Ensure after an HRR any PSKs have the right hash

Don't include a PSK that does not have the right hash for the selected ciphersuite following an HRR. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2895)
2024-11-27 05:21:51 +08:00 · 2017-03-13 16:09:47 +00:00 · 2017-03-13 16:09:47 +00:00 · cf3e221bd9
commit cf3e221bd9
parent 11c67eeaf4
1 changed files with 8 additions and 0 deletions
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@ -769,6 +769,14 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
        return 1;
    }

+    if (s->hello_retry_request && md != ssl_handshake_md(s)) {
+        /*
+         * Selected ciphersuite hash does not match the hash for the session so
+         * we can't use it.
+         */
+        return 1;
+    }
+
    /*
     * Technically the C standard just says time() returns a time_t and says
     * nothing about the encoding of that type. In practice most implementations