Don't fail if the PSK identity doesn't match

In 1.1.0 s_server if the PSK identity doesn't match what we have then a warning is printed and we continue the connection anyway. In 1.1.1, if TLSv1.3 is used and the identity doesn't match then we abort the connection. We should really be consistent with the old behaviour. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6659)

Don't fail if the PSK identity doesn't match
In 1.1.0 s_server if the PSK identity doesn't match what we have then a warning is printed and we continue the connection anyway. In 1.1.1, if TLSv1.3 is used and the identity doesn't match then we abort the connection. We should really be consistent with the old behaviour. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6659)
c9d6fdd6 · Matt Caswell · 0edb109f · c9d6fdd6
隐藏空白更改
内联并排

Showing with 5 addition and 2 deletion

apps/s_server.c apps/s_server.c +5 -2

未找到文件。
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -192,8 +192,11 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
    const SSL_CIPHER *cipher = NULL;

    if (strlen(psk_identity) != identity_len
-            || memcmp(psk_identity, identity, identity_len) != 0)
-        return 0;
+            || memcmp(psk_identity, identity, identity_len) != 0) {
+        BIO_printf(bio_s_out,
+                   "PSK warning: client identity not what we expected"
+                   " (got '%s' expected '%s')\n", identity, psk_identity);
+    }

    if (psksess != NULL) {
        SSL_SESSION_up_ref(psksess);