From 9ae62f4dfb39031110048c25e86bfecb964d3b9a Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 3 Feb 2021 15:14:44 +0000 Subject: [PATCH] Fail early in legacy exporter if master secret is not available The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard. with/ok jsing --- lib/libssl/t1_enc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index b84a5347f1b..8f3e9649b06 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.132 2021/02/03 15:14:44 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -619,6 +619,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, size_t vallen, currentvalpos; int rv; + if (!SSL_is_init_finished(s)) { + SSLerror(s, SSL_R_BAD_STATE); + return 0; + } + /* construct PRF arguments * we construct the PRF argument ourself rather than passing separate * values into the TLS PRF to ensure that the concatenation of values -- 2.20.1