author | Matt Caswell <matt@openssl.org> | 2018-03-06 14:12:10 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-03-09 11:22:23 +0000 |
commit | e73c6eaeff82615d20845692c5c72ba9dfa895f5 (patch) | |
tree | 3eabbfe2325ad07a300c38e299e927b026aff507 /ssl | |
parent | a7fb4fa1708c65c0932133dca64a53d0237312e3 (diff) | |
Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit
digest defined.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 6e3f8d1672..8a8e524899 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 const char external_label[] = "ext binder";
 const char nonce_label[] = "resumption";
 const char *label;
- size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
+ size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
 int ret = -1;
 int usepskfored = 0;
@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 labelsize = sizeof(resumption_label) - 1;
 }
- if (sess->master_key_length != hashsize) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
- SSL_R_BAD_PSK);
- goto err;
- }
-
 if (external) {
 psk = sess->master_key;
+ psklen = sess->master_key_length;
 } else {
 psk = tmppsk;
+ psklen = hashsize;
 if (!tls13_hkdf_expand(s, md, sess->master_key,
 (const unsigned char *)nonce_label,
 sizeof(nonce_label) - 1, sess->ext.tick_nonce,
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 early_secret = (unsigned char *)s->early_secret;
 else
 early_secret = (unsigned char *)sess->early_secret;
- if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
+ if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
 /* SSLfatal() already called */
 goto err;
 } |
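Review bot: The rewritten declaration in the first hunk still stores `EVP_MD_size(md)` straight into the unsigned `hashsize`, and with this change that value also becomes `psklen` on the resumption path, so a failure return from `EVP_MD_size()` (it returns `int` and signals errors with a negative value) would become a huge length handed to `tls13_generate_secret()`. The equality check removed in the second hunk presumably rejected that case incidentally, since a stored `master_key_length` would not match it. I would read the size into an `int` first, fail with the existing `SSLfatal(...); goto err;` pattern when it is negative, and only then assign it to `hashsize`. The function body starts and ends outside the hunk, so any earlier guarantee that `md` is valid cannot be confirmed from here.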
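Review bot: Dropping the `master_key_length != hashsize` check for both branches leaves the resumption (`else`) path in the second hunk with no length validation, yet that path still hands `sess->master_key` to `tls13_hkdf_expand()` with no accompanying length among the visible arguments. If the callee treats that secret as digest-sized (its definition is not shown here), a session whose stored key is shorter than the digest would have bytes beyond `master_key_length` mixed into the derived PSK. The relaxation is only needed for external PSKs, so the check could be kept as `if (!external && sess->master_key_length != hashsize) {` with the same `SSLfatal`/`goto err` body. The `tls13_hkdf_expand()` call continues past the end of the hunk.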