Re: [openssl-dev] [openssl.org #2464] [PATCH] Experimental TLS-RSA-PSK support for OpenSSL
On 22/06/2015 23:14, Stephen Henson via RT wrote:
> On Sun Jun 21 19:00:55 2015, giuseppe.dang...@kdab.com wrote:
>> Yet another version after some refactorings that landed in master.
>>
>> Please, pretty please, with sugar on top, could anyone review this code
>> so that it can get merged?
>>
>> It's becoming a difficult exercise to keep track of upstream changes and
>> adapt the patch every single time...
>>
>
> I'm currently looking at the OpenSSL PSK code. I'll look into incorporating
> your changes (in a modified form) as part of that so there is no need to keep
> it up to date with the changing master branch.

Great, thank you! If you have questions on the implementation just ask. It should be mostly straightforward with the RFC at hand, with a small section copied as-is from the plain RSA code.

> I hope to revise the PSK code and make it more flexible so it can support
> {RSA,DH,ECDH}+PSK more cleanly.
>
> FYI, I can tell you the cause of the GCM crash: the cipher structure isn't set
> up correctly in your patch, it needs to use SSL_AEAD not SSL_SHA256 (compare
> it with other GCM entries).

A-ha! That explains the silly mistake, thank you.

Cheers,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company | Tel: UK +44-1625-809908
KDAB - The Qt Experts
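The premaster-secret layouts that RFC 4279 prescribes for plain PSK and for RSA_PSK (the "small section copied as-is from the plain RSA code" above produces the 48-byte RSA premaster that RSA_PSK embeds), as an added example written for this page and not taken from the patch or from OpenSSL; it assumes OpenSSL's PSK_MAX_PSK_LEN of 256 and uses constructed sample bytes in place of real secrets.

```c
/* Added example, not code from the patch: build the TLS premaster secret
 * for the plain PSK and RSA_PSK key exchanges as RFC 4279 sections 2 and 4
 * define it, and check that one buffer of PSK_MAX_PSK_LEN*2+4 bytes (the
 * size the patch uses for psk_or_pre_ms) holds both layouts. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PSK_MAX_PSK_LEN 256                /* OpenSSL's limit, assumed here */
#define PREMASTER_BUF_LEN (PSK_MAX_PSK_LEN * 2 + 4)
#define RSA_OTHER_SECRET_LEN 48            /* client_version(2) + 46 random */

/* Write "other_secret_len || other_secret || psk_len || psk" into out.
 * other_secret == NULL selects plain PSK (other_secret is psk_len zero
 * octets); for RSA_PSK pass the 48-byte RSA premaster that the client also
 * sends RSA-encrypted in ClientKeyExchange. Returns the premaster length,
 * or 0 when the inputs are out of range or would overrun out. */
size_t build_psk_premaster(uint8_t *out, size_t out_len,
                           const uint8_t *other_secret, size_t other_len,
                           const uint8_t *psk, size_t psk_len)
{
    size_t total;

    if (psk_len == 0 || psk_len > PSK_MAX_PSK_LEN)
        return 0;
    if (other_secret == NULL)
        other_len = psk_len;               /* plain PSK: N zero octets */
    total = 2 + other_len + 2 + psk_len;
    if (other_len > 0xFFFF || total > out_len)
        return 0;
    out[0] = (uint8_t)(other_len >> 8);    /* lengths are 16-bit big-endian */
    out[1] = (uint8_t)other_len;
    if (other_secret != NULL)
        memcpy(out + 2, other_secret, other_len);
    else
        memset(out + 2, 0, other_len);
    out[2 + other_len] = (uint8_t)(psk_len >> 8);
    out[3 + other_len] = (uint8_t)psk_len;
    memcpy(out + 4 + other_len, psk, psk_len);
    return total;
}

/* Constructed self-check: build one layout from a fixed 4-byte PSK and a
 * filler 48-byte other_secret, then verify every field. Returns 1 when the
 * layout matches RFC 4279, 0 otherwise. */
int psk_premaster_selfcheck(int rsa_psk)
{
    uint8_t buf[PREMASTER_BUF_LEN];
    const uint8_t psk[4] = { 0x01, 0x02, 0x03, 0x04 };
    uint8_t other[RSA_OTHER_SECRET_LEN];
    size_t olen = rsa_psk ? RSA_OTHER_SECRET_LEN : sizeof psk;
    size_t n;

    memset(other, 0xAB, sizeof other);     /* stand-in for the random bytes */
    other[0] = 0x03;                       /* client_version = TLS 1.2 */
    other[1] = 0x03;
    n = build_psk_premaster(buf, sizeof buf, rsa_psk ? other : NULL, olen,
                            psk, sizeof psk);
    if (n != 2 + olen + 2 + sizeof psk || buf[0] != 0 || buf[1] != olen)
        return 0;
    if (rsa_psk ? memcmp(buf + 2, other, olen) != 0
                : (buf[2] != 0 || buf[1 + olen] != 0))
        return 0;
    if (buf[2 + olen] != 0 || buf[3 + olen] != sizeof psk)
        return 0;
    return memcmp(buf + 4 + olen, psk, sizeof psk) == 0;
}
```

The RSA_PSK layout fits the plain-PSK-sized buffer only because the 48-byte RSA premaster is shorter than PSK_MAX_PSK_LEN, which is the invariant a reviewer of psk_or_pre_ms wants stated next to the declaration.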
[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support
Yet another version after some refactorings that landed in master.

Please, pretty please, with sugar on top, could anyone review this code so that it can get merged?

It's becoming a difficult exercise to keep track of upstream changes and adapt the patch every single time...

Cheers,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company | Tel: UK +44-1625-809908
KDAB - The Qt Experts

From 9f304d4a48494a2f1a46540a9fe775318ed70397 Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 8 Nov 2014 20:44:23 +0100
Subject: [PATCH] Introduce TLS-RSA-PSK support

Build on the existing PSK support and introduce RSA-PSK (cf. RFC 4279, 5487). Based on the original patch by Christian J. Dietrich. This work has been sponsored by Governikus GmbH & Co. KG.

PR: 2464
--- CHANGES| 3 + doc/apps/ciphers.pod | 12 +++ include/openssl/ssl.h | 2 + include/openssl/tls1.h | 36 ssl/s3_clnt.c | 122 + ssl/s3_lib.c | 208 ++- ssl/s3_srvr.c | 235 ++--- ssl/ssl_ciph.c | 9 +- ssl/ssl_lib.c | 6 ++ ssl/ssl_locl.h | 2 + 10 files changed, 602 insertions(+), 33 deletions(-) diff --git a/CHANGES b/CHANGES index fae1123..243c5d6 100644 --- a/CHANGES +++ b/CHANGES @@ -425,6 +425,9 @@ whose return value is often ignored. [Steve Henson] + *) Support for TLS-RSA-PSK ciphersuites has been added. + [Giuseppe D'Angelo, Christian J. Dietrich] + Changes between 1.0.2a and 1.0.2b [xx XXX ] *) Malformed ECParameters causes infinite loop diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index c2d40ac..7fbe3a4 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod 
@@ -585,10 +585,22 @@ Note: these ciphers can also be used in SSL v3. =head2 Pre shared keying (PSK) ciphersuites + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA-PSK-AES128-CBC-SHA256 + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA-PSK-AES256-CBC-SHA384 + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA-PSK-AES128-GCM-SHA256 + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA-PSK-AES256-GCM-SHA384 TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA + TLS_PSK_WITH_AES_128_CBC_SHA256 PSK-AES128-CBC-SHA256 + TLS_PSK_WITH_AES_256_CBC_SHA384 PSK-AES256-CBC-SHA384 + TLS_PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256 + TLS_PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384 =head1 NOTES diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index cd932e5..ded2f48 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -204,6 +204,7 @@ extern "C" { # define SSL_TXT_kEECDH "kEECDH"/* alias for kECDHE */ # define SSL_TXT_kECDHE "kECDHE" # define SSL_TXT_kPSK"kPSK" +# define SSL_TXT_kRSAPSK "kRSAPSK" # define SSL_TXT_kGOST "kGOST" # define SSL_TXT_kSRP"kSRP" @@ -230,6 +231,7 @@ extern "C" { # define SSL_TXT_AECDH "AECDH" # define SSL_TXT_ECDSA "ECDSA" # define SSL_TXT_PSK "PSK" +# define SSL_TXT_RSAPSK "RSAPSK" # define SSL_TXT_SRP "SRP" # define SSL_TXT_DES "DES" diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 40205e1..873c331 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h 
@@ -409,6 +409,24 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) # define TLS1_CK_PSK_WITH_AES_128_CBC_SHA0x038C # define TLS1_CK_PSK_WITH_AES_256_CBC_SHA0x038D +/* PSK ciphersuites from 5487 */ +# define TLS1_CK_PSK_WITH_AES_128_GCM_SHA256 0x03A8 +# define TLS1_CK_PSK_WITH_AES_256_GCM_SHA384 0x03A9 +# define TLS1_CK_PSK_WITH_AES_128_CBC_SHA256 0x03AE +# define TLS1_CK_PSK_WITH_AES_256_CBC_SHA384 0x03AF + +/* RSA-PSK ciphersuites from 4279 */ +# define TLS1_CK_RSA_PSK_WITH_RC4_128_SHA0x0392 +# define TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x0393 +# define TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA0x0394 +# define TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA0x0395 + +/* RSA-PSK ciphersuites from 5487 */ +# define TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256 0x03AC +# define TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384 0x03AD +# define TL
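Review bot: the ssl.h hunks add the cipher-string tokens `SSL_TXT_kRSAPSK "kRSAPSK"` and `SSL_TXT_RSAPSK "RSAPSK"`, but the only ciphers.pod change is the suite table under "Pre shared keying (PSK) ciphersuites"; the cipher-string section of ciphers.pod should also get entries for kRSAPSK and RSAPSK next to the existing kPSK and PSK ones, otherwise the new selectors are undocumented.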
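Review bot: in the tls1.h hunk the comments `/* PSK ciphersuites from 5487 */` and `/* RSA-PSK ciphersuites from 4279 */` omit the word RFC; write "RFC 5487" and "RFC 4279" as the commit message does, so the bare numbers are not mistaken for something else.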
[openssl-dev] [openssl.org #2464] TLS-RSA-PSK support
New version of the patch, targeting master. It's basically style changes after the massive OpenSSL refactoring.

Thanks,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions

From db9155f74e7cb3785851a49f1d11be2d57f70c9e Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 8 Nov 2014 20:44:23 +0100
Subject: [PATCH] Introduce TLS-RSA-PSK support

Build on the existing PSK support and introduce RSA-PSK (cf. RFC 4279, 5487). Based on the original patch by Christian J. Dietrich. This work has been sponsored by Governikus GmbH & Co. KG.

PR: 2464
--- CHANGES |3 + doc/apps/ciphers.pod | 12 +++ ssl/s3_clnt.c| 122 ++- ssl/s3_lib.c | 208 - ssl/s3_srvr.c| 227 +++--- ssl/ssl.h|2 + ssl/ssl_ciph.c |9 +- ssl/ssl_lib.c|6 ++ ssl/ssl_locl.h |2 + ssl/tls1.h | 36 10 files changed, 592 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index 26ea797..726a54a 100644 --- a/CHANGES +++ b/CHANGES @@ -351,6 +351,9 @@ whose return value is often ignored. [Steve Henson] + *) Support for TLS-RSA-PSK ciphersuites has been added. + [Giuseppe D'Angelo, Christian J. Dietrich] + Changes between 1.0.1k and 1.0.2 [xx XXX ] *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 6d39c54..79644ef 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod 
@@ -587,10 +587,22 @@ Note: these ciphers can also be used in SSL v3. =head2 Pre shared keying (PSK) cipheruites + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA-PSK-AES128-CBC-SHA256 + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA-PSK-AES256-CBC-SHA384 + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA-PSK-AES128-GCM-SHA256 + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA-PSK-AES256-GCM-SHA384 TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA + TLS_PSK_WITH_AES_128_CBC_SHA256 PSK-AES128-CBC-SHA256 + TLS_PSK_WITH_AES_256_CBC_SHA384 PSK-AES256-CBC-SHA384 + TLS_PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256 + TLS_PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384 =head1 NOTES diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index a383eee..d7908e5 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -320,7 +320,7 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: /* Check if it is anon DH/ECDH, SRP auth */ -/* or PSK */ +/* or plain PSK */ if (! (s->s3->tmp. new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) @@ -1367,9 +1367,9 @@ int ssl3_get_key_exchange(SSL *s) } #ifndef OPENSSL_NO_PSK /* - * In plain PSK ciphersuite, ServerKeyExchange can be omitted if no - * identity hint is sent. Set session->sess_cert anyway to avoid - * problems later. + * In PSK ciphersuites, ServerKeyExchange can be omitted if no + * identity hint is sent. Set session->sess_cert for plain PSK + * anyway to avoid problems later. */ if (alg_k & SSL_kPSK) { s->session->sess_cert = ssl_sess_cert_new(); 
@@ -1414,7 +1414,12 @@ int ssl3_get_key_exchange(SSL *s) al = SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_PSK -if (alg_k & SSL_kPSK) { +/* handle PSK identity hint */ +if (alg_k & (SSL_kPSK +#ifndef OPENSSL_NO_RSA + | SSL_kRSAPSK +#endif + )) { char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1]; param_len = 2; @@ -1569,7 +1574,11 @@ int ssl3_get_key_exchange(SSL *s) } else #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_RSA -if (alg_k & SSL_kRSA) { +if (alg_k & (SSL_kRSA +#ifndef OPENSSL_NO_PSK + | SSL_kRSAPSK +#endif + )) { /* Temporary RSA keys only allowed in export ciphersuites */ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) { al = SSL_AD_UNEXPECTED_MESSAGE; @@ -1943,8 +1952,16 @@ int ssl3_get_key_exchange(SSL *s) } } } else { -/* aNULL, aSRP or kPSK do not need public keys */ -i
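Review bot: the @@ -1569 hunk of ssl/s3_clnt.c adds SSL_kRSAPSK to the branch that parses temporary RSA parameters from ServerKeyExchange, but that branch sits in an else chain (`} else #endif /* !OPENSSL_NO_SRP */` directly precedes it) in which the @@ -1414 hunk already matches `SSL_kPSK | SSL_kRSAPSK` earlier on. If the identity-hint block still ends in `} else` like the SRP one, the `| SSL_kRSAPSK` added here is unreachable; if it does not, an RSA-PSK ServerKeyExchange that carries only the psk_identity_hint falls into the `!SSL_C_IS_EXPORT` check and is rejected with SSL_AD_UNEXPECTED_MESSAGE, since none of the new suites are export suites. Please state which is intended; in both cases the addition to the RSA branch should go.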
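Review bot: in the @@ -1414 and @@ -1569 hunks the `#ifndef OPENSSL_NO_RSA` and `#ifndef OPENSSL_NO_PSK` guards nested inside the `if (alg_k & (...))` conditions turn a two-line test into six lines and are easy to break in a rebase. SSL_kRSAPSK is only a bit in algorithm_mkey that no enabled suite sets when either feature is compiled out, so define it unconditionally in ssl_locl.h and write `alg_k & (SSL_kPSK | SSL_kRSAPSK)` and `alg_k & (SSL_kRSA | SSL_kRSAPSK)` without the guards.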
[openssl.org #2464] TLS-RSA-PSK support
Hi,

new version of the patch, also adding the PSK variants defined in RFC 5487 (basically, SHA256 and SHA384 support for both plain PSK and RSA-PSK).

I also sketched up the support for the AES-GCM variants, but using them results in a crash inside s3_pkt.c. I'm still not sure what I'm doing wrong, but I've disabled the corresponding code...

Lastly: does it make sense for this patch to target master? Should it be targeting 1.0.2 instead?

Thanks,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions

From b3f71ae0386f8bbaba23e6263d752da6c7ef030a Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 8 Nov 2014 20:44:23 +0100
Subject: [PATCH] Introduce TLS-RSA-PSK support

Build on the existing PSK support and introduce RSA-PSK (cf. RFC 4279, 5487). Based on the original patch by Christian J. Dietrich. This work has been sponsored by Governikus GmbH & Co. KG.

PR: 2464
--- CHANGES |3 + doc/apps/ciphers.pod | 12 +++ ssl/s3_clnt.c| 130 +++- ssl/s3_lib.c | 207 +++- ssl/s3_srvr.c| 232 +++--- ssl/ssl.h|4 +- ssl/ssl_ciph.c | 16 ++-- ssl/ssl_lib.c|6 ++ ssl/ssl_locl.h |1 + ssl/tls1.h | 36 10 files changed, 610 insertions(+), 37 deletions(-) diff --git a/CHANGES b/CHANGES index d90febc..8b48914 100644 --- a/CHANGES +++ b/CHANGES @@ -303,6 +303,9 @@ whose return value is often ignored. [Steve Henson] + *) Support for TLS-RSA-PSK ciphersuites has been added. + [Giuseppe D'Angelo, Christian J. Dietrich] + Changes between 1.0.1j and 1.0.2 [xx XXX ] *) Tighten client-side session ticket handling during renegotiation: diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index c41a297..b1f4517 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod 
@@ -600,10 +600,22 @@ Note: these ciphers can also be used in SSL v3. =head2 Pre shared keying (PSK) cipheruites + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA-PSK-AES128-CBC-SHA256 + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA-PSK-AES256-CBC-SHA384 + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA-PSK-AES128-GCM-SHA256 + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA-PSK-AES256-GCM-SHA384 TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA + TLS_PSK_WITH_AES_128_CBC_SHA256 PSK-AES128-CBC-SHA256 + TLS_PSK_WITH_AES_256_CBC_SHA384 PSK-AES256-CBC-SHA384 + TLS_PSK_WITH_AES_128_GCM_SHA256 PSK-AES128-GCM-SHA256 + TLS_PSK_WITH_AES_256_GCM_SHA384 PSK-AES256-GCM-SHA384 =head2 Deprecated SSL v2.0 cipher suites. diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 68c00c5..bbcebcb 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -343,7 +343,7 @@ int ssl3_connect(SSL *s) } #endif /* Check if it is anon DH/ECDH, SRP auth */ - /* or PSK */ + /* or plain PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { @@ -1417,9 +1417,9 @@ int ssl3_get_key_exchange(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK - /* In plain PSK ciphersuite, ServerKeyExchange can be + /* In PSK ciphersuites, ServerKeyExchange can be omitted if no identity hint is sent. Set - session->sess_cert anyway to avoid problems + session->sess_cert for plain PSK anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { 
@@ -1473,7 +1473,12 @@ int ssl3_get_key_exchange(SSL *s) al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) + /* handle PSK identity hint */ + if (alg_k & (SSL_kPSK +#ifndef OPENSSL_NO_RSA + |SSL_kRSAPSK +#endif + )) { char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; @@ -1650,7 +1655,11 @@ int ssl3_get_key_exchange(SSL *s) else #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_RSA - if (alg_k & SSL_kRSA) + if (alg_k & (SSL_kRSA +#ifndef OPENSSL_NO_PSK + |SSL_kRSAPSK +#endif + )) { if ((rsa=RSA_new()) == NULL) { @@ -2061,8 +2070,16 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } else { - /* aNULL, aSRP or kPSK do not need public keys */ - if (!(alg_a & (SSL_aNULL|SSL_aSR
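Review bot: the ciphers.pod hunk documents RSA-PSK-AES128-GCM-SHA256, RSA-PSK-AES256-GCM-SHA384, PSK-AES128-GCM-SHA256 and PSK-AES256-GCM-SHA384 as available, while the cover letter says the AES-GCM code is disabled because it crashes in s3_pkt.c. Leave those four rows out until the GCM entries work, or add them in the same commit that enables them, so the manual does not list suites the build does not offer.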
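Review bot: the heading in the context line of the ciphers.pod hunk reads "Pre shared keying (PSK) cipheruites"; since the patch rewrites this section anyway, fix the spelling to "ciphersuites" in the same hunk.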
[openssl.org #2464]
Improved version of the patch...
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions

From 0058677acf940dad15ec50c5084e9d8dc756222a Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 8 Nov 2014 20:44:23 +0100
Subject: [PATCH] Introduce TLS-RSA-PSK support

Build on the existing PSK support and introduce RSA-PSK (cf. RFC 4279). Based on the original patch by Christian J. Dietrich This work has been sponsored by Governikus GmbH & Co. KG.

PR: 2464
--- CHANGES |3 + doc/apps/ciphers.pod |4 + ssl/s3_clnt.c| 130 +++- ssl/s3_lib.c | 69 ++- ssl/s3_srvr.c| 232 +++--- ssl/ssl.h|4 +- ssl/ssl_ciph.c | 16 ++-- ssl/ssl_lib.c|6 ++ ssl/ssl_locl.h |1 + ssl/tls1.h | 12 +++ 10 files changed, 440 insertions(+), 37 deletions(-) diff --git a/CHANGES b/CHANGES index d90febc..8b48914 100644 --- a/CHANGES +++ b/CHANGES @@ -303,6 +303,9 @@ whose return value is often ignored. [Steve Henson] + *) Support for TLS-RSA-PSK ciphersuites has been added. + [Giuseppe D'Angelo, Christian J. Dietrich] + Changes between 1.0.1j and 1.0.2 [xx XXX ] *) Tighten client-side session ticket handling during renegotiation: diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index c41a297..f43abff 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -600,6 +600,10 @@ Note: these ciphers can also be used in SSL v3. =head2 Pre shared keying (PSK) cipheruites + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 68c00c5..bbcebcb 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c 
@@ -343,7 +343,7 @@ int ssl3_connect(SSL *s) } #endif /* Check if it is anon DH/ECDH, SRP auth */ - /* or PSK */ + /* or plain PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { @@ -1417,9 +1417,9 @@ int ssl3_get_key_exchange(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK - /* In plain PSK ciphersuite, ServerKeyExchange can be + /* In PSK ciphersuites, ServerKeyExchange can be omitted if no identity hint is sent. Set - session->sess_cert anyway to avoid problems + session->sess_cert for plain PSK anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { @@ -1473,7 +1473,12 @@ int ssl3_get_key_exchange(SSL *s) al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) + /* handle PSK identity hint */ + if (alg_k & (SSL_kPSK +#ifndef OPENSSL_NO_RSA + |SSL_kRSAPSK +#endif + )) { char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; @@ -1650,7 +1655,11 @@ int ssl3_get_key_exchange(SSL *s) else #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_RSA - if (alg_k & SSL_kRSA) + if (alg_k & (SSL_kRSA +#ifndef OPENSSL_NO_PSK + |SSL_kRSAPSK +#endif + )) { if ((rsa=RSA_new()) == NULL) { @@ -2061,8 +2070,16 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } else { - /* aNULL, aSRP or kPSK do not need public keys */ - if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK)) + /* aNULL, aSRP, kPSK or kRSAPSK do not need public keys */ + if (!(alg_a & (SSL_aNULL|SSL_aSRP)) +#ifndef OPENSSL_NO_PSK +&& !(alg_k & (SSL_kPSK +#ifndef OPENSSL_NO_RSA + |SSL_kRSAPSK +#endif + )) +#endif +) { /* Might be wrong key type, check it */ if (ssl3_check_cert_and_algorithm(s)) 
@@ -3132,15 +3149,19 @@ int ssl3_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) + else if (alg_k & SSL_kPSK +#ifndef OPENSSL_NO_RSA + || alg_k & SSL_kRSAPSK +#endif + ) { /* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes * to return a \0-terminated identity. The last byte * is for us for simulating strnlen. */ char identity[PSK_MAX_IDENTITY_LEN + 2]; size_t identity_len; - unsigned char *t = NULL; unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; + unsigned char *t = psk_or_pre_ms; unsigned int pre_ms_len = 0, psk_len = 0; int psk_err = 1; @@ -3176,14 +3197,36 @@ int ssl3_send_client_key_exchange(SSL *s) ERR_R_INTERNAL_ERROR); goto psk
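Review bot: in the @@ -3132 hunk of ssl3_send_client_key_exchange, `alg_k & SSL_kPSK || alg_k & SSL_kRSAPSK` is correct (`&` binds tighter than `||`) but reads as if it were missing parentheses and differs from the `alg_k & (SSL_kPSK | SSL_kRSAPSK)` form the @@ -1473 and @@ -2061 hunks use; use the masked form here as well.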
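Review bot: the @@ -3132 hunk keeps `psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]` and now points `t` at it from the start, but that size comes from the plain PSK layout (2 + N zero bytes + 2 + N-byte PSK). The RSA_PSK premaster of RFC 4279 is 2 + 48-byte RSA premaster + 2 + N, which only fits because 48 <= PSK_MAX_PSK_LEN; add a comment stating that, or size the buffer as the maximum of both layouts, so a later change to PSK_MAX_PSK_LEN cannot silently overflow it.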
[openssl.org #2464]
Hello,

I recently started working on this patch, rebasing it on latest master, cleaning it up (f.i. unifying some code paths where possible, to avoid duplicating code), completing the support for the other RSA-PSK ciphersuites defined by RFC 4279 and so on.

I'm attaching the version I'm working on; I would be glad if anyone could give some feedback (of any sort: obvious mistakes, code policy violations, code style issues, etc.).

Thanks!
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Software Engineer
KDAB (UK) Ltd., a KDAB Group company
Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090
KDAB - Qt Experts - Platform-independent software solutions

From f8e352542c54e412103de5410604958b99bd197e Mon Sep 17 00:00:00 2001
From: Giuseppe D'Angelo
Date: Sat, 8 Nov 2014 20:44:23 +0100
Subject: [PATCH] Introduce TLS-RSA-PSK support

Build on the existing PSK support and introduce RSA-PSK (cf. RFC 4279). Based on the original patch by Christian J. Dietrich This work has been sponsored by Governikus GmbH & Co. KG.

PR: 2464
--- CHANGES |3 + doc/apps/ciphers.pod |4 + ssl/s3_clnt.c| 109 - ssl/s3_lib.c | 69 +++- ssl/s3_srvr.c| 216 +++--- ssl/ssl.h|4 +- ssl/ssl_ciph.c | 16 ++-- ssl/ssl_lib.c|6 ++ ssl/ssl_locl.h |1 + ssl/tls1.h | 12 +++ 10 files changed, 403 insertions(+), 37 deletions(-) diff --git a/CHANGES b/CHANGES index d90febc..8b48914 100644 --- a/CHANGES +++ b/CHANGES @@ -303,6 +303,9 @@ whose return value is often ignored. [Steve Henson] + *) Support for TLS-RSA-PSK ciphersuites has been added. + [Giuseppe D'Angelo, Christian J. Dietrich] + Changes between 1.0.1j and 1.0.2 [xx XXX ] *) Tighten client-side session ticket handling during renegotiation: diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index c41a297..f43abff 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod 
@@ -600,6 +600,10 @@ Note: these ciphers can also be used in SSL v3. =head2 Pre shared keying (PSK) cipheruites + TLS_RSA_PSK_WITH_RC4_128_SHA RSA-PSK-RC4-SHA + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA-PSK-3DES-EDE-CBC-SHA + TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA-PSK-AES128-CBC-SHA + TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 68c00c5..5fc5f1a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -343,7 +343,7 @@ int ssl3_connect(SSL *s) } #endif /* Check if it is anon DH/ECDH, SRP auth */ - /* or PSK */ + /* or plain PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { @@ -1417,9 +1417,9 @@ int ssl3_get_key_exchange(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK - /* In plain PSK ciphersuite, ServerKeyExchange can be + /* In PSK ciphersuites, ServerKeyExchange can be omitted if no identity hint is sent. Set - session->sess_cert anyway to avoid problems + session->sess_cert for plain PSK anyway to avoid problems later.*/ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { @@ -1473,7 +1473,8 @@ int ssl3_get_key_exchange(SSL *s) al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_PSK - if (alg_k & SSL_kPSK) + /* handle PSK identity hint */ + if (alg_k & (SSL_kPSK|SSL_kRSAPSK)) { char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; @@ -1650,7 +1651,7 @@ int ssl3_get_key_exchange(SSL *s) else #endif /* !OPENSSL_NO_SRP */ #ifndef OPENSSL_NO_RSA - if (alg_k & SSL_kRSA) + if (alg_k & (SSL_kRSA|SSL_kRSAPSK)) { if ((rsa=RSA_new()) == NULL) { 
@@ -2061,8 +2062,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); } else { - /* aNULL, aSRP or kPSK do not need public keys */ - if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK)) + /* aNULL, aSRP, kPSK or kRSAPSK do not need public keys */ + if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & (SSL_kPSK|SSL_kRSAPSK))) { /* Might be wrong key type, check it */ if (ssl3_check_cert_and_algorithm(s)) @@ -2540,7 +2541,7 @@ int ssl3_send_client_key_exchange(SSL *s) rsa=pkey->pkey.rsa; EVP_PKEY_free(pkey); } - + tmp_buf[0]=s->client_version>>8; tmp_buf[1]=s->client_version&0xff; if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) @@ -3132,15 +3133,19 @@ int ssl3_send_client_key_exchange(SSL *s) } #endif #ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) + else if (alg_k & SSL_kPSK +#ifndef OPENSSL_NO_RSA + || alg_k & SSL_kRSAPSK +#endif + ) { /* The callback needs PSK_MAX_IDENTITY_LEN + 1 byte
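Review bot: the @@ -2540 hunk only strips trailing whitespace from a blank line in the RSA key-exchange path (a `-` line followed by a `+` line with nothing else on it); that is unrelated to the feature and adds noise to the diff, so drop it from this patch.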
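Review bot: the patch is inconsistent about whether SSL_kRSAPSK exists when OPENSSL_NO_RSA is defined: the @@ -1473 and @@ -2061 hunks use `SSL_kPSK|SSL_kRSAPSK` unguarded inside `#ifndef OPENSSL_NO_PSK`, while the @@ -3132 hunk wraps `|| alg_k & SSL_kRSAPSK` in `#ifndef OPENSSL_NO_RSA`. Either the macro is always defined, in which case the guard in @@ -3132 is dead weight, or it is not, in which case @@ -1473 does not compile in a no-rsa build; pick one, preferably the unguarded form with the macro defined unconditionally in ssl_locl.h.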