New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLSv1.3 Add external PSK support #3670
Conversation
Rebased now that #3623 has gone in. I've also added some documentation. Still WIP because there is more documentation to do and tests to add. |
Broken through previous PSK related commits
Ensure that we properly distinguish between successful return (PSK provided), successful return (no PSK provided) and failure.
Rebased again and more documentation added. Just tests to add now. |
Found while developing the PSK tests
I've now added some tests for this too. This is now out of WIP and ready for review. Anyone? |
@@ -515,9 +515,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, | |||
STACK_OF(OPENSSL_STRING) *sigopts); | |||
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, | |||
STACK_OF(OPENSSL_STRING) *sigopts); | |||
# ifndef OPENSSL_NO_PSK | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am in favor of fewer config things. So TLS 1.3 turns PSK on. Can TLS 1.3 be disabled at config time? Should there be a warning if you do enable-tls13 and disable-psk? Should we really remove all no-psk guards?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, TLS1.3 does not turn PSK on. OPENSSL_NO_PSK only applies to TLSv1.2 and does not impact the TLSv1.3 PSK implementation. In the apps there are a few options that are re-used between the TLSv1.2 and TLSv1.3 implementations which is why there are a few changes to the guards in this area.
apps/s_client.c
Outdated
@@ -197,6 +198,77 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, | |||
} | |||
#endif | |||
|
|||
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this better?
static const unsigned char tls13_aesgcm256_id[] = { 0x13, 0x01 };
? I think so ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
*sess = NULL; | ||
return 0; | ||
} | ||
usesess = SSL_SESSION_new(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I keep reading this variable as "useless" Maybe just "sess" or "newsess" Or leave it as-is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's just you ;-). I left it.
apps/s_client.c
Outdated
} | ||
|
||
cipher = SSL_SESSION_get0_cipher(usesess); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove this blank line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
apps/s_client.c
Outdated
OPT_PSK_IDENTITY, OPT_PSK, | ||
#endif | ||
OPT_PSK_SESS, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wrap this on the previous line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
ssl/ssl_lib.c
Outdated
|
||
memcpy(sess->master_key, in, len); | ||
sess->master_key_length = len; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove this blank line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
ssl/statem/extensions_clnt.c
Outdated
return EXT_RETURN_NOT_SENT; | ||
} | ||
if (s->session->ext.ticklen != 0) { | ||
if (s->session->cipher == NULL) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to see a short comment here, if possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added
} | ||
|
||
pskhashsize = EVP_MD_size(mdpsk); | ||
} | ||
|
||
/* Create the extension, but skip over the binder for now */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this skip binder part still right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the binder generation isn't done until the tls_psk_do_binder() calls below.
ssl/statem/extensions_clnt.c
Outdated
@@ -893,16 +956,30 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, | |||
|
|||
msgstart = WPACKET_get_curr(pkt) - msglen; | |||
|
|||
if (tls_psk_do_binder(s, md, msgstart, binderoffset, NULL, binder, | |||
s->session, 1) != 1) { | |||
if (dores && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
break the line before the "&&" and rewrap the args. here and below. it will be logically cleaner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
test/sslapitest.c
Outdated
static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id, | ||
size_t *idlen, SSL_SESSION **sess) | ||
{ | ||
use_session_cb_cnt++; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
perhaps switch (++use_session_cb_cnt)
is more clear here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
New commits pushed addressing review comments. |
Pushed. Thanks. |
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Broken through previous PSK related commits Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Ensure that we properly distinguish between successful return (PSK provided), successful return (no PSK provided) and failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Found while developing the PSK tests Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #3670)
This PR adds support for external PSKs with TLSv1.3.
PSKs work differently in TLSv1.3 and there is a new API for them.
I have mostly reused the existing s_client/s_server options for PSKs. So "-psk" can be used to set a hex PSK key (which must be 32 or 48 bytes long to be usable by any TLSv1.3 ciphersuite), and "-psk_identity" is used to set the identity associated with the PSK. The server side "-psk_hint" is not relevant for TLSv1.3. I have also introduced a new option "-psk_session" which only works for TLSv1.3 and can be used instead of "-psk". The argument is a session file which is used as the basis for the PSK (i.e. the key is loaded from the session file). This enables other settings, such as ALPN, to be associated with the PSK too.
Marked as WIP because this still needs tests and documentation.
Note: this is based on PR#3623 so there are a number of commits from that PR showing here.
Checklist