From e73c6eaeff82615d20845692c5c72ba9dfa895f5 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 6 Mar 2018 14:12:10 +0000
Subject: Tolerate TLSv1.3 PSKs that are a different size to the hash size

We also default to SHA256 as per the spec if we do not have an explicit digest defined.

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/5554)
---
 ssl/statem/extensions.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'ssl')

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 6e3f8d1672..8a8e524899 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 const char external_label[] = "ext binder";
 const char nonce_label[] = "resumption";
 const char *label;
- size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
+ size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
 int ret = -1;
 int usepskfored = 0;
@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 labelsize = sizeof(resumption_label) - 1;
 }
- if (sess->master_key_length != hashsize) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
- goto err;
- }
-
 if (external) {
 psk = sess->master_key;
+ psklen = sess->master_key_length;
 } else {
 psk = tmppsk;
+ psklen = hashsize;
 if (!tls13_hkdf_expand(s, md, sess->master_key, (const unsigned char *)nonce_label, sizeof(nonce_label) - 1, sess->ext.tick_nonce,
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 early_secret = (unsigned char *)s->early_secret;
 else
 early_secret = (unsigned char *)sess->early_secret;
- if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
+ if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
 /* SSLfatal() already called */
 goto err;
 }
--
cgit v1.2.3
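Review bot: In the first hunk (`@@ -1426,7 +1426,7 @@`), `hashsize = EVP_MD_size(md)` stores an `int` return in a `size_t` with no sign check, so a negative error return would turn into a very large length. After this commit that value is also what the non-external branch assigns to `psklen` and passes to `tls13_generate_secret()`, and the removed `master_key_length != hashsize` comparison, which would have rejected such a value as a side effect, is gone. Reading the result as `int mdlen = EVP_MD_size(md);` and failing through `SSLfatal()` when `mdlen <= 0`, before `hashsize` is assigned, would restore an explicit guard. Whether callers can reach this function with an unusable `md` is not visible here; the function body starts and ends outside the hunk.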
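Review bot: In the second hunk (`@@ -1444,16 +1444,12 @@`) the length check is dropped for both branches, but only the `external` branch starts using `sess->master_key_length`. The `else` branch still hands `sess->master_key` to `tls13_hkdf_expand()`, and the visible arguments carry no length for it, so the callee presumably reads a digest-sized secret. Narrowing the check instead of deleting it, `if (!external && sess->master_key_length != hashsize) {` with the existing `SSLfatal(..., SSL_R_BAD_PSK)` body, would stop a short or mismatched resumption secret from being expanded. For external PSKs it would also be worth rejecting `sess->master_key_length == 0` at this point, unless that is already enforced where the session is built, which this diff does not show. The `tls13_hkdf_expand()` call and the function itself continue outside the hunk.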