TLS 1.3 PSK succeeds even if the pre-shared key is wrong

[brandon.murphy1996]

Hi Matt

Thanks for the reply.

Yes! the handshake completes even when the PSK does not match between the ones provided in Client and Server. However, if there is a mismatch in the provided identity inside the callbacks, I see the above-mentioned error(the bad extension one).

Unless I am missing something, if the code was not trying to perform a PSK verification, I would have received a complete handshake even if there was identity value mismatch between find_session_cb and use_session_cb.

Moreover, I am using SSL_CTX_set_verify() with option SSL_VERIFY_PEER. Also, I am not providing the client Hello with any certificates. So I see no reason for handshake to complete without verification.

Thanks
Bran


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 20, 2020 5:35 PM, Matt Caswell <matt at openssl.org> wrote:

> On 20/04/2020 12:59, brandon.murphy1996 via openssl-users wrote:
>
> > From what I noticed, the handshake completes successfully, regardless
> > of the value of "psk_key" (as long as PSK length is even). However,
> > if the identity value is mismatched between psk_find_session_cb and
> > use_session_cb, the handshake fails with the message:
>
> It's not clear from your question what you expected to happen. The
> length of the PSK key doesn't actually matter from a TLS perspective
> (obviously in practice it is best if the length is consistent with the
> ciphersuite key length).
>
> Or did you mean that that the value doesn't matter - even if it is
> mismatched with the client's value? That would be unexpected (and
> probably indicates you are not actually using the PSK at all and doing a
> full handshake).
>
> Matt