Unable to make pre-shared key based wifi socket connection to server on iOS 13 Beta 7

[ranmyfriend]

Expected behavior

The handshake should happen on iOS 13

Actual behavior

Handshake is not happening and it failing due to the Error:
PSK_IDENTITY NOT FOUND

Note

Working fine on iOS 12 but it broke on iOS 13

Through OPEN SSL

Even I have tried with OpenSSL@1.1 and it works. and it says CONNECTED.
/usr/local/Cellar/openssl@1.1/1.1.1c/bin/openssl s_client -connect XXXXX:XXXX -psk 054dd7317f689a3425d5aadfd53771af7987be96 -psk_identity 1002535472 -no_tls1_3 -cipher PSK-AES256-CBC-SHA

Steps to reproduce

1. Simply connect the server with PSK and PSK identity. NIO will throw Timeout Error and in debug console getting Error from the iOS side: PSK IDENTITY NOT FOUND

If possible, minimal yet complete reproducer code (or URL to code)

 do {
            let tlsOptions = NWProtocolTLS.Options()
            
            let storePinHashData = Data(fromHexEncodedString: authProcessInfo.preSharedKeyAsEncodedString)!
            let requestIdData = Data("\(authProcessInfo.pairingRequestId!)".utf8)
                                    
            let psk = DispatchData(data: storePinHashData as Data)
            let pskIdentity = DispatchData(data: requestIdData as Data)

            sec_protocol_options_add_pre_shared_key(tlsOptions.securityProtocolOptions, psk as __DispatchData, pskIdentity as __DispatchData)
             sec_protocol_options_add_tls_ciphersuite(tlsOptions.securityProtocolOptions, TLS_PSK_WITH_AES_256_CBC_SHA)
            
            do {
                try NIOTSConnectionBootstrap(group: self.group)
                    .channelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
                    .channelOption(ChannelOptions.socket(IPPROTO_TCP, TCP_NODELAY), value: 1)
                    .tlsOptions(tlsOptions)
                    .channelInitializer { channel in
                        channel.pipeline.addHandler(self.handler!)
                }.connect(host: host, port: port).whenFailure({ (error) in
                    print("Error:\(error)")
                })
            }catch(let e) {
                debugPrint("Error:\(e)")
            }
        }catch(let e) {
            debugPrint("Error:\(e)")
        }
    }

Extension Dispatch Data

extension DispatchData {
    public init(data source: Data) {
        self = source.withUnsafeBytes { ptr in
            DispatchData(bytes: ptr)
        }
    }
}

Swift & OS version (output of swift --version && uname -a)

Swift 5.0
iOS 13 Beta 7
Tried both Simulator as well as Device
Swift NIO 2.7.0

[weissi]

This is almost 100% not a swift-nio(-transport-services) issue. There are really two possibilities:

• Network.framework issue
• PSK (identity) incorrect

[ranmyfriend]

Finally, it works when passing PSK Identity on

sec_protocol_options_set_pre_shared_key_selection_block

Working code is below:

if #available(iOS 13.0, *) {
                sec_protocol_options_set_pre_shared_key_selection_block(tlsOptions.securityProtocolOptions, { (sec, dispatchData, sec_protocol_pre_shared_key_selection_complete) in
                    sec_protocol_pre_shared_key_selection_complete(pskIdentity as __DispatchData)
                }, DispatchQueue(label: "com.psk"))
            } else {
                // Fallback on earlier versions
            }

Am closing this issue :)

Thanks, @weissi @Lukasa

[kalaivanivelusamy]

@ranmyfriend I can connect for TLS 1.2 - PSK using NIOTSConnectionBootstrap. But not able to do it for TLS 1.3 after adding ciphersuites like below:

sec_protocol_options_add_pre_shared_key(tlsOptions.securityProtocolOptions, psk as __DispatchData, identity as __DispatchData)
sec_protocol_options_add_tls_ciphersuite(tlsOptions.securityProtocolOptions, TLS_PSK_WITH_AES_128_GCM_SHA256)

     Can you elaborate on how PSK in Swift nio can be achieved for TLS 1.3. Am having trouble in connecting with TLS 1.3 through PSK. 

[ranmyfriend]

@kalaivanivelusamy
Actually TLS 1.3 onwards the weak ciphers are not allowed. So apple they are restricting when it comes to security. Even though if you would have added into sec_protocol_options_add_tls_ciphersuite but not reached out to your server. you can clearly able to checkout using Wireshark Tool. So, for this we have enabled strong cipher on the server side which apple supports on TLS 1.3. Then we have added from our client side. This is the only solution we have figured out.

[kalaivanivelusamy]

@ranmyfriend thanx for the feedback. Actually server has strong cipher like CHACHA20_POLY1305_SHA256 and client is using 3 ciphersuites (.AES_128_GCM_SHA256, .AES_256_GCM_SHA384,.CHACHA20_POLY1305_SHA256)

wireshark shows client hello handshake is failed. On inspecting Client hello message, extensions like supported versions ,key share which are for 1.3 are missing in my client hello message.
sec_protocol_options_add_pre_shared_key. and sec_protocol_options_append_tls_ciphersuite are the extras am adding in client side to facilitate tls 1.3.

Am i missing any configuration in tlsoptions of this NIOTSConnectionBootstrap to support 1.3?

NIOTSConnectionBootstrap(group: group)
                     .channelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
                     .tlsOptions(tlsOptions)
                     .connectTimeout(TimeAmount.seconds(10))
                     .channelInitializer { channel in
                            channel.pipeline.addHandler(self.handler)

[ranmyfriend]

@kalaivanivelusamy
We have used RSA_WITH_AES_256_GCM_SHA384 cipher. and dont know about this .CHACHA20_POLY1305_SHA256. Check your Wireshark packet whether in the client hello call shows your cipher or not. and check with your server team as well.