From cf3e221bd90085035d869d3a233a03970d036638 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 13 Mar 2017 16:09:47 +0000 Subject: [PATCH] Ensure after an HRR any PSKs have the right hash Don't include a PSK that does not have the right hash for the selected ciphersuite following an HRR. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2895) --- ssl/statem/extensions_clnt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 59bc974219..84bfb3c265 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -769,6 +769,14 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, return 1; } + if (s->hello_retry_request && md != ssl_handshake_md(s)) { + /* + * Selected ciphersuite hash does not match the hash for the session so + * we can't use it. + */ + return 1; + } + /* * Technically the C standard just says time() returns a time_t and says * nothing about the encoding of that type. In practice most implementations -- 2.25.1