From 43140dd2d9a01de0fff0ae59aec0e1d7cda76474 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 30 Apr 2021 19:26:45 +0000
Subject: Clean up and harden TLSv1.2 master key derivation.

The master key and its length are only stored in one location, so it makes
no sense to handle these outside of the derivation function (the current
'out' argument is unused). This simplifies the various call sites.

If derivation fails for some reason, fail hard rather than continuing on
and hoping that something deals with this correctly later.

ok inoguchi@ tb@
---
 src/lib/libssl/tls12_lib.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/tls12_lib.c')

diff --git a/src/lib/libssl/tls12_lib.c b/src/lib/libssl/tls12_lib.c
index 520f41678d..e7171ba833 100644
--- a/src/lib/libssl/tls12_lib.c
+++ b/src/lib/libssl/tls12_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls12_lib.c,v 1.1 2021/04/25 13:15:23 jsing Exp $ */
+/*	$OpenBSD: tls12_lib.c,v 1.2 2021/04/30 19:26:45 jsing Exp $ */
 /*
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -90,3 +90,26 @@ tls12_derive_peer_finished(SSL *s)
 		    &S3I(s)->hs.peer_finished_len);
 	}
 }
+
+int
+tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret,
+    size_t premaster_secret_len)
+{
+	s->session->master_key_length = 0;
+
+	if (premaster_secret_len == 0)
+		return 0;
+
+	CTASSERT(sizeof(s->session->master_key) == SSL_MAX_MASTER_KEY_LENGTH);
+
+	if (!tls1_PRF(s, premaster_secret, premaster_secret_len,
+	    TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,
+	    s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0,
+	    s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0,
+	    s->session->master_key, sizeof(s->session->master_key)))
+		return 0;
+
+	s->session->master_key_length = SSL_MAX_MASTER_KEY_LENGTH;
+
+	return 1;
+}
-- 
cgit v1.2.3-55-g6feb