Tolerate TLSv1.3 PSKs that are a different size to the hash size

We also default to SHA256 as per the spec if we do not have an explicit digest defined. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5554)

Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit digest defined. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5554)
e73c6eae · Matt Caswell · a7fb4fa1 · e73c6eae · e73c6eae · e73c6eae
隐藏空白更改
内联并排

Showing with 12 addition and 26 deletion

apps/s_client.c apps/s_client.c +5 -11

apps/s_server.c apps/s_server.c +3 -7

ssl/statem/extensions.c ssl/statem/extensions.c +4 -8

未找到文件。
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -197,19 +197,13 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
            return 0;
        }
-        if (key_len == EVP_MD_size(EVP_sha256()))
+        /* We default to SHA-256 */
-            cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
+        cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
-        else if (key_len == EVP_MD_size(EVP_sha384()))
-            cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);
        if (cipher == NULL) {
-            /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
+            BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
-            OPENSSL_free(key);
+            return 0;
-            *id = NULL;
-            *idlen = 0;
-            *sess = NULL;
-            return 1;
        }
        usesess = SSL_SESSION_new();
        if (usesess == NULL
                || !SSL_SESSION_set1_master_key(usesess, key, key_len)

--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -208,14 +208,10 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
        return 0;
    }
-    if (key_len == EVP_MD_size(EVP_sha256()))
+    /* We default to SHA256 */
-        cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
+    cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
-    else if (key_len == EVP_MD_size(EVP_sha384()))
-        cipher = SSL_CIPHER_find(ssl, tls13_aes256gcmsha384_id);
    if (cipher == NULL) {
-        /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
+        BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
-        OPENSSL_free(key);
        return 0;
    }

--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
    const char external_label[] = "ext binder";
    const char nonce_label[] = "resumption";
    const char *label;
-    size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
+    size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
    int ret = -1;
    int usepskfored = 0;
@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
        labelsize = sizeof(resumption_label) - 1;
    }
-    if (sess->master_key_length != hashsize) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 SSL_R_BAD_PSK);
-        goto err;
-    }
    if (external) {
        psk = sess->master_key;
+        psklen = sess->master_key_length;
    } else {
        psk = tmppsk;
+        psklen = hashsize;
        if (!tls13_hkdf_expand(s, md, sess->master_key,
                               (const unsigned char *)nonce_label,
                               sizeof(nonce_label) - 1, sess->ext.tick_nonce,
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
        early_secret = (unsigned char *)s->early_secret;
    else
        early_secret = (unsigned char *)sess->early_secret;
-    if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
+    if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
        /* SSLfatal() already called */
        goto err;
    }