
commit 0f607c776c3488c20b335d13798fb3afbcb5d43a
Author: Matt Caswell <matt@openssl.foundation>
Date:   Tue Apr 21 17:34:55 2026 +0100

    Treat an unknown PSK identity the same way as a binder validation failure

    Doing things this way removes the possibility of an attacker probing for
    valid PSK identities as described in Appendix E.6 of RFC8446. This only
    makes a difference in a PSK-only server configuration. The signal will still
    exist if the server can fallback to a full handshake.

    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Wed May 13 07:38:32 2026
    (Merged from https://github.com/openssl/openssl/pull/31026)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index b91be0a52f..de09706ab6 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1533,8 +1533,24 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
         break;
     }

-    if (sess == NULL)
-        return 1;
+    if (sess == NULL) {
+        size_t j;
+
+        for (j = 0; j < s->ssl_pkey_num && !ssl_has_cert(s, (int)j); j++)
+            ;
+        if (j < s->ssl_pkey_num) {
+            /* A certificate exists. Fallback to a full handshake */
+            return 1;
+        }
+        /*
+         * decrypt_error here to keep the alert the same as if the binder
+         * failed. See RFC8446 Appendix E.6. Note we make no attempt to do this
+         * in constant time compared to verifying the binder. None of this code
+         * is constant time anyway.
+         */
+        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_EXTENSION);
+        goto err;
+    }

     binderoffset = PACKET_data(pkt) - PACKET_msg_start(pkt);
     hashsize = EVP_MD_get_size(md);
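Review bot: The one-line comment on the `return 1` says that a certificate exists but not why its presence is the right criterion for falling back instead of aborting; the rationale from the description (once a full handshake is possible the unknown-identity signal is unavoidable, so aborting would only break legitimate mixed PSK/certificate servers) belongs next to the code, e.g. `/* A certificate exists, so a full handshake is possible and the unknown-identity signal cannot be hidden anyway; fall back rather than abort. */`. The empty-bodied `for` with its lone `;` is a search whose result is only visible through the follow-up `j < s->ssl_pkey_num` comparison; an explicit `int have_cert = 0;` set inside a braced loop and tested with `if (have_cert)` would make the intent readable at a glance and keep the `(int)j` cast out of the loop condition. The `goto err` relies on an `err` label elsewhere in tls_parse_ctos_psk, which starts and ends outside this hunk.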