Commit 399ac55fc7 for openssl.org

commit 399ac55fc7c3fda8cedda2bb47945d6d826b34e7
Author: Matt Caswell <matt@openssl.foundation>
Date:   Fri May 1 12:29:44 2026 +0100

    Validate that a PSK identity is at least one byte long

    RFC8446 requires that a PSK identity is at least one byte in length. We
    should validate this.

    Fixes #31007

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
    MergeDate: Sun May  3 13:46:21 2026
    (Merged from https://github.com/openssl/openssl/pull/31058)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 8e66fd7230..033c0140dc 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1354,6 +1354,10 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
         }

         idlen = PACKET_remaining(&identity);
+        if (idlen == 0) {
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+            return 0;
+        }
         if (s->psk_find_session_cb != NULL
             && !s->psk_find_session_cb(ussl, PACKET_data(&identity), idlen,
                 &sess)) {
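Review bot: The added `idlen == 0` check has no comment explaining why an empty identity is fatal, so the rationale lives only in the commit message. A line above the check such as `/* RFC 8446 4.2.11: opaque identity<1..2^16-1>; reject empty identities before any callback sees them */` would stop it being removed later as redundant. It would also record that the check is deliberately placed ahead of the `psk_find_session_cb` call. The enclosing function `tls_parse_ctos_psk` starts and ends outside the hunk. If the surrounding identity loop stops at the first matching PSK (not visible here), identities listed after the match would presumably never reach this check, so confirm whether that is intended.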