Don't fail if the PSK identity doesn't match

In 1.1.0 s_server if the PSK identity doesn't match what we have then a warning is printed and we continue the connection anyway. In 1.1.1, if TLSv1.3 is used and the identity doesn't match then we abort the connection. We should really be consistent with the old behaviour. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6659)
author: Matt Caswell <matt@openssl.org> 2018-07-06 09:16:51 +0100
committer: Matt Caswell <matt@openssl.org> 2018-07-06 23:38:53 +0100
commit: c9d6fdd6f79c1725215347ad8409b1e60eaccf0c (patch)
tree: 243f981722d47701f04439d3411c072f10646a8a /apps/s_server.c
parent: 0edb109f97c1bbbd5961326f93b2ccf385b26674 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/apps/s_server.c b/apps/s_server.c
index 4e8a9e27bc..94c18266f7 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -192,8 +192,11 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
     const SSL_CIPHER *cipher = NULL;
 
     if (strlen(psk_identity) != identity_len
-            || memcmp(psk_identity, identity, identity_len) != 0)
-        return 0;
+            || memcmp(psk_identity, identity, identity_len) != 0) {
+        BIO_printf(bio_s_out,
+                   "PSK warning: client identity not what we expected"
+                   " (got '%s' expected '%s')\n", identity, psk_identity);
+    }
 
     if (psksess != NULL) {
         SSL_SESSION_up_ref(psksess);
author	Matt Caswell <matt@openssl.org>	2018-07-06 09:16:51 +0100
committer	Matt Caswell <matt@openssl.org>	2018-07-06 23:38:53 +0100
commit	c9d6fdd6f79c1725215347ad8409b1e60eaccf0c (patch)
tree	243f981722d47701f04439d3411c072f10646a8a /apps/s_server.c
parent	0edb109f97c1bbbd5961326f93b2ccf385b26674 (diff)