Tolerate TLSv1.3 PSKs that are a different size to the hash size

We also default to SHA256 as per the spec if we do not have an explicit
digest defined.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)

diff --git a/apps/s_client.c b/apps/s_client.c
index a319d217c1f25518e07cab266d4485257e70ad6d..1ed853d14b710c820ae2d27a2b2022c75862eeec 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -197,19 +197,13 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
             return 0;
         }
 
-        if (key_len == EVP_MD_size(EVP_sha256()))
-            cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
-        else if (key_len == EVP_MD_size(EVP_sha384()))
-            cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);
-
+        /* We default to SHA-256 */
+        cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
         if (cipher == NULL) {
-            /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
-            OPENSSL_free(key);
-            *id = NULL;
-            *idlen = 0;
-            *sess = NULL;
-            return 1;
+            BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
+            return 0;
         }
+
         usesess = SSL_SESSION_new();
         if (usesess == NULL
                 || !SSL_SESSION_set1_master_key(usesess, key, key_len)

diff --git a/apps/s_server.c b/apps/s_server.c
index ff9ee5add9a30aab6776b102960800e126ef05f5..bc1d1e5608612b4f35de3f5829899c1c0071a6a7 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -208,14 +208,10 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
         return 0;
     }
 
-    if (key_len == EVP_MD_size(EVP_sha256()))
-        cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
-    else if (key_len == EVP_MD_size(EVP_sha384()))
-        cipher = SSL_CIPHER_find(ssl, tls13_aes256gcmsha384_id);
-
+    /* We default to SHA256 */
+    cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
     if (cipher == NULL) {
-        /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
-        OPENSSL_free(key);
+        BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
         return 0;
     }
 

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 6e3f8d16726d2d1d27d887831d6fc10f9746a423..8a8e524899cba28d0974e968ccbe823d8f3afbff 100644 (file)
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1426,7 +1426,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
     const char external_label[] = "ext binder";
     const char nonce_label[] = "resumption";
     const char *label;
-    size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
+    size_t bindersize, labelsize, psklen, hashsize = EVP_MD_size(md);
     int ret = -1;
     int usepskfored = 0;
 
@@ -1444,16 +1444,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
         labelsize = sizeof(resumption_label) - 1;
     }
 
-    if (sess->master_key_length != hashsize) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 SSL_R_BAD_PSK);
-        goto err;
-    }
-
     if (external) {
         psk = sess->master_key;
+        psklen = sess->master_key_length;
     } else {
         psk = tmppsk;
+        psklen = hashsize;
         if (!tls13_hkdf_expand(s, md, sess->master_key,
                                (const unsigned char *)nonce_label,
                                sizeof(nonce_label) - 1, sess->ext.tick_nonce,
@@ -1475,7 +1471,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
         early_secret = (unsigned char *)s->early_secret;
     else
         early_secret = (unsigned char *)sess->early_secret;
-    if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
+    if (!tls13_generate_secret(s, md, NULL, psk, psklen, early_secret)) {
         /* SSLfatal() already called */
         goto err;
     }