diff options
| author | Simo Sorce <simo@redhat.com> | 2024-09-30 15:25:48 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2024-10-02 12:05:39 +0200 |
| commit | 5c91f70ba8f07eeeb02b6c285479e4482443a6fe (patch) | |
| tree | ec8b5c57a44406b7f81330627b66adc15ec4ddeb /providers | |
| parent | ci: add 3.4 to prov-compat-label tests (diff) | |
| download | openssl-5c91f70ba8f07eeeb02b6c285479e4482443a6fe.tar.xz openssl-5c91f70ba8f07eeeb02b6c285479e4482443a6fe.zip | |
Use the correct length value for input salt
In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.
If prevsecretlen is > mdlen this will cause incorrect salt expansion, if
prevsecretlen < mdlen this could cause a crash or reading random
information. Inboth case the generated output would be incorrect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/implementations/kdfs/hkdf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index b3339bdd5a..c7454b00cf 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -721,7 +721,7 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, EVP_MD_CTX_free(mctx); /* Generate the pre-extract secret */ - if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen, + if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen, prefix, prefixlen, label, labellen, hash, mdlen, preextractsec, mdlen)) return 0; |