In this function the salt can be either a zero buffer of exactly mdlen
length, or an arbitrary salt of prevsecretlen length.
Although in practice OpenSSL will always pass in a salt of mdlen size
bytes in the current TLS 1.3 code, the openssl kdf command can pass in
arbitrary values (I did it for testing), and a future change in the
higher layer code could also result in unmatched lengths.
If prevsecretlen is > mdlen this will cause incorrect salt expansion, if
prevsecretlen < mdlen this could cause a crash or reading random
information. Inboth case the generated output would be incorrect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25579)
(cherry picked from commit
5c91f70ba8f07eeeb02b6c285479e4482443a6fe)
EVP_MD_CTX_free(mctx);
/* Generate the pre-extract secret */
- if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen,
+ if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen,
prefix, prefixlen, label, labellen,
hash, mdlen, preextractsec, mdlen))
return 0;
Ctrl.digest = digest:SHA256
Result = KDF_CTRL_ERROR
+# Test that salt of arbitrary length works
+FIPSversion = >=3.4.0
+KDF = TLS13-KDF
+Ctrl.mode = mode:EXTRACT_ONLY
+Ctrl.digest = digest:SHA2-256
+Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
+Ctrl.salt = hexsalt:00010203040506070809000102030405060708090001020304050607080900010203040506070809
+Ctrl.prefix = hexprefix:746c73313320
+Ctrl.label = hexlabel:64657269766564
+Output = ef0aa4925ab6f4588759e15dfadcf7602ca7aa39ebb092bd7ab48f6a68c54449
projects / thirdparty / openssl.git / commitdiff
