-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unknown PSK Identity and Bad PSK should be both handled in a same way #605
Conversation
@@ -689,7 +689,7 @@ private void createCertificateRequest(final ClientHello clientHello, final DTLSF | |||
if (psk == null) { | |||
throw new HandshakeException( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be academic, but wasn't the discussion, that in this case, a random secret is assumed to "fake" the calculation times?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we don't answer at all, there is no calculation time to detect.
But if we had chosen to send "decrypt_error" alert, we should have to do something like this. (I mean fake calculation)
This is one of the reason which make this solution simple to implement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:-). If we do a parallel handshake, we may see the difference there :-).
// In production both should be silently ignored : https://bugs.eclipse.org/bugs/show_bug.cgi?id=533258 | ||
if (AlertDescription.UNKNOWN_PSK_IDENTITY != description) { | ||
terminateOngoingHandshake(record.getPeerAddress(), cause, description); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add return to skip discardRecord
?
Otherwise the log may be irritating.
cafb172
to
b25bfd5
Compare
b25bfd5
to
74965dc
Compare
LGTM |
This PR aims to fix this issue : https://bugs.eclipse.org/bugs/show_bug.cgi?id=533258.
An "unknown PSK identity" will be ignored as a "bad PSK".