Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
author: jsing <> 2021-04-30 19:26:45 +0000
committer: jsing <> 2021-04-30 19:26:45 +0000
commit: 43140dd2d9a01de0fff0ae59aec0e1d7cda76474 (patch)
tree: 3facea5851b6c8afd6d09865048a1f9e6e0c0c8b /src/lib/libssl/ssl_srvr.c
parent: 83b76ed417b8b5f76bcd75ebddd3441a55c890ce (diff)
download: openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.tar.gz
openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.tar.bz2
openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.zip
1 files changed, 11 insertions, 15 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 2c15081f45..32ffa88f15 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.104 2021/04/25 13:15:22 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.105 2021/04/30 19:26:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1797,9 +1797,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
                p = fakekey;
        }
-        s->session->master_key_length =
+        if (!tls12_derive_master_secret(s, p, SSL_MAX_MASTER_KEY_LENGTH))
-            tls1_generate_master_secret(s,
+                goto err;
-                s->session->master_key, p, SSL_MAX_MASTER_KEY_LENGTH);
        freezero(pms, pms_len);
@@ -1867,8 +1866,8 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
                goto fatal_err;
        }
-        s->session->master_key_length = tls1_generate_master_secret(s,
+        if (!tls12_derive_master_secret(s, key, key_len))
-            s->session->master_key, key, key_len);
+                goto err;
        DH_free(S3I(s)->tmp.dh);
        S3I(s)->tmp.dh = NULL;
@@ -1928,8 +1927,8 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
        /* Derive the shared secret and compute master secret. */
        if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len))
                goto err;
-        s->session->master_key_length = tls1_generate_master_secret(s,
+        if (!tls12_derive_master_secret(s, key, key_len))
-            s->session->master_key, key, key_len);
+                goto err;
        EC_KEY_free(S3I(s)->tmp.ecdh);
        S3I(s)->tmp.ecdh = NULL;
@@ -1966,9 +1965,8 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs)
        freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
        S3I(s)->tmp.x25519 = NULL;
-        s->session->master_key_length =
+        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-            tls1_generate_master_secret(
+                goto err;
-                s, s->session->master_key, shared_key, X25519_KEY_LENGTH);
        ret = 1;
@@ -2033,10 +2031,8 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
                goto gerr;
        }
-        /* Generate master secret */
+        if (!tls12_derive_master_secret(s, premaster_secret, 32))
-        s->session->master_key_length =
+                goto err;
-            tls1_generate_master_secret(
-                s, s->session->master_key, premaster_secret, 32);
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
author	jsing <>	2021-04-30 19:26:45 +0000
committer	jsing <>	2021-04-30 19:26:45 +0000
commit	43140dd2d9a01de0fff0ae59aec0e1d7cda76474 (patch)
tree	3facea5851b6c8afd6d09865048a1f9e6e0c0c8b /src/lib/libssl/ssl_srvr.c
parent	83b76ed417b8b5f76bcd75ebddd3441a55c890ce (diff)
download	openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.tar.gz openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.tar.bz2 openbsd-43140dd2d9a01de0fff0ae59aec0e1d7cda76474.zip