Using an externally-provided PSK for post-quantum resistance
Good Day,
I am trying to find a way to specify an extra pre-shared key to be used as one of the inputs that generates the master secret at both sides of an OC tunnel (OpenConnect client & ocserv server). This will give the tunnel's encryption some post-quantum resistance.
My understanding from a mailing list contributor is that a mechanism like this (DHE_PSK) is already used for DTLS. I would like to extend this functionality to take an externally supplied PSK (e.g. a .key file copied to both sides out-of-band) and use it for both TCP and UDP tunnels.
The mailing list contributor also suggested a system to match usernames to PSKs to easily support multiple PSKs. Perhaps something analogous to ocpasswd could work for this.
Any help on implementing this would be greatly appreciated. I've included the mailing list chain as an attachment, with addresses removed.
Thank you!
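
As an added illustration (not part of the original post, and not OpenConnect or ocserv code): the Python below shows how a TLS/DTLS 1.2 DHE_PSK handshake folds a PSK into the master secret per RFC 4279 and RFC 5246, with a per-username PSK lookup. The `username:hexkey` file layout, the 256-bit minimum key length, the function names and all sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample: hypothetical username:hex-PSK store (not a real ocserv format).
PSK_FILE = """\
# user:hex-encoded PSK
alice:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
bob:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""

def load_psks(text):
    """Parse username:hexkey lines, rejecting duplicates and short keys."""
    table = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hexkey = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {n}: expected user:hexkey")
        key = bytes.fromhex(hexkey)  # raises ValueError on bad hex
        # Assumed policy: 256-bit keys, since Grover's algorithm
        # roughly halves the effective strength of a symmetric key.
        if len(key) < 32:
            raise ValueError(f"line {n}: PSK shorter than 256 bits")
        if user in table:
            raise ValueError(f"line {n}: duplicate user {user!r}")
        table[user] = key
    return table

def dhe_psk_premaster(z, psk):
    """RFC 4279 section 3: uint16 len(Z) || Z || uint16 len(PSK) || PSK."""
    return struct.pack("!H", len(z)) + z + struct.pack("!H", len(psk)) + psk

def p_sha256(secret, seed, length):
    """TLS 1.2 P_hash expansion (RFC 5246 section 5) with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(z, psk, client_random, server_random):
    """48-byte master secret; depends on both the DH value Z and the PSK."""
    pms = dhe_psk_premaster(z, psk)
    return p_sha256(pms, b"master secret" + client_random + server_random, 48)
```

Because the PSK is part of the premaster secret, recovering the Diffie-Hellman value Z alone is not enough to reproduce the master secret.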