Harden tls12_finished_verify_data() by checking master key length.

Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@
author: jsing <> 2021-05-02 15:57:29 +0000
committer: jsing <> 2021-05-02 15:57:29 +0000
commit: ad1f7415eb38a81db6b28cde559a74f7686f8da2 (patch)
tree: 48e1fb50f3b74c891b963be1d708c5ed38f3c485 /src/lib
parent: 2f89d7839a55a48505ab2b34d0fe67064819920f (diff)
download: openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.tar.gz
openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.tar.bz2
openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/libssl/tls12_lib.c b/src/lib/libssl/tls12_lib.c
index e7171ba833..f30f3a7b46 100644
--- a/src/lib/libssl/tls12_lib.c
+++ b/src/lib/libssl/tls12_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls12_lib.c,v 1.2 2021/04/30 19:26:45 jsing Exp $ */
+/*      $OpenBSD: tls12_lib.c,v 1.3 2021/05/02 15:57:29 jsing Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -27,6 +27,9 @@ tls12_finished_verify_data(SSL *s, const char *finished_label,
        *out_len = 0;
+        if (s->session->master_key_length <= 0)
+                return 0;
        if (verify_data_len < TLS1_FINISH_MAC_LENGTH)
                return 0;
author	jsing <>	2021-05-02 15:57:29 +0000
committer	jsing <>	2021-05-02 15:57:29 +0000
commit	ad1f7415eb38a81db6b28cde559a74f7686f8da2 (patch)
tree	48e1fb50f3b74c891b963be1d708c5ed38f3c485 /src/lib
parent	2f89d7839a55a48505ab2b34d0fe67064819920f (diff)
download	openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.tar.gz openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.tar.bz2 openbsd-ad1f7415eb38a81db6b28cde559a74f7686f8da2.zip