PeterMosmans
diff --git a/‎CHANGES
Lines changed: 3 additions & 0 deletions b/‎CHANGES
Lines changed: 3 additions & 0 deletions
diff --git a/‎doc/apps/ciphers.pod
Lines changed: 4 additions & 0 deletions b/‎doc/apps/ciphers.pod
Lines changed: 4 additions & 0 deletions
diff --git a/‎ssl/s3_clnt.c
Lines changed: 111 additions & 19 deletions b/‎ssl/s3_clnt.c
Lines changed: 111 additions & 19 deletions
diff --git a/‎ssl/s3_lib.c
Lines changed: 68 additions & 1 deletion b/‎ssl/s3_lib.c
Lines changed: 68 additions & 1 deletion
@@ -2,6 +2,9 @@
  OpenSSL CHANGES
  _______________
 
+  *) Support for TLS-RSA-PSK ciphersuites has been added.
+     [Giuseppe D'Angelo, Christian J. Dietrich]
+
  Changes between 1.0.1j and 1.0.2 [xx XXX xxxx]
 
   *) SRTP Memory Leak.
 
@@ -587,6 +587,10 @@ Note: these ciphers can also be used in SSL v3.
 
 =head2 Pre shared keying (PSK) ciphersuites
 
+ TLS_RSA_PSK_WITH_RC4_128_SHA              RSA-PSK-RC4-SHA
+ TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA         RSA-PSK-3DES-EDE-CBC-SHA
+ TLS_RSA_PSK_WITH_AES_128_CBC_SHA          RSA-PSK-AES128-CBC-SHA
+ TLS_RSA_PSK_WITH_AES_256_CBC_SHA          RSA-PSK-AES256-CBC-SHA
  TLS_PSK_WITH_RC4_128_SHA                  PSK-RC4-SHA
  TLS_PSK_WITH_3DES_EDE_CBC_SHA             PSK-3DES-EDE-CBC-SHA
  TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
 
@@ -336,7 +336,7 @@ int ssl3_connect(SSL *s)
 				}
 #endif
 			/* Check if it is anon DH/ECDH, SRP auth */
-			/* or PSK */
+			/* or plain PSK */
 			if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
 				{
@@ -1402,9 +1402,9 @@ int ssl3_get_key_exchange(SSL *s)
 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
 		{
 #ifndef OPENSSL_NO_PSK
-		/* In plain PSK ciphersuite, ServerKeyExchange can be
+		/* In PSK ciphersuites, ServerKeyExchange can be
 		   omitted if no identity hint is sent. Set
-		   session->sess_cert anyway to avoid problems
+		   session->sess_cert for plain PSK anyway to avoid problems
 		   later.*/
 		if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
 			{
@@ -1458,7 +1458,12 @@ int ssl3_get_key_exchange(SSL *s)
 	al=SSL_AD_DECODE_ERROR;
 
 #ifndef OPENSSL_NO_PSK
-	if (alg_k & SSL_kPSK)
+	/* handle PSK identity hint */
+	if (alg_k & (SSL_kPSK
+#ifndef OPENSSL_NO_RSA
+		     |SSL_kRSAPSK
+#endif
+		     ))
 		{
 		char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
 
@@ -1635,7 +1640,11 @@ int ssl3_get_key_exchange(SSL *s)
 	else
 #endif /* !OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_RSA
-	if (alg_k & SSL_kRSA)
+	if (alg_k & (SSL_kRSA
+#ifndef OPENSSL_NO_PSK
+		     |SSL_kRSAPSK
+#endif
+		     ))
 		{
 		if ((rsa=RSA_new()) == NULL)
 			{
@@ -2038,8 +2047,16 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 		}
 	else
 		{
-		/* aNULL, aSRP or kPSK do not need public keys */
-		if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
+		/* aNULL, aSRP, kPSK or kRSAPSK do not need public keys */
+		if (!(alg_a & (SSL_aNULL|SSL_aSRP))
+#ifndef OPENSSL_NO_PSK
+				&& !(alg_k & (SSL_kPSK
+#ifndef OPENSSL_NO_RSA
+					      |SSL_kRSAPSK
+#endif
+					      ))
+#endif
+				)
 			{
 			/* Might be wrong key type, check it */
 			if (ssl3_check_cert_and_algorithm(s))
@@ -3109,15 +3126,19 @@ int ssl3_send_client_key_exchange(SSL *s)
 			}
 #endif
 #ifndef OPENSSL_NO_PSK
-		else if (alg_k & SSL_kPSK)
+		else if (alg_k & SSL_kPSK
+#ifndef OPENSSL_NO_RSA
+			|| alg_k & SSL_kRSAPSK
+#endif
+			 )
 			{
 			/* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes
 			 * to return a \0-terminated identity. The last byte
 			 * is for us for simulating strnlen. */
 			char identity[PSK_MAX_IDENTITY_LEN + 2];
 			size_t identity_len;
-			unsigned char *t = NULL;
 			unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
+			unsigned char *t = psk_or_pre_ms;
 			unsigned int pre_ms_len = 0, psk_len = 0;
 			int psk_err = 1;
 
@@ -3153,14 +3174,36 @@ int ssl3_send_client_key_exchange(SSL *s)
 					ERR_R_INTERNAL_ERROR);
 				goto psk_err;
 				}
-			/* create PSK pre_master_secret */
-			pre_ms_len = 2+psk_len+2+psk_len;
-			t = psk_or_pre_ms;
-			memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
-			s2n(psk_len, t);
-			memset(t, 0, psk_len);
-			t+=psk_len;
-			s2n(psk_len, t);
+
+			if (alg_k & SSL_kPSK)
+				{
+				/* create PSK pre_master_secret */
+				pre_ms_len = 2+psk_len+2+psk_len;
+				memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
+				s2n(psk_len, t);
+				memset(t, 0, psk_len);
+				t+=psk_len;
+				s2n(psk_len, t);
+				}
+#ifndef OPENSSL_NO_RSA
+			else if (alg_k & SSL_kRSAPSK)
+				{
+				const unsigned int pre_ms_prefix = 48;
+
+				pre_ms_len = 2 + 2 + 46 + 2 + psk_len;
+				memmove(psk_or_pre_ms + 52, psk_or_pre_ms, psk_len);
+				s2n(pre_ms_prefix, t);
+
+				psk_or_pre_ms[2] = s->client_version >> 8;
+				psk_or_pre_ms[3] = s->client_version & 0xff;
+				t += 2;
+
+				if (RAND_bytes(psk_or_pre_ms + 4, 46) <= 0)
+					goto psk_err;
+				t += 46;
+				s2n(psk_len, t);
+				}
+#endif
 
 			if (s->session->psk_identity_hint != NULL)
 				OPENSSL_free(s->session->psk_identity_hint);
@@ -3187,10 +3230,51 @@ int ssl3_send_client_key_exchange(SSL *s)
 				s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
 					psk_or_pre_ms, pre_ms_len);
+
 			s2n(identity_len, p);
 			memcpy(p, identity, identity_len);
+			p += identity_len;
+
 			n = 2 + identity_len;
+
+#ifndef OPENSSL_NO_RSA
+			if (alg_k & SSL_kRSAPSK)
+				{
+				RSA *rsa;
+				int enc_n;
+
+				if (s->session->sess_cert->peer_rsa_tmp != NULL)
+					{
+					rsa = s->session->sess_cert->peer_rsa_tmp;
+					}
+				else
+					{
+					pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+					if ((pkey == NULL) ||
+							(pkey->type != EVP_PKEY_RSA) ||
+							(pkey->pkey.rsa == NULL))
+						{
+							SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+							goto psk_err;
+						}
+					rsa = pkey->pkey.rsa;
+					EVP_PKEY_free(pkey);
+					}
+
+				enc_n = RSA_public_encrypt(48, psk_or_pre_ms + 2, p + 2, rsa, RSA_PKCS1_PADDING);
+				if (enc_n <= 0)
+					{
+						SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
+						goto psk_err;
+					}
+				n += enc_n;
+
+				s2n(enc_n, p);
+				n += 2;
+				}
+#endif
 			psk_err = 0;
+
 		psk_err:
 			OPENSSL_cleanse(identity, sizeof(identity));
 			OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@@ -3597,7 +3681,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 		}
 #endif
 #ifndef OPENSSL_NO_RSA
-	if ((alg_k & SSL_kRSA) &&
+	if ((alg_k & (SSL_kRSA
+#ifndef OPENSSL_NO_PSK
+	     |SSL_kRSAPSK
+#endif
+	     )) &&
 		!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
 		{
 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
@@ -3630,7 +3718,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
 		{
 #ifndef OPENSSL_NO_RSA
-		if (alg_k & SSL_kRSA)
+		if (alg_k & (SSL_kRSA
+#ifndef OPENSSL_NO_PSK
+			     |SSL_kRSAPSK
+#endif
+			     ))
 			{
 			if (rsa == NULL
 			    || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 
@@ -1720,6 +1720,73 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	256,
 	256,
 	},
+
+#ifndef OPENSSL_NO_RSA
+	/* RSA-PSK ciphersuites */
+	/* Cipher 92 */
+	{
+	1,
+	TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
+	TLS1_CK_RSA_PSK_WITH_RC4_128_SHA,
+	SSL_kRSAPSK,
+	SSL_aRSA,
+	SSL_RC4,
+	SSL_SHA1,
+	SSL_TLSV1,
+	SSL_NOT_EXP|SSL_MEDIUM,
+	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+	128,
+	128,
+	},
+
+	/* Cipher 93 */
+	{
+	1,
+	TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+	SSL_kRSAPSK,
+	SSL_aRSA,
+	SSL_3DES,
+	SSL_SHA1,
+	SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+	112,
+	168,
+	},
+
+	/* Cipher 94 */
+	{
+	1,
+	TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA,
+	TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA,
+	SSL_kRSAPSK,
+	SSL_aRSA,
+	SSL_AES128,
+	SSL_SHA1,
+	SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+	128,
+	128,
+	},
+
+	/* Cipher 95 */
+	{
+	1,
+	TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA,
+	TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA,
+	SSL_kRSAPSK,
+	SSL_aRSA,
+	SSL_AES256,
+	SSL_SHA1,
+	SSL_TLSV1,
+	SSL_NOT_EXP|SSL_HIGH,
+	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+	256,
+	256,
+	},
+#endif  /* OPENSSL_NO_RSA */
 #endif  /* OPENSSL_NO_PSK */
 
 #ifndef OPENSSL_NO_SEED
@@ -4553,7 +4620,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
 		/* with PSK there must be server callback set */
-		if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
+		if ((alg_k & (SSL_kPSK|SSL_kRSAPSK)) && s->psk_server_callback == NULL)
 			continue;
 #endif /* OPENSSL_NO_PSK */