Allow TLS PSK without server certificate #2083
Conversation
WillChilds-Klein
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2083 +/- ##
==========================================
- Coverage 78.75% 78.74% -0.01%
==========================================
Files 598 598
Lines 103650 103652 +2
Branches 14718 14719 +1
==========================================
- Hits 81633 81625 -8
- Misses 21366 21372 +6
- Partials 651 655 +4 ☔ View full report in Codecov by Sentry. |
WillChilds-Klein
changed the title
| // client has support for, we reload it. The public key may only be absent if | ||
| // PSK is enabled on the server, as indicated by presense of a callback. | ||
| if (!ssl_handshake_load_local_pubkey(hs) && | ||
| !(hs->local_pubkey == nullptr && hs->config->psk_server_callback)) { |
There was a problem hiding this comment.
Is the check for hs->local_pubkey == nullptr not redundant here?
There was a problem hiding this comment.
Sort of. You're right that the call to ssl_handshake_load_local_pubkey will check hs->local_pubkey's nullity, but that's an implementation detail. I check it again here 1.) for clarity 2.) to preserve this logic if ssl_handshake_load_local_pubkey's implementation is changed in the future.
There was a problem hiding this comment.
... if ssl_handshake_load_local_pubkey's implementation is changed in the future.
NP: Even if the implementation changed, I don't think it matters whether hs->local_pubkey is null or not. Looking at the condition in an equivalent form makes it more clear to me:
if (!ssl_handshake_load_local_pubkey(hs) &&
(hs->local_pubkey != nullptr ||
hs->config->psk_server_callback == nullptr)) {
```
| // client has support for, we reload it. The public key may only be absent if | ||
| // PSK is enabled on the server, as indicated by presense of a callback. | ||
| if (!ssl_handshake_load_local_pubkey(hs) && | ||
| !(hs->local_pubkey == nullptr && hs->config->psk_server_callback)) { |
There was a problem hiding this comment.
... if ssl_handshake_load_local_pubkey's implementation is changed in the future.
NP: Even if the implementation changed, I don't think it matters whether hs->local_pubkey is null or not. Looking at the condition in an equivalent form makes it more clear to me:
if (!ssl_handshake_load_local_pubkey(hs) &&
(hs->local_pubkey != nullptr ||
hs->config->psk_server_callback == nullptr)) {
```
Description of changes:
While we currently support TLS pre-shared keys (PSKs) for TLS 1.2, our
python integration tests have shown that we don't currently support TLS 1.2
PSKs on the server side unless a certificate has been configured. PSKs can be
used for both secret establishment and authentication, so there likely exist
legitimate use-cases for establishing PSK connections without certificates.
CPython's integration tests expect this behavior.
This gap appears to be incidental, not intentional. Unrelated OCSP work
introduced a requirement that a valid certificate public key is loaded on the
server before we sort out handshake parameters. If that load fails, the
hanshake is aborted before PSK can be negotiated for secret establishment. To
fix this, we simply check whether the server has a PSK callback enabled, and
allow the certificate loading to fail if so. We also handle the potential
nullity of the public key.
Call-outs:
This PR only applies to TLSv1.2 PSK. TLSv1.3 moved PSK negotiation earlier in
the handshake to client/server hello's, so does utilize this code path.
Currently, we only support TLSv1.3 PSK for session resumption, _not "pure" PSK
used for initial shared secret establishment. I have a branch where I'm
implementing this, but it's non-trivial.
We won't be able to delete the TLSv1.3 PSK python test patch until we implement
"pure" TLSv1.3 PSK.
Testing:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.