authorMatt Caswell <matt@openssl.org>2018-03-06 14:12:10 +0000
committerMatt Caswell <matt@openssl.org>2018-03-09 11:22:23 +0000
commite73c6eaeff82615d20845692c5c72ba9dfa895f5 (patch)
tree3eabbfe2325ad07a300c38e299e927b026aff507 /ssl/statem/extensions.c
parenta7fb4fa1708c65c0932133dca64a53d0237312e3 (diff)
Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit digest defined. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5554)
Diffstat (limited to 'ssl/statem/extensions.c')
-rw-r--r--ssl/statem/extensions.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 6e3f8d1672..8a8e524899 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
const char external_label[] = "ext binder";
const char nonce_label[] = "resumption";
const char *label;
- size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
+ size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
int ret = -1;
int usepskfored = 0;
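Review bot: The changed declaration still stores the `int` result of `EVP_MD_size(md)` directly in the `size_t` variable `hashsize`, so an error return of -1 would turn into a very large length. After this commit `hashsize` is also copied into `psklen` for resumption PSKs, so that value would be passed on as a key length rather than only compared against one. Consider reading it into an `int` first, e.g. `int hashsizei = EVP_MD_size(md);`, and failing with `if (hashsizei < 0)` before `hashsize` is used. The body of tls_psk_do_binder starts and ends outside this hunk, so a guard elsewhere cannot be ruled out from here.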
@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
labelsize = sizeof(resumption_label) - 1;
}
- if (sess->master_key_length != hashsize) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
- SSL_R_BAD_PSK);
- goto err;
- }
-
if (external) {
psk = sess->master_key;
+ psklen = sess->master_key_length;
} else {
psk = tmppsk;
+ psklen = hashsize;
if (!tls13_hkdf_expand(s, md, sess->master_key,
(const unsigned char *)nonce_label,
sizeof(nonce_label) - 1, sess->ext.tick_nonce,
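Review bot: Dropping the `sess->master_key_length != hashsize` check for both branches also removes it from the resumption (`else`) path, where `sess->master_key` is handed to `tls13_hkdf_expand` with no length argument in the visible call. That call presumably treats the secret as digest-sized, so a session whose stored key is shorter than `hashsize` would have bytes beyond the real key mixed into the PSK instead of being rejected with `SSL_R_BAD_PSK`. The relaxation is only needed for external PSKs, so the removed test could stay as the first statement of the `else` branch: `if (sess->master_key_length != hashsize)` with the same `SSLfatal(...)` and `goto err`. A short comment on `psklen = sess->master_key_length;` such as `/* external PSKs need not match the hash size */` would also record why the two branches differ. The `tls13_hkdf_expand` call continues past the end of this hunk.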
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
- if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
+ if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
/* SSLfatal() already called */
goto err;
}