authorMarkus Minichmayr <markus@tapkey.com>2023-11-21 20:42:12 +0100
committerMatt Caswell <matt@openssl.org>2023-11-24 15:08:04 +0000
commitb8590b2f365a963965d799c438c5c92659c2fcae (patch)
treebc6575840fa2b8b3e6ac4c4fb1bc71832a308368 /ssl/statem
parent40a24c20a809916b43116c2bb16a36bdc40221f3 (diff)
Add option `SSL_OP_PREFER_NO_DHE_KEX`, allowing the server to prefer non-dhe psk key exchange over psk with dhe (config file option `PreferNoDHEKEX`, server option `prefer_no_dhe_kex`).
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22794)
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/extensions.c17
-rw-r--r--ssl/statem/extensions_srvr.c21
2 files changed, 30 insertions, 8 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 0a64ca2246..e77ab2f3e5 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1393,7 +1393,8 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
* the client sent a key_share extension
* AND
* (we are not resuming
- * OR the kex_mode allows key_share resumes)
+ * OR (the kex_mode allows key_share resumes
+ * AND (kex_mode doesn't allow non-dh resumes OR non-dh is not preferred)))
* AND
* a shared group exists
* THEN
@@ -1428,10 +1429,18 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
}
} else {
/* No suitable key_share */
+
+ /* Do DHE PSK? */
+ int dhe_psk =
+ /* kex_mode allows key_share resume */
+ (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) != 0)
+
+ /* and psk-only is not available or not explicitly preferred */
+ && ((((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)
+ || (s->options & SSL_OP_PREFER_NO_DHE_KEX) == 0)));
+
if (s->hello_retry_request == SSL_HRR_NONE && sent
- && (!s->hit
- || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
- != 0)) {
+ && (!s->hit || dhe_psk)) {
const uint16_t *pgroups, *clntgroups;
size_t num_groups, clnt_num_groups, i;
unsigned int group_id = 0;
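Review bot: The comments on `dhe_psk` at the top of the else branch describe the condition but not what the option costs. When the client offers both psk_ke and psk_dhe_ke and `SSL_OP_PREFER_NO_DHE_KEX` is set, the resumed handshake skips the (EC)DHE exchange, so the resumed session's keys have no forward secrecy if the PSK or ticket key is later disclosed. I would extend the second inner comment to `/* and psk-only is not available or not explicitly preferred (preferring it gives up forward secrecy on resumption) */`. The same decision is written a second time, in inverted form, in the `s->hit` branch of `tls_construct_stoc_key_share` in extensions_srvr.c, so one shared predicate used by both would be safer than two hand-maintained copies. `final_key_share` begins and ends outside this hunk.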
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 64ccb3ed6d..2d28ea3b3d 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1645,12 +1645,25 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
}
return EXT_RETURN_NOT_SENT;
}
- if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
+ if (s->hit) {
+ /* PSK ('hit') */
+
/*
- * PSK ('hit') and explicitly not doing DHE (if the client sent the
- * DHE option we always take it); don't send key share.
+ * If we're doing PSK ('hit') but the client doesn't support psk-dhe,
+ * we don't need to send a key share.
*/
- return EXT_RETURN_NOT_SENT;
+ if ((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
+ return EXT_RETURN_NOT_SENT;
+
+ /*
+ * If both, psk_ke and psk_dh_ke are available, we do psk_dh_ke and
+ * send a key share by default, but not if the server is explicitly
+ * configured to prefer psk_ke.
+ */
+ if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
+ && ((s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0)) {
+ return EXT_RETURN_NOT_SENT;
+ }
}
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)