我正在尝试将PSK与mbedtls库结合使用SGX。没有PSK,连接就可以正常工作。
以下是相关的客户端代码:
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init( &entropy );
if ((mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char*) pers, strlen(pers))) != 0) {
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
ret = -1;
break;
}
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_crt, mbedtls_crt_len);
if ((ret = mbedtls_net_connect(&server_fd, SERVER_NAME, SERVER_PORT, MBEDTLS_NET_PROTO_TCP )) != 0) {
mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret );
break;
}
if ((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
break;
}
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, NULL );
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
const unsigned char psk_key[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
size_t psk_len = sizeof( psk_key );
const char psk_id[] = "Client_identity";
if ((ret = mbedtls_ssl_conf_psk(&conf, psk_key, psk_len,
(const unsigned char *) psk_id,
strlen(psk_id))) != 0 )
{
mbedtls_printf( " mbedtls_ssl_conf_psk returned %d\n\n", ret );
break;
}
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
break;
}
if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
break;
}
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
mbedtls_printf( " ok\n" );
mbedtls_printf( " . Performing the SSL/TLS handshake..." );
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret);
break;
}
}
....
我使用以下命令运行openssl测试服务器:
openssl s_server -accept 4433 -cert server.pem -psk 000102030405060708090a0b0c0d0e0f -psk_hint Client_identity -cipher PSK-AES256-CBC-SHA -debug
服务器也接收连接并交换PSK消息,但是 在解密点,我收到以下错误:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:532:
我还尝试将-cipher PSK-AES256-CBC-SHA更改为其他密码但仍然是相同的错误。
完全省略密码时,连接有效但没有执行PSK!?
答案 0 :(得分:1)
经过几次尝试,我设法找到了这个问题的根本原因。失败的原因来自openssl s_server日志中的以下日志(我使用了-debug -tlsextdebug):
创建了PSK len = 15
源于openssl code 但是,您使用的密钥是16个字节。 当我将psk更改为“010102030405060708090a0b0c0d0e0f”时,TLS连接工作正常,并显示以下日志:
创建了PSK len = 16
我认为这次失败的根本原因是OPENSSL_hexstr2buf() implementation,忽略了最重要的零,从而返回了一个错误的密钥长度。