| From 56e0f123dc17cb99f50efbae4bbbab77f360818f Mon Sep 17 00:00:00 2001 |
| From: Matt Caswell <matt@openssl.org> |
| Date: Mon, 3 Dec 2018 18:14:57 +0000 |
| Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand" |
| |
| This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d. |
| |
| SSL_export_keying_material() may use longer label lengths. |
| |
| Fixes #7712 |
| |
| Reviewed-by: Tim Hudson <tjh@openssl.org> |
| (Merged from https://github.com/openssl/openssl/pull/7755) |
| |
| (cherry picked from commit ed371b8cbac0d0349667558c061c1ae380cf75eb) |
| Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> |
| --- |
| ssl/tls13_enc.c | 16 ++++------------ |
| 1 file changed, 4 insertions(+), 12 deletions(-) |
| |
| diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c |
| index b6825d20c2..f7ab0fa470 100644 |
| --- a/ssl/tls13_enc.c |
| +++ b/ssl/tls13_enc.c |
| @@ -13,14 +13,7 @@ |
| #include <openssl/evp.h> |
| #include <openssl/kdf.h> |
| |
| -/* |
| - * RFC 8446, 7.1 Key Schedule, says: |
| - * Note: With common hash functions, any label longer than 12 characters |
| - * requires an additional iteration of the hash function to compute. |
| - * The labels in this specification have all been chosen to fit within |
| - * this limit. |
| - */ |
| -#define TLS13_MAX_LABEL_LEN 12 |
| +#define TLS13_MAX_LABEL_LEN 246 |
| |
| /* Always filled with zeros */ |
| static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; |
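Review bot: The new `#define TLS13_MAX_LABEL_LEN 246` at line 37 replaces the removed RFC 8446 rationale with no explanation at all, so a reader can no longer tell how the bound was chosen or what it protects. The constant sizes the on-stack `hkdflabel` buffer in the second hunk, and per the commit message the label can come from SSL_export_keying_material() callers, so the caller-supplied label length must be checked against this bound before it is copied into the buffer; that check is not visible in either hunk and is worth confirming in the rest of tls13_hkdf_expand. Suggest a short comment on the define, e.g. `/* HkdfLabel.label carries a one-byte length, so "tls13 " + label must fit in 255 bytes; 246 leaves room for the 6-byte prefix (presumably how this value was chosen — confirm) */`.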
| @@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, |
| const unsigned char *data, size_t datalen, |
| unsigned char *out, size_t outlen) |
| { |
| - static const unsigned char label_prefix[] = "tls13 "; |
| + const unsigned char label_prefix[] = "tls13 "; |
| EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
| int ret; |
| size_t hkdflabellen; |
| size_t hashlen; |
| /* |
| - * 2 bytes for length of derived secret + 1 byte for length of combined |
| - * prefix and label + bytes for the label itself + 1 byte length of hash |
| - * + bytes for the hash itself |
| + * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined |
| + * prefix and label + bytes for the label itself + bytes for the hash |
| */ |
| unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + |
| + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN |
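Review bot: The restored comment at lines 55–56 misdescribes the HkdfLabel layout: in RFC 8446 §7.1 the leading uint16 is the output length (`HkdfLabel.length`), not the length of the whole structure, and the `context` field that carries the hash is itself prefixed by a one-byte length that the new wording drops. The wording being removed (`2 bytes for length of derived secret`, `1 byte length of hash`) was the accurate one; suggest `* 2 bytes for the output length (HkdfLabel.length) + 1 byte for the length of combined prefix and label + bytes for the label itself + 1 byte for the context length + bytes for the context (hash)`. Separately, dropping `static` from `label_prefix` at line 46 is unrelated to the label-length bound this revert is fixing and reintroduces a per-call stack copy of the prefix; `static const` could have been kept without affecting `sizeof(label_prefix)` in the array size. The `hkdflabel` declaration and the remainder of tls13_hkdf_expand continue outside the hunk, so whether the size expression accounts for the context length byte cannot be confirmed from here.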
| -- |
| 2.20.1 |
| |