feat: add post-HelloRetryRequest PSK support

Add UpdateOnHRR to allow PSK to recalculate its state using previously transcribed Client Hello's hash and client handshake state. Signed-off-by: Gaukas Wang <i@gaukas.wang>
2025-04-04 20:47:36 +03:00 · 2024-07-16 02:15:04 -06:00 · 2024-07-16 02:15:04 -06:00 · 888b9cb09d
commit 888b9cb09d
parent 841ef93712
3 changed files with 99 additions and 12 deletions
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@ -14,6 +14,7 @@ import (
 	"errors"
 	"fmt"
 	"hash"
+	"log"
 	"time"

 	"github.com/cloudflare/circl/kem"
@ -410,11 +411,6 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 	// and utlsExtensionPadding are supposed to change
 	if hs.uconn != nil {
 		if hs.uconn.ClientHelloID != HelloGolang {
-			if len(hs.hello.pskIdentities) > 0 {
-				// TODO: wait for someone who cares about PSK to implement
-				return errors.New("uTLS does not support reprocessing of PSK key triggered by HelloRetryRequest")
-			}
-
 			keyShareExtFound := false
 			for _, ext := range hs.uconn.Extensions {
 				// new ks seems to be generated either way
@ -459,6 +455,22 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 			if err := hs.uconn.MarshalClientHello(); err != nil {
 				return err
 			}
+
+			if len(hs.hello.pskIdentities) > 0 {
+				for _, ext := range hs.uconn.Extensions {
+					if psk, ok := ext.(PreSharedKeyExtension); ok {
+						if err := psk.UpdateOnHRR(chHash, hs, c.config.time()); err != nil {
+							hs.uconn.HandshakeState.Hello.PskIdentities = nil
+							hs.uconn.HandshakeState.Hello.PskBinders = nil
+							log.Printf("[Error] PreSharedKeyExtension.UpdateOnHRR failed: %v", err)
+						} else {
+							psk.PatchBuiltHello(hs.uconn.HandshakeState.Hello)
+						}
+						break
+					}
+				}
+			}
+
 			hs.hello.raw = hs.uconn.HandshakeState.Hello.Raw
 		}
 	}