According to RFC 9180 section 5.1, the first step of the KeySchedule() function is to run the validation function VerifyPSKInputs(), which checks that:
psk and psk_id are either both empty or both non-empty,
they are not empty in PSK mode (and they are empty in non-PSK mode).
These checks are emphasized with "MUST" language:
The psk and psk_id fields MUST appear together or not at all. That is, if a non-default value is provided for one of them, then the other MUST be set to a non-default value. This requirement is encoded in VerifyPSKInputs() below.
In the hpke crate, the RFC pseudo-code is pasted as a comment for the derive_enc_ctx() function; however, I didn't see the VerifyPSKInputs() check implemented in the function body.
As far as I can tell, the hpke crate represents the PSK state as part of the PskBundle struct, which has public fields (https://github.com/rozbb/rust-hpke/blob/main/src/op_mode.rs). Given that these fields are public, it may be fine to let the user bear the responsibility of setting consistent (i.e. non-empty) values, but the documentation doesn't look strong enough (it mentions "psk MUST contain at least 32 bytes of entropy", but gives no requirement for psk_id).
In any case, adding a check within derive_enc_ctx() and either returning an error or panicking in case the PSK bundle is invalid would be good defense in depth.
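As an added illustration of the check the issue asks for (example code, not from the hpke crate), this is a stand-alone Rust port of the RFC 9180 section 5.1 VerifyPSKInputs() pseudo-code; the `Mode` enum, `PskError` type and `verify_psk_inputs` function are assumptions of this example, and the final 32-byte length check goes beyond the RFC pseudo-code to enforce the minimum the crate documentation states for psk.

```rust
// Added example: a port of RFC 9180 section 5.1 VerifyPSKInputs().
// `Mode`, `PskError` and `verify_psk_inputs` are assumed names for this
// example; they are not items from the hpke crate.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Mode {
    Base,
    Psk,
    Auth,
    AuthPsk,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PskError {
    /// psk and psk_id were not both empty or both non-empty.
    InconsistentInputs,
    /// A PSK was supplied in a mode that does not use one (base, auth).
    UnexpectedPsk,
    /// The mode requires a PSK (psk, auth_psk) but none was supplied.
    MissingPsk,
    /// psk is shorter than the 32 bytes the crate docs require.
    PskTooShort,
}

/// The RFC's default_psk and default_psk_id are the empty string, so a
/// "non-default" value is simply a non-empty slice.
pub fn verify_psk_inputs(mode: Mode, psk: &[u8], psk_id: &[u8]) -> Result<(), PskError> {
    let got_psk = !psk.is_empty();
    let got_psk_id = !psk_id.is_empty();

    // psk and psk_id MUST appear together or not at all.
    if got_psk != got_psk_id {
        return Err(PskError::InconsistentInputs);
    }
    let mode_uses_psk = matches!(mode, Mode::Psk | Mode::AuthPsk);
    if got_psk && !mode_uses_psk {
        return Err(PskError::UnexpectedPsk);
    }
    if !got_psk && mode_uses_psk {
        return Err(PskError::MissingPsk);
    }
    // Beyond the RFC pseudo-code: the crate docs require at least 32 bytes of
    // entropy in psk; length is the only proxy for that a library can check.
    if got_psk && psk.len() < 32 {
        return Err(PskError::PskTooShort);
    }
    Ok(())
}
```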