From 3d622e554e12da7b29c6216eaeb927b79e481093 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Wed, 23 Nov 2016 12:39:29 -0500 Subject: [PATCH] Add missing bounds check in tls13_derive_resumption_secret. This is fine because TLS PRFs only go up to SHA-384, but since SSL_SESSION::master_key is sized to 48, not EVP_MAX_MD_SIZE, this should explicitly check the bounds. Change-Id: I2b1bcaab5cdfc3ce4d7a8b8ed5cc4c6d15d10270 Reviewed-on: https://boringssl-review.googlesource.com/12460 CQ-Verified: CQ bot account: commit-bot@chromium.org Reviewed-by: Steven Valdez Reviewed-by: David Benjamin Commit-Queue: David Benjamin
---
 ssl/tls13_enc.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index d87d8a6f..d53313cb 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -270,6 +270,11 @@ int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
 static const char kTLS13LabelResumption[] = "resumption master secret";

 int tls13_derive_resumption_secret(SSL *ssl) {
+ if (ssl->s3->hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
 ssl->s3->new_session->master_key_length = ssl->s3->hs->hash_len;
 return derive_secret(ssl, ssl->s3->new_session->master_key,
 ssl->s3->new_session->master_key_length,
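Review bot: The new guard at the top of tls13_derive_resumption_secret carries no comment saying which buffer it protects, so the link between `hash_len` and the fixed size of `new_session->master_key` is recorded only in the commit message. I would add a comment above the `if`, for example `/* master_key is sized to SSL_MAX_MASTER_KEY_LENGTH, not EVP_MAX_MD_SIZE; reject a larger digest before derive_secret writes into it. */`, so the check is not later removed as dead code. The check is placed correctly, before the length is stored and before derive_secret is called. The function body continues past the end of the hunk, so the remaining derive_secret arguments are not visible here.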