EVP_MD_CTX *mctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
- unsigned char *early_secret;
+ unsigned char tmppsk[EVP_MAX_MD_SIZE];
+ unsigned char *early_secret, *psk;
const char resumption_label[] = "res binder";
const char external_label[] = "ext binder";
+ const char nonce_label[] = "resumption";
const char *label;
size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
int ret = -1;
labelsize = sizeof(resumption_label) - 1;
}
+ if (sess->master_key_length != hashsize) {
+ SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
+ goto err;
+ }
+
+ if (external) {
+ psk = sess->master_key;
+ } else {
+ if (sess->ext.tick_nonce == NULL) {
+ SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
+ goto err;
+ }
+ psk = tmppsk;
+ if (!tls13_hkdf_expand(s, md, sess->master_key,
+ (const unsigned char *)nonce_label,
+ sizeof(nonce_label) - 1, sess->ext.tick_nonce,
+ sess->ext.tick_nonce_len, psk, hashsize)) {
+ SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
+
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
- if (!tls13_generate_secret(s, md, NULL, sess->master_key,
- sess->master_key_length, early_secret)) {
+ if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
projects / oweals / openssl.git / commitdiff