diff options
author | Mårten Nordheim <marten.nordheim@qt.io> | 2021-08-31 15:18:55 +0200 |
---|---|---|
committer | Mårten Nordheim <marten.nordheim@qt.io> | 2021-09-08 18:28:40 +0000 |
commit | 2e520f29a73fe4c3432a992d41c33220736a0d65 (patch) | |
tree | c354f049199147f728a25da9f96bee69bcfc1570 /src/plugins/tls/openssl/qtls_openssl.cpp | |
parent | 4641ff0f6a1b0da6f55db5e33c58a77be2032808 (diff) |
OpenSSL: Let people opt-in to use TLS 1.3 PSK callback
It's a workaround for the workaround...
If TLS 1.3 was explicitly chosen and the PSK callback is set then
without this patch the callback is never called since, with TLS 1.3, PSK
would only be queried once at the start of a connection.
It can now be re-enabled with an environment variable. A new API should
be added to address the new requirements of PSK with TLS 1.3:
For session resumption the connection MUST use the same hash algorithm
as in the original session. For new sessions the hash algorithm must be
decided ahead of time, or a default will be used (as defined by the
standard). A user can also pass along multiple identity+key pairs and
the server will pick one it recognizes. This is not something we can
currently do with the preSharedKeyAuthenticationRequired callback.
[ChangeLog][Network][QSslSocket][OpenSSL] When using TLS 1.3 we
suppress the first callback from OpenSSL about pre-shared keys, as it
doesn't conform to the past behavior which
preSharedKeyAuthenticationRequired provided. With this update you can
opt-out of that workaround by setting the QT_USE_TLS_1_3_PSK environment
variable
Pick-to: 6.2 6.1 5.15
Task-number: QTBUG-95670
Change-Id: Ia7454bbbf394cbcb859de333b371d0890b42a1c3
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/plugins/tls/openssl/qtls_openssl.cpp')
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index db7316e927..5a9a55ebbd 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp @@ -258,15 +258,22 @@ static unsigned q_ssl_psk_restore_client(SSL *ssl, const char *hint, char *ident Q_ASSERT(tls->d); Q_ASSERT(tls->d->tlsMode() == QSslSocket::SslClientMode); #endif + unsigned retVal = 0; + + // Let developers opt-in to having the normal PSK callback get called for TLS 1.3 + // PSK (which works differently in a few ways, and is called at the start of every connection). + // When they do opt-in we just call the old callback from here. + if (qEnvironmentVariableIsSet("QT_USE_TLS_1_3_PSK")) + retVal = q_ssl_psk_client_callback(ssl, hint, identity, max_identity_len, psk, max_psk_len); + q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); - return 0; + return retVal; } static int q_ssl_psk_use_session_callback(SSL *ssl, const EVP_MD *md, const unsigned char **id, size_t *idlen, SSL_SESSION **sess) { - Q_UNUSED(ssl); Q_UNUSED(md); Q_UNUSED(id); Q_UNUSED(idlen); |