openssl/openssl

When both psk_ke and psk_dhe_ke exist, there is no verification whether the "key_share" exists.

Open

#25.124 geöffnet am 7. Aug. 2024

Auf GitHub ansehen
 (4 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C (11.262 Forks)batch import
help wantedtriaged: bug

Repository-Metriken

Stars
 (30.157 Stars)
PR-Merge-Metriken
 (Keine gemergten PRs in 30 T)

Beschreibung

version:3.0.9

I have found that when the client extension is configured as follows, the server will choose the "psk_ke" mode for the handshake

  • signature_algorithms
  • supported_versions
  • psk_key_exchange_modes: psk_dhe_ke, psk_ke
  • supported_groups
  • psk

There are two problems here. according to rfc8446-4.2.9:

psk_dhe_ke: PSK with (EC)DHE key establishment. In this mode, the client and server MUST supply "key_share" values as described in Section 4.2.8.

  1. The psk_key_exchange_modes extension contains psk_dhe_ke, but the extension does not contain key_share. It seems that the server should abort the handshake

according to rfc8446-9.2:

If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.

  1. because "psk_ke" mode is available. The association between supported_groups and key_share is not verified.

Contributor Guide