and encryption overhead:
|
* counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
|
* and allow for a maximum of 1024 of compression expansion if
|
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
|
index b8f35fe..48185fb 100644
|
--- a/library/ssl_tls.c
|
+++ b/library/ssl_tls.c
|
@@ -19,6 +19,13 @@
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
*/
|
/*
|
+ * Portions of this file are copyright (c) 2019 - 2020
|
+ * Amazon.com, Inc. or its affiliates. All rights reserved.
|
+ *
|
+ * PORTIONS OF THIS FILE ARE AMAZON PROPRIETARY/CONFIDENTIAL. USE IS SUBJECT TO
|
+ * LICENSE TERMS.
|
+ */
|
+/*
|
* The SSL 3.0 specification was drafted by Netscape in 1996,
|
* and became an IETF standard in 1999.
|
*
|
@@ -104,9 +111,6 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
|
static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
|
mbedtls_ssl_transform *transform );
|
|
-#define SSL_DONT_FORCE_FLUSH 0
|
-#define SSL_FORCE_FLUSH 1
|
-
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
|
/* Forward declarations for functions related to message buffering. */
|
@@ -498,7 +502,16 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
{
|
size_t nb;
|
size_t i, j, k, md_len;
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ /*
|
+ * EAP-TLS is using label: "client EAP encryption" (RFC 5216)
|
+ * while TLS is using "master secret" (RFC4346 and RFC5246)
|
+ * If EAP-TLS is supported, increase buffer by 8 bytes
|
+ */
|
+ unsigned char tmp[128+8];
|
+#else
|
unsigned char tmp[128];
|
+#endif
|
unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
|
const mbedtls_md_info_t *md_info;
|
mbedtls_md_context_t md_ctx;
|
@@ -612,6 +625,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
int ret = 0;
|
unsigned char tmp[64];
|
unsigned char keyblk[256];
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ unsigned char eap_tls_keyblk[128];
|
+#endif
|
unsigned char *key1;
|
unsigned char *key2;
|
unsigned char *mac_enc;
|
@@ -762,6 +778,17 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
}
|
else
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ if ( ssl->conf->export_key_type == EAP_TLS_KEY ) {
|
+ ret = handshake->tls_prf( session->master, 48, "client EAP encryption",
|
+ handshake->randbytes, 64, eap_tls_keyblk, 128 );
|
+ if( ret != 0 )
|
+ {
|
+ MBEDTLS_SSL_DEBUG_RET( 1, "eap_tls_prf", ret );
|
+ return( ret );
|
+ }
|
+ }
|
+#endif
|
|
/*
|
* Swap the client and server random values.
|
@@ -1023,6 +1050,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
|
if( ssl->conf->f_export_keys != NULL )
|
{
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ if ( ssl->conf->export_key_type == EAP_TLS_KEY )
|
+ ssl->conf->f_export_keys( ssl->conf->p_export_keys,
|
+ session->master, eap_tls_keyblk,
|
+ 0, 128, 0 );
|
+ else
|
+#endif /* MBEDTLS_EAP_TLS_EXPORT_KEYS */
|
ssl->conf->f_export_keys( ssl->conf->p_export_keys,
|
session->master, keyblk,
|
mac_key_len, transform->keylen,
|
@@ -1079,6 +1113,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
}
|
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+ mbedtls_platform_zeroize( eap_tls_keyblk, sizeof(eap_tls_keyblk) );
|
+#endif
|
+
|
mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
|
|
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
@@ -7719,6 +7757,13 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
|
conf->f_export_keys = f_export_keys;
|
conf->p_export_keys = p_export_keys;
|
}
|
+#if defined(MBEDTLS_EAP_TLS_EXPORT_KEYS)
|
+void mbedtls_ssl_conf_export_keys_type( mbedtls_ssl_config *conf,
|
+ mbedtls_tls_key_t export_key_type )
|
+{
|
+ conf->export_key_type=export_key_type;
|
+}
|
+#endif /* MBEDTLS_EAP_TLS_EXPORT_KEYS */
|
#endif
|
|
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
