Likely upgrade issues with PSK use in TLS 1.3

[tomato42]

Current (1d0c08b) OpenSSL code requires PSKs to be of the same size as the hash output of the PRF used in the connection for them to be usable in TLS 1.3 (and uses that size to select associated hash).

This will likely cause connection problems when upgrading from OpenSSL 1.1.0 to 1.1.1 when only PSKs are configured.

Given that OpenSSL follows the implementor's note (that cipher suite should be selected first and PSK filtered later), and it selects strongest ciphersuite first (i.e. AES-256), the used PRF for the connection is SHA-384. If the TLS 1.3 draft requirement to associate PSKs by default with SHA-256 is followed (as needs to be for the upgrade use case), then it will cause connection failure after upgrade to new OpenSSL and when TLS 1.3 is enabled.

Thus I'm afraid that OpenSSL should not follow the implementer's note if externally provided PSKs are present, and select a ciphersuite that matches the client provided PSKs.

[mattcaswell]

I'm not sure I follow you. TLSv1.3 PSKs are a completely different beast to TLSv1.2 PSKs. At an application level you need to use different APIs to implement them.

If the TLS 1.3 draft requirement to associate PSKs by default with SHA-256 is followed (as needs to be for the upgrade use case), then it will cause connection failure after upgrade to new OpenSSL and when TLS 1.3 is enabled.

I don't know what you are referring to here. Can you give me a specific reference?

[mattcaswell]

As per the documentation here:

https://www.openssl.org/docs/man1.1.1/man3/SSL_psk_use_session_cb_func.html

"TLSv1.3 Pre-Shared Keys (PSKs) and PSKs for TLSv1.2 and below are not compatible."

[tomato42]

TLSv1.3 PSKs are a completely different beast

how so? they have an identity and an associated secret, that's all that is sufficient to negotiate PSK in TLS 1.3 and 1.2. Yes, for TLS1.2 identity was optional, but this is minor.

even with the SSL_set_psk_client_callback() it's possible to support at least one PSK - it's possible to provide a dummy SSL context, an empty hint to the callback and get at least one identity and PSK from it

Can you give me a specific reference?

draft 23, page 59

   Each PSK is associated with a single Hash algorithm.  For PSKs
   established via the ticket mechanism (Section 4.6.1), this is the KDF
   Hash algorithm on the connection where the ticket was established.
   For externally established PSKs, the Hash algorithm MUST be set when
   the PSK is established, or default to SHA-256 if no such algorithm is
   defined.  The server MUST ensure that it selects a compatible PSK (if
   any) and cipher suite.

page 60:

   Implementor's note: the most straightforward way to implement the
   PSK/cipher suite matching requirements is to negotiate the cipher
   suite first and then exclude any incompatible PSKs.  Any unknown PSKs
   (e.g., they are not in the PSK database or are encrypted with an
   unknown key) SHOULD simply be ignored.  If no acceptable PSKs are
   found, the server SHOULD perform a non-PSK handshake if possible.

"TLSv1.3 Pre-Shared Keys (PSKs) and PSKs for TLSv1.2 and below are not compatible."

not saying it's not documented -- I'm saying that it will break use cases in a way that is unexpected (and unwelcome) to users

[mattcaswell]

I'm saying that it will break use cases in a way that is unexpected (and unwelcome) to users

I'm still not following why you think this is. In TLSv1.2 you have to make sure you have configured appropriate ciphersuites for your PSK to be used. In TLSv1.3 you have to do the same. If you've only configured a SHA256 based PSK key, then don't offer SHA384 ciphersuites if you don't want the server to use them?

[tomato42]

In TLSv1.2 you have to make sure you have configured appropriate ciphersuites for your PSK to be used.

you mean such as DEFAULT?

In short:
openssl s_server -psk abcde123 [-nocert|-cert ...]
and
openssl s_client -psk abcde123
works in 1.1.0, doesn't in 1.1.1. There's nothing inherent in the TLS 1.3 specification to cause that.

[mattcaswell]

So you're concern is specifically limited to the s_client/s_server behaviour? The s_client/s_server callbacks figure out which hash to use based on the length of the PSK provided. We could change that to always default to SHA-256 unless you specify otherwise through some other option.

Ah...is that your concern?That we could choose to default to SHA-256 (as per the text in the reference you provided)...but we by default select a SHA-384 ciphersuite?

Actually I'm not too sure we do select a SHA-384 ciphersuite by default. It's not clear to me that that is the best choice.

[tomato42]

So you're concern is specifically limited to the s_client/s_server behaviour?

no, it's just symptom/simplest way to show problematic behaviour

my worry is that users will start upgrading OpenSSL after release of TLS 1.3 and the simplest case of PSK will stop working, despite not needing to

Actually I'm not too sure we do select a SHA-384 ciphersuite by default.

if the psk is 48 bytes, connection with s_server -nocert works, if it's 32 bytes it doesn't

[mattcaswell]

In short:
openssl s_server -psk abcde123 [-nocert|-cert ...]
and
openssl s_client -psk abcde123
works in 1.1.0, doesn't in 1.1.1. There's nothing inherent in the TLS 1.3 specification to cause that.

In TLSv1.2 a PSK is variable in length. In TLSv1.3 a PSK is fixed length - it must be the size of the Hash output for the associated hash function. In your example how would we cope with PSKs which are not the correct length for any supported hash function?

[tomato42]

it must be the size of the Hash output for the associated hash function

which part of the draft says that?

[mattcaswell]

which part of the draft says that?

Hmmm. This seems to be a misunderstanding on my part. One hardcoded in at various points:

https://github.com/openssl/openssl/blob/master/ssl/statem/extensions.c#L1447
https://github.com/openssl/openssl/blob/master/apps/s_client.c#L200
https://github.com/openssl/openssl/blob/master/apps/s_server.c#L211

Probably this stems from implementing session resumption first where the resumption key is the length of the hash output, and in the absence of the spec explicitly stating that an external PSK can be different to that (at least I haven't come across it if it does (maybe it should?)), I've just applied the same logic.

That actually changes things. If I assume a PSK uses SHA-256 unless specified otherwise, I can probably implement some kind of compatibility layer to enable TLSv1.2 PSKs to be used. I'll need to think on that. There is still the issue that, using the DEFAULT ciphersuites we end up negotiating a SHA-384 ciphersuite by default - but I'm thinking that is probably wrong behaviour anyway and that SHA-256 should be chosen by default. I'm considering some other changes to the TLSv1.3 ciphersuite mechanism, so I might be able wrap that change up in that work.

[kroeckx]

My understanding of that text is that if no hash is given, we should (MUST?) use SHA-256. The text at least isn't clear to me. I think there are 2 options:

• The hash used is the one from the cipher
• If no hash is specified we select SHA-256 as the hash and the cipher selection should only use SHA-256 ciphers for the PSK ciphers

[tomato42]

I read this
Each PSK is associated with a single Hash algorithm.
together with this
default to SHA-256 if no such algorithm is defined.
as "you have to say which PSK uses which hash, and in case the user didn't set the hash through API, you have to use SHA-256"

note that for externally established PSKs the establishing happens out-of-band, not during the handshake