From fcd92a15935245e973ad525798718590262c6a83 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 14 Oct 2022 06:56:33 +0000
Subject: Error out if the out secret wasn't properly initialized

Calling HKDF_expand() with a length of 0 happens to succeed due to a quirk in the API inherited from BoringSSL. This hides caller-side errors during development. Error out to catch such mistakes early on.

ok jsing
---
 src/lib/libssl/tls13_key_schedule.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c
index d88faab0b1..2c23be8d3e 100644
--- a/src/lib/libssl/tls13_key_schedule.c
+++ b/src/lib/libssl/tls13_key_schedule.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_key_schedule.c,v 1.15 2022/07/07 17:09:45 tb Exp $ */
+/* $OpenBSD: tls13_key_schedule.c,v 1.16 2022/10/14 06:56:33 tb Exp $ */
 /*
 * Copyright (c) 2018, Bob Beck
 *
@@ -175,7 +175,11 @@ tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
 int ret;
 
 if (!CBB_init(&cbb, 256))
- return 0;
+ goto err;
+
+ if (out->data == NULL || out->len == 0)
+ goto err;
+
 if (!CBB_add_u16(&cbb, out->len))
 goto err;
 if (!CBB_add_u8_length_prefixed(&cbb, &child))
-- 
cgit v1.2.3-55-g6feb
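Review bot: The new `out->data == NULL || out->len == 0` guard in the second hunk carries no comment explaining why a zero length is rejected, and the reason is not visible in the code because, per the commit message, HKDF_expand() accepts it. I would add above the check: `/* HKDF_expand() succeeds for a zero-length output; fail closed on an uninitialized out secret. */`, so a later cleanup does not drop a check that keeps key derivation from reporting success without producing any secret material. Separately, a `CBB_init()` failure now jumps to `err` instead of returning. The `err:` label and the rest of tls13_hkdf_expand_label_with_length are outside this hunk, so confirm the cleanup there is safe on a `cbb` whose init failed.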