From: Matt Caswell
Date: Tue, 21 Apr 2026 16:34:55 +0000 (+0100)
Subject: Treat an unknown PSK identity the same way as a binder validation failure
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f607c776c3488c20b335d13798fb3afbcb5d43a;p=thirdparty%2Fopenssl.git

Treat an unknown PSK identity the same way as a binder validation failure

Doing things this way removes the possibility of an attacker probing for valid PSK identities as described in Appendix E.6 of RFC8446. This only makes a difference in a PSK only server configuration. The signal will still exist if the server can fall back to a full handshake.

Reviewed-by: Tomas Mraz
Reviewed-by: Eugene Syromiatnikov
MergeDate: Wed May 13 07:38:32 2026
(Merged from https://github.com/openssl/openssl/pull/31026)
---
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index b91be0a52f2..de09706ab67 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1533,8 +1533,24 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, break; } - if (sess == NULL) - return 1; + if (sess == NULL) { + size_t j; + + for (j = 0; j < s->ssl_pkey_num && !ssl_has_cert(s, (int)j); j++) + ; + if (j < s->ssl_pkey_num) { + /* A certificate exists. Fallback to a full handshake */ + return 1; + } + /* + * decrypt_error here to keep the alert the same as if the binder + * failed. See RFC8446 Appendix E.6. Note we make no attempt to do this + * in constant time compared to verifying the binder. None of this code + * is constant time anyway. + */ + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_EXTENSION); + goto err; + } binderoffset = PACKET_data(pkt) - PACKET_msg_start(pkt); hashsize = EVP_MD_get_size(md);
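Review bot: the `ssl_has_cert` scan in the new `sess == NULL` branch treats "some certificate is configured" as equivalent to "a full handshake is possible", so a server that has a certificate loaded but cannot actually use it for this client (no usable signature algorithm for the offered `signature_algorithms`, no overlapping certificate-based ciphersuite) still takes the `return 1` path and later aborts with a different alert than `decrypt_error`, which preserves the identity oracle the commit message is closing for that configuration. The commit message already limits the fix to a PSK-only server, but the code comment says only `/* A certificate exists. Fallback to a full handshake */`; it should state that the fallback is assumed viable and that the unknown-identity signal remains whenever it is not, so the limitation is visible to whoever later tightens the check (for example by reusing the server's existing certificate-selection logic instead of a bare presence test). Two style points in the same hunk: the empty-bodied `for (j = 0; ...; j++) ;` deserves a one-line comment saying it is searching for any configured certificate, since the lone `;` is easy to misread as a stray statement, and "Fallback" in the comment should be the verb "Fall back".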