Merge branch 'ingela/ssl/maint-27/psk-bugs/OTP-19825' into maint-27

Erlang/OTP · Erlang/OTP · commit 6931b67f9f34 · 2025-10-24T14:42:36.000+02:00
* ingela/ssl/maint-27/psk-bugs/OTP-19825:
  ssl: pre_shared_key shall be last client hello extension
  ssl: Improve interoperability

# Conflicts:
#	lib/ssl/src/ssl_handshake.erl
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
@@ -431,7 +431,7 @@ certificate_verify(Signature, PublicKeyInfo, Version,
     end.
 %%--------------------------------------------------------------------
 -spec verify_signature(ssl_record:ssl_version(), binary(), {term(), term()}, binary(),
-				   public_key_info()) -> true | false.
+                       public_key_info()) -> true | false.
 %%
 %% Description: Checks that a public_key signature is valid.
 %%--------------------------------------------------------------------
@@ -2687,9 +2687,13 @@ encode_psk_binders(Binders) ->
     Len = byte_size(Result),
     <<?UINT16(Len), Result/binary>>.
 
-
 hello_extensions_list(HelloExtensions) ->
-    [Ext || {_, Ext} <- maps:to_list(HelloExtensions), Ext =/= undefined].
+    case maps:take(pre_shared_key, HelloExtensions) of
+        {#pre_shared_key_client_hello{} = PSK, Rest} ->
+            [Ext || {_, Ext} <- maps:to_list(Rest), Ext =/= undefined] ++ [PSK];
+        _ ->
+            [Ext || {_, Ext} <- maps:to_list(HelloExtensions), Ext =/= undefined]
+    end.
 
 %%-------------Decode handshakes---------------------------------
 dec_server_key(<<?UINT16(PLen), P:PLen/binary,
@@ -3133,7 +3137,9 @@ decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                                #pre_shared_key_client_hello{
                                   offered_psks = #offered_psks{
                                                     identities = decode_psk_identities(Identities),
-                                                    binders = decode_psk_binders(Binders)}}});
+                                                    binders = decode_psk_binders(Binders)},
+                                  binder_length = BLen + 2}}
+                    		  ); 
 decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                        ExtData:Len/binary, Rest/binary>>,
                   Version, MessageType = server_hello, Acc) ->
diff --git a/lib/ssl/src/tls_client_connection_1_3.erl b/lib/ssl/src/tls_client_connection_1_3.erl
@@ -632,7 +632,7 @@ do_handle_exlusive_1_3_hello_or_hello_retry_request(
          connection_states = ConnectionStates0
         } = State0) ->
     {Ref,Maybe} = tls_gen_connection_1_3:do_maybe(),
-                                              try
+    try
         ClientGroups =
             Maybe(tls_handshake_1_3:get_supported_groups(ClientGroups0)),
         Cookie = maps:get(cookie, Extensions, undefined),
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
@@ -1750,28 +1750,11 @@ create_binders(Context, [#ticket_data{
 %% } OfferedPsks;
 truncate_client_hello(HelloBin0) ->
     <<?BYTE(Type), ?UINT24(_Length), Body/binary>> = HelloBin0,
-    CH0 = #client_hello{
-             extensions = #{pre_shared_key := PSK0} = Extensions0} =
+    #client_hello{
+       extensions = #{pre_shared_key := PSK0}} =
         tls_handshake:decode_handshake(?TLS_1_3, Type, Body),
-    #pre_shared_key_client_hello{offered_psks = OfferedPsks0} = PSK0,
-    OfferedPsks = OfferedPsks0#offered_psks{binders = []},
-    PSK = PSK0#pre_shared_key_client_hello{offered_psks = OfferedPsks},
-    Extensions = Extensions0#{pre_shared_key => PSK},
-    CH = CH0#client_hello{extensions = Extensions},
-
-    %% Decoding a ClientHello from an another TLS implementation can contain
-    %% unsupported extensions and thus executing decoding and encoding on
-    %% the input can result in a different handshake binary.
-    %% The original length of the binders can still be determined by
-    %% re-encoding the original ClientHello and using its size as reference
-    %% when we subtract the size of the truncated binary.
-    TruncatedSize = iolist_size(tls_handshake:encode_handshake(CH, ?TLS_1_3)),
-    RefSize = iolist_size(tls_handshake:encode_handshake(CH0, ?TLS_1_3)),
-    BindersSize = RefSize - TruncatedSize,
-
-    %% Return the truncated ClientHello by cutting of the binders from the original
-    %% ClientHello binary.
-    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BindersSize - 2),
+    #pre_shared_key_client_hello{binder_length = BinderLen} = PSK0,
+    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BinderLen),
     Truncated.
 
 maybe_add_early_data_indication(#client_hello{
diff --git a/lib/ssl/src/tls_handshake_1_3.hrl b/lib/ssl/src/tls_handshake_1_3.hrl
@@ -115,7 +115,8 @@
 %% } PreSharedKeyExtension;
 -record(pre_shared_key_client_hello,
         {
-         offered_psks
+         offered_psks,
+         binder_length
         }).
 
 -record(pre_shared_key_server_hello,

Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,8 @@`
`115`	`115`	`%% } PreSharedKeyExtension;`
`116`	`116`	`-record(pre_shared_key_client_hello,`
`117`	`117`	`{`
`118`		`- offered_psks`
	`118`	`+ offered_psks,`
	`119`	`+ binder_length`
`119`	`120`	`}).`
`120`	`121`
`121`	`122`	`-record(pre_shared_key_server_hello,`