Allow TLS PSK without server certificate

aws · Dec 28, 2024 · c0f062e · c0f062e
1 parent 39b3fae
commit c0f062e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 22 deletions.
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
@@ -793,11 +793,13 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
     }
   }
 
-  // Load |hs->local_pubkey| from the cert prematurely. The certificate could be
-  // subject to change once we negotiate signature algorithms later. If it
-  // changes to another leaf certificate the server and client has support for,
-  // we reload it.
-  if (!ssl_handshake_load_local_pubkey(hs)) {
+  // Load |hs->local_pubkey| from the cert (if present) prematurely. The
+  // certificate could be subject to change once we negotiate signature
+  // algorithms later. If it changes to another leaf certificate the server and
+  // client has support for, we reload it. The public key may only be absent if
+  // PSK is enabled on the server, as indicated by presense of a callback.
+  if (!ssl_handshake_load_local_pubkey(hs) &&
+      !(hs->local_pubkey == nullptr && hs->config->psk_server_callback)) {
     return ssl_hs_error;
   }
 

diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
@@ -385,6 +385,7 @@ static bool ssl_public_key_rsa_pss_check(EVP_PKEY *pubkey, uint16_t sigalg) {
 
 static bool tls12_pkey_supports_cipher_auth(SSL_HANDSHAKE *hs,
                                             const EVP_PKEY *key) {
+  GUARD_PTR(key);
   SSL *const ssl = hs->ssl;
   // We may have a private key that supports the signature algorithm, but we
   // need to verify that the negotiated cipher allows it. This behavior is only

diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
@@ -27,23 +27,6 @@ index 0e50d09..f4b7b3c 100644
      def test_dh_params(self):
          # Check we can get a connection with ephemeral Diffie-Hellman
          client_context, server_context, hostname = testing_context()
-@@ -4364,14 +4366,14 @@ def test_session_handling(self):
-     def test_psk(self):
-         psk = bytes.fromhex('deadbeef')
-
--        client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-+        client_context, server_context, _ = testing_context()
-+
-         client_context.check_hostname = False
-         client_context.verify_mode = ssl.CERT_NONE
-         client_context.maximum_version = ssl.TLSVersion.TLSv1_2
-         client_context.set_ciphers('PSK')
-         client_context.set_psk_client_callback(lambda hint: (None, psk))
-
--        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-         server_context.maximum_version = ssl.TLSVersion.TLSv1_2
-         server_context.set_ciphers('PSK')
-         server_context.set_psk_server_callback(lambda identity: psk)
 @@ -4443,14 +4445,14 @@ def server_callback(identity):
              self.assertEqual(identity, client_identity)
              return psk