Treat an unknown PSK identity the same way as a binder validation failure
authorMatt Caswell <matt@openssl.foundation>
Tue, 21 Apr 2026 16:34:55 +0000 (17:34 +0100)
committerNorbert Pocs <norbertp@openssl.org>
Wed, 13 May 2026 07:38:10 +0000 (09:38 +0200)
Doing things this way removes the possibility of an attacker probing for
valid PSK identities as described in Appendix E.6 of RFC8446. This only
makes a difference in a PSK only server configuration. The signal will still
exist if the server can fallback to a full handshake.

Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 13 07:38:32 2026
(Merged from https://github.com/openssl/openssl/pull/31026)

ssl/statem/extensions_srvr.c

index b91be0a52f2531fb0c20b59fb6801ebd3b78a1d7..de09706ab6783e3c3458f160eb7f31296456c4f0 100644 (file)
@@ -1533,8 +1533,24 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
         break;
     }
 
-    if (sess == NULL)
-        return 1;
+    if (sess == NULL) {
+        size_t j;
+
+        for (j = 0; j < s->ssl_pkey_num && !ssl_has_cert(s, (int)j); j++)
+            ;
+        if (j < s->ssl_pkey_num) {
+            /* A certificate exists. Fallback to a full handshake */
+            return 1;
+        }
+        /*
+         * decrypt_error here to keep the alert the same as if the binder
+         * failed. See RFC8446 Appendix E.6. Note we make no attempt to do this
+         * in constant time compared to verifying the binder. None of this code
+         * is constant time anyway.
+         */
+        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_EXTENSION);
+        goto err;
+    }
 
     binderoffset = PACKET_data(pkt) - PACKET_msg_start(pkt);
     hashsize = EVP_MD_get_size(md);
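Review bot: The certificate probe added in the `sess == NULL` branch is an empty-bodied `for` loop whose outcome is read back through the loop index `j`, which is easy to misread as a forgotten body; an explicit `have_cert` flag states the intent directly and keeps `j` from outliving the search. The comparison also deserves a comment tying it to the security goal, e.g. `/* Only fall back when a full handshake is actually possible; otherwise an unknown identity must fail exactly like a bad binder (RFC 8446 E.6) */`, since if this check ever diverges from the condition under which the server can really complete a full handshake, a later distinct alert would presumably reintroduce the identity-probing signal the commit is closing. `tls_parse_ctos_psk` begins and ends outside this hunk, so the `err` label's cleanup of a NULL `sess` cannot be confirmed from here.
```c
    if (sess == NULL) {
        size_t j;
        int have_cert = 0;

        /*
         * Only fall back when a full handshake is actually possible;
         * otherwise an unknown identity must fail exactly like a bad
         * binder (RFC 8446 Appendix E.6).
         */
        for (j = 0; j < s->ssl_pkey_num; j++) {
            if (ssl_has_cert(s, (int)j)) {
                have_cert = 1;
                break;
            }
        }
        if (have_cert) {
            /* A certificate exists. Fallback to a full handshake */
            return 1;
        }
        /* … unchanged: decrypt_error comment, SSLfatal, goto err … */
    }
```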