Georg/luksrku
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

TLS-PSK connection is working in TLSv1.3

Browse Source 
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
This commit is contained in:
Johannes Bauer 2019-10-23 14:28:42 +02:00
parent 969eae12c7
commit d70bd1f672
3 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -6,7 +6,7 @@ INSTALL_PREFIX := /usr/local/
CFLAGS := -Wall -Wextra -Wshadow -Wswitch -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Werror=implicit-function-declaration -Werror=format -Wno-unused-parameter CFLAGS := -Wall -Wextra -Wshadow -Wswitch -Wpointer-arith -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Werror=implicit-function-declaration -Werror=format -Wno-unused-parameter
CFLAGS += -O3 -std=c11 -pthread -D_POSIX_SOURCE -D_XOPEN_SOURCE=500 -DBUILD_REVISION='"$(BUILD_REVISION)"' CFLAGS += -O3 -std=c11 -pthread -D_POSIX_SOURCE -D_XOPEN_SOURCE=500 -DBUILD_REVISION='"$(BUILD_REVISION)"'
CFLAGS += `pkg-config --cflags openssl` CFLAGS += `pkg-config --cflags openssl`
CFLAGS += -ggdb3 -DDEBUG -fsanitize=address -fsanitize=undefined -fsanitize=leak #CFLAGS += -ggdb3 -DDEBUG -fsanitize=address -fsanitize=undefined -fsanitize=leak
PYPGMOPTS := ../Python/pypgmopts/pypgmopts PYPGMOPTS := ../Python/pypgmopts/pypgmopts
LDFLAGS := `pkg-config --libs openssl` LDFLAGS := `pkg-config --libs openssl`

8
openssl.c
View File

@ -91,21 +91,15 @@ bool create_generic_tls_context(struct generic_tls_ctx_t *gctx, bool server) {
return false; return false;
} }
/* In the cipher suite we're using, none of these should be used anyways if (!SSL_CTX_set1_sigalgs_list(gctx->ctx, "ed448:ed25519")) {
* (PSK); however for the future we want to have proper crypto here as
* well. */
#if 0
if (!SSL_CTX_set1_sigalgs_list(gctx->ctx, "ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512")) {
log_openssl(LLVL_FATAL, "Cannot set TLS generic context signature algorithms."); log_openssl(LLVL_FATAL, "Cannot set TLS generic context signature algorithms.");
return false; return false;
} }
#endif
if (!SSL_CTX_set1_curves_list(gctx->ctx, "X448:X25519")) { if (!SSL_CTX_set1_curves_list(gctx->ctx, "X448:X25519")) {
log_openssl(LLVL_FATAL, "Cannot set TLS generic context ECDHE curves."); log_openssl(LLVL_FATAL, "Cannot set TLS generic context ECDHE curves.");
return false; return false;
} }
return true; return true;
} }

22
server.c
View File

@ -308,9 +308,12 @@ static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t i
fprintf(stderr, "PSK server SSL %p identity %s len %ld sess %p\n", ssl, identity, identity_len, *sessptr); fprintf(stderr, "PSK server SSL %p identity %s len %ld sess %p\n", ssl, identity, identity_len, *sessptr);
SSL_SESSION *sess = SSL_SESSION_new(); SSL_SESSION *sess = SSL_SESSION_new();
SSL_SESSION_set1_master_key(sess, (const unsigned char*)"\x00\x11\x22", 3); SSL_SESSION_set1_master_key(sess, (const unsigned char*)"\x00\x11\x22", 3);
SSL_SESSION_set_cipher(sess, SSL_get_pending_cipher(ssl)); const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
//const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES); const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
//SSL_SESSION_set_cipher(sess, cipher); if (!cipher) {
return 0;
}
SSL_SESSION_set_cipher(sess, cipher);
SSL_SESSION_set_protocol_version(sess, TLS1_3_VERSION); SSL_SESSION_set_protocol_version(sess, TLS1_3_VERSION);
*sessptr = sess; *sessptr = sess;
return 1; return 1;
@ -331,8 +334,18 @@ static void *client_handler_thread(void *vctx) {
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
} else { } else {
log_msg(LLVL_DEBUG, "Client connected, waiting for data..."); log_msg(LLVL_DEBUG, "Client connected, waiting for data...");
while (true) {
struct msg_t msg;
int rxlen = SSL_read(ssl, &msg, sizeof(msg));
if (rxlen != sizeof(msg)) {
log_msg(LLVL_WARNING, "Tried to read message of %d bytes, recevied %d. Severing connection to client.", sizeof(msg), rxlen);
break;
}
}
fprintf(stderr, "done\n");
} }
SSL_free(ssl);
shutdown(client->fd, SHUT_RDWR); shutdown(client->fd, SHUT_RDWR);
close(client->fd); close(client->fd);
free(client); free(client);
@ -348,6 +361,9 @@ bool keyserver_start(const struct pgmopts_server_t *opts) {
SSL_CTX_set_psk_find_session_callback(gctx.ctx, psk_server_callback); SSL_CTX_set_psk_find_session_callback(gctx.ctx, psk_server_callback);
if (!SSL_CTX_use_psk_identity_hint(gctx.ctx, "watwatwat")) {
}
int tcp_sock = create_tcp_server_socket(opts->port); int tcp_sock = create_tcp_server_socket(opts->port);
if (tcp_sock == -1) { if (tcp_sock == -1) {
log_msg(LLVL_ERROR, "Cannot start server without server socket."); log_msg(LLVL_ERROR, "Cannot start server without server socket.");