authorMatt Caswell <matt@openssl.org>2018-06-01 16:52:34 +0100
committerMatt Caswell <matt@openssl.org>2018-06-07 10:58:35 +0100
commit4ff1a5266685f4a687a9f91b531c2f979b96db22 (patch)
tree43fd2babb3b724e2c1eb4786a66f66ee4757cf88 /ssl/statem/extensions.c
parent309371d6266877a8f04d0aa7b0f6add6d269d962 (diff)
Fix TLSv1.3 ticket nonces
All tickets on a connection need to have a unique nonce. When this was originally implemented we only ever sent one ticket on the connection so this didn't matter. We were just using the value 0. Now we can get multiple tickets so we need to start doing the ticket nonce properly. Fixes #6387 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6415)
Diffstat (limited to 'ssl/statem/extensions.c')
-rw-r--r--ssl/statem/extensions.c35
1 files changed, 10 insertions, 25 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 209b4df782..8885e5e0d7 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1421,13 +1421,11 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
EVP_MD_CTX *mctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
- unsigned char tmppsk[EVP_MAX_MD_SIZE];
- unsigned char *early_secret, *psk;
- const char resumption_label[] = "res binder";
- const char external_label[] = "ext binder";
- const char nonce_label[] = "resumption";
- const char *label;
- size_t bindersize, labelsize, psklen, hashsize;
+ unsigned char *early_secret;
+ static const unsigned char resumption_label[] = "res binder";
+ static const unsigned char external_label[] = "ext binder";
+ const unsigned char *label;
+ size_t bindersize, labelsize, hashsize;
int hashsizei = EVP_MD_size(md);
int ret = -1;
int usepskfored = 0;
@@ -1454,21 +1452,6 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
labelsize = sizeof(resumption_label) - 1;
}
- if (external) {
- psk = sess->master_key;
- psklen = sess->master_key_length;
- } else {
- psk = tmppsk;
- psklen = hashsize;
- if (!tls13_hkdf_expand(s, md, sess->master_key,
- (const unsigned char *)nonce_label,
- sizeof(nonce_label) - 1, sess->ext.tick_nonce,
- sess->ext.tick_nonce_len, psk, hashsize)) {
- /* SSLfatal() already called */
- goto err;
- }
- }
-
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
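Review bot: With the nonce expansion removed here, sess->master_key is passed straight into tls13_generate_secret in the next hunk (L61-71) for both external and resumption PSKs, so the fix only holds if master_key already contains the per-ticket PSK (resumption master secret expanded with the ticket nonce); that derivation is not in this diff and presumably now happens where the session is built from the ticket, which a reader of this function cannot see. A comment at the point of use would record the invariant: `/* For resumption, sess->master_key is already the per-ticket PSK (resumption master secret expanded with the ticket nonce), so no further derivation is needed here */`. Domain separation between the two PSK kinds is still provided by the distinct "ext binder"/"res binder" labels selected just above, so collapsing the two paths does not conflate them. tls_psk_do_binder starts and ends outside this hunk.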
@@ -1481,7 +1464,9 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
- if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
+
+ if (!tls13_generate_secret(s, md, NULL, sess->master_key,
+ sess->master_key_length, early_secret)) {
/* SSLfatal() already called */
goto err;
}
@@ -1500,8 +1485,8 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
}
/* Generate the binder key */
- if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,
- labelsize, hash, hashsize, binderkey, hashsize)) {
+ if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
+ hashsize, binderkey, hashsize)) {
/* SSLfatal() already called */
goto err;
}