[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Jul 3 09:54:30 UTC 2017

The branch master has been updated
       via  4d89bf448490e7c77743f53bfbefbaddee9b275e (commit)
      from  48feaceb53fa6ae924e298b8eba0e247019313e4 (commit)

- Log -----------------------------------------------------------------
commit 4d89bf448490e7c77743f53bfbefbaddee9b275e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jun 30 10:45:11 2017 +0100

    Fix TLSv1.3 exporter
    We need to use the hashsize in generating the exportsecret not 0! Otherwise
    we end up with random garbage for the secret.
    It was pure chance that this passed the tests previously. It so happens
    that, because we call SSL_export_keying_material() repeatedly for different
    scenarios in the test, we end up in the tls13_export_keying_material() at
    exactly the same position in the stack each time and therefore end up using
    the same random garbage secret each time!
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3810)


Summary of changes:
 ssl/tls13_enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 55e68c6..92b1f19 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -622,7 +622,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
             || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
                                   (const unsigned char *)label, llen, NULL,
-                                  exportsecret, 0)
+                                  exportsecret, hashsize)
             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                   sizeof(exporterlabel) - 1, hash, out, olen))
         goto err;

More information about the openssl-commits mailing list