google/conscrypt

Question: How to add more cipher suites?

Porok12 opened this issue · 3 comments

Hello,
I would like to fork this project and add more cipher suites, let's say TLS_PSK_WITH_AES_128_CBC_SHA256. What should I change/add (in Conscrypt/BoringSSL) to make it work?

I'm getting

org.conscrypt.ConscryptSuite > org.conscrypt.javax.net.ssl.SSLSocketVersionCompatibilityTest.test_SSLSocket_TlsUniqueLength[2: TLSv1.3 client, TLSv1.2 server] FAILED
    java.lang.AssertionError: Cipher suite is TLS_PSK_WITH_AES_128_CBC_SHA256
        at org.conscrypt.javax.net.ssl.SSLSocketVersionCompatibilityTest.test_SSLSocket_TlsUniqueLength(SSLSocketVersionCompatibilityTest.java:2077)

        Caused by:
        java.lang.RuntimeException: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: connection closed
            at org.conscrypt.javax.net.ssl.TestSSLSocketPair.connect(TestSSLSocketPair.java:126)
            at org.conscrypt.javax.net.ssl.SSLSocketVersionCompatibilityTest.test_SSLSocket_TlsUniqueLength(SSLSocketVersionCompatibilityTest.java:2066)

            Caused by:
            java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: connection closed
                at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
                at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:205)
                at org.conscrypt.javax.net.ssl.TestSSLSocketPair.connect(TestSSLSocketPair.java:99)
                ... 1 more

                Caused by:
                javax.net.ssl.SSLHandshakeException: connection closed
                    at org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
                    at org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:232)
                    at org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:212)
                    at org.conscrypt.javax.net.ssl.TestSSLSocketPair$1.call(TestSSLSocketPair.java:79)
                    at org.conscrypt.javax.net.ssl.TestSSLSocketPair$1.call(TestSSLSocketPair.java:72)
                    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
                    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                    at java.base/java.lang.Thread.run(Thread.java:829)

                    Caused by:
                    java.io.EOFException: connection closed
                        at org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:232)
                        ... 7 more

I added to ssl_cipher.cc

    {
     TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256,
     "TLS_PSK_WITH_AES_128_CBC_SHA256",
     TLS1_CK_PSK_WITH_AES_128_CBC_SHA256,
     SSL_kPSK,
     SSL_aPSK,
     SSL_AES128,
     SSL_AEAD,
     SSL_HANDSHAKE_MAC_SHA256,
    },

TLS-PSK was deprecated a long time ago and support for that negotiation was removed.

Thanks, but can I easily add it again in my forked project?

There is already support for TLS_PSK_WITH_AES_128_CBC_SHA, so adding TLS_PSK_WITH_AES_128_CBC_SHA256 should be fairly easy, right?

Perhaps I should modify ssl_cipher_get_evp_aead somehow to handle SHA256.

It seems that this is possible.