TLS 1.3 PSK succeeds even if then pre-shared key is wrong

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS 1.3 PSK succeeds even if then pre-shared key is wrong

OpenSSL - User mailing list
Hi,

I have been trying to perform/debug external PSK based handshake in TLS 1.3 for one of my projects. My team has implemented the "find_session_cb" as :


static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
                               size_t identity_len, SSL_SESSION **sess){

        SSL_SESSION *tmpsess = NULL;
        unsigned char *key;
        long key_len;
        const SSL_CIPHER *cipher = NULL;
        static char *psk_identity = "Client_identity";
  const char *psk_key = "0533c95c9ecc310ee07cb70a316c45448487c1f70bbea99fe6616f3348305677";
         //temperory fixed psk
        const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };

        if (strlen(psk_identity) != identity_len)
        {
            wpa_printf(MSG_DEBUG, "PSK Identity length does not match.");
            return 0;
        }

        if(memcmp(psk_identity, identity, identity_len) != 0)
        {
                wpa_printf(MSG_DEBUG, "PSK Identity memory copy failed.");
            return 0;
        }

        key = OPENSSL_hexstr2buf(psk_key, &key_len);

        if (key == NULL) {
        wpa_printf(MSG_ERROR, "Could not convert PSK key '%s' to buffer\n",
                   psk_key);
        return 0;
    }

    cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
    if (cipher == NULL) {
        wpa_printf(MSG_DEBUG, "Error finding suitable ciphersuite\n");
        OPENSSL_free(key);
        return 0;
    }

    tmpsess = SSL_SESSION_new();
    if (tmpsess == NULL
            || !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
            || !SSL_SESSION_set_cipher(tmpsess, cipher)
            || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
        OPENSSL_free(key);
        return 0;
    }
    OPENSSL_free(key);
    *sess = tmpsess;
    wpa_printf(MSG_DEBUG, "Using external PSK.");
    return 1;
}


and attached the callback to the SSL object using "SSL_set_psk_find_session_callback()" method. From my client, we are sending creating and sending a session using "SSL_set_psk_use_session_callback(sssl, use_session_cb)".

From what I noticed, the handshake completes successfully, regardless of the value of "psk_key" (as long as PSK length is even). However, if the identity value is mismatched between psk_find_session_cb and use_session_cb, the handshake fails with the message:

   SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
   OpenSSL: openssl_handshake - SSL_connect error:141F906E:SSL routines:tls_parse_ctos_psk:bad extension

I am not sure what am I missing here

Thanks
Bran

Reply | Threaded
Open this post in threaded view
|

Re: TLS 1.3 PSK succeeds even if then pre-shared key is wrong

Matt Caswell-2


On 20/04/2020 12:59, brandon.murphy1996 via openssl-users wrote:
> From what I noticed, the handshake completes successfully, regardless
> of the value of "psk_key" (as long as PSK length is even). However,
> if the identity value is mismatched between psk_find_session_cb and
> use_session_cb, the handshake fails with the message:

It's not clear from your question what you expected to happen. The
length of the PSK key doesn't actually matter from a TLS perspective
(obviously in practice it is best if the length is consistent with the
ciphersuite key length).

Or did you mean that that the value doesn't matter - even if it is
mismatched with the client's value? That would be unexpected (and
probably indicates you are not actually using the PSK at all and doing a
full handshake).

Matt