diff options
| author | Matt Caswell <matt@openssl.org> | 2018-03-06 14:12:10 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-03-09 11:22:23 +0000 |
| commit | e73c6eaeff82615d20845692c5c72ba9dfa895f5 (patch) | |
| tree | 3eabbfe2325ad07a300c38e299e927b026aff507 | |
| parent | a7fb4fa1708c65c0932133dca64a53d0237312e3 (diff) | |
Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit
digest defined.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
| -rw-r--r-- | apps/s_client.c | 16 | ||||
| -rw-r--r-- | apps/s_server.c | 10 | ||||
| -rw-r--r-- | ssl/statem/extensions.c | 12 |
3 files changed, 12 insertions, 26 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index a319d217c1..1ed853d14b 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -197,19 +197,13 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md, return 0; } - if (key_len == EVP_MD_size(EVP_sha256())) - cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); - else if (key_len == EVP_MD_size(EVP_sha384())) - cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id); - + /* We default to SHA-256 */ + cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); if (cipher == NULL) { - /* Doesn't look like a suitable TLSv1.3 key. Ignore it */ - OPENSSL_free(key); - *id = NULL; - *idlen = 0; - *sess = NULL; - return 1; + BIO_printf(bio_err, "Error finding suitable ciphersuite\n"); + return 0; } + usesess = SSL_SESSION_new(); if (usesess == NULL || !SSL_SESSION_set1_master_key(usesess, key, key_len) diff --git a/apps/s_server.c b/apps/s_server.c index ff9ee5add9..bc1d1e5608 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -208,14 +208,10 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity, return 0; } - if (key_len == EVP_MD_size(EVP_sha256())) - cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id); - else if (key_len == EVP_MD_size(EVP_sha384())) - cipher = SSL_CIPHER_find(ssl, tls13_aes256gcmsha384_id); - + /* We default to SHA256 */ + cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id); if (cipher == NULL) { - /* Doesn't look like a suitable TLSv1.3 key. Ignore it */ - OPENSSL_free(key); + BIO_printf(bio_err, "Error finding suitable ciphersuite\n"); return 0; } diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 6e3f8d1672..8a8e524899 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, const char external_label[] = "ext binder"; const char nonce_label[] = "resumption"; const char *label; - size_t bindersize, labelsize, hashsize = EVP_MD_size(md); + size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md); int ret = -1; int usepskfored = 0; @@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, labelsize = sizeof(resumption_label) - 1; } - if (sess->master_key_length != hashsize) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, - SSL_R_BAD_PSK); - goto err; - } - if (external) { psk = sess->master_key; + psklen = sess->master_key_length; } else { psk = tmppsk; + psklen = hashsize; if (!tls13_hkdf_expand(s, md, sess->master_key, (const unsigned char *)nonce_label, sizeof(nonce_label) - 1, sess->ext.tick_nonce, @@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, early_secret = (unsigned char *)s->early_secret; else early_secret = (unsigned char *)sess->early_secret; - if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) { + if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) { /* SSLfatal() already called */ goto err; } |