New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement client side identity-hint callback #3831
base: development
Are you sure you want to change the base?
Conversation
The CI is failing with:
Please fix these formatting issues and please commit with the |
Thank you for doing the implementation. We are unlikely to accept it without tests, however. Can you please add the requisite support in |
4aa8e60
to
0e08a29
Compare
Support to |
Signed-off-by: Specht, Tobias <tobias.specht@aisec.fraunhofer.de>
0e08a29
to
853da5a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution! This is looking pretty good so far, but I think there are a few things left to address:
-
In terms of testing, currently the patch doesn't actually exercise the new feature in
ssl_client2.c
. I think what we want is a new command-line option for the program that causes it to set the PSK dynamically via the callback instead of setting it statically as usual. Perhaps something likepsk_callback=%%d
(default: 0). Also, ideally the callback should match if the server identity hint matches the locally configured identity, and return an error if it doesn't - that way we can test the behavior of the library when the callback fails, which we should do inssl-opt.sh
. -
The documentation of
mbedtls_ssl_conf_psk_cb()
ininclude/mbedtls/ssl.h
needs to be updated, currently it still starts with "Set the PSK callback (server-side only)." this line and the following paragraph need to be adjusted now that you've lifted this restriction. -
The new feature should be briefly described in a ChangeLog entry - see
ChangeLog.d/00README.md
for how to add one.
Signed-off-by: Specht, Tobias <tobias.specht@aisec.fraunhofer.de>
Signed-off-by: Specht, Tobias <tobias.specht@aisec.fraunhofer.de>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for implemented the test as requested. I think this is progressing very well. I'll comment below on your questions about setting the client identity.
Actually
Ah, that's a good point. (By the way, that's one of the reasons I wanted to test actually setting the key in the callback: before you did, we didn't notice this.) Considering my previous remark about not modifying the SSL conf inside a callback, I think the only clean option here is to add a new function I hope that makes sense, please don't hesitate if you have more questions or want to clarify the strategy before implementing it. |
Hi @peckto ! I just wanted to check how things are going with this PR. If you need any support from us in order to progress it, feel free to ask. |
Signed-off-by: Specht, Tobias <tobias.specht@aisec.fraunhofer.de>
If I understood you right, you want to have two possibilities to store the client identity:
In this case, the callback could store the identity inside the I'm not sure if we have the requirement to set the client identity dynamically inside the callback at all. |
Hi @peckto and sorry for not replying sooner, especially after I asked how this was going; we have a release coming soon and I've been busy making sure fixes that need to be in were ready, and each time I came to this PR, I found that I needed to think about it more... Just to recap the context: In general, there's 3 ways a particular SSL setting can be configured (in order of precedence):
Regarding PSK (disregarding opaque PSKs for a moment), we currently have the following functions:
I think I misunderstood a previous comment of yours as implying that you'd like to overwrite the identify in the callback, but your last comment made it cleat that it's actually the opposite: you'd like to set the identify globally, and set the key only in the callback. I think the existing functions allow that, but currently in a suboptimal way:
If you agree, I suggest ding that in |
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_psk returned %d\n\n", ret ); | ||
goto exit; | ||
psk_info.psk_server_identity = opt.psk_server_identity; | ||
mbedtls_ssl_conf_psk_cb(&conf, &psk_cb, &psk_info); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here I think we also want to call mbedtls_ssl_conf_psk()
with a dummy buffer for the key, and the correct identity. That way we'll have the identity set, and won't need to set it in the callback (while the key set from the callback will overwrite the one set here).
Hmm, sorry, you should probably wait before implementing my suggestion. I keep changing my mind about how to go with this. The other option is to add I understand that in cases where the client identity is set regardless of the server hint, this is less convenient, but otoh I see the following advantages:
Since I've been thinking about this (on-and-off) for 10 days now and sill haven't made up my mind, I think it's time for a second opinion. @hanno-arm it looks like you've been thinking about PSK recently, would you mind having a look and telling us what you think? |
I see your point. In my use-case I have a static client identity and server dependent PSK. But I see the use-case, where the identity is also dependent on the server.
|
@peckto Yes, I think we're on the same page regarding the solution space. Now as I said, I'm undecided about which of these solutions would be best to support. @hanno-arm if you had any opinion to share on the topic, that would be appreciated. Also, just to set expectations, I'm going to be on leave until end of March, so I won't be able to discuss or review this further before April. |
@@ -2817,9 +2817,9 @@ int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl, | |||
* - \c mbedtls_ssl_context*: The SSL context to which | |||
* the operation applies. | |||
* - \c const unsigned char*: The PSK identity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the case of the new client-side callback, this is actually the PSK identity hint, or am I misunderstanding something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure, if I got your point. Which identity hint are you referring to? In my understanding, the client side callback receives the sever identity hint. For me the question is, how the client can configure the client identity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peckto Yes that's right. My point is that now we're using a single callback which (a) for the client, receives a PSK identity hint, (b) for the server, receives a PSK identity. Semantically these are different things that are overloaded into a single parameter here, which we may or may not find acceptable. In any case, it would need to be documented.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, now I see your point. You want to refer with PSK identity
to what the client is sending and with PSK identity hint
to what the server is sending. I will clarify this in the doc.
Update: Initially I had it just the other way around
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the doc accordingly
Please edit the commit message on the last commit to add a signoff line. Also, there are multiple failures on the CI. Please get Travis to pass. Please ask for help if you don't understand the failures on Travis or if there are remaining failures on Jenkins once Travis passes. |
Signed-off-by: Specht, Tobias <tobias.specht@aisec.fraunhofer.de>
Thanks for the hint. I fixed the commit message. |
Description
This pull request implements the client side of the identity-hint (TLS server identity) callback.
With the identity-hint, the TLS server can hint the client to choose the right PSK.
The current code base is already prepared for the identity-hint, so only small changes are necessary.
The implementation and usage is analog to the handling of the client hint on the server side.
Note: This is only the client side implementation of the identity-hint, the server side of mbedTLS is still not capable of sending the hint.
Status
READY
Requires Backporting
No backporting required.
Migrations
mbedtls_ssl_conf_psk_cb
can now be used on the client side to receive the server identity-hint.Additional comments
The server identity is a TLS 1.2 only feature and is changed in TLS 1.3.
Todos
Steps to test or reproduce
mbedtls_ssl_conf_psk_cb
.