[openssl] OpenSSL_1_1_1-stable update

Dr. Paul Dale pauli at openssl.org
Fri Jul 9 00:47:27 UTC 2021 

The branch OpenSSL_1_1_1-stable has been updated
       via  6eba6a9b35e97f8fc9fee33a7bdfff0bed04a6dc (commit)
      from  d1a8201e88f0a5d46731010bb442f0f207c74fe9 (commit)


- Log -----------------------------------------------------------------
commit 6eba6a9b35e97f8fc9fee33a7bdfff0bed04a6dc
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 6 16:24:07 2021 +0100

    Fix s_server PSK handling
    
    Issue #15951 describes a scenario which causes s_server to fail when using
    a PSK. In the originally described issue this only impacted master and not
    1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you
    additionally supply the option "-no_ticket" to the s_server command line.
    
    The difference between the behaviour in master and 1.1.1 is due to 9c13b49,
    which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that
    a default OpenSSL TLSv1.3 ticket length happens to fall between those 2
    values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing
    "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just
    forces the use of "session ids as a ticket" instead. This significantly
    reduces the ticket size to below 128 in 1.1.1.
    
    The problem was due to s_server setting a TLSv1.2 PSK callback and a
    TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK
    callbacks also work in TLSv1.3 but are not preferred. In the described
    scenario we use a PSK to create the initial connection. Subsequent to that
    we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is
    below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback.
    Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's
    TLSv1.2 PSK callback accepts the identity regardless, even though it is an
    unexpected value, and hence the binder subsequently fails to verify.
    
    The fix is to bail early in the TLSv1.2 callback if we detect we are being
    called from a TLSv1.3 connection.
    
    Fixes #15951
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16008)
    
    (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_server.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/apps/s_server.c b/apps/s_server.c
index 0ba75999fd..bb81c9b40f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -133,6 +133,17 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
 
     if (s_debug)
         BIO_printf(bio_s_out, "psk_server_cb\n");
+
+    if (SSL_version(ssl) >= TLS1_3_VERSION) {
+        /*
+         * This callback is designed for use in TLSv1.2. It is possible to use
+         * a single callback for all protocol versions - but it is preferred to
+         * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
+         * psk_find_session_cb.
+         */
+        return 0;
+    }
+
     if (identity == NULL) {
         BIO_printf(bio_err, "Error: client did not send PSK identity\n");
         goto out_err;

More information about the openssl-commits mailing list