From: Simo Sorce Date: Mon, 30 Sep 2024 13:25:48 +0000 (-0400) Subject: Use the correct length value for input salt X-Git-Tag: openssl-3.1.8~110 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddcf26e109c1f8e78d0b11ac4cf20b966890a569;p=thirdparty%2Fopenssl.git Use the correct length value for input salt In this function the salt can be either a zero buffer of exactly mdlen length, or an arbitrary salt of prevsecretlen length. Although in practice OpenSSL will always pass in a salt of mdlen size bytes in the current TLS 1.3 code, the openssl kdf command can pass in arbitrary values (I did it for testing), and a future change in the higher layer code could also result in unmatched lengths. If prevsecretlen is > mdlen this will cause incorrect salt expansion, if prevsecretlen < mdlen this could cause a crash or reading random information. Inboth case the generated output would be incorrect. Signed-off-by: Simo Sorce Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25579) (cherry picked from commit 5c91f70ba8f07eeeb02b6c285479e4482443a6fe) --- diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 6d52de94e5b..df725cc71ac 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -701,7 +701,7 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, EVP_MD_CTX_free(mctx); /* Generate the pre-extract secret */ - if (!prov_tls13_hkdf_expand(md, prevsecret, mdlen, + if (!prov_tls13_hkdf_expand(md, prevsecret, prevsecretlen, prefix, prefixlen, label, labellen, hash, mdlen, preextractsec, mdlen)) return 0; diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt index 9ad8b9fbd2d..c7e7b4b5bf9 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt @@ -4935,3 +4935,13 @@ Ctrl.mode = mode:EXTRACT_AND_EXPAND Ctrl.digest = digest:SHA256 Result = KDF_CTRL_ERROR +# Test that salt of arbitrary length works +FIPSversion = >=3.4.0 +KDF = TLS13-KDF +Ctrl.mode = mode:EXTRACT_ONLY +Ctrl.digest = digest:SHA2-256 +Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 +Ctrl.salt = hexsalt:00010203040506070809000102030405060708090001020304050607080900010203040506070809 +Ctrl.prefix = hexprefix:746c73313320 +Ctrl.label = hexlabel:64657269766564 +Output = ef0aa4925ab6f4588759e15dfadcf7602ca7aa39ebb092bd7ab48f6a68c54449