diff options
author | Matt Caswell <matt@openssl.org> | 2017-03-20 18:03:34 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-03-21 10:09:14 +0000 |
commit | 2c7e64564cf7ab00c099d4f398ae9e53698b68f6 (patch) | |
tree | d2f22aa0fa7e07d2ad0f3db8199ec5307b670368 | |
parent | 7baabf45c424c135ecfafc6b3bb7ea1d225fbfda (diff) |
Fix resumption after HRR
Commit 6b1bb98fa moved the processing of ClientHello extensions into the
state machine post-processing stage. After processing s->init_num is reset
to 0, so by post-processing we cannot rely on its value. Unfortunately we
were using it to handle the PSK extension. This causes the handshake to
fail.
We were using init_num to figure out the length of ClientHello2 so we can
remove it from the handshake_buffer. The handshake_buffer holds the
transcript of all the messages sent so far. For PSK processing though we
only want to add in a partial ClientHello2. This commit changes things so
we just work out where ClientHello2 starts, working forward from the
beginning of handshake_buffer.
Fixes #2983
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2996)
(cherry picked from commit 77815a026cbedbb7b9a89558612f69e6294fe1ea)
-rw-r--r-- | ssl/statem/extensions.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 0ab1f0494c..8550dfe22e 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1191,11 +1191,18 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, * ClientHello - which we don't want - so we need to take that bit off. */ if (s->server) { - if (hdatalen < s->init_num + SSL3_HM_HEADER_LENGTH) { + PACKET hashprefix, msg; + + /* Find how many bytes are left after the first two messages */ + if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) + || !PACKET_forward(&hashprefix, 1) + || !PACKET_get_length_prefixed_3(&hashprefix, &msg) + || !PACKET_forward(&hashprefix, 1) + || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); goto err; } - hdatalen -= s->init_num + SSL3_HM_HEADER_LENGTH; + hdatalen -= PACKET_remaining(&hashprefix); } if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { |