RFC 8446, 4.2.9:
   A client MUST provide a "psk_key_exchange_modes" extension if it
   offers a "pre_shared_key" extension.  If clients offer
   "pre_shared_key" without a "psk_key_exchange_modes" extension,
   servers MUST abort the handshake.

The check below will make servers abort the handshake with a
missing_extension alert. Since we don't support these extensions
(i.e., we ignore them), this is currently a noop.

Index: tls13_server.c
===================================================================
RCS file: /cvs/src/lib/libssl/tls13_server.c,v
retrieving revision 1.96
diff -u -p -r1.96 tls13_server.c
--- tls13_server.c      3 Feb 2022 16:33:12 -0000       1.96
+++ tls13_server.c      31 May 2022 13:02:49 -0000
@@ -108,10 +108,15 @@ tls13_client_hello_required_extensions(s
         */
 
        /*
-        * If we got no pre_shared_key, then signature_algorithms and
-        * supported_groups must both be present.
+        * RFC 8446, 4.2.9: if we got a pre_shared_key, then we also need
+        * psk_key_exchange_modes. Otherwise, section 9.2 specifies that we
+        * need both signature_algorithms and supported_groups.
         */
-       if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
+       if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
+               if (!tlsext_extension_seen(s,
+                   TLSEXT_TYPE_psk_key_exchange_modes))
+                       return 0;
+       } else {
                if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
                        return 0;
                if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
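Review bot: the new `if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key))` branch makes the 4.2.9 check and the signature_algorithms/supported_groups check mutually exclusive, but RFC 8446 9.2 requires supported_groups for any ClientHello using DHE or ECDHE, which includes a PSK offer in psk_dhe_ke mode; as written, a ClientHello carrying pre_shared_key and psk_key_exchange_modes but no supported_groups passes this function. That is harmless while the PSK extensions are ignored, as the message says, but if PSK support lands, the supported_groups requirement from the else branch should also be applied when the offered modes include psk_dhe_ke, and a comment to that effect next to the new block would save the next reader the lookup.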
