tls: Add PSK support (v9.0.0-pre)

doc/api/tls.md

@@ -115,6 +115,26 @@ SNI (Server Name Indication) are TLS handshake extensions:
 * SNI - Allows the use of one TLS server for multiple hostnames with different
   SSL certificates.
 
+### Pre-shared keys
+
+<!-- type=misc -->
+
+TLS-PSK support is also available as an alternative to normal certificate-based
+authentication. TLS-PSK uses a pre-shared key instead of certificates to
+authenticate a TLS connection, providing mutual authentication.
+
+TLS-PSK and public key infrastructure are not mutually exclusive; clients and
+servers can accommodate both, with the variety determined by the normal cipher
+negotiation step.
+
+Note that TLS-PSK is only a good choice where means exist to securely share a
+key with every connecting machine, so it does not replace PKI for the majority
+of TLS uses.
+
+The TLS-PSK implementation in OpenSSL has also seen many security flaws in
+recent years, mostly because it is used only by a minority of applications.
+Please consider all alternative solutions before switching to PSK ciphers.
+
 ### Client-initiated renegotiation attack mitigation
 
 <!-- type=misc -->
@@ -851,6 +871,9 @@ similar to:
 <!-- YAML
 added: v0.11.3
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/14978
+    description: The `pskCallback` option is now supported.
   - version: v8.0.0
     pr-url: https://github.com/nodejs/node/pull/12839
     description: The `lookup` option is supported now.
@@ -884,6 +907,17 @@ changes:
     verified against the list of supplied CAs. An `'error'` event is emitted if
     verification fails; `err.code` contains the OpenSSL error code. **Default:**
     `true`.
+  * `pskCallback(hint)` {Function} When negotiating TLS-PSK, this optional
+    function is called with the identity hint provided by the server. If the
+    client should continue to negotiate PSK ciphers, the return value of this
+    function must be an object in the form `{psk: <string>, identity:
+    <string>}`.
+    Note that PSK ciphers are disabled by default, and using TLS-PSK thus
+    requires explicitly specifying a cipher suite with the `ciphers` option.
+    Additionally, it may be necessary to disable `rejectUnauthorized` if a
+    client attempts to specify a certificate for the session.
+    Note that `psk` must be a hexadecimal string, `identity` must use UTF-8
+    encoding.
   * `ALPNProtocols`: {string[]|Buffer[]|Uint8Array[]|Buffer|Uint8Array}
     An array of strings, `Buffer`s or `Uint8Array`s, or a single `Buffer` or
     `Uint8Array` containing the supported ALPN protocols. `Buffer`s should have
@@ -1168,7 +1202,8 @@ changes:
     a 16-byte HMAC key, and a 16-byte AES key. This can be used to accept TLS
     session tickets on multiple instances of the TLS server.
   * ...: Any [`tls.createSecureContext()`][] option can be provided. For
-    servers, the identity options (`pfx` or `key`/`cert`) are usually required.
+    servers, the identity options (`pfx`, `key`/`cert` or `pskCallback`)
+    are usually required.
 * `secureConnectionListener` {Function}
 
 Creates a new [`tls.Server`][]. The `secureConnectionListener`, if provided, is

lib/_tls_common.js

@@ -25,6 +25,7 @@ const { parseCertString } = require('internal/tls');
 const { isArrayBufferView } = require('internal/util/types');
 const tls = require('tls');
 const {
+  ERR_ASSERTION,
   ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
   ERR_INVALID_ARG_TYPE
 } = require('internal/errors').codes;
@@ -68,6 +69,83 @@ function validateKeyCert(name, value) {
 
 exports.SecureContext = SecureContext;
 
+function onpskexchange(pskCallback) {
+  return (identity, maxPskLen, maxIdentLen) => {
+    let ret = pskCallback(identity);
+    if (typeof ret !== 'object' || ret == null) {
+      ret = undefined;
+    }
+
+    if (ret) {
+      ret = { psk: ret.psk, identity: ret.identity };
+
+      if (!typeof ret.psk === 'string') {
+        throw new ERR_INVALID_ARG_TYPE('psk', ['string']);
+      }
+      if (ret.psk.length / 2 > maxPskLen) {
+        throw new ERR_ASSERTION(`Pre-shared key exceeds ${maxPskLen} bytes`);
+      }
+
+      // Only set for the client callback, which must provide an identity.
+      if (maxIdentLen) {
+        if (typeof ret.identity !== 'string') {
+          throw new ERR_INVALID_ARG_TYPE('identity', 'string');
+        }
+        if (ret.identity.length > maxIdentLen) {
+          throw new ERR_ASSERTION(`PSK identity exceeds ${maxIdentLen} bytes`);
+        }
+      }
+    }
+
+    return ret;
+  };
+}
+
+function ecdhCurveWarning() {
+  if (ecdhCurveWarning.emitted) return;
+  process.emitWarning('{ ecdhCurve: false } is deprecated.',
+                      'DeprecationWarning',
+                      'DEP0083');
+  ecdhCurveWarning.emitted = true;
+}
+ecdhCurveWarning.emitted = false;
+
+function onpskexchange(pskCallback) {
+  return (identity, maxPskLen, maxIdentLen) => {
+    let ret = pskCallback(identity);
+    if (typeof ret !== 'object' || ret == null) {
+      ret = undefined;
+    }
+
+    if (ret) {
+      ret = { psk: ret.psk, identity: ret.identity };
+
+      if (!typeof ret.psk === 'string') {
+        throw new ERR_INVALID_ARG_TYPE('psk', ['string']);
+      }
+      if (ret.psk.length / 2 > maxPskLen) {
+        throw new ERR_ASSERTION(
+          `Pre-shared key exceeds ${maxPskLen} bytes`
+        );
+      }
+
+      // Only set for the client callback, which must provide an identity.
+      if (maxIdentLen) {
+        if (typeof ret.identity !== 'string') {
+          throw new ERR_INVALID_ARG_TYPE('identity',
+                                         'string');
+        }
+        if (ret.identity.length > maxIdentLen) {
+          throw new ERR_ASSERTION(
+            `PSK identity exceeds ${maxIdentLen} bytes`
+          );
+        }
+      }
+    }
+
+    return ret;
+  };
+}
 
 exports.createSecureContext = function createSecureContext(options, context) {
   if (!options) options = {};
@@ -161,6 +239,29 @@ exports.createSecureContext = function createSecureContext(options, context) {
     }
   }
 
+  if (options.pskCallback && c.context.enablePskCallback) {
+    if (typeof options.pskCallback !== 'function') {
+      throw new ERR_INVALID_ARG_TYPE('pskCallback',
+                                     'function',
+                                     options.pskCallback);
+    }
+
+    c.context.onpskexchange = onpskexchange(options.pskCallback);
+    c.context.enablePskCallback();
+
+    if (options.pskIdentityHint) {
+      if (typeof options.pskIdentityHint !== 'string') {
+        throw new ERR_INVALID_ARG_TYPE(
+          'options.pskIdentityHint',
+          'string',
+          options.pskIdentityHint
+        );
+      }
+
+      c.context.setPskIdentity(options.pskIdentityHint);
+    }
+  }
+
   if (options.sessionIdContext) {
     c.context.setSessionIdContext(options.sessionIdContext);
   }

lib/_tls_wrap.js

@@ -689,7 +689,7 @@ TLSSocket.prototype.getCipher = function(err) {
   return null;
 };
 
-// TODO: support anonymous (nocert) and PSK
+// TODO: support anonymous (nocert)
 
 
 function onSocketSecure() {
@@ -846,6 +846,8 @@ function Server(options, listener) {
     dhparam: this.dhparam,
     secureProtocol: this.secureProtocol,
     secureOptions: this.secureOptions,
+    pskCallback: this.pskCallback,
+    pskIdentityHint: this.pskIdentityHint,
     honorCipherOrder: this.honorCipherOrder,
     crl: this.crl,
     sessionIdContext: this.sessionIdContext
@@ -934,6 +936,8 @@ Server.prototype.setOptions = function(options) {
   else
     this.honorCipherOrder = true;
   if (secureOptions) this.secureOptions = secureOptions;
+  if (options.pskIdentityHint) this.pskIdentityHint = options.pskIdentityHint;
+  if (options.pskCallback) this.pskCallback = options.pskCallback;
   if (options.ALPNProtocols)
     tls.convertALPNProtocols(options.ALPNProtocols, this);
   if (options.sessionIdContext) {

src/env.h

@@ -154,6 +154,8 @@ struct PackageConfig {
   V(duration_string, "duration")                                              \
   V(emit_warning_string, "emitWarning")                                       \
   V(exchange_string, "exchange")                                              \
+  V(identity_string, "identity")                                              \
+  V(enablepush_string, "enablePush")                                          \
   V(encoding_string, "encoding")                                              \
   V(entries_string, "entries")                                                \
   V(entry_type_string, "entryType")                                           \
@@ -223,6 +225,7 @@ struct PackageConfig {
   V(onmessage_string, "onmessage")                                            \
   V(onnewsession_string, "onnewsession")                                      \
   V(onocspresponse_string, "onocspresponse")                                  \
+  V(onpskexchange_string, "onpskexchange")                                    \
   V(ongoawaydata_string, "ongoawaydata")                                      \
   V(onorigin_string, "onorigin")                                              \
   V(onpriority_string, "onpriority")                                          \
@@ -257,6 +260,7 @@ struct PackageConfig {
   V(promise_string, "promise")                                                \
   V(pubkey_string, "pubkey")                                                  \
   V(query_string, "query")                                                    \
+  V(psk_string, "psk")                                                        \
   V(raw_string, "raw")                                                        \
   V(read_host_object_string, "_readHostObject")                               \
   V(readable_string, "readable")                                              \