Commit ed371b8c authored by Matt Caswell's avatar Matt Caswell
Browse files

Revert "Reduce stack usage in tls13_hkdf_expand" 



This reverts commit ec0c5f56.

SSL_export_keying_material() may use longer label lengths.

Fixes #7712

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
parent 3a4a88f4

ssl/tls13_enc.c

+4 −12
Original line number Diff line number Diff line
@@ -13,14 +13,7 @@ 
#include <openssl/evp.h>

#include <openssl/kdf.h>



/*

 * RFC 8446, 7.1 Key Schedule, says:

 * Note: With common hash functions, any label longer than 12 characters

 * requires an additional iteration of the hash function to compute.

 * The labels in this specification have all been chosen to fit within

 * this limit.

 */

#define TLS13_MAX_LABEL_LEN     12

#define TLS13_MAX_LABEL_LEN     246



/* Always filled with zeros */

static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 
                             const unsigned char *data, size_t datalen,

                             unsigned char *out, size_t outlen)

{

    static const unsigned char label_prefix[] = "tls13 ";

    const unsigned char label_prefix[] = "tls13 ";

    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);

    int ret;

    size_t hkdflabellen;

    size_t hashlen;

    /*

     * 2 bytes for length of derived secret + 1 byte for length of combined

     * prefix and label + bytes for the label itself + 1 byte length of hash

     * + bytes for the hash itself

     * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined

     * prefix and label + bytes for the label itself + bytes for the hash

     */

    unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +

                            + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN