Ensure after an HRR any PSKs have the right hash
authorMatt Caswell <matt@openssl.org>
Mon, 13 Mar 2017 16:09:47 +0000 (16:09 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 16 Mar 2017 14:20:38 +0000 (14:20 +0000)
Don't include a PSK that does not have the right hash for the selected
ciphersuite following an HRR.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)

ssl/statem/extensions_clnt.c

index 59bc974..84bfb3c 100644 (file)
@@ -769,6 +769,14 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
         return 1;
     }
 
+    if (s->hello_retry_request && md != ssl_handshake_md(s)) {
+        /*
+         * Selected ciphersuite hash does not match the hash for the session so
+         * we can't use it.
+         */
+        return 1;
+    }
+
     /*
      * Technically the C standard just says time() returns a time_t and says
      * nothing about the encoding of that type. In practice most implementations