facebookincubator/fizz

Need Pure PSK (out of band) Example with Fizz Tool

pneumillerds opened this issue · 5 comments

I'm interested in using (out-of-band) pre-shared keys with my use of Fizz. The examples provided by the tool use server-side certs. I was able to convince the server side I was using a pre-shared key, but I can't convince the client side that it should do the same; I get the following exception:

29100 FizzClientCommand.cpp:141] Handshake error: fizz::FizzException: unexpected extension in shlo: pre_shared_key

I could not find any command line options (except re-connect) that demonstrate pre-shared keys. If there is something I'm missing I would appreciate any advice on what I need to do in the code to use pure pre-shared keys (with no certs).

Thanks,

Phil

P.S. I'm also having trouble building for Mac OS with the provided mac-build.sh script on:

18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 x86_64

So I'm using Ubuntu in a docker container.

The tool doesn't support external PSKs by default (it will require some code modification). If you configure a PskCache that returns a CachedPsk (https://github.com/facebookincubator/fizz/blob/master/fizz/client/PskCache.h) with type of PskType::External, the client should attempt to use it. This is configured in the client tool around https://github.com/facebookincubator/fizz/blob/master/fizz/tool/FizzClientCommand.cpp#L511.

FYI, we don't use external PSKs with fizz in production (we only use resumption PSKs). Everything should work, but it's not as well tested as other parts of fizz. Please let us know if you run into any issues (and happy to take PRs as well).

Why can't I do this? I am still having difficulty getting pre-shared keys working.

auto cpsk = clientContext->getPsk("fizz");
clientContext->getPsk();
cpsk->secret = "pass";
clientContext->setPskCache(cpsk);

You can't put back the client context PSK cache with the get and sets!

Did you try putPsk instead of setPskCache? putPsk is for setting a single PSK on the already existing PskCache.

I landed c3d728d a couple of days ago, which ought to improve support for external PSKs. Previously some other fields had to be set to conform with rules for resumption keys, but this change makes it so that PSKs with type External don't have that apply to them.

You ought to be able to create one like this:

fizz::CachedPsk psk;
psk.psk = "external_psk_identity"; // PSK identity offered in the ClientHello
psk.secret = "external_secret_here"; // the raw pre-shared secret
psk.type = PskType::External; // not a resumption ticket
psk.version = ProtocolVersion::tls_1_3;
psk.cipher = CipherSuite::TLS_AES_128_GCM_SHA256; // Or whatever cipher you prefer

Then put it into the cache.