From: jsing Date: Sun, 2 May 2021 15:57:29 +0000 (+0000) Subject: Harden tls12_finished_verify_data() by checking master key length. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f55f2bcfa8ecd36582506743c67f10f1d06e41c8;p=openbsd Harden tls12_finished_verify_data() by checking master key length. Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@ --- diff --git a/lib/libssl/tls12_lib.c b/lib/libssl/tls12_lib.c index e7171ba8333..f30f3a7b463 100644 --- a/lib/libssl/tls12_lib.c +++ b/lib/libssl/tls12_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls12_lib.c,v 1.2 2021/04/30 19:26:45 jsing Exp $ */ +/* $OpenBSD: tls12_lib.c,v 1.3 2021/05/02 15:57:29 jsing Exp $ */ /* * Copyright (c) 2021 Joel Sing * @@ -27,6 +27,9 @@ tls12_finished_verify_data(SSL *s, const char *finished_label, *out_len = 0; + if (s->session->master_key_length <= 0) + return 0; + if (verify_data_len < TLS1_FINISH_MAC_LENGTH) return 0;