From ea371564e7bc6e4402ff2a80b768b649644b18f2 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Thu, 19 Aug 2021 17:18:59 +0100
Subject: [PATCH] Disable TLS 1.3 when using TLS-PSK, because it isn't
 correctly config'd.

---
 ChangeLog.txt  |  2 ++
 lib/net_mosq.c |  8 +++++++-
 src/net.c      | 21 ++++++++++++++-------
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index c0a646d2..3cc753c9 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -8,6 +8,7 @@ Broker:
 - Fix `max_connections` option not being correctly counted.
 - Fix TLS certificates and TLS-PSK not being able to be configured at the same
   time.
+- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
 
 Client library:
 - If a client uses TLS-PSK then force the default cipher list to use "PSK"
@@ -15,6 +16,7 @@ Client library:
   with x509 certificates only will now fail. Prior to this, the client would
   connect successfully without verifying certificates, because they were not
   configured.
+- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
 
 Clients:
 - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 26179ecf..aea34ab3 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -698,8 +698,14 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			}
 		}
 
+#ifdef SSL_OP_NO_TLSv1_3
+		if(mosq->tls_psk){
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_TLSv1_3);
+		}
+#endif
+
 		if(!mosq->tls_version){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 #ifdef SSL_OP_NO_TLSv1_3
 		}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
 			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
diff --git a/src/net.c b/src/net.c
index e4708fe0..774395c9 100644
--- a/src/net.c
+++ b/src/net.c
@@ -329,21 +329,28 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 		return MOSQ_ERR_TLS;
 	}
 
+#ifdef SSL_OP_NO_TLSv1_3
+	if(db.config->per_listener_settings){
+		if(listener->security_options.psk_file){
+			SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
+		}
+	}else{
+		if(db.config->security_options.psk_file){
+			SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
+		}
+	}
+#endif
+
 	if(listener->tls_version == NULL){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 #ifdef SSL_OP_NO_TLSv1_3
 	}else if(!strcmp(listener->tls_version, "tlsv1.3")){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
+#endif
 	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
-#else
-	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
-#endif
 	}else{
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
 		return MOSQ_ERR_TLS;
@@ -903,8 +910,8 @@ int net__socket_listen(struct mosquitto__listener *listener)
 					return 1;
 				}
 			}
-#  endif /* FINAL_WITH_TLS_PSK */
 		}
+#  endif /* FINAL_WITH_TLS_PSK */
 #endif /* WITH_TLS */
 		return 0;
 	}else{