-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PSK identity length check - tinydtls binding #708
Comments
The issue here is that tinydtls treats the PSK identity as opaque data, following Section 4.2 of RFC 7925, whereas other TLS implementations such as OpenSSL and GnuTLS treat it as human-readable data that can be represented as zero-terminated string. As a result, liibcoap's wrapper code adds a zero-byte at the end of the PSK identity (see lines 259—262). |
My feeling: |
Yes, within |
In general, There was a debate about whether I agree that a warning about oversize should be printed, an exact length match should be allowed, but then only return back the first part of identity if TinyDTLS does not provide sufficient buffer space rather than no identity at all. |
libcoap: v4.3.0-rc4 (tinydtls binding):
Using a PSK identity with the exact maximum supported length fails with an empty identity in the client_key_exchange message. The check in
coap_tinydtls
-get_psk_info
uses
>=
. Though tinydtls seems not to use a zero-terminated string representation indtls_handshake_parameters_psk_t.identity
, that compare may be relaxed to>
to support identities up to the requested limit. Additionaliy, such an overrun seems to be silently ignored, may be adding a diagnostic message make it easier to understand the behavior.The text was updated successfully, but these errors were encountered: