Fail early in legacy exporter if master secret is not available

The exporter depends on having a master secret. If the handshake is
not completed, it is neither guaranteed that a shared ciphersuite was
selected (in which case tls1_PRF() will currently NULL deref) or that
a master secret was set up (in which case the exporter will succeed
with a predictable value). Neither outcome is desirable, so error out
early instead of entering the sausage factory unprepared. This aligns
the legacy exporter with the TLSv1.3 exporter in that regard.

with/ok jsing

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index b84a5347f1..8f3e9649b0 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.132 2021/02/03 15:14:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -619,6 +619,11 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
         size_t vallen, currentvalpos;
         int rv;
 
+        if (!SSL_is_init_finished(s)) {
+                SSLerror(s, SSL_R_BAD_STATE);
+                return 0;
+        }
+
         /* construct PRF arguments
          * we construct the PRF argument ourself rather than passing separate
          * values into the TLS PRF to ensure that the concatenation of values