openssl/openssl
Auf GitHub ansehenWhen both psk_ke and psk_dhe_ke exist, there is no verification whether the "key_share" exists.
Open
#25.124 geöffnet am 7. Aug. 2024
help wantedtriaged: bug
Repository-Metriken
- Stars
- (30.157 Stars)
- PR-Merge-Metriken
- (Keine gemergten PRs in 30 T)
Beschreibung
version:3.0.9
I have found that when the client extension is configured as follows, the server will choose the "psk_ke" mode for the handshake
- signature_algorithms
- supported_versions
- psk_key_exchange_modes: psk_dhe_ke, psk_ke
- supported_groups
- psk
There are two problems here. according to rfc8446-4.2.9:
psk_dhe_ke: PSK with (EC)DHE key establishment. In this mode, the client and server MUST supply "key_share" values as described in Section 4.2.8.
- The psk_key_exchange_modes extension contains psk_dhe_ke, but the extension does not contain key_share. It seems that the server should abort the handshake
according to rfc8446-9.2:
If containing a "supported_groups" extension, it MUST also contain a "key_share" extension, and vice versa. An empty KeyShare.client_shares vector is permitted.
- because "psk_ke" mode is available. The association between supported_groups and key_share is not verified.