Increase the max key length of HMAC to 512 bytes. Previously we would

run into trouble in the TLS PRF with large pre-master secrets. This
especially crops up in TLS 1.2 as there the entire pre master secret
is fed to a single PRF (in earlier verions it is split in half).  A
limit of 512 bytes allows a DH group up to 4096 bits which seems good
enough for now.

Also catch Invalid_Key_Length in the TLS PRF and throw an exception
that makes more sense - initially I was completely thrown off by the
HMAC key length exception, and it took me a while to figure it
out. Someone else looking at this the first time a server sends a 8192
bit DH group would be even more confused.

1 files changed, 8 insertions, 1 deletions

diff --git a/src/kdf/prf_tls/prf_tls.cpp b/src/kdf/prf_tls/prf_tls.cpp
index 2b57cdd25..55d72bea4 100644
--- a/src/kdf/prf_tls/prf_tls.cpp
+++ b/src/kdf/prf_tls/prf_tls.cpp
@@ -23,7 +23,14 @@ void P_hash(MemoryRegion<byte>& output,
             const byte secret[], size_t secret_len,
             const byte seed[], size_t seed_len)
    {
-   mac->set_key(secret, secret_len);
+   try
+      {
+      mac->set_key(secret, secret_len);
+      }
+   catch(Invalid_Key_Length)
+      {
+      throw Internal_Error("The premaster secret is too long for the PRF");
+      }
 
    SecureVector<byte> A(seed, seed_len);