diff options
author | Benjamin Kaduk <bkaduk@akamai.com> | 2021-03-29 21:27:49 -0700 |
---|---|---|
committer | Benjamin Kaduk <bkaduk@akamai.com> | 2021-05-14 11:40:21 -0700 |
commit | df1fd3c986f5a58b6dc87d2c4bb565a8f1e688fa (patch) | |
tree | bf1f95652f64cb69f435fae9324b6fe6ff0e466f /ssl | |
parent | 5d88a9c62c81e38918becae96a842986e2e0940e (diff) |
Don't send key_share for PSK-only key exchange
TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes.
Only the latter mode introduces a new ephemeral (Diffie-Hellman)
key exchange, with the PSK being the only key material used in the
former case.
It's a compliance requirement of RFC 8446 that the server MUST NOT
send a KeyShareEntry when using the "psk_ke" mode, but prior to
this commit we would send a key-share based solely on whether the
client sent one. This bug goes unnoticed in our internal test suite
since openssl communicating with openssl can never negotiate the
PSK-only key-exchange mode. However, we should still be compliant
with the spec, so check whether the DHE mode was offered and don't
send a key-share if it wasn't.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc)
(Merged from https://github.com/openssl/openssl/pull/15255)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_srvr.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 3c7395c0eb..90e8bce19b 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1714,6 +1714,13 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, } return EXT_RETURN_NOT_SENT; } + if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) { + /* + * PSK ('hit') and explicitly not doing DHE (if the client sent the + * DHE option we always take it); don't send key share. + */ + return EXT_RETURN_NOT_SENT; + } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) |