OpenSSL: Handle EVP_PKEY_derive() secret_len changes for ECDH

It looks like EVP_PKEY_derive() may change the returned length of the
buffer from the initial length determination (NULL buffer) to the
fetching of the value. Handle this by updating the secret length based
on the second call instead of the first one. This fixes some cases where
ECDH result has been used with extra data (zeros in the end) with OWE or
FILS PFS.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index aa5b9b4c74f1e72737f28259c39c006862b35c60..bab33a5372931c5c9520fd1e7355d826f7ac2b2f 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -2059,13 +2059,17 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
        secret = wpabuf_alloc(secret_len);
        if (!secret)
                goto fail;
-       if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len),
-                           &secret_len) != 1) {
+       if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
                wpa_printf(MSG_ERROR,
                           "OpenSSL: EVP_PKEY_derive(2) failed: %s",
                           ERR_error_string(ERR_get_error(), NULL));
                goto fail;
        }
+       if (secret->size != secret_len)
+               wpa_printf(MSG_DEBUG,
+                          "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
+                          (int) secret->size, (int) secret_len);
+       wpabuf_put(secret, secret_len);
 
 done:
        BN_free(x);