external PSK mode #481
external PSK mode #481
Conversation
Design of picotls is based on the assumption that PSK-based handshake will not be used together with HRR.
…cept (ec)dhe + external_psk + resumption
From RFC 8446 section 4.2.11: For externally established PSKs, the Hash algorithm MUST be set when the PSK is established or default to SHA-256 if no such algorithm is defined.
Still default to SHA-256 for the hash, but make it configurable. Be sure to use the same cipher suite on both the client and the server (note technically the client only uses the hash alg of it, unless there is early data).
Server should not send early data indicator unless the client sent an early data indicator.
Use configured cipher, or default to a SHA-256 one. Note: here we've hard-coded PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 for the default, but any SHA256 one could be chosen (unless the client is sending early data, but in that case both endpoints need to specify it explicitly, not rely on default).
From TLS 1.3 RFC 8446 section 4.2.10: The PSK used to encrypt the early data MUST be the first PSK listed in the client's "pre_shared_key" extension. I noticed that later on in the code it only sets up the tls->pending_handshake_secret when accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0, so perhaps we don't need to do a check here, but I think it is still good to check it in the psk handshake.
|
Hi @kazuho. I'm seeing an unexpected behavior for no matching PSK identity in a scenario where there is no key share. In my testing earlier with mismatching PSK identity, the server would fail with a 115 UNKNOWN_PSK_IDENTITY as expected, as we fixed it here to do. However, in my latest testing I have no key share (ptls_context_t key_exchanges is set to NULL), and now instead of failing with 115 as expected, the server sends a This is happening around line 4633 in picotls.c, right after the I'm not sure what the right solution is, but it seems like maybe this block of code to fail with UNKNOWN_PSK_IDENTITY needs to be moved up (to right after the I'm not confident though because that is currently placed after a I'm hoping you can understand the proper way to fix this 🤞, thanks! |
|
Since my primary concern is security, I can live with this inconsistent behavior as long as it doesn't present a security vulnerability. That is, as long as the 2nd ClientHello attempt will fail, both with or without a key share. I just don't want a client to be able to trick a server into allowing an anonymous connection. If you can help me confirm this, that would make me feel a lot better. Then we can take our time thinking about the proper way to fix it, which I need your help with. Or if you believe this behavior is correct, please explain. The RFC says Hello Retry is when "it is able to find an acceptable set of parameters but the ClientHello does not contain sufficient information to proceed with the handshake." I just don't see how "no matching PSK identity" falls into this category, but only when key share is missing. |
…r handshake, and binder_key is derived from null message
Thank you for the patience. I've made some changes reducing differences from master so that this PR can be merged. I think I've fixed the bug alongside that. We also have tests that involve PSK + HRR. |
Thanks @kazuho ! I was able to confirm that it now fails properly with 115 on wrong psk identity, even with no key share. |
|
I also noticed that cli.c now helps set the psk_hash (a522cd9), thanks! |
Subsumes #321, sshock#1.
ToDo: