1 files changed, 12 insertions, 17 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index c129bb6d66..a38d1f1ed4 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.93 2021/04/25 13:15:22 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.94 2021/04/30 19:26:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2001,9 +2001,8 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        if (!CBB_flush(cbb))
                goto err;
-        s->session->master_key_length =
+        if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
-            tls1_generate_master_secret(s,
+                goto err;
-                s->session->master_key, pms, sizeof(pms));
        ret = 1;
@@ -2055,10 +2054,8 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
                goto err;
        }
-        /* Generate master key from the result. */
+        if (!tls12_derive_master_secret(s, key, key_len))
-        s->session->master_key_length =
+                goto err;
-            tls1_generate_master_secret(s,
-                s->session->master_key, key, key_len);
        if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
                goto err;
@@ -2104,8 +2101,8 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
        if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))
                goto err;
-        s->session->master_key_length = tls1_generate_master_secret(s,
+        if (!tls12_derive_master_secret(s, key, key_len))
-                s->session->master_key, key, key_len);
+                goto err;
        ret = 1;
@@ -2142,10 +2139,8 @@ ssl3_send_client_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, CBB *cbb)
        if (!CBB_flush(cbb))
                goto err;
-        /* Generate master key from the result. */
+        if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
-        s->session->master_key_length =
+                goto err;
-            tls1_generate_master_secret(s,
-                s->session->master_key, shared_key, X25519_KEY_LENGTH);
        ret = 1;
@@ -2276,9 +2271,9 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
                s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
        }
        EVP_PKEY_CTX_free(pkey_ctx);
-        s->session->master_key_length =
-            tls1_generate_master_secret(s,
+        if (!tls12_derive_master_secret(s, premaster_secret, 32))
-                s->session->master_key, premaster_secret, 32);
+                goto err;
        ret = 1;

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index c129bb6d66..a38d1f1ed4 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.93 2021/04/25 13:15:22 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.94 2021/04/30 19:26:44 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2001,9 +2001,8 @@ ssl3_send_client_kex_rsa(SSL s, SESS_CERT sess_cert, CBB *cbb)
2001	if (!CBB_flush(cbb))	2001	if (!CBB_flush(cbb))
2002	goto err;	2002	goto err;
2003		2003
2004	s->session->master_key_length =	2004	if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
2005	tls1_generate_master_secret(s,	2005	goto err;
2006	s->session->master_key, pms, sizeof(pms));
2007		2006
2008	ret = 1;	2007	ret = 1;
2009		2008
@@ -2055,10 +2054,8 @@ ssl3_send_client_kex_dhe(SSL s, SESS_CERT sess_cert, CBB *cbb)
2055	goto err;	2054	goto err;
2056	}	2055	}
2057		2056
2058	/* Generate master key from the result. */	2057	if (!tls12_derive_master_secret(s, key, key_len))
2059	s->session->master_key_length =	2058	goto err;
2060	tls1_generate_master_secret(s,
2061	s->session->master_key, key, key_len);
2062		2059
2063	if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))	2060	if (!CBB_add_u16_length_prefixed(cbb, &dh_Yc))
2064	goto err;	2061	goto err;
@@ -2104,8 +2101,8 @@ ssl3_send_client_kex_ecdhe_ecp(SSL s, SESS_CERT sc, CBB *cbb)
2104		2101
2105	if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))	2102	if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len))
2106	goto err;	2103	goto err;
2107	s->session->master_key_length = tls1_generate_master_secret(s,	2104	if (!tls12_derive_master_secret(s, key, key_len))
2108	s->session->master_key, key, key_len);	2105	goto err;
2109		2106
2110	ret = 1;	2107	ret = 1;
2111		2108
@@ -2142,10 +2139,8 @@ ssl3_send_client_kex_ecdhe_ecx(SSL s, SESS_CERT sc, CBB *cbb)
2142	if (!CBB_flush(cbb))	2139	if (!CBB_flush(cbb))
2143	goto err;	2140	goto err;
2144		2141
2145	/* Generate master key from the result. */	2142	if (!tls12_derive_master_secret(s, shared_key, X25519_KEY_LENGTH))
2146	s->session->master_key_length =	2143	goto err;
2147	tls1_generate_master_secret(s,
2148	s->session->master_key, shared_key, X25519_KEY_LENGTH);
2149		2144
2150	ret = 1;	2145	ret = 1;
2151		2146
@@ -2276,9 +2271,9 @@ ssl3_send_client_kex_gost(SSL s, SESS_CERT sess_cert, CBB *cbb)
2276	s->s3->flags \|= TLS1_FLAGS_SKIP_CERT_VERIFY;	2271	s->s3->flags \|= TLS1_FLAGS_SKIP_CERT_VERIFY;
2277	}	2272	}
2278	EVP_PKEY_CTX_free(pkey_ctx);	2273	EVP_PKEY_CTX_free(pkey_ctx);
2279	s->session->master_key_length =	2274
2280	tls1_generate_master_secret(s,	2275	if (!tls12_derive_master_secret(s, premaster_secret, 32))
2281	s->session->master_key, premaster_secret, 32);	2276	goto err;
2282		2277
2283	ret = 1;	2278	ret = 1;
2284		2279