mirror of
https://github.com/openssl/openssl.git
synced 2025-01-18 13:44:20 +08:00
e776858bce
TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes. Only the latter mode introduces a new ephemeral (Diffie-Hellman) key exchange, with the PSK being the only key material used in the former case. It's a compliance requirement of RFC 8446 that the server MUST NOT send a KeyShareEntry when using the "psk_ke" mode, but prior to this commit we would send a key-share based solely on whether the client sent one. This bug goes unnoticed in our internal test suite since openssl communicating with openssl can never negotiate the PSK-only key-exchange mode. However, we should still be compliant with the spec, so check whether the DHE mode was offered and don't send a key-share if it wasn't. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14749) |
||
|---|---|---|
| .. | ||
| record | ||
| statem | ||
| bio_ssl.c | ||
| build.info | ||
| d1_lib.c | ||
| d1_msg.c | ||
| d1_srtp.c | ||
| ktls.c | ||
| methods.c | ||
| pqueue.c | ||
| s3_cbc.c | ||
| s3_enc.c | ||
| s3_lib.c | ||
| s3_msg.c | ||
| ssl_asn1.c | ||
| ssl_cert_table.h | ||
| ssl_cert.c | ||
| ssl_ciph.c | ||
| ssl_conf.c | ||
| ssl_err_legacy.c | ||
| ssl_err.c | ||
| ssl_init.c | ||
| ssl_lib.c | ||
| ssl_local.h | ||
| ssl_mcnf.c | ||
| ssl_rsa_legacy.c | ||
| ssl_rsa.c | ||
| ssl_sess.c | ||
| ssl_stat.c | ||
| ssl_txt.c | ||
| ssl_utst.c | ||
| sslerr.h | ||
| t1_enc.c | ||
| t1_lib.c | ||
| t1_trce.c | ||
| tls13_enc.c | ||
| tls_depr.c | ||
| tls_srp.c | ||