git.ipfire.org Git - thirdparty/openssl.git/commit
Use the correct length value for input salt
author Simo Sorce <simo@redhat.com>
Mon, 30 Sep 2024 13:25:48 +0000 (09:25 -0400)
committer Tomas Mraz <tomas@openssl.org>
Wed, 2 Oct 2024 10:09:44 +0000 (12:09 +0200)
commit 3c2b5256b546fbb941737c35c9cfd2cf3aa83c96
tree 022fb3240c3a31067bb4ec2085fd28629c9b2a08
parent 2b19a76914b50c7c3331d2eff1948dfe1904dc1a
Use the correct length value for input salt

In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.

If prevsecretlen is > mdlen this will cause incorrect salt expansion, if
prevsecretlen < mdlen this could cause a crash or reading random
information. In both cases the generated output would be incorrect.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)

(cherry picked from commit 5c91f70ba8f07eeeb02b6c285479e4482443a6fe)
providers/implementations/kdfs/hkdf.c
test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
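
A Python model of the salt-length mismatch the commit message describes, added here as an illustration and not taken from the OpenSSL source. The function names, the choice of SHA-256 and the sample byte strings are assumptions constructed for the example; `MDLEN` stands in for the message's mdlen and `len(prevsecret)` for prevsecretlen.

```python
import hashlib
import hmac

MD = hashlib.sha256
MDLEN = MD().digest_size          # 32 bytes for SHA-256
IKM = bytes(range(0x40, 0x60))    # constructed sample input keying material


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM), salt is the HMAC key."""
    return hmac.new(salt, ikm, MD).digest()


def extract_with_salt_len(prevsecret, ikm, salt_len):
    """Model a C caller that passes (salt pointer, salt_len) to HKDF-Extract.

    prevsecret is None -> the default salt, a zero buffer of exactly MDLEN bytes.
    Otherwise the salt is the prevsecret buffer, read for salt_len bytes.
    """
    if prevsecret is None:
        return hkdf_extract(bytes(MDLEN), ikm)
    if salt_len > len(prevsecret):
        # In C this would read past the end of the buffer; the model refuses.
        raise ValueError("salt_len exceeds the prevsecret buffer")
    # salt_len < len(prevsecret) silently drops the tail of the salt.
    return hkdf_extract(prevsecret[:salt_len], ikm)


def check(prevsecret: bytes, ikm: bytes) -> str:
    """Compare the correct salt length against a hard-coded MDLEN."""
    good = extract_with_salt_len(prevsecret, ikm, len(prevsecret))
    try:
        bad = extract_with_salt_len(prevsecret, ikm, MDLEN)
    except ValueError:
        return "overread"
    return "match" if hmac.compare_digest(good, bad) else "mismatch"


if __name__ == "__main__":
    # Constructed salts: equal to, longer than, and shorter than MDLEN.
    for n in (MDLEN, 48, 16):
        print(n, check(bytes(range(1, n + 1)), IKM))
```

The 48-byte salt ends in non-zero bytes on purpose: HMAC zero-pads short keys to the block size, so a salt whose dropped tail was all zeros would hide the mismatch.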