TLSv1.3 Add external PSK support #3670
Conversation
|
Rebased now that #3623 has gone in. I've also added some documentation. Still WIP because there is more documentation to do and tests to add. |
Broken through previous PSK related commits
Ensure that we properly distinguish between successful return (PSK provided), successful return (no PSK provided) and failure.
|
Rebased again and more documentation added. Just tests to add now. |
Found while developing the PSK tests
mattcaswell
changed the title
|
I've now added some tests for this too. This is now out of WIP and ready for review. Anyone? |
| @@ -515,9 +515,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, | |||
| STACK_OF(OPENSSL_STRING) *sigopts); | |||
| int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, | |||
| STACK_OF(OPENSSL_STRING) *sigopts); | |||
| # ifndef OPENSSL_NO_PSK | |||
|
|
|||
There was a problem hiding this comment.
I am in favor of fewer config things. So TLS 1.3 turns PSK on. Can TLS 1.3 be disabled at config time? Should there be a warning if you do enable-tls13 and disable-psk? Should we really remove all no-psk guards?
There was a problem hiding this comment.
No, TLS1.3 does not turn PSK on. OPENSSL_NO_PSK only applies to TLSv1.2 and does not impact the TLSv1.3 PSK implementation. In the apps there are a few options that are re-used between the TLSv1.2 and TLSv1.3 implementations which is why there are a few changes to the guards in this area.
apps/s_client.c
Outdated
| @@ -197,6 +198,77 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, | |||
| } | |||
| #endif | |||
|
|
|||
| #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") | |||
There was a problem hiding this comment.
Is this better?
static const unsigned char tls13_aesgcm256_id[] = { 0x13, 0x01 };
? I think so ...
| *sess = NULL; | ||
| return 0; | ||
| } | ||
| usesess = SSL_SESSION_new(); |
There was a problem hiding this comment.
I keep reading this variable as "useless" Maybe just "sess" or "newsess" Or leave it as-is.
There was a problem hiding this comment.
I think that's just you ;-). I left it.
apps/s_client.c
Outdated
| } | ||
|
|
||
| cipher = SSL_SESSION_get0_cipher(usesess); | ||
|
|
apps/s_client.c
Outdated
| OPT_PSK_IDENTITY, OPT_PSK, | ||
| #endif | ||
| OPT_PSK_SESS, |
There was a problem hiding this comment.
wrap this on the previous line.
ssl/ssl_lib.c
Outdated
|
|
||
| memcpy(sess->master_key, in, len); | ||
| sess->master_key_length = len; | ||
|
|
ssl/statem/extensions_clnt.c
Outdated
| return EXT_RETURN_NOT_SENT; | ||
| } | ||
| if (s->session->ext.ticklen != 0) { | ||
| if (s->session->cipher == NULL) { |
There was a problem hiding this comment.
I'd like to see a short comment here, if possible.
| } | ||
|
|
||
| pskhashsize = EVP_MD_size(mdpsk); | ||
| } | ||
|
|
||
| /* Create the extension, but skip over the binder for now */ |
There was a problem hiding this comment.
is this skip binder part still right?
There was a problem hiding this comment.
Yes, the binder generation isn't done until the tls_psk_do_binder() calls below.
ssl/statem/extensions_clnt.c
Outdated
| @@ -893,16 +956,30 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, | |||
|
|
|||
| msgstart = WPACKET_get_curr(pkt) - msglen; | |||
|
|
|||
| if (tls_psk_do_binder(s, md, msgstart, binderoffset, NULL, binder, | |||
| s->session, 1) != 1) { | |||
| if (dores && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, | |||
There was a problem hiding this comment.
break the line before the "&&" and rewrap the args. here and below. it will be logically cleaner.
test/sslapitest.c
Outdated
| static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, | ||
| size_t *idlen, SSL_SESSION **sess) | ||
| { | ||
| use_session_cb_cnt++; |
There was a problem hiding this comment.
perhaps switch (++use_session_cb_cnt) is more clear here.
|
New commits pushed addressing review comments. |
|
Pushed. Thanks. |
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Broken through previous PSK related commits Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Ensure that we properly distinguish between successful return (PSK provided), successful return (no PSK provided) and failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Found while developing the PSK tests Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
This PR adds support for external PSKs with TLSv1.3.
PSKs work differently in TLSv1.3 and there is a new API for them.
I have mostly reused the existing s_client/s_server options for PSKs. So "-psk" can be used to set a hex PSK key (which must be 32 or 48 bytes long to be usable by any TLSv1.3 ciphersuite), and "-psk_identity" is used to set the identity associated with the PSK. The server side "-psk_hint" is not relevant for TLSv1.3. I have also introduced a new option "-psk_session" which only works for TLSv1.3 and can be used instead of "-psk". The argument is a session file which is used as the basis for the PSK (i.e. the key is loaded from the session file). This enables other settings, such as ALPN, to be associated with the PSK too.
Marked as WIP because this still needs tests and documentation.
Note: this is based on PR#3623 so there are a number of commits from that PR showing here.
Checklist