Fix TLSv1.3 exporter
authorMatt Caswell <matt@openssl.org>
Fri, 30 Jun 2017 09:45:11 +0000 (10:45 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 3 Jul 2017 09:48:34 +0000 (10:48 +0100)
We need to use the hashsize in generating the exportsecret not 0! Otherwise
we end up with random garbage for the secret.

It was pure chance that this passed the tests previously. It so happens
that, because we call SSL_export_keying_material() repeatedly for different
scenarios in the test, we end up in the tls13_export_keying_material() at
exactly the same position in the stack each time and therefore end up using
the same random garbage secret each time!

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3810)

ssl/tls13_enc.c

index 55e68c60db1178d517e2023ddeafc5a156bbd846..92b1f198ab6bba0af097406c5b144d5ce71de778 100644 (file)
@@ -622,7 +622,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
             || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
                                   (const unsigned char *)label, llen, NULL,
             || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
                                   (const unsigned char *)label, llen, NULL,
-                                  exportsecret, 0)
+                                  exportsecret, hashsize)
             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                   sizeof(exporterlabel) - 1, hash, out, olen))
         goto err;
             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                   sizeof(exporterlabel) - 1, hash, out, olen))
         goto err;