forked from h2o/picotls
External PSK mode #1
Open
sshock wants to merge 16 commits into master from plh/psk
Conversation
Design of picotls is based on the assumption that PSK-based handshake will not be used together with HRR.
…cept (ec)dhe + external_psk + resumption
These two changes to lib/picotls.c found in the original PR are not included in this PR. I don't know if they are needed, as they resulted in a merge conflict and I was unable to find the corresponding location where they should go in the latest code:
From RFC 8446 section 4.2.11: For externally established PSKs, the Hash algorithm MUST be set when the PSK is established or default to SHA-256 if no such algorithm is defined.
Still default to SHA-256 for the hash, but make it configurable. Be sure to use the same cipher suite on both the client and the server (note that technically the client only uses its hash algorithm, unless there is early data).
Server should not send early data indicator unless the client sent an early data indicator.
Use the configured cipher suite, or default to a SHA-256 one. Note: here we've hard-coded PTLS_CIPHER_SUITE_AES_128_GCM_SHA256 for the default, but any SHA-256 one could be chosen (unless the client is sending early data, but in that case both endpoints need to specify it explicitly, not rely on the default).
From TLS 1.3 RFC 8446 section 4.2.10: The PSK used to encrypt the early data MUST be the first PSK listed in the client's "pre_shared_key" extension. I noticed that later on in the code it only sets up the tls->pending_handshake_secret when accept_early_data && tls->ctx->max_early_data_size != 0 && psk_index == 0, so perhaps we don't need to do a check here, but I think it is still good to check it in the psk handshake.
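The review comments above turn on two RFC 8446 rules: the hash bound to an external PSK fixes which cipher suite (and binder derivation) is valid, and early data may only ride on the first PSK the client offers, and only if the client indicated early data. The following is an added, stand-alone Python model of those rules written for this page; it is not picotls code and uses none of picotls' API. The HKDF and binder derivation follow RFC 8446 sections 4.2.11.2, 4.4.4 and 7.1 exactly; everything else (the `ClientHello` dict, the `client_hello`/`server_accept_psk` helpers, the identity `device-42`, the constructed PSK bytes and the two-entry cipher-suite table) is an assumption made for the example.

```python
"""Model of RFC 8446 external-PSK selection: hash binding and the first-PSK early-data rule.

Added example for illustration; not picotls code. Only hashlib/hmac from the stdlib are used.
"""
import hashlib
import hmac
import struct

# Constructed table: only the hash of a suite matters for PSK selection and binder checking.
CIPHER_SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
}
# RFC 8446 4.2.11: an external PSK without an explicitly provisioned hash defaults to SHA-256.
DEFAULT_PSK_HASH = "sha256"


def hkdf_extract(hash_name, salt, ikm):
    """HKDF-Extract (RFC 5869); an empty salt means a string of HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand_label(hash_name, secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446 7.1): HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand, T(i) = HMAC(secret, T(i-1) || info || i)
        block = hmac.new(secret, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def external_psk_binder(hash_name, psk, truncated_client_hello):
    """PSK binder for an external PSK, computed under the hash bound to that PSK.

    early_secret = HKDF-Extract(0, PSK); binder_key = Derive-Secret(early_secret, "ext binder", "");
    finished_key = HKDF-Expand-Label(binder_key, "finished", "", HashLen);
    binder = HMAC(finished_key, Transcript-Hash(Truncate(ClientHello))).
    """
    hlen = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(hash_name, b"", psk)
    empty_transcript = hashlib.new(hash_name, b"").digest()
    binder_key = hkdf_expand_label(hash_name, early_secret, b"ext binder", empty_transcript, hlen)
    finished_key = hkdf_expand_label(hash_name, binder_key, b"finished", b"", hlen)
    transcript = hashlib.new(hash_name, truncated_client_hello).digest()
    return hmac.new(finished_key, transcript, hash_name).digest()


def client_hello(identities, psks, hash_name, early_data):
    """Constructed ClientHello model (assumption): one binder per offered identity, all under hash_name."""
    truncated = b"ClientHello|" + b",".join(identities)  # stands in for Truncate(ClientHello)
    binders = [external_psk_binder(hash_name, k, truncated) for k in psks]
    return {"identities": identities, "binders": binders, "truncated": truncated, "early_data": early_data}


def server_accept_psk(hello, server_identity, server_psk, server_suite,
                      psk_hash=DEFAULT_PSK_HASH, max_early_data_size=0):
    """Return (selected psk index or None, whether early data is accepted).

    A PSK whose hash differs from the selected suite's hash is not selected (full handshake instead).
    A present-but-invalid binder aborts the handshake (RFC 8446 4.2.11). Early data is accepted only
    if the client sent early_data, the selected PSK is the first one offered (4.2.10) and the server
    permits early data at all.
    """
    if CIPHER_SUITE_HASH[server_suite] != psk_hash:
        return None, False
    if server_identity not in hello["identities"]:
        return None, False
    idx = hello["identities"].index(server_identity)
    expected = external_psk_binder(psk_hash, server_psk, hello["truncated"])
    if not hmac.compare_digest(expected, hello["binders"][idx]):
        raise ValueError("PSK binder does not verify: wrong key or hash mismatch between peers")
    early = bool(hello["early_data"]) and idx == 0 and max_early_data_size != 0
    return idx, early


if __name__ == "__main__":
    psk = b"\x11" * 32  # constructed key material, not a real credential
    hello = client_hello([b"device-42"], [psk], "sha256", early_data=True)
    print(server_accept_psk(hello, b"device-42", psk, "TLS_AES_128_GCM_SHA256", max_early_data_size=16384))
```

The hash-mismatch path is the one the comments warn about: if the client derives its binder under SHA-384 while the server's external PSK silently defaults to SHA-256, the binder is simply wrong and the handshake aborts, which is why both endpoints must be configured explicitly rather than relying on the default whenever anything other than a SHA-256 suite (or early data) is in play.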
Based on h2o#321 with the following changes: