
External PSK mode #1

Open. Wants to merge 16 commits into master.

Conversation

sshock (Owner) commented Jul 18, 2023

Based on h2o#321 with the following changes:

  • Rebased against latest master
  • Resolved conflicts
  • Fixed several PSK issues

sshock (Owner, Author) commented Jul 18, 2023

These are two changes to lib/picotls.c found in the original PR that are not included in this PR. I don't know if they are needed, as they resulted in a merge conflict and I was unable to find the corresponding location where they should go in the latest code:

lost 1

lost 2

From RFC 8446 section 4.2.11:
   For externally established PSKs, the Hash algorithm MUST be set when
   the PSK is established or default to SHA-256 if no such algorithm is
   defined.
Still default to SHA-256 for the hash, but make it configurable.

Be sure to use the same cipher suite on both the client and the server
(note technically the client only uses the hash alg of it, unless there is early data).

Server should not send early data indicator unless the client sent an
early data indicator.

Use configured cipher, or default to a SHA-256 one.

Note: here we've hard-coded PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 for the default,
but any SHA256 one could be chosen (unless the client is sending early data,
but in that case both endpoints need to specify it explicitly, not rely on default).
From TLS 1.3 RFC 8446 section 4.2.10:
   The PSK used to encrypt the
   early data MUST be the first PSK listed in the client's
   "pre_shared_key" extension.

I noticed that later on in the code it only sets up the tls->pending_handshake_secret when
accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0,
so perhaps we don't need to do a check here, but I think it is still
good to check it in the psk handshake.
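Added worked example (not picotls code and not part of this PR): the TLS 1.3 PSK binder derivation from RFC 8446 section 4.2.11.2 in plain Python, which is why the commit messages above insist that the hash algorithm of an externally established PSK is agreed on both sides (SHA-256 by default). The binder is an HMAC over the truncated ClientHello with keys expanded from the PSK using the PSK's hash, so a server configured with a different hash cannot validate it. The PSK value and the ClientHello bytes are constructed placeholders, and the function names are the example's own.

```python
"""TLS 1.3 PSK binder derivation (RFC 8446 sections 4.2.11.2 and 7.1).

Added example, not picotls code. Standard library only; all inputs are constructed.
"""
import hashlib
import hmac


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(1) || T(2) || ... truncated to length bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length too large for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(hash_name: str, secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1): HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(hash_name, secret, hkdf_label, length)


def derive_secret(hash_name: str, secret: bytes, label: str, messages: bytes) -> bytes:
    """Derive-Secret (RFC 8446 section 7.1): context is Transcript-Hash(messages)."""
    transcript_hash = hashlib.new(hash_name, messages).digest()
    return hkdf_expand_label(hash_name, secret, label, transcript_hash, len(transcript_hash))


def psk_binder(hash_name: str, psk: bytes, truncated_client_hello: bytes, external: bool = True) -> bytes:
    """PskBinderEntry for one PSK (RFC 8446 section 4.2.11.2).

    Early Secret = HKDF-Extract(0, PSK)              -- "0" is Hash.length zero bytes
    binder_key   = Derive-Secret(Early Secret, "ext binder" or "res binder", "")
    finished_key = HKDF-Expand-Label(binder_key, "finished", "", Hash.length)
    binder       = HMAC(finished_key, Transcript-Hash(Truncate(ClientHello)))
    Every step uses the hash bound to the PSK, hence the need to agree on it.
    """
    hash_len = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(hash_name, b"\x00" * hash_len, psk)
    binder_key = derive_secret(hash_name, early_secret, "ext binder" if external else "res binder", b"")
    finished_key = hkdf_expand_label(hash_name, binder_key, "finished", b"", hash_len)
    transcript_hash = hashlib.new(hash_name, truncated_client_hello).digest()
    return hmac.new(finished_key, transcript_hash, hash_name).digest()


def verify_psk_binder(hash_name: str, psk: bytes, truncated_client_hello: bytes, binder: bytes) -> bool:
    """Server-side check: recompute with the server's configured hash and compare in constant time."""
    expected = psk_binder(hash_name, psk, truncated_client_hello)
    return hmac.compare_digest(expected, binder)


# Constructed inputs (placeholders, not from any real handshake or from the PR).
EXTERNAL_PSK = bytes(range(32))
# ClientHello up to, but not including, the binders list; contents are arbitrary here.
CLIENT_HELLO_PREFIX = b"\x01\x00\x00\x80\x03\x03" + b"\x42" * 32 + b"constructed-client-hello-body"


if __name__ == "__main__":
    # Client and server both configured for the SHA-256 default: the binder validates.
    binder = psk_binder("sha256", EXTERNAL_PSK, CLIENT_HELLO_PREFIX)
    print("binder (sha256):", binder.hex())
    print("server with sha256 accepts:", verify_psk_binder("sha256", EXTERNAL_PSK, CLIENT_HELLO_PREFIX, binder))
    # Server mistakenly configured with a SHA-384 suite for the same PSK: the binder fails.
    print("server with sha384 accepts:", verify_psk_binder("sha384", EXTERNAL_PSK, CLIENT_HELLO_PREFIX, binder))
```

The HKDF primitives are the generic RFC 5869 ones, so they can be checked against that RFC's published test vectors; the binder itself is checked only for its structural properties (digest-sized output, validation succeeding with the matching hash and failing with any other hash, PSK or binder type).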