Skip to content

Comments

Fix the s_server psk_server_cb for use in DTLS#16838

Closed
mattcaswell wants to merge 2 commits intoopenssl:masterfrom
mattcaswell:fix-dtls-psk
Closed

Fix the s_server psk_server_cb for use in DTLS#16838
mattcaswell wants to merge 2 commits intoopenssl:masterfrom
mattcaswell:fix-dtls-psk

Conversation

@mattcaswell
Copy link
Member

@mattcaswell mattcaswell commented Oct 14, 2021

Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

@mattcaswell
Fix the s_server psk_server_cb for use in DTLS
c682163 
Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes openssl#16707
@mattcaswell mattcaswell added branch: master Applies to master branch approval: review pending This pull request needs review by a committer branch: 3.0 Applies to openssl-3.0 branch labels Oct 14, 2021
@mattcaswell mattcaswell mentioned this pull request Oct 14, 2021
Closed
@t8m
Copy link
Member

t8m commented Oct 15, 2021

@mattcaswell there is also PR #16709 fixing the same issue.

@t8m t8m added the triaged: bug The issue/pr is/fixes a bug label Oct 15, 2021
kaduk
kaduk reviewed Oct 15, 2021
View reviewed changes
apps/s_server.c
BIO_printf(bio_s_out, "psk_server_cb\n");

if (SSL_version(ssl) >= TLS1_3_VERSION) {
if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
Copy link
Contributor

@kaduk kaduk Oct 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we also check the specific DTLS version in the DTLS case?

Copy link
Member Author

@mattcaswell mattcaswell Oct 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err, no. It actually works just fine for DTLSv1 as well (and TLSv1). I fixed the comment instead :-)

Copy link
Contributor

@kaduk kaduk Oct 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh! I meant that we should check that it's not DTLS1_3_VERSION in the DTLS case, since DTLS 1.3 is basically just TLS 1.3.
The DTLS 1.3 specification is, of course, in the RFC Editor's queue, and thus going to be something we ought to care about Real Soon Now.

But fixing the comment is also useful :)

Copy link
Member Author

@mattcaswell mattcaswell Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At the moment we don't have a definition for DTLS1_3_VERSION in the header files. Since there's a whole heap of places we check TLS1_3_VERSION without worrying about DTLS, when we do the DTLS1.3 work we're going to have to review each and every one of them.

@mattcaswell mattcaswell added the branch: 1.1.1 Applies to OpenSSL_1_1_1-stable branch (EOL) label Oct 18, 2021
@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 18, 2021

This fix also needs to be applied to the 1.1.1 branch.

@mattcaswell mattcaswell added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Oct 20, 2021
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Oct 21, 2021
@openssl-machine
Copy link
Collaborator

openssl-machine commented Oct 21, 2021

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request Oct 22, 2021
@mattcaswell
Fix the s_server psk_server_cb for use in DTLS
8b09a9c 
Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

Reviewed-by: Ben Kaduk <[email protected]>
(Merged from #16838)
openssl-machine pushed a commit that referenced this pull request Oct 22, 2021
@mattcaswell
Fix the s_server psk_server_cb for use in DTLS
fd7c2ff 
Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

Reviewed-by: Ben Kaduk <[email protected]>
(Merged from #16838)

(cherry picked from commit 8b09a9c)
openssl-machine pushed a commit that referenced this pull request Oct 22, 2021
@mattcaswell
Fix the s_server psk_server_cb for use in DTLS
0ad7578 
Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

Reviewed-by: Ben Kaduk <[email protected]>
(Merged from #16838)

(cherry picked from commit 8b09a9c)
@mattcaswell
Copy link
Member Author

mattcaswell commented Oct 22, 2021

Pushed. Thanks!

@kaduk kaduk mentioned this pull request Nov 8, 2021
Closed
baentsch added a commit to open-quantum-safe/openssl that referenced this pull request Jun 23, 2022
@baentsch @luyahan
@devnexen @davidben @t8m @paulidale @mattcaswell @levitte @ueno @ischwarze @bbbrumley @tmshort @ifranzki @romen @bernd-edlinger @uudiin @zhaozg @Dani-Hub @ellert @lprimak @mspncp @beldmit @PeiweiHu @x2018 @allanjude @DDvO @dongbeiouba @KanPlus @roussosalex @pkubaj @jmgdjgpp @Thomas1664 @JiangJias @faramir-dev @hlandau @juergenchrist @reaperhulk @basavesh @frasertweedale