Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unknown PSK Identity and Bad PSK should be both handled in a same way #605

Merged
merged 3 commits into from
Apr 12, 2018
Merged

Unknown PSK Identity and Bad PSK should be both handled in a same way #605

merged 3 commits into from
Apr 12, 2018

Conversation

sbernard31
Copy link
Contributor

This PR aims to fix this issue : https://bugs.eclipse.org/bugs/show_bug.cgi?id=533258.

An "unknown PSK identity" will be ignored as a "bad PSK".

@sbernard31 sbernard31 mentioned this pull request Apr 9, 2018
Open
boaks
boaks reviewed Apr 9, 2018
View reviewed changes
scandium-core/src/main/java/org/eclipse/californium/scandium/dtls/ServerHandshaker.java
@@ -689,7 +689,7 @@ private void createCertificateRequest(final ClientHello clientHello, final DTLSF
if (psk == null) {
throw new HandshakeException(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be academic, but wasn't the discussion, that in this case, a random secret is assumed to "fake" the calculation times?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we don't answer at all, there is no calculation time to detect.

But if we had chosen to send "decrypt_error" alert, we should have to do something like this. (I mean fake calculation)

This is one of the reason which make this solution simple to implement.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:-). If we do a parallel handshake, we may see the difference there :-).

boaks
boaks reviewed Apr 9, 2018
View reviewed changes
scandium-core/src/main/java/org/eclipse/californium/scandium/DTLSConnector.java Outdated
// In production both should be silently ignored : https://bugs.eclipse.org/bugs/show_bug.cgi?id=533258
if (AlertDescription.UNKNOWN_PSK_IDENTITY != description) {
terminateOngoingHandshake(record.getPeerAddress(), cause, description);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add return to skip discardRecord?
Otherwise the log may be irritating.

@boaks
Copy link
Contributor

boaks commented Apr 11, 2018

LGTM

@sbernard31 sbernard31 merged commit 74965dc into 2.0.x Apr 12, 2018
@sbernard31 sbernard31 deleted the unknown_identity branch April 12, 2018 10:11
@sbernard31 sbernard31 mentioned this pull request Apr 13, 2018
Merged
@boaks boaks mentioned this pull request Sep 10, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boaks boaks boaks left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sbernard31 @boaks