authorjsing <>2021-04-30 19:26:45 +0000
committerjsing <>2021-04-30 19:26:45 +0000
commit43140dd2d9a01de0fff0ae59aec0e1d7cda76474 (patch)
tree3facea5851b6c8afd6d09865048a1f9e6e0c0c8b /src/lib/libssl/ssl_clnt.c
parent83b76ed417b8b5f76bcd75ebddd3441a55c890ce (diff)
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_clnt.c29
1 files changed, 12 insertions, 17 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index c129bb6d66..a38d1f1ed4 100644
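--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.93 2021/04/25 13:15:22 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.94 2021/04/30 19:26:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2001,9 +2001,8 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  if (!CBB_flush(cbb))
  goto err;
 
- s->session->master_key_length =
- tls1_generate_master_secret(s,
- s->session->master_key, pms, sizeof(pms));
+ if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
+ goto err;
 
  ret = 1;
 
@@ -2055,10 +2054,8 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  goto err;
  }
 
- /* Generate master key from the result. */
- s->session->master_key_length =
- tls1_generate_master_secret(s,
- s->session->master_key, key, key_len);
+ if (!tls12_derive_master_secret(s, key, key_len))
+ goto err;
 
  if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
  goto err;
@@ -2104,8 +2101,8 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 
  if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))
  goto err;
- s->session->master_key_length = tls1_generate_master_secret(s,
- s->session->master_key, key, key_len);
+ if (!tls12_derive_master_secret(s, key, key_len))
+ goto err;
 
  ret = 1;
 
@@ -2142,10 +2139,8 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
  if (!CBB_flush(cbb))
  goto err;
 
- /* Generate master key from the result. */
- s->session->master_key_length =
- tls1_generate_master_secret(s,
- s->session->master_key, shared_key, X25519_KEY_LENGTH);
+ if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
+ goto err;
 
  ret = 1;
 
@@ -2276,9 +2271,9 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
  s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
  }
  EVP_PKEY_CTX_free(pkey_ctx);
- s->session->master_key_length =
- tls1_generate_master_secret(s,
- s->session->master_key, premaster_secret, 32);
+
+ if (!tls12_derive_master_secret(s, premaster_secret, 32))
+ goto err;
 
  ret = 1;
 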
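Review bot: In the ssl3_send_client_kex_gost hunk the premaster length is still the literal `32`, while the RSA call site passes `sizeof(pms)` and the DHE/ECDHE sites pass `key_len`. If premaster_secret is a fixed-size array (its declaration is outside the hunk), `if (!tls12_derive_master_secret(s, premaster_secret, sizeof(premaster_secret)))` keeps the length tied to the buffer. The same hunk now reaches `goto err` right after `EVP_PKEY_CTX_free(pkey_ctx)`, so it is worth confirming that the err label, which is not visible here, does not release pkey_ctx a second time.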