From: Matt Caswell Date: Mon, 13 Mar 2017 16:09:47 +0000 (+0000) Subject: Ensure after an HRR any PSKs have the right hash X-Git-Tag: OpenSSL_1_1_1-pre1~2009 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cf3e221bd90085035d869d3a233a03970d036638;p=oweals%2Fopenssl.git Ensure after an HRR any PSKs have the right hash Don't include a PSK that does not have the right hash for the selected ciphersuite following an HRR. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2895) --- diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 59bc974219..84bfb3c265 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -769,6 +769,14 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, return 1; } + if (s->hello_retry_request && md != ssl_handshake_md(s)) { + /* + * Selected ciphersuite hash does not match the hash for the session so + * we can't use it. + */ + return 1; + } + /* * Technically the C standard just says time() returns a time_t and says * nothing about the encoding of that type. In practice most implementations
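Review bot: The new condition in tls_construct_ctos_psk(), s->hello_retry_request && md != ssl_handshake_md(s), detects the hash mismatch by comparing two digest pointers for identity, which is only correct if md and the value returned by ssl_handshake_md(s) are always obtained from the same lookup. Either compare the digest types instead (for example with EVP_MD_type()) or extend the comment to state that assumption. The early "return 1" also omits the PSK silently, like the "return 1" in the context just above it, so the comment should say that the ClientHello after the HRR is then sent without the PSK extension. The diff touches only ssl/statem/extensions_clnt.c; a test in which the HelloRetryRequest selects a ciphersuite whose hash differs from the session's would keep this check from regressing.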