1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimSSL_psk_server_cb_func, 6e71b7053SJung-uk KimSSL_psk_find_session_cb_func, 7e71b7053SJung-uk KimSSL_CTX_use_psk_identity_hint, 8e71b7053SJung-uk KimSSL_use_psk_identity_hint, 9e71b7053SJung-uk KimSSL_CTX_set_psk_server_callback, 10e71b7053SJung-uk KimSSL_set_psk_server_callback, 11e71b7053SJung-uk KimSSL_CTX_set_psk_find_session_callback, 12e71b7053SJung-uk KimSSL_set_psk_find_session_callback 13e71b7053SJung-uk Kim- set PSK identity hint to use 14e71b7053SJung-uk Kim 15e71b7053SJung-uk Kim=head1 SYNOPSIS 16e71b7053SJung-uk Kim 17e71b7053SJung-uk Kim #include <openssl/ssl.h> 18e71b7053SJung-uk Kim 19e71b7053SJung-uk Kim typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl, 20e71b7053SJung-uk Kim const unsigned char *identity, 21e71b7053SJung-uk Kim size_t identity_len, 22e71b7053SJung-uk Kim SSL_SESSION **sess); 23e71b7053SJung-uk Kim 24e71b7053SJung-uk Kim 25e71b7053SJung-uk Kim void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, 26e71b7053SJung-uk Kim SSL_psk_find_session_cb_func cb); 27e71b7053SJung-uk Kim void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb); 28e71b7053SJung-uk Kim 29e71b7053SJung-uk Kim typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl, 30e71b7053SJung-uk Kim const char *identity, 31e71b7053SJung-uk Kim unsigned char *psk, 32e71b7053SJung-uk Kim unsigned int max_psk_len); 33e71b7053SJung-uk Kim 34e71b7053SJung-uk Kim int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); 35e71b7053SJung-uk Kim int SSL_use_psk_identity_hint(SSL *ssl, const char *hint); 36e71b7053SJung-uk Kim 37e71b7053SJung-uk Kim void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb); 38e71b7053SJung-uk Kim void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb); 39e71b7053SJung-uk Kim 40e71b7053SJung-uk Kim=head1 DESCRIPTION 41e71b7053SJung-uk Kim 4217f01e99SJung-uk KimA server application wishing to use TLSv1.3 PSKs should set a callback 4317f01e99SJung-uk Kimusing either SSL_CTX_set_psk_find_session_callback() or 4417f01e99SJung-uk KimSSL_set_psk_find_session_callback() as appropriate. 45e71b7053SJung-uk Kim 46e71b7053SJung-uk KimThe callback function is given a pointer to the SSL connection in B<ssl> and 47e71b7053SJung-uk Kiman identity in B<identity> of length B<identity_len>. The callback function 48e71b7053SJung-uk Kimshould identify an SSL_SESSION object that provides the PSK details and store it 49e71b7053SJung-uk Kimin B<*sess>. The SSL_SESSION object should, as a minimum, set the master key, 50e71b7053SJung-uk Kimthe ciphersuite and the protocol version. See 51e71b7053SJung-uk KimL<SSL_CTX_set_psk_use_session_callback(3)> for details. 52e71b7053SJung-uk Kim 53e71b7053SJung-uk KimIt is also possible for the callback to succeed but not supply a PSK. In this 54e71b7053SJung-uk Kimcase no PSK will be used but the handshake will continue. To do this the 55e71b7053SJung-uk Kimcallback should return successfully and ensure that B<*sess> is 56e71b7053SJung-uk KimNULL. 57e71b7053SJung-uk Kim 58e71b7053SJung-uk KimIdentity hints are not relevant for TLSv1.3. A server application wishing to use 59e71b7053SJung-uk KimPSK ciphersuites for TLSv1.2 and below may call SSL_CTX_use_psk_identity_hint() 60e71b7053SJung-uk Kimto set the given B<NUL>-terminated PSK identity hint B<hint> for SSL context 61e71b7053SJung-uk Kimobject B<ctx>. SSL_use_psk_identity_hint() sets the given B<NUL>-terminated PSK 62e71b7053SJung-uk Kimidentity hint B<hint> for the SSL connection object B<ssl>. If B<hint> is 63e71b7053SJung-uk KimB<NULL> the current hint from B<ctx> or B<ssl> is deleted. 64e71b7053SJung-uk Kim 65e71b7053SJung-uk KimIn the case where PSK identity hint is B<NULL>, the server does not send the 66e71b7053SJung-uk KimServerKeyExchange message to the client. 67e71b7053SJung-uk Kim 68e71b7053SJung-uk KimA server application wishing to use PSKs for TLSv1.2 and below must provide a 69e71b7053SJung-uk Kimcallback function which is called when the server receives the 70e71b7053SJung-uk KimClientKeyExchange message from the client. The purpose of the callback function 71e71b7053SJung-uk Kimis to validate the received PSK identity and to fetch the pre-shared key used 72e71b7053SJung-uk Kimduring the connection setup phase. The callback is set using the functions 73e71b7053SJung-uk KimSSL_CTX_set_psk_server_callback() or SSL_set_psk_server_callback(). The callback 74e71b7053SJung-uk Kimfunction is given the connection in parameter B<ssl>, B<NUL>-terminated PSK 75e71b7053SJung-uk Kimidentity sent by the client in parameter B<identity>, and a buffer B<psk> of 76e71b7053SJung-uk Kimlength B<max_psk_len> bytes where the pre-shared key is to be stored. 77e71b7053SJung-uk Kim 78e71b7053SJung-uk KimThe callback for use in TLSv1.2 will also work in TLSv1.3 although it is 79e71b7053SJung-uk Kimrecommended to use SSL_CTX_set_psk_find_session_callback() 80e71b7053SJung-uk Kimor SSL_set_psk_find_session_callback() for this purpose instead. If TLSv1.3 has 81e71b7053SJung-uk Kimbeen negotiated then OpenSSL will first check to see if a callback has been set 82e71b7053SJung-uk Kimvia SSL_CTX_set_psk_find_session_callback() or SSL_set_psk_find_session_callback() 83e71b7053SJung-uk Kimand it will use that in preference. If no such callback is present then it will 84e71b7053SJung-uk Kimcheck to see if a callback has been set via SSL_CTX_set_psk_server_callback() or 85e71b7053SJung-uk KimSSL_set_psk_server_callback() and use that. In this case the handshake digest 8658f35182SJung-uk Kimwill default to SHA-256 for any returned PSK. TLSv1.3 early data exchanges are 8758f35182SJung-uk Kimpossible in PSK connections only with the B<SSL_psk_find_session_cb_func> 8858f35182SJung-uk Kimcallback, and are not possible with the B<SSL_psk_server_cb_func> callback. 89e71b7053SJung-uk Kim 90e71b7053SJung-uk KimA connection established via a TLSv1.3 PSK will appear as if session resumption 91e71b7053SJung-uk Kimhas occurred so that L<SSL_session_reused(3)> will return true. 92e71b7053SJung-uk Kim 93e71b7053SJung-uk Kim=head1 RETURN VALUES 94e71b7053SJung-uk Kim 95e71b7053SJung-uk KimB<SSL_CTX_use_psk_identity_hint()> and B<SSL_use_psk_identity_hint()> return 96e71b7053SJung-uk Kim1 on success, 0 otherwise. 97e71b7053SJung-uk Kim 98e71b7053SJung-uk KimReturn values from the TLSv1.2 and below server callback are interpreted as 99e71b7053SJung-uk Kimfollows: 100e71b7053SJung-uk Kim 101e71b7053SJung-uk Kim=over 4 102e71b7053SJung-uk Kim 103e71b7053SJung-uk Kim=item Z<>0 104e71b7053SJung-uk Kim 105e71b7053SJung-uk KimPSK identity was not found. An "unknown_psk_identity" alert message 106e71b7053SJung-uk Kimwill be sent and the connection setup fails. 107e71b7053SJung-uk Kim 108e71b7053SJung-uk Kim=item E<gt>0 109e71b7053SJung-uk Kim 110e71b7053SJung-uk KimPSK identity was found and the server callback has provided the PSK 111e71b7053SJung-uk Kimsuccessfully in parameter B<psk>. Return value is the length of 112e71b7053SJung-uk KimB<psk> in bytes. It is an error to return a value greater than 113e71b7053SJung-uk KimB<max_psk_len>. 114e71b7053SJung-uk Kim 115e71b7053SJung-uk KimIf the PSK identity was not found but the callback instructs the 116e71b7053SJung-uk Kimprotocol to continue anyway, the callback must provide some random 117e71b7053SJung-uk Kimdata to B<psk> and return the length of the random data, so the 118e71b7053SJung-uk Kimconnection will fail with decryption_error before it will be finished 119e71b7053SJung-uk Kimcompletely. 120e71b7053SJung-uk Kim 121e71b7053SJung-uk Kim=back 122e71b7053SJung-uk Kim 123e71b7053SJung-uk KimThe B<SSL_psk_find_session_cb_func> callback should return 1 on success or 0 on 124e71b7053SJung-uk Kimfailure. In the event of failure the connection setup fails. 125e71b7053SJung-uk Kim 126e71b7053SJung-uk Kim=head1 NOTES 127e71b7053SJung-uk Kim 128e71b7053SJung-uk KimThere are no known security issues with sharing the same PSK between TLSv1.2 (or 12958f35182SJung-uk Kimbelow) and TLSv1.3. However, the RFC has this note of caution: 130e71b7053SJung-uk Kim 131e71b7053SJung-uk Kim"While there is no known way in which the same PSK might produce related output 132e71b7053SJung-uk Kimin both versions, only limited analysis has been done. Implementations can 133e71b7053SJung-uk Kimensure safety from cross-protocol related output by not reusing PSKs between 134e71b7053SJung-uk KimTLS 1.3 and TLS 1.2." 135e71b7053SJung-uk Kim 136e71b7053SJung-uk Kim=head1 SEE ALSO 137e71b7053SJung-uk Kim 138*b077aed3SPierre ProncheryL<ssl(7)>, 139e71b7053SJung-uk KimL<SSL_CTX_set_psk_use_session_callback(3)>, 140e71b7053SJung-uk KimL<SSL_set_psk_use_session_callback(3)> 141e71b7053SJung-uk Kim 142e71b7053SJung-uk Kim=head1 HISTORY 143e71b7053SJung-uk Kim 144e71b7053SJung-uk KimSSL_CTX_set_psk_find_session_callback() and SSL_set_psk_find_session_callback() 145e71b7053SJung-uk Kimwere added in OpenSSL 1.1.1. 146e71b7053SJung-uk Kim 147e71b7053SJung-uk Kim=head1 COPYRIGHT 148e71b7053SJung-uk Kim 14958f35182SJung-uk KimCopyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. 150e71b7053SJung-uk Kim 151*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 152e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 153e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 154e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 155e71b7053SJung-uk Kim 156e71b7053SJung-uk Kim=cut 157