Commit e73c6eae authored by Matt Caswell's avatar Matt Caswell

Tolerate TLSv1.3 PSKs that are a different size to the hash size



We also default to SHA256 as per the spec if we do not have an explicit
digest defined.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
parent a7fb4fa1
+5 −11
@@ -197,19 +197,13 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
            return 0;
        }

        if (key_len == EVP_MD_size(EVP_sha256()))
        /* We default to SHA-256 */
        cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
        else if (key_len == EVP_MD_size(EVP_sha384()))
            cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);

        if (cipher == NULL) {
            /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
            OPENSSL_free(key);
            *id = NULL;
            *idlen = 0;
            *sess = NULL;
            return 1;
            BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
            return 0;
        }

        usesess = SSL_SESSION_new();
        if (usesess == NULL
                || !SSL_SESSION_set1_master_key(usesess, key, key_len)
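Review bot: Nothing left in this hunk checks `key_len` before `SSL_SESSION_set1_master_key(usesess, key, key_len)`, so an empty or very short PSK is accepted and paired with the SHA-256 suite without any message. Accepting sizes other than the hash size is the purpose of the commit, but a mistyped hex key on the command line now goes unnoticed. A guard such as `if (key_len == 0) { BIO_printf(bio_err, "PSK must not be empty\n"); OPENSSL_free(key); return 0; }`, plus a warning when the key is shorter than the SHA-256 output, would make a weak key visible. Whether the parsing above the hunk can yield a zero length is not visible here, so that part needs confirming. The same applies to `psk_find_session_cb` in the server section below, and `psk_use_session_cb` continues outside the hunk.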
+3 −7
@@ -208,14 +208,10 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
        return 0;
    }

    if (key_len == EVP_MD_size(EVP_sha256()))
    /* We default to SHA256 */
    cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
    else if (key_len == EVP_MD_size(EVP_sha384()))
        cipher = SSL_CIPHER_find(ssl, tls13_aes256gcmsha384_id);

    if (cipher == NULL) {
        /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
        OPENSSL_free(key);
        BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
        return 0;
    }
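Review bot: The comment `/* We default to SHA256 */` states the choice but not the reason or its consequence. Something like `/* No digest is configured for a command-line PSK, so use the SHA-256 default the spec gives for external PSKs; the PSK is then only usable with a SHA-256 ciphersuite */` would tell a reader that a handshake settling on the SHA-384 suite is not expected to use this key. That consequence follows from how TLSv1.3 ties a PSK to a hash rather than from lines visible here, so confirm it against the code that selects the PSK. `psk_find_session_cb` starts and ends outside the hunk.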

+4 −8
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
    const char external_label[] = "ext binder";
    const char nonce_label[] = "resumption";
    const char *label;
    size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
    size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
    int ret = -1;
    int usepskfored = 0;

@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
        labelsize = sizeof(resumption_label) - 1;
    }

    if (sess->master_key_length != hashsize) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
                 SSL_R_BAD_PSK);
        goto err;
    }

    if (external) {
        psk = sess->master_key;
        psklen = sess->master_key_length;
    } else {
        psk = tmppsk;
        psklen = hashsize;
        if (!tls13_hkdf_expand(s, md, sess->master_key,
                               (const unsigned char *)nonce_label,
                               sizeof(nonce_label) - 1, sess->ext.tick_nonce,
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
        early_secret = (unsigned char *)s->early_secret;
    else
        early_secret = (unsigned char *)sess->early_secret;
    if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
    if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
        /* SSLfatal() already called */
        goto err;
    }
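Review bot: Dropping the `sess->master_key_length != hashsize` test also removes it for the resumption path, where `psklen = hashsize` and `tls13_hkdf_expand(s, md, sess->master_key, ...)` receives the master key with no length in the visible part of the call. If that helper reads `hashsize` bytes of secret, a resumption session whose master key is shorter than the digest would have bytes past `master_key_length` mixed into the binder key. Keeping the check for that branch only, `if (!external && sess->master_key_length != hashsize) {` with the existing `SSLfatal(..., SSL_R_BAD_PSK); goto err;` body, preserves the new tolerance for external PSKs. The call continues past the hunk boundary and `tls_psk_do_binder` starts and ends outside it, so the helper's actual behaviour should be confirmed.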