Update TLS 1.3 PSK-only mode

include/gmssl/tls.h

@@ -792,18 +792,21 @@ typedef struct {
 	const uint8_t *signed_certificate_timestamp;
 	size_t signed_certificate_timestamp_len;
 
-
-	// 用于加密和解密session ticket
-	SM4_KEY server_session_ticket_key;
+	SM4_KEY *session_ticket_key;
+	SM4_KEY _session_ticket_key;
 
 	int new_session_ticket;
+	int new_session_ticket_cnt;
 
 
 	// 设置客户端是否启用PSK模式
-	int pre_shared_key;
+	int pre_shared_key_enabled;
+
 
 	TLS_SESSION session;
 
+	int early_data_enabled;
+	int max_early_data_size;
 
 	int quiet;
 } TLS_CTX;
@@ -1019,10 +1022,33 @@ typedef struct {
 
 	int hello_retry_request;
 	int certificate_request;
-	int early_data;
 	int new_session_ticket;
-	int pre_shared_key;
+
+
+	int pre_shared_key_enabled;
+
+
+	// 客户端和服务器端都可以直接指定若干psk
+	// 服务器端也可能通过解密客户端发出
+	uint8_t psk_identities[512];
+	size_t psk_identities_len;
+	uint8_t psk_keys[32 * 8];
+	size_t psk_keys_len;
+
 	uint8_t psk[32];
+	size_t psk_len;
+
+	const uint8_t *psk_identity;
+	size_t psk_identity_len;
+
+
+
+	// psk_key_exchange_modes
+	int psk_ke;
+	int psk_dhe_ke;
+
+	int new_session_ticket_cnt;
+
 
 	int selected_psk_identity;
 
@@ -1031,13 +1057,13 @@ typedef struct {
 	uint8_t cookie[512];
 	size_t cookielen;
 
-	FILE *out_session;
-	FILE *in_session;
-
-
-	uint8_t early_data_buf[8192];
+	int early_data_enabled;
+	uint8_t early_data[8192];
 	size_t early_data_len;
+	size_t max_early_data_size;
 
+	const char *session_in;
+	const char *session_out;
 } TLS_CONNECT;
 
 
@@ -1090,7 +1116,10 @@ int tls_print_record(FILE *fp, int fmt, int ind, const char *label, TLS_CONNECT
 int tls_init(TLS_CONNECT *conn, const TLS_CTX *ctx);
 int tls_set_hostname(TLS_CONNECT *conn, const char *hostname);
 int tls_set_socket(TLS_CONNECT *conn, tls_socket_t sock);
+
+
 int tls_do_handshake(TLS_CONNECT *conn);
+
 int tls_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen);
 int tls_recv(TLS_CONNECT *conn, uint8_t *out, size_t outlen, size_t *recvlen);
 int tls_shutdown(TLS_CONNECT *conn);
@@ -1224,7 +1253,94 @@ int tls13_decrypt_ticket(const SM4_KEY *key, const uint8_t *in, size_t inlen,
 
 
 
+/*
+EarlyData (0-RTT)
+	client: tls13_set_early_data 隐式的启用客户端EarlyData
+	server: tls13_set_max_early_data_size 隐式的启用服务器的early_data接收，以及如果发送NewSessionTicket，会把这个信息加上去
+*/
+int tls13_set_early_data(TLS_CONNECT *conn, const uint8_t *data, size_t datalen);
 
+int tls13_ctx_set_max_early_data_size(TLS_CTX *ctx, size_t max_early_data_size);
+int tls13_set_max_early_data_size(TLS_CONNECT *conn, size_t max_early_data_size);
+
+
+
+/*
+PSK 模式
+
+	客户端：关键是要载入SESSION，采用发送PSK，所以
+		tls13_set_session_infile
+
+		这个函数没有明确的和PSK建立关联
+
+	服务器：是否允许PSK，依赖是否设置session_ticket_key
+*/
+
+// enable PSK, enable ClientHello.exts.pre_shared_key
+int tls13_set_session_infile(TLS_CONNECT *conn, const char *file);
+
+int tls13_set_session_resumption(TLS_CONNECT *conn, const char *session_file);
+
+
+// TLS 1.3有静态PSK的模式，这种模式下又有不同的交互
+// 我们应该在支持这个模式之后，再调整接口
+
+
+/* 服务器发送NewSessionTicket
+
+	取决于是否准备了session_ticket_key
+
+	以及到底要发送多少个new_session_tickets，这有明确的对应
+*/
+
+
+#define TLS_NEW_SESSION_TICKET_MAX_COUNT 5
+
+
+
+int tls13_ctx_set_session_ticket_key(TLS_CTX *ctx, const uint8_t *key, size_t keylen);
+int tls13_ctx_set_new_session_ticket(TLS_CTX *ctx, size_t new_session_ticket_cnt);
+int tls13_set_new_session_ticket(TLS_CONNECT *conn, size_t new_session_ticket_cnt);
+
+
+
+// 只是意味着保存NewSessionTicket
+int tls13_set_session_outfile(TLS_CONNECT *conn, const char *file);
+
+
+
+// psk_key_exchange_modes extension
+enum {
+	TLS_psk_ke		= 0,
+	TLS_psk_dhe_ke		= 1,
+	TLS_psk_preserved_max	= 255,
+};
+
+enum {
+	TLS_psk_mode_null	= 0,
+	TLS_psk_mode_ke		= 1,
+	TLS_psk_mode_dhe_ke	= 2,
+	TLS_psk_mode_both	= 3,
+};
+
+const char *tls13_psk_key_exchange_mode_name(int mode);
+int tls13_psk_key_exchange_modes_ext_to_bytes(int ke, int dhe_ke, uint8_t **out, size_t *outlen);
+int tls13_psk_key_exchange_modes_from_bytes(int *ke, int *dhe_ke, const uint8_t *ext_data, size_t ext_datalen);
+
+int tls13_enable_pre_shared_key(TLS_CONNECT *conn, int enable);
+int tls13_enable_early_data(TLS_CONNECT *conn, int enable);
+
+
+int tls13_add_pre_shared_key(TLS_CONNECT *conn, const DIGEST *digest, const uint8_t *identity, size_t identitylen,
+	const uint8_t *pre_shared_key, size_t pre_shared_key_len, uint32_t tls13_add_pre_shared_key);
+int tls13_add_pre_shared_key_from_file(TLS_CONNECT *conn, const char *file);
+
+int tls13_set_psk_key_exchange_modes(TLS_CONNECT *conn, int psk_ke, int psk_dhe_ke);
+
+int tls13_verify_psk_binder(const DIGEST *digest,
+	const uint8_t *pre_shared_key, size_t pre_shared_key_len,
+	const DIGEST_CTX *truncated_client_hello_dgst_ctx,
+	const uint8_t *binder, size_t binderlen);
 
 
 #ifdef  __cplusplus

src/tls.c

@@ -2307,11 +2307,9 @@ int tls_ctx_init(TLS_CTX *ctx, int protocol, int is_client)
 
 	ctx->verify_depth = 5;
 
-	ctx->new_session_ticket = 1;
-
 
 	// TODO: 需要通过函数或者其他设置来启用这个开关
-	ctx->pre_shared_key = 1;
+	ctx->pre_shared_key_enabled = 1;
 
 	return 1;
 }
@@ -2535,6 +2533,70 @@ end:
 	return ret;
 }
 
+/*
+服务器的控制开关
+
+	* 是否验证客户端，这可能依赖很多条件
+		服务器至少需要提供CA证书
+		状态certificate_request = on
+
+	* 是否发送NewSessionTicket
+		这和是否采用PSK模式实际上是没有关系的
+		本次启动服务器可能不支持PSK模式，但是仍然可以提供session_ticket
+		服务器需要设置session的加密密钥
+
+		是否要设置可以发送ticket的次数
+
+		以及ticket有关的信息（有效期之类）
+
+		自动化设置max_early_data_size
+
+	* 是否支持pre_shared_key (1-RTT)
+		TLS 1.3有好几种PSK的模式，比如PSK之后是否进行ECDH
+		服务器需要设置session的加密密钥
+
+	// ok
+	* 是否支持early_data
+		这是一个独立的开关
+
+
+
+客户端的控制开关
+
+	* 初始设置客户端的证书（这和服务器无关）
+
+	* 是否发送pre_shared_key
+
+		需要提供session_ticket的文件，载入信息
+		并且需要开关
+
+	* 是否发送early_data
+
+		是否已经准备了session
+		是否已经准备了early_data数据（这个无所谓，只要指定了这个状态，有没有数据都发送一个early_data报文）
+		如果有max_early_data_size，要判断一下大小
+
+		我们可以延迟到开始发送early_data的时候再检查
+
+
+服务器是否支持PSK，客户端是否发送PSK实际上是两个独立的功能。
+
+	如果我们打开服务器支持PSK的开关，但是没有设置session_ticket的密钥，那么就会出问题
+	我们还是延迟检查比较好
+
+	因为PSK对于服务器来说是一个隐含的，不是主动的，服务器是被动的
+	如果服务器准备好了session_ticket_key，那么就意味着允许
+
+
+	对于客户端来说，如果要在ClientHello中提供pre_shared_key，那么就必须要提供session_infile
+	或者说，set_session_in 就说明我们一定是要发送pre_shared_key的，并且就来自于session_in
+	但是如果设置了session_out ，那么意味着我们会保存信息，但是不一定会发送psk，这两个是独立的
+
+	因此对于客户端来说，pre_shared_key的状态是否有必要的
+
+
+*/
+
 int tls_init(TLS_CONNECT *conn, const TLS_CTX *ctx)
 {
 	size_t i;
@@ -2580,12 +2642,20 @@ int tls_init(TLS_CONNECT *conn, const TLS_CTX *ctx)
 
 	conn->ctx = ctx;
 
-
 	conn->key_exchanges_cnt = 2;
 
 	conn->new_session_ticket = ctx->new_session_ticket;
 
-	conn->pre_shared_key = ctx->pre_shared_key;
+	conn->pre_shared_key_enabled = ctx->pre_shared_key_enabled;
+
+	// 仅仅用于测试0-RTT
+	/*
+	conn->early_data_enabled = 1;
+	tls13_set_early_data(conn, (uint8_t *)"Early data", strlen("Early data"));
+	*/
+
+	tls13_set_max_early_data_size(conn, ctx->max_early_data_size);
+
 
 	return 1;
 }

tools/tls13_client.c

@@ -12,6 +12,7 @@
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <gmssl/hex.h>
 #include <gmssl/tls.h>
 #include <gmssl/error.h>
 
@@ -34,6 +35,11 @@ static const char *help =
 "    -cert file             Client's certificate chain in PEM format\n"
 "    -key file              Client's encrypted private key in PEM format\n"
 "    -pass str              Password to decrypt private key\n"
+"    -sess_in               Load server's session ticket file\n"
+"    -sess_out              Save server's session ticket file\n"
+"    -psk_identity str      Identity of pre_shared_key\n"
+"    -psk hex               Pre-shared key in HEX format\n"
+"    -early_data file       Send early data\n"
 "\n"
 "Examples\n"
 "\n"
@@ -57,6 +63,7 @@ static const char *help =
 "\n"
 "    sudo gmssl tls13_server -port 4430 -cert certs.pem -key signkey.pem -pass 1234\n"
 "    gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacert.pem\n"
+"            -sess_in session.bin -sess_out session.bin\n"
 "\n";
 
 int tls13_client_main(int argc, char *argv[])
@@ -78,6 +85,17 @@ int tls13_client_main(int argc, char *argv[])
 	size_t len = sizeof(buf);
 	char send_buf[1024] = {0};
 
+	char *sess_in = NULL;
+	char *sess_out = NULL;
+	char *psk_identity = NULL;
+	char *psk = NULL;
+	uint8_t psk_buf[32];
+	size_t psk_len;
+
+	char *early_data_file = NULL;
+	FILE *early_data_fp = NULL;
+	int max_early_data_size = 0;
+
 	argc--;
 	argv++;
 	if (argc < 1) {
@@ -107,6 +125,24 @@ int tls13_client_main(int argc, char *argv[])
 		} else if (!strcmp(*argv, "-pass")) {
 			if (--argc < 1) goto bad;
 			pass = *(++argv);
+		} else if (!strcmp(*argv, "-sess_in")) {
+			if (--argc < 1) goto bad;
+			sess_in = *(++argv);
+		} else if (!strcmp(*argv, "-sess_out")) {
+			if (--argc < 1) goto bad;
+			sess_out = *(++argv);
+		} else if (!strcmp(*argv, "-psk_identity")) {
+			if (--argc < 1) goto bad;
+			psk_identity = *(++argv);
+		} else if (!strcmp(*argv, "-psk")) {
+			if (--argc < 1) goto bad;
+			psk = *(++argv);
+		} else if (!strcmp(*argv, "-early_data")) {
+			if (--argc < 1) goto bad;
+			early_data_file = *(++argv);
+		} else if (!strcmp(*argv, "-max_early_data_size")) {
+			if (--argc < 1) goto bad;
+			max_early_data_size = atoi(*(++argv));
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -132,6 +168,8 @@ bad:
 		goto end;
 	}
 
+
+
 	memset(&ctx, 0, sizeof(ctx));
 	memset(&conn, 0, sizeof(conn));
 
@@ -165,8 +203,75 @@ bad:
 			goto end;
 		}
 	}
-	if (tls_init(&conn, &ctx) != 1
-		|| tls_set_socket(&conn, sock) != 1
+	if (tls_init(&conn, &ctx) != 1) {
+		fprintf(stderr, "%s: error\n", prog);
+		goto end;
+	}
+
+	if (sess_in) {
+
+		if (tls13_add_pre_shared_key_from_file(&conn, sess_in) != 1) {
+			error_print();
+			return -1;
+		}
+		tls13_enable_pre_shared_key(&conn, 1);
+		tls13_set_psk_key_exchange_modes(&conn, 1, 1);
+	}
+	if (sess_out) {
+		if (tls13_set_session_outfile(&conn, sess_out) != 1) {
+			error_print();
+			goto end;
+		}
+	}
+	if (psk) {
+		if (!psk_identity) {
+			error_print();
+			return -1;
+		}
+		if (strlen(psk) != sizeof(psk_buf) * 2) {
+			error_print();
+			return -1;
+		}
+		if (hex_to_bytes(psk, strlen(psk), psk_buf, &psk_len) != 1) {
+			error_print();
+			return -1;
+		}
+		if (tls13_add_pre_shared_key(&conn, DIGEST_sm3(), (uint8_t *)psk_identity, strlen(psk_identity), psk_buf, psk_len, 0) != 1) {
+			error_print();
+			return -1;
+		}
+
+		tls13_enable_pre_shared_key(&conn, 1);
+		tls13_set_psk_key_exchange_modes(&conn, 1, 1);
+
+	}
+
+
+	if (early_data_file) {
+		uint8_t early_data[8192];
+		size_t early_data_len;
+
+		if (!(early_data_fp = fopen(early_data_file, "rb"))) {
+			error_print();
+			return -1;
+		}
+
+		early_data_len = fread(early_data, 1, sizeof(early_data), early_data_fp);
+
+		if (early_data_len) {
+
+			if (tls13_set_early_data(&conn, early_data, early_data_len) != 1) {
+				fclose(early_data_fp);
+				error_print();
+				return -1;
+			}
+		}
+		fclose(early_data_fp);
+	}
+
+
+
+	if (tls_set_socket(&conn, sock) != 1
 		|| tls_do_handshake(&conn) != 1) {
 		fprintf(stderr, "%s: error\n", prog);
 		goto end;

tools/tls13_server.c

@@ -13,6 +13,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <gmssl/mem.h>
+#include <gmssl/hex.h>
 #include <gmssl/sm2.h>
 #include <gmssl/tls.h>
 #include <gmssl/error.h>
@@ -23,11 +24,17 @@ static const char *options = "[-port num] -cert file -key file -pass str [-cacer
 static const char *help =
 "Options\n"
 "\n"
-"    -port num              Listening port number, default 443\n"
-"    -cert file             Server's certificate chain in PEM format\n"
-"    -key file              Server's encrypted private key in PEM format\n"
-"    -pass str              Password to decrypt private key\n"
-"    -cacert file           CA certificate for client certificate verification\n"
+"    -port num                 Listening port number, default 443\n"
+"    -cert file                Server's certificate chain in PEM format\n"
+"    -key file                 Server's encrypted private key in PEM format\n"
+"    -pass str                 Password to decrypt private key\n"
+"    -cacert file              CA certificate for client certificate verification\n"
+"    -new_session_ticket num   Send NewSessionTicket <num> times\n"
+"    -ticket_key hex           Session ticket encrypt/decrypt key in HEX format\n"
+"    -psk_identity str         Identity of pre_shared_key\n"
+"    -psk hex                  Pre-shared key in HEX format\n"
+"    -early_data               Accept EarlyData, support 0-RTT\n"
+"    -max_early_data_size num  Set extension max_early_data_size\n"
 "\n"
 "Examples\n"
 "\n"
@@ -72,6 +79,19 @@ int tls13_server_main(int argc , char **argv)
 	struct sockaddr_in server_addr;
 	struct sockaddr_in client_addr;
 
+	int new_session_ticket = 0;
+	char *ticket_key = NULL;
+	uint8_t ticket_key_buf[16];
+
+	// TODO: clean
+	char *psk_identity = NULL;
+	char *psk = NULL;
+	uint8_t psk_buf[32];
+	size_t psk_len;
+
+	int early_data = 0;
+	int max_early_data_size = 0;
+
 	argc--;
 	argv++;
 
@@ -100,6 +120,23 @@ int tls13_server_main(int argc , char **argv)
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
 			cacertfile = *(++argv);
+		} else if (!strcmp(*argv, "-new_session_ticket")) {
+			if (--argc < 1) goto bad;
+			new_session_ticket = atoi(*(++argv));
+		} else if (!strcmp(*argv, "-ticket_key")) {
+			if (--argc < 1) goto bad;
+			ticket_key = *(++argv);
+		} else if (!strcmp(*argv, "-psk_identity")) {
+			if (--argc < 1) goto bad;
+			psk_identity = *(++argv);
+		} else if (!strcmp(*argv, "-psk")) {
+			if (--argc < 1) goto bad;
+			psk = *(++argv);
+		} else if (!strcmp(*argv, "-early_data")) {
+			early_data = 1;
+		} else if (!strcmp(*argv, "-max_early_data_size")) {
+			if (--argc < 1) goto bad;
+			max_early_data_size = atoi(*(++argv));
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -110,6 +147,7 @@ bad:
 		argc--;
 		argv++;
 	}
+	/*
 	if (!certfile) {
 		fprintf(stderr, "%s: '-cert' option required\n", prog);
 		return 1;
@@ -122,6 +160,8 @@ bad:
 		fprintf(stderr, "%s: '-pass' option required\n", prog);
 		return 1;
 	}
+	*/
+
 	if (tls_socket_lib_init() != 1) {
 		error_print();
 		return -1;
@@ -143,6 +183,40 @@ bad:
 		}
 	}
 
+	// NewSessionTicket
+	if (new_session_ticket < 0) {
+		error_print();
+		return -1;
+	}
+	if (new_session_ticket > 0) {
+		if (!ticket_key) {
+			error_print();
+			return -1;
+		}
+		if (tls13_ctx_set_new_session_ticket(&ctx, new_session_ticket) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	if (ticket_key) {
+		size_t ticket_key_len;
+		if (strlen(ticket_key) != sizeof(ticket_key_buf) * 2) {
+			error_print();
+			return -1;
+		}
+		if (hex_to_bytes(ticket_key, strlen(ticket_key), ticket_key_buf, &ticket_key_len) != 1) {
+			error_print();
+			return -1;
+		}
+		if (tls13_ctx_set_session_ticket_key(&ctx, ticket_key_buf, ticket_key_len) != 1) {
+			error_print();
+			return -1;
+		}
+		tls13_enable_pre_shared_key(&conn, 1);
+		tls13_set_psk_key_exchange_modes(&conn, 1, 1);
+	}
+
 	if (tls_socket_create(&sock, AF_INET, SOCK_STREAM, 0) != 1) {
 		fprintf(stderr, "%s: socket create error\n", prog);
 		goto end;
@@ -174,6 +248,44 @@ restart:
 		return -1;
 	}
 
+
+	if (psk) {
+		if (!psk_identity) {
+			error_print();
+			return -1;
+		}
+		if (strlen(psk) != sizeof(psk_buf) * 2) {
+			error_print();
+			return -1;
+		}
+		if (hex_to_bytes(psk, strlen(psk), psk_buf, &psk_len) != 1) {
+			error_print();
+			return -1;
+		}
+		if (tls13_add_pre_shared_key(&conn, DIGEST_sm3(), (uint8_t *)psk_identity, strlen(psk_identity), psk_buf, psk_len, 0) != 1) {
+			error_print();
+			return -1;
+		}
+
+		tls13_enable_pre_shared_key(&conn, 1);
+		tls13_set_psk_key_exchange_modes(&conn, 1, 1);
+	}
+
+	if (max_early_data_size > 0) {
+		if (tls13_set_max_early_data_size(&conn, max_early_data_size) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+	if (early_data) {
+		if (tls13_enable_early_data(&conn, 1) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+
+
 	if (tls_do_handshake(&conn) != 1) {
 		error_print();
 		return -1;