Harden tls12_finished_verify_data() by checking master key length.

Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@
author: jsing <> 2021-05-02 15:57:29 +0000
committer: jsing <> 2021-05-02 15:57:29 +0000
commit: 95894891643b71343cea462391dd9b572d549079 (patch)
tree: 48e1fb50f3b74c891b963be1d708c5ed38f3c485 /src/lib/libssl/tls12_lib.c
parent: 11742e8bc2d14b2bb2eb9e732820f0b626fe8d57 (diff)
download: openbsd-95894891643b71343cea462391dd9b572d549079.tar.gz
openbsd-95894891643b71343cea462391dd9b572d549079.tar.bz2
openbsd-95894891643b71343cea462391dd9b572d549079.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/libssl/tls12_lib.c b/src/lib/libssl/tls12_lib.c
index e7171ba833..f30f3a7b46 100644
--- a/src/lib/libssl/tls12_lib.c
+++ b/src/lib/libssl/tls12_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls12_lib.c,v 1.2 2021/04/30 19:26:45 jsing Exp $ */
+/*      $OpenBSD: tls12_lib.c,v 1.3 2021/05/02 15:57:29 jsing Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -27,6 +27,9 @@ tls12_finished_verify_data(SSL *s, const char *finished_label,
        *out_len = 0;
+        if (s->session->master_key_length <= 0)
+                return 0;
        if (verify_data_len < TLS1_FINISH_MAC_LENGTH)
                return 0;
author	jsing <>	2021-05-02 15:57:29 +0000
committer	jsing <>	2021-05-02 15:57:29 +0000
commit	95894891643b71343cea462391dd9b572d549079 (patch)
tree	48e1fb50f3b74c891b963be1d708c5ed38f3c485 /src/lib/libssl/tls12_lib.c
parent	11742e8bc2d14b2bb2eb9e732820f0b626fe8d57 (diff)
download	openbsd-95894891643b71343cea462391dd9b572d549079.tar.gz openbsd-95894891643b71343cea462391dd9b572d549079.tar.bz2 openbsd-95894891643b71343cea462391dd9b572d549079.zip