TLS 1.3 PSK succeeds even if the pre-shared key is wrong
brandon.murphy1996
brandon.murphy1996 at protonmail.com
Mon Apr 20 11:59:17 UTC 2020
Hi,
I have been trying to perform/debug external PSK based handshake in TLS 1.3 for one of my projects. My team has implemented the "find_session_cb" as:

    #include <string.h>
    #include <openssl/crypto.h>
    #include <openssl/ssl.h>
    /* wpa_printf() and the MSG_* levels come from the surrounding project's headers. */

    static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
                                   size_t identity_len, SSL_SESSION **sess)
    {
        SSL_SESSION *tmpsess = NULL;
        unsigned char *key;
        long key_len;
        const SSL_CIPHER *cipher = NULL;
        static const char *psk_identity = "Client_identity";
        /* temporary fixed PSK */
        const char *psk_key = "0533c95c9ecc310ee07cb70a316c45448487c1f70bbea99fe6616f3348305677";
        const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };

        /* Returning 0 from this callback makes the connection setup fail. */
        if (strlen(psk_identity) != identity_len) {
            wpa_printf(MSG_DEBUG, "PSK Identity length does not match.");
            return 0;
        }
        if (memcmp(psk_identity, identity, identity_len) != 0) {
            wpa_printf(MSG_DEBUG, "PSK Identity does not match.");
            return 0;
        }

        /* Convert the hex string into raw key bytes. */
        key = OPENSSL_hexstr2buf(psk_key, &key_len);
        if (key == NULL) {
            wpa_printf(MSG_ERROR, "Could not convert PSK key '%s' to buffer\n",
                       psk_key);
            return 0;
        }

        cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
        if (cipher == NULL) {
            wpa_printf(MSG_DEBUG, "Error finding suitable ciphersuite\n");
            OPENSSL_free(key);
            return 0;
        }

        /* Build the session object that carries the external PSK. */
        tmpsess = SSL_SESSION_new();
        if (tmpsess == NULL
                || !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
                || !SSL_SESSION_set_cipher(tmpsess, cipher)
                || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
            OPENSSL_free(key);
            SSL_SESSION_free(tmpsess); /* safe on NULL; avoids leaking the session */
            return 0;
        }
        OPENSSL_free(key);

        *sess = tmpsess;
        wpa_printf(MSG_DEBUG, "Using external PSK.");
        return 1;
    }

and attached the callback to the SSL object using the "SSL_set_psk_find_session_callback()" method. From my client, we are creating and sending a session using "SSL_set_psk_use_session_callback(sssl, use_session_cb)".
From what I noticed, the handshake completes successfully, regardless of the value of "psk_key" (as long as PSK length is even). However, if the identity value is mismatched between psk_find_session_cb and use_session_cb, the handshake fails with the message:
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:141F906E:SSL routines:tls_parse_ctos_psk:bad extension
I am not sure what I am missing here.
Thanks
Bran