Fix ECDHE-PSK premaster secret derivation.
The original implementation used the wrong premaster secret: it used
psk || other_secret rather than other_secret || psk. Fix the
implementation to produce it in the right order.
See BoringSSL change https://boringssl-review.googlesource.com/#/c/2052/
Bug: 18147456
(cherry picked from commit d267f08e9ba3894f091344b2a4e3e55ad2498c24)
Change-Id: Ia6576c4c0e28722e66422e24ed0373a86d00efce
diff --git a/patches/0011-ecdhe_psk.patch b/patches/0011-ecdhe_psk.patch
index f2d3d8b..614b3ad 100644
--- a/patches/0011-ecdhe_psk.patch
+++ b/patches/0011-ecdhe_psk.patch
@@ -340,7 +340,7 @@
+ /* ECDHE PSK ciphersuites from RFC 5489 */
+ if ((alg_a & SSL_aPSK) && psk_len != 0)
+ {
-+ pre_ms_len = 2+psk_len+2+n;
++ pre_ms_len = 2+n+2+psk_len;
+ pre_ms = OPENSSL_malloc(pre_ms_len);
+ if (pre_ms == NULL)
+ {
@@ -350,11 +350,11 @@
+ }
+ memset(pre_ms, 0, pre_ms_len);
+ t = pre_ms;
-+ s2n(psk_len, t);
-+ memcpy(t, psk, psk_len);
-+ t += psk_len;
+ s2n(n, t);
+ memcpy(t, p, n);
++ t += n;
++ s2n(psk_len, t);
++ memcpy(t, psk, psk_len);
+ s->session->master_key_length = s->method->ssl3_enc \
+ -> generate_master_secret(s,
+ s->session->master_key, pre_ms, pre_ms_len);
@@ -1120,7 +1120,7 @@
- s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
- if (s->ctx->psk_identity_hint != NULL &&
- s->session->psk_identity_hint == NULL)
-+ pre_ms_len = 2+psk_len+2+i;
++ pre_ms_len = 2+i+2+psk_len;
+ pre_ms = OPENSSL_malloc(pre_ms_len);
+ if (pre_ms == NULL)
{
@@ -1140,11 +1140,11 @@
- goto f_err;
+ memset(pre_ms, 0, pre_ms_len);
+ t = pre_ms;
-+ s2n(psk_len, t);
-+ memcpy(t, psk, psk_len);
-+ t += psk_len;
+ s2n(i, t);
+ memcpy(t, p, i);
++ t += i;
++ s2n(psk_len, t);
++ memcpy(t, psk, psk_len);
+ s->session->master_key_length = s->method->ssl3_enc \
+ -> generate_master_secret(s,
+ s->session->master_key, pre_ms, pre_ms_len);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 486f538..1c1ba49 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2820,7 +2820,7 @@
/* ECDHE PSK ciphersuites from RFC 5489 */
if ((alg_a & SSL_aPSK) && psk_len != 0)
{
- pre_ms_len = 2+psk_len+2+n;
+ pre_ms_len = 2+n+2+psk_len;
pre_ms = OPENSSL_malloc(pre_ms_len);
if (pre_ms == NULL)
{
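Review bot: `pre_ms_len = 2+n+2+psk_len;` sizes the buffer from two lengths that the following hunk writes as 16-bit fields with s2n, and nothing in this hunk bounds n or psk_len or rejects a negative n; the s3_srvr.c hunk at -2837 has the same shape with `i`. Presumably psk_len is capped by the PSK callback wrapper and n is the already-checked result of the ECDH shared-secret computation earlier in the function, but both checks live outside the hunk, so the invariant is not visible where the length is used. A guard placed before the allocation, `if (n < 0 || n > 0xffff || psk_len > 0xffff)` failing the handshake, or at least a comment `/* n and psk_len are bounded by the callers; each must fit a 2-byte length field */`, would make that local. The enclosing function starts and ends outside the hunk.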
@@ -2830,11 +2830,11 @@
}
memset(pre_ms, 0, pre_ms_len);
t = pre_ms;
- s2n(psk_len, t);
- memcpy(t, psk, psk_len);
- t += psk_len;
s2n(n, t);
memcpy(t, p, n);
+ t += n;
+ s2n(psk_len, t);
+ memcpy(t, psk, psk_len);
s->session->master_key_length = s->method->ssl3_enc \
-> generate_master_secret(s,
s->session->master_key, pre_ms, pre_ms_len);
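Review bot: The new byte layout is documented only by the RFC number, so a reader has to fetch RFC 5489 to see why the ECDH secret now comes first; a comment above `s2n(n, t);` such as `/* RFC 5489 s.2: pre_ms = len(Z) || Z || len(psk) || psk, Z = ECDH shared secret */` records the contract this fix restores. The same applies to the identical s3_srvr.c hunk at -2847, which differs only in using `i` for the secret length. Since every byte of pre_ms is written by the two s2n/memcpy pairs, the preceding `memset(pre_ms, 0, pre_ms_len);` is redundant, though harmless. pre_ms holds the PSK once filled, so it must be cleansed rather than merely freed after generate_master_secret returns; that cleanup, like the rest of the enclosing function, is outside the hunk. Client and server now carry byte-identical assembly code, and a shared static helper would keep the two sides from drifting apart again.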
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f83c936..a38e00e 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2837,7 +2837,7 @@
/* ECDHE PSK ciphersuites from RFC 5489 */
if ((alg_a & SSL_aPSK) && psk_len != 0)
{
- pre_ms_len = 2+psk_len+2+i;
+ pre_ms_len = 2+i+2+psk_len;
pre_ms = OPENSSL_malloc(pre_ms_len);
if (pre_ms == NULL)
{
@@ -2847,11 +2847,11 @@
}
memset(pre_ms, 0, pre_ms_len);
t = pre_ms;
- s2n(psk_len, t);
- memcpy(t, psk, psk_len);
- t += psk_len;
s2n(i, t);
memcpy(t, p, i);
+ t += i;
+ s2n(psk_len, t);
+ memcpy(t, psk, psk_len);
s->session->master_key_length = s->method->ssl3_enc \
-> generate_master_secret(s,
s->session->master_key, pre_ms, pre_ms_len);