From 8df68632e838539730556f13ee8e06121fe986e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 23 Jun 2014 17:56:08 +0200
Subject: [PATCH] Fix bug in DHE-PSK PMS computation

---
 ChangeLog | 3 +++
 library/ssl_tls.c | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f22a14604..7dff0cfae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -51,6 +51,9 @@ Bugfix
 interpret semicolons as comment delimiters (found by Barry K. Nathan).
 * Fix off-by-one error in parsing Supported Point Format extension that
 caused some handshakes to fail.
+ * Fix possible miscomputation of the premaster secret with DHE-PSK key
+ exchange that caused some handshakes to fail with other implementations.
+ (Failure rate <= 1/255 with common DHM moduli.)
 
 = PolarSSL 1.3.7 released on 2014-05-02
 Features
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b0812848f..3de7f7c93 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -913,14 +913,16 @@ int ssl_psk_derive_premaster( ssl_context *ssl, key_exchange_type_t key_ex )
 if( end - p < 2 + (int) len )
 return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
- *(p++) = (unsigned char)( len >> 8 );
- *(p++) = (unsigned char)( len );
+ /* Write length only when we know the actual value */
 if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
- p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 )
+ p + 2, &len,
+ ssl->f_rng, ssl->p_rng ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
 return( ret );
 }
+ *(p++) = (unsigned char)( len >> 8 );
+ *(p++) = (unsigned char)( len );
 p += len;
 
 SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
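Review bot: The length check `if( end - p < 2 + (int) len )` on the first context line of the ssl_tls.c hunk still uses the pre-call `len`, while `dhm_calc_secret()` now writes at `p + 2` and then replaces `len` with the actual secret size, so the buffer bound holds only if the callee never writes more than the `len` it was given; that appears to be the 1.3.x contract (output bounded by the modulus size), but it is not visible in this hunk and deserves a sentence in the comment. I would replace `/* Write length only when we know the actual value */` with `/* dhm_calc_secret() may return fewer bytes than the upper bound checked above (presumably a stripped leading zero byte, hence the <= 1/255 rate in the ChangeLog), so the 2-byte length prefix is written afterwards from the returned len */`. The enclosing function ssl_psk_derive_premaster() starts before and continues after this hunk.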