TLS 1.3 PSK howto

Matt Caswell matt at openssl.org
Mon May 22 09:30:29 UTC 2023



On 20/05/2023 17:55, Fabian Mauchle wrote:
> Hi there,
> 
> I'm currently trying to implement TLS 1.3 pre shared keys (PSK) with out-of-band agreed keys (not session resumption). But I'm a bit confused how to do this correctly. Please correct any of my assumptions below, if I got it wrong.
> My goal is to provide a very simple way to establish a mutually authenticated connection (even without exchanging self-signed certificates; just a key)
> 
> The admins will have to agree on a key and a hash algorithm (or use SHA256 by default).
> 
> I've implemented psk_use_session_cb() and psk_find_session_cb() to provide the PSK, set a cipher with selected hash (as described in the manpage), and set the sessions TLS version to 1.3. I also disable verification (SSL_VERIFY_NONE).
> If I leave everything else as default and select SHA256, the connection will fail with `no suitable signature algorithm`.

Ciphersuite negotiation happens *before* PSK selection. If the PSK is 
the only valid way that a connection will succeed then you should ensure 
that the configured ciphersuites are consistent with the PSK, i.e. that 
the TLSv1.3 ciphersuite hash is the same hash as associated with the PSK.

Otherwise the server may negotiate an incompatible ciphersuite and then 
find there is no PSK consistent with it.

For example if you want to use a SHA-256 PSK then you can call 
SSL_CTX_set_ciphersuites (or SSL_set_ciphersuites) on the client like 
this to only configure SHA-256 compatible ciphersuites:

SSL_CTX_set_ciphersuites(ctx, 
"TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256");

If on the other hand you want to use a SHA-384 PSK, then you can call it 
like this:

SSL_CTX_set_ciphersuites(ctx, "TLS_AES_256_GCM_SHA384");


(I've omitted error handling above for brevity - but you should check 
the return code from SSL_CTX_set_ciphersuites in real code).

Matt
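
The following is an added example illustrating the point above; it is not code from this thread or from OpenSSL. It encodes the binding between each default TLSv1.3 ciphersuite and its hash, checks whether a colon-separated ciphersuite list (the string you would hand to SSL_CTX_set_ciphersuites) is consistent with a PSK of a given hash, and builds the list to configure for that hash. The ciphersuite/hash table and the default list are the ones documented in the SSL_CTX_set_ciphersuites manpage; the "SHA256"/"SHA384" hash labels and all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Each TLSv1.3 ciphersuite is tied to one hash. A TLSv1.3 PSK is also
 * tied to one hash, so the negotiated suite must use that same hash.
 * Table: the three suites OpenSSL enables by default. (OpenSSL also
 * defines TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256, both
 * SHA-256, which are not in the default list; add them if you use them.) */
struct tls13_suite { const char *name; const char *hash; };

static const struct tls13_suite TLS13_SUITES[] = {
    { "TLS_AES_256_GCM_SHA384",       "SHA384" },
    { "TLS_CHACHA20_POLY1305_SHA256", "SHA256" },
    { "TLS_AES_128_GCM_SHA256",       "SHA256" },
};

/* OpenSSL's documented default TLSv1.3 ciphersuite list. Note it mixes
 * SHA-384 and SHA-256 suites, which is why a SHA-256 PSK can fail when
 * the server happens to pick TLS_AES_256_GCM_SHA384 first. */
#define OPENSSL_DEFAULT_TLS13 \
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

/* Hash used by a TLSv1.3 ciphersuite name, or NULL if the name is unknown
 * (including any TLSv1.2-style name, which never belongs in this list). */
const char *tls13_suite_hash(const char *name)
{
    for (size_t i = 0; i < sizeof(TLS13_SUITES) / sizeof(TLS13_SUITES[0]); i++)
        if (strcmp(TLS13_SUITES[i].name, name) == 0)
            return TLS13_SUITES[i].hash;
    return NULL;
}

/* True only if every entry in the colon-separated list is a known TLSv1.3
 * suite using psk_hash. An empty list, an unknown suite or a single suite
 * with a different hash all make the list unsafe for PSK-only use. */
bool tls13_list_matches_psk_hash(const char *list, const char *psk_hash)
{
    const char *p = list;
    size_t n = 0;

    if (list == NULL || *list == '\0')
        return false;
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        char name[64];

        if (len == 0 || len >= sizeof(name))
            return false;                  /* empty or oversized entry */
        memcpy(name, p, len);
        name[len] = '\0';
        const char *h = tls13_suite_hash(name);
        if (h == NULL || strcmp(h, psk_hash) != 0)
            return false;                  /* unknown suite or wrong hash */
        n++;
        p = end != NULL ? end + 1 : p + len;
    }
    return n > 0;
}

/* Write the colon-separated list of default suites using psk_hash into out.
 * Returns the number of suites written, or -1 if out is too small. This is
 * the string to pass to SSL_CTX_set_ciphersuites()/SSL_set_ciphersuites(). */
int tls13_suites_for_hash(const char *psk_hash, char *out, size_t outlen)
{
    size_t used = 0;
    int count = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(TLS13_SUITES) / sizeof(TLS13_SUITES[0]); i++) {
        if (strcmp(TLS13_SUITES[i].hash, psk_hash) != 0)
            continue;
        int w = snprintf(out + used, outlen - used, "%s%s",
                         count > 0 ? ":" : "", TLS13_SUITES[i].name);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    char list[128];

    /* Reproduce the situation in the question: default list, SHA-256 PSK. */
    printf("default list ok for SHA-256 PSK? %s\n",
           tls13_list_matches_psk_hash(OPENSSL_DEFAULT_TLS13, "SHA256") ? "yes" : "no");
    /* Build the list to configure before the handshake instead. */
    if (tls13_suites_for_hash("SHA256", list, sizeof(list)) > 0)
        printf("SSL_CTX_set_ciphersuites(ctx, \"%s\")\n", list);
    if (tls13_suites_for_hash("SHA384", list, sizeof(list)) > 0)
        printf("SSL_CTX_set_ciphersuites(ctx, \"%s\")\n", list);
    return 0;
}
```

Apply the same rule on the server: the SSL_SESSION returned from the psk_find_session_cb must carry a cipher (via SSL_SESSION_set_cipher) whose hash is the PSK's, and the server's own ciphersuite list should be restricted the same way, otherwise it can still negotiate a suite for which no PSK fits. Check the return value of SSL_CTX_set_ciphersuites: it returns 0 when the string contains a name it does not recognise, which would leave the default (mixed-hash) list in force.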

