Commit 0fb2815b authored by Matt Caswell's avatar Matt Caswell
Browse files

Fix some SSL_export_keying_material() issues 



Fix some issues in tls13_hkdf_expand() which impact the above function
for TLSv1.3. In particular test that we can use the maximum label length
in TLSv1.3.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
parent ed371b8c

doc/man3/SSL_export_keying_material.pod

+2 −1
Original line number Diff line number Diff line
@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from 
the IANA Exporter Label Registry

(L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).

Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard

to be used without registration.

to be used without registration. TLSv1.3 imposes a maximum label length of

249 bytes.



Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and

above. Attempting to use it in SSLv3 will result in an error.

ssl/ssl_locl.h

+1 −1
Original line number Diff line number Diff line
@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md, 
                             const unsigned char *secret,

                             const unsigned char *label, size_t labellen,

                             const unsigned char *data, size_t datalen,

                             unsigned char *out, size_t outlen);

                             unsigned char *out, size_t outlen, int fatal);

__owur int tls13_derive_key(SSL *s, const EVP_MD *md,

                            const unsigned char *secret, unsigned char *key,

                            size_t keylen);

ssl/statem/extensions.c

+1 −1
Original line number Diff line number Diff line
@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 


    /* Generate the binder key */

    if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,

                           hashsize, binderkey, hashsize)) {

                           hashsize, binderkey, hashsize, 1)) {

        /* SSLfatal() already called */

        goto err;

    }

ssl/statem/statem_clnt.c

+1 −1
Original line number Diff line number Diff line
@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 
                               PACKET_data(&nonce),

                               PACKET_remaining(&nonce),

                               s->session->master_key,

                               hashlen)) {

                               hashlen, 1)) {

            /* SSLfatal() already called */

            goto err;

        }

ssl/statem/statem_srvr.c

+1 −1
Original line number Diff line number Diff line
@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) 
                               tick_nonce,

                               TICKET_NONCE_SIZE,

                               s->session->master_key,

                               hashlen)) {

                               hashlen, 1)) {

            /* SSLfatal() already called */

            goto err;

        }