author | Markus Minichmayr <markus@tapkey.com> | 2023-11-21 20:42:12 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2023-11-24 15:08:04 +0000 |
commit | b8590b2f365a963965d799c438c5c92659c2fcae (patch) | |
tree | bc6575840fa2b8b3e6ac4c4fb1bc71832a308368 /ssl/statem | |
parent | 40a24c20a809916b43116c2bb16a36bdc40221f3 (diff) |
Add option `SSL_OP_PREFER_NO_DHE_KEX`, allowing the server to prefer non-dhe psk key exchange over psk with dhe (config file option `PreferNoDHEKEX`, server option `prefer_no_dhe_kex`).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22794)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions.c | 17 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 21 |
2 files changed, 30 insertions, 8 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 0a64ca2246..e77ab2f3e5 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1393,7 +1393,8 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
 * the client sent a key_share extension
 * AND
 * (we are not resuming
- * OR the kex_mode allows key_share resumes)
+ * OR (the kex_mode allows key_share resumes
+ * AND (kex_mode doesn't allow non-dh resumes OR non-dh is not preferred)))
 * AND
 * a shared group exists
 * THEN
@@ -1428,10 +1429,18 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
 }
 } else {
 /* No suitable key_share */
+
+ /* Do DHE PSK? */
+ int dhe_psk =
+ /* kex_mode allows key_share resume */
+ (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) != 0)
+
+ /* and psk-only is not available or not explicitly preferred */
+ && ((((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)
+ || (s->options & SSL_OP_PREFER_NO_DHE_KEX) == 0)));
+
 if (s->hello_retry_request == SSL_HRR_NONE && sent
- && (!s->hit
- || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
- != 0)) {
+ && (!s->hit || dhe_psk)) {
 const uint16_t *pgroups, *clntgroups;
 size_t num_groups, clnt_num_groups, i;
 unsigned int group_id = 0;
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 64ccb3ed6d..2d28ea3b3d 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
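Review bot: The comment on `dhe_psk` in the "No suitable key_share" branch of final_key_share (second hunk of ssl/statem/extensions.c) should state what is given up when the option wins: a resumption that falls back to psk_ke has no (EC)DHE contribution, so that session's keys depend on the PSK alone and it has no forward secrecy. I would add `/* With SSL_OP_PREFER_NO_DHE_KEX a resumption offering both modes uses psk_ke: no forward secrecy for that session */` above the declaration. The expression is also parenthesised unevenly: `(s->options & SSL_OP_PREFER_NO_DHE_KEX) == 0` has no enclosing pair while its sibling `((... & TLSEXT_KEX_MODE_FLAG_KE) == 0)` does, and the whole initialiser carries redundant outer pairs, which makes the `&&`/`||` grouping harder to audit. The function body starts and ends outside the hunk.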
@@ -1645,12 +1645,25 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
 }
 return EXT_RETURN_NOT_SENT;
 }
- if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
+ if (s->hit) {
+ /* PSK ('hit') */
+
 /*
- * PSK ('hit') and explicitly not doing DHE (if the client sent the
- * DHE option we always take it); don't send key share.
+ * If we're doing PSK ('hit') but the client doesn't support psk-dhe,
+ * we don't need to send a key share.
 */
- return EXT_RETURN_NOT_SENT;
+ if ((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
+ return EXT_RETURN_NOT_SENT;
+
+ /*
+ * If both, psk_ke and psk_dh_ke are available, we do psk_dh_ke and
+ * send a key share by default, but not if the server is explicitly
+ * configured to prefer psk_ke.
+ */
+ if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
+ && ((s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0)) {
+ return EXT_RETURN_NOT_SENT;
+ }
 }

 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) |
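Review bot: The two checks inside `if (s->hit)` repeat, in negated form, the `dhe_psk` decision this commit adds to final_key_share in ssl/statem/extensions.c, so the choice between psk_ke and psk_dhe_ke now lives in two files that must always agree. If they drift, one function could skip group selection while the other still sends or omits the key_share, so I would put the predicate in one helper in a header both files include and call it from both places; the helper name below is only a suggestion. The two new `if` statements also differ in brace style, which the single call removes. The diffstat shown is limited to ssl/statem, so no test is visible here; a case where the client offers both modes together with a usable key_share while the option is set is worth covering. The function body starts and ends outside the hunk.

```c
/* Proposed shared helper: 1 if a resumption should use psk_dhe_ke, else 0. */
static ossl_inline int resume_uses_dhe_kex(const SSL_CONNECTION *s)
{
    if ((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
        return 0; /* client did not offer psk_dhe_ke */
    /* psk_ke is chosen only when it is offered and explicitly preferred */
    return (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0
           || (s->options & SSL_OP_PREFER_NO_DHE_KEX) == 0;
}

/* … unchanged: earlier returns in tls_construct_stoc_key_share … */
    if (s->hit && !resume_uses_dhe_kex(s))
        return EXT_RETURN_NOT_SENT;
```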