I'm working on RFC9258 support in OpenSSL, and taking the time to try to
understand as much as I can about TLS 1.3 PSKs in general.

One thing that's a bit puzzling is what appears to be a stricter
requirement around the PSK (slot 0) ciphersuite when early
data is being negotiated:

    https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.10
    ...
    In order to accept early data, the server MUST have accepted a PSK
    cipher suite and selected the first key offered in the client's
    "pre_shared_key" extension.  In addition, it MUST verify that the
    following values are the same as those associated with the
    selected PSK:
  
    -  The TLS version number
  
    -  The selected cipher suite
  
    -  The selected ALPN [RFC7301] protocol, if any
  
    These requirements are a superset of those needed to perform a 1-RTT
    handshake using the PSK in question.  For externally established
    PSKs, the associated values are those provisioned along with the key.
    For PSKs established via a NewSessionTicket message, the associated
    values are those negotiated in the connection during which the ticket
    was established.

Now the selected (1-RTT) ciphersuite does not actually come into effect
until after early_data has been consumed, and the 0-RTT cipher suite
could just be whatever was baked into the PSK (with just the digest
(KDF) needing to match the 1-RTT choice in order for the PSK to be
acceptable.

With the 0-RTT keys independent of the 1-RTT keys, why must the full
0-RTT cipher suite match the 1-RTT cipher suite that comes into effect
only later?  Or am I misinterpreting the requirement?

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to