Allow TLS PSK without server certificate

WillChilds-Klein · WillChilds-Klein · commit c0f062e54228 · 2024-12-27T19:02:06.000-06:00
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
@@ -793,11 +793,13 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
     }
   }
 
-  // Load |hs->local_pubkey| from the cert prematurely. The certificate could be
-  // subject to change once we negotiate signature algorithms later. If it
-  // changes to another leaf certificate the server and client has support for,
-  // we reload it.
-  if (!ssl_handshake_load_local_pubkey(hs)) {
+  // Load |hs->local_pubkey| from the cert (if present) prematurely. The
+  // certificate could be subject to change once we negotiate signature
+  // algorithms later. If it changes to another leaf certificate the server and
+  // client has support for, we reload it. The public key may only be absent if
+  // PSK is enabled on the server, as indicated by presense of a callback.
+  if (!ssl_handshake_load_local_pubkey(hs) &&
+      !(hs->local_pubkey == nullptr && hs->config->psk_server_callback)) {
     return ssl_hs_error;
   }
 
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
@@ -385,6 +385,7 @@ static bool ssl_public_key_rsa_pss_check(EVP_PKEY *pubkey, uint16_t sigalg) {
 
 static bool tls12_pkey_supports_cipher_auth(SSL_HANDSHAKE *hs,
                                             const EVP_PKEY *key) {
+  GUARD_PTR(key);
   SSL *const ssl = hs->ssl;
   // We may have a private key that supports the signature algorithm, but we
   // need to verify that the negotiated cipher allows it. This behavior is only
diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
@@ -27,23 +27,6 @@ index 0e50d09..f4b7b3c 100644
      def test_dh_params(self):
          # Check we can get a connection with ephemeral Diffie-Hellman
          client_context, server_context, hostname = testing_context()
-@@ -4364,14 +4366,14 @@ def test_session_handling(self):
-     def test_psk(self):
-         psk = bytes.fromhex('deadbeef')
-
--        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-+        client_context, server_context, _ = testing_context()
-+
-         client_context.check_hostname = False
-         client_context.verify_mode = ssl.CERT_NONE
-         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
-         client_context.set_ciphers('PSK')
-         client_context.set_psk_client_callback(lambda hint: (None, psk))
-
--        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
-         server_context.set_ciphers('PSK')
-         server_context.set_psk_server_callback(lambda identity: psk)
 @@ -4443,14 +4445,14 @@ def server_callback(identity):
              self.assertEqual(identity, client_identity)
              return psk

Original file line number	Diff line number	Diff line change
`@@ -793,11 +793,13 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {`
`793`	`793`	`}`
`794`	`794`	`}`
`795`	`795`
`796`		`- // Load \|hs->local_pubkey\| from the cert prematurely. The certificate could be`
`797`		`- // subject to change once we negotiate signature algorithms later. If it`
`798`		`- // changes to another leaf certificate the server and client has support for,`
`799`		`- // we reload it.`
`800`		`- if (!ssl_handshake_load_local_pubkey(hs)) {`
	`796`	`+ // Load \|hs->local_pubkey\| from the cert (if present) prematurely. The`
	`797`	`+ // certificate could be subject to change once we negotiate signature`
	`798`	`+ // algorithms later. If it changes to another leaf certificate the server and`
	`799`	`+ // client has support for, we reload it. The public key may only be absent if`
	`800`	`+ // PSK is enabled on the server, as indicated by presense of a callback.`
	`801`	`+ if (!ssl_handshake_load_local_pubkey(hs) &&`
	`802`	`+ !(hs->local_pubkey == nullptr && hs->config->psk_server_callback)) {`
`801`	`803`	`return ssl_hs_error;`
`802`	`804`	`}`
`803`	`805`