From: Matt Caswell Date: Fri, 10 Apr 2026 11:15:33 +0000 (+0100) Subject: Add a test for too many PSKs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=350adfe3f922062986195e9bc2ec1ed5dd5efc37;p=thirdparty%2Fopenssl.git Add a test for too many PSKs We test that even if we add too many PSKs we still handle the ClientHello correctly. Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Tomas Mraz MergeDate: Thu Apr 16 17:07:38 2026 (Merged from https://github.com/openssl/openssl/pull/30761) --- diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 83ce3b1ef13..dcac269d1bd 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -40,7 +40,8 @@ my $proxy = TLSProxy::Proxy->new( use constant { PSK_LAST_FIRST_CH => 0, - ILLEGAL_EXT_SECOND_CH => 1 + ILLEGAL_EXT_SECOND_CH => 1, + TOO_MANY_PSKS => 2 }; #Most PSK tests are done in test_ssl_new. This tests various failure scenarios @@ -52,7 +53,7 @@ $proxy->clientflags("-sess_out ".$session); $proxy->serverflags("-servername localhost"); $proxy->sessionfile($session); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 5; +plan tests => 6; ok(TLSProxy::Message->success(), "Initial connection"); #Test 2: Attempt a resume with PSK not in last place. Should fail @@ -112,6 +113,15 @@ $proxy->filter(\&remove_sig_algs_filter); $proxy->start(); ok(TLSProxy::Message->success(), "Remove sig algs"); +#Test 6: Attempt a resume with too many PSKs. Handshake should still succeed. +# It will just ignore the PSKs. +$proxy->clear(); +$proxy->clientflags("-sess_in ".$session); +$proxy->filter(\&modify_psk_filter); +$testtype = TOO_MANY_PSKS; +$proxy->start(); +ok(TLSProxy::Message->success(), "Too many PSKs"); + unlink $session; sub modify_psk_filter 
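Review bot: The new Test 6 asserts only `TLSProxy::Message->success()`, which does not pin down the comment's claim that the server "will just ignore the PSKs". As far as these lines show, 17 one-byte identities that match no ticket could be skipped one by one and still end in a successful full handshake, so the test may pass whether or not the over-limit path is actually taken. Consider also checking that the ServerHello carries no pre_shared_key extension, so that a regression which selects one of the injected identities is caught. A comment naming the server-side limit that the count of 17 is meant to exceed would also help, since that limit is not visible in this file.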
@@ -120,19 +130,19 @@ sub modify_psk_filter my $flight; my $message; - if ($testtype == PSK_LAST_FIRST_CH) { - $flight = 0; - } else { + if ($testtype == ILLEGAL_EXT_SECOND_CH) { $flight = 2; + } else { + $flight = 0; } # Only look at the first or second ClientHello return if $proxy->flight != $flight; - if ($testtype == PSK_LAST_FIRST_CH) { - $message = ${$proxy->message_list}[0]; - } else { + if ($testtype == ILLEGAL_EXT_SECOND_CH) { $message = ${$proxy->message_list}[2]; + } else { + $message = ${$proxy->message_list}[0]; } return if (!defined $message @@ -140,9 +150,20 @@ sub modify_psk_filter if ($testtype == PSK_LAST_FIRST_CH) { $message->set_extension(TLSProxy::Message::EXT_FORCE_LAST, ""); - } else { + } elsif ($testtype == ILLEGAL_EXT_SECOND_CH) { #Deliberately break the connection $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_GROUPS, ""); + } else { + my $psklist = pack "C*", + 0x00, 0x77, #Identities length + (( + 0x00, 0x01, #Identity length + 0x01, #Identity data + 0x00, 0x00, 0x00, 0x00 #Obfuscated ticket age + ) x 17), #17 identities + 0x00, 0x22, #Binder length + (0x01) x 34; #17 fake binders, each with 1 length byte, and 1 payload byte + $message->set_extension(TLSProxy::Message::EXT_PSK, $psklist); } $message->repack(); }
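Review bot: The rewritten conditionals make `else` the catch-all for every `$testtype` other than `ILLEGAL_EXT_SECOND_CH`, and the final `else` in the next hunk (at -140) likewise sends any value other than the two named constants down the 17-identity path. A mistyped or future `$testtype` value would therefore silently rewrite the PSK extension instead of failing loudly. I would make the last arm explicit with `} elsif ($testtype == TOO_MANY_PSKS) {` and finish with `} else { die "Unknown test type $testtype"; }`. The body of modify_psk_filter starts above this hunk and continues into the next one.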
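Review bot: The payload in the new `else` arm hard-codes the identity count in three places: `x 17`, the identities length `0x77` (17 × 7) and the binder length `0x22` (17 × 2). Changing the count means recomputing two length fields by hand, and a mismatch would turn this into a malformed-extension test rather than a too-many-PSKs test. Deriving both lengths from one named count keeps the vector well-formed and makes its relation to the server's limit (not visible in this hunk) a single edit. The sketch below produces the same bytes as the current `pack` call.

```perl
    } else {
        #Number of identities offered; must stay above the server's limit
        my $numpsks = 17;
        my $identity = pack "C*",
            0x00, 0x01,             #Identity length
            0x01,                   #Identity data
            0x00, 0x00, 0x00, 0x00; #Obfuscated ticket age
        #One fake binder: 1 length byte, and 1 payload byte
        my $binder = pack "C*", 0x01, 0x01;
        my $psklist = pack("n", length($identity) * $numpsks) #Identities length
            . ($identity x $numpsks)
            . pack("n", length($binder) * $numpsks)           #Binder length
            . ($binder x $numpsks);
        $message->set_extension(TLSProxy::Message::EXT_PSK, $psklist);
```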