author | Matt Caswell <matt@openssl.org> | 2018-12-03 18:14:57 +0000 |
committer | Matt Caswell <matt@openssl.org> | 2018-12-05 10:54:52 +0000 |
commit | ed371b8cbac0d0349667558c061c1ae380cf75eb (patch) | |
tree | 6a51d22aa54322d1212723072fe0363bf2336d55 /ssl | |
parent | 3a4a88f436ed1dd1165e0b59c1ca4a25e9e1d690 (diff) | |
Revert "Reduce stack usage in tls13_hkdf_expand"
This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d.
SSL_export_keying_material() may use longer label lengths.
Fixes #7712
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/tls13_enc.c | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b6825d2..f7ab0fa 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -13,14 +13,7 @@
 #include <openssl/evp.h>
 #include <openssl/kdf.h>

-/*
- * RFC 8446, 7.1 Key Schedule, says:
- * Note: With common hash functions, any label longer than 12 characters
- * requires an additional iteration of the hash function to compute.
- * The labels in this specification have all been chosen to fit within
- * this limit.
- */
-#define TLS13_MAX_LABEL_LEN 12
+#define TLS13_MAX_LABEL_LEN 246

 /* Always filled with zeros */
 static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
 const unsigned char *data, size_t datalen,
 unsigned char *out, size_t outlen)
 {
- static const unsigned char label_prefix[] = "tls13 ";
+ const unsigned char label_prefix[] = "tls13 ";
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
 int ret;
 size_t hkdflabellen;
 size_t hashlen;
 /*
- * 2 bytes for length of derived secret + 1 byte for length of combined
- * prefix and label + bytes for the label itself + 1 byte length of hash
- * + bytes for the hash itself
+ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
+ * prefix and label + bytes for the label itself + bytes for the hash
 */
 unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
 sizeof(label_prefix) + TLS13_MAX_LABEL_LEN |
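Review bot: The comment restored above `unsigned char hkdflabel[...]` in the second hunk misdescribes the HkdfLabel layout: in RFC 8446 section 7.1 the leading `uint16 length` field is the length of the derived output, not of the whole HkdfLabel, and the one-byte context length is no longer mentioned, whereas the pre-revert wording `2 bytes for length of derived secret + 1 byte for length of combined prefix and label + bytes for the label itself + 1 byte length of hash + bytes for the hash itself` was accurate and could be kept even though the size change itself is reverted. In the first hunk `#define TLS13_MAX_LABEL_LEN 246` becomes an unexplained magic number because the revert also drops the comment that justified the old value; a one-line comment saying where 246 comes from (presumably derived from the `opaque label<7..255>` bound less the `"tls13 "` prefix, but the arithmetic should be confirmed before writing it down) would help the next reader. The hkdflabel array is sized from this constant, so whatever check bounds the caller-supplied label length before it is copied into that stack buffer is what keeps this change safe; that check, and the rest of tls13_hkdf_expand, lie outside the hunk. Making `label_prefix` non-static again also means the array is re-initialised on every call, which is harmless but is the cost the reverted commit had removed.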