rozbb
Missing `VerifyPSKInputs` check in the key schedule
According to RFC 9180 section 5.1, the first step of the KeySchedule() function is to run the validation function VerifyPSKInputs(), which checks that:
pskandpsk_idare either both empty or both non-empty,- they are not empty in PSK mode (and they are empty in non-PSK mode).
These checks are emphasized with "MUST" language:
The psk and psk_id fields MUST appear together or not at all. That is, if a non-default value is provided for one of them, then the other MUST be set to a non-default value. This requirement is encoded in VerifyPSKInputs() below.
In the hpke crate, the RFC pseudo-code is pasted as comment for the derive_enc_ctx() function ; however I didn't see the VerifyPSKInputs() check implemented in the function body.
As far as I can tell, the hpke crate represents the PSK state as part of the PskBundle struct, which has public fields (https://github.com/rozbb/rust-hpke/blob/main/src/op_mode.rs). Given that these fields are public, it may be fine to let the user bear the responsibility of setting consistent (i.e. non-empty) values, but the documentation doesn't look strong enough (it mentions "psk MUST contain at least 32 bytes of entroy", but gives no requirement for psk_id).
In any case, adding a check within derive_enc_ctx() and either returning an error or panicking in case the PSK bundle is invalid would be good defense in depth.
This is a great point, thank you! It might be a breaking change. I can draft this this weekend
Housekeeping question -- was this issue addressed by https://github.com/rozbb/rust-hpke/pull/72?
