Don't send key_share for PSK-only key exchange

TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes.
Only the latter mode introduces a new ephemeral (Diffie-Hellman)
key exchange, with the PSK being the only key material used in the
former case.

It's a compliance requirement of RFC 8446 that the server MUST NOT
send a KeyShareEntry when using the "psk_ke" mode, but prior to
this commit we would send a key-share based solely on whether the
client sent one.  This bug goes unnoticed in our internal test suite
since openssl communicating with openssl can never negotiate the
PSK-only key-exchange mode.  However, we should still be compliant
with the spec, so check whether the DHE mode was offered and don't
send a key-share if it wasn't.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 8462a67c1a8513d0e9f4a511f5961d740915bbe0..b2d7ff8f39c4ff3595b3f759c2592fc268aafb49 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1614,6 +1614,13 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
         }
         return EXT_RETURN_NOT_SENT;
     }
+    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
+        /*
+         * PSK ('hit') and explicitly not doing DHE (if the client sent the
+         * DHE option we always take it); don't send key share.
+         */
+        return EXT_RETURN_NOT_SENT;
+    }
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
             || !WPACKET_start_sub_packet_u16(pkt)