Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing

diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index b84a534..8f3e964 100644 (file)
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.132 2021/02/03 15:14:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -619,6 +619,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
        size_t vallen, currentvalpos;
        int rv;
 
+       if (!SSL_is_init_finished(s)) {
+               SSLerror(s, SSL_R_BAD_STATE);
+               return 0;
+       }
+
        /* construct PRF arguments
         * we construct the PRF argument ourself rather than passing separate
         * values into the TLS PRF to ensure that the concatenation of values