Make sure that exporting keying material is allowed

author Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>

Sun, 21 Jan 2018 02:30:36 +0000 (11:30 +0900)

committer Matt Caswell <matt@openssl.org>

Fri, 2 Feb 2018 23:54:14 +0000 (23:54 +0000)
author Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Sun, 21 Jan 2018 02:30:36 +0000 (11:30 +0900)
committer Matt Caswell <matt@openssl.org>
Fri, 2 Feb 2018 23:54:14 +0000 (23:54 +0000)
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c

index 45cb9ab092e6d74de2ef4b93405341705fab4494..95c369a88315edb7a1b53a91d72264a3e2f13ffe 100644 (file)
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -941,3 +941,13 @@ int ossl_statem_app_data_allowed(SSL *s)
  
      return 0;
  }
+
+/*
+ * This function returns 1 if TLS exporter is ready to export keying
+ * material, or 0 if otherwise.
+ */
+int ossl_statem_export_allowed(SSL *s)
+{
+    return s->s3->previous_server_finished_len != 0
+           && s->statem.hand_state != TLS_ST_SW_FINISHED;
+}
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h

index e8d9174b8f4451987842a6358e5aa28e950b5292..3242c781e0db3d5262b430c4fb1b979750369378 100644 (file)
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -132,6 +132,7 @@ __owur int ossl_statem_skip_early_data(SSL *s);
  void ossl_statem_check_finish_init(SSL *s, int send);
  void ossl_statem_set_hello_verify_done(SSL *s);
  __owur int ossl_statem_app_data_allowed(SSL *s);
+__owur int ossl_statem_export_allowed(SSL *s);
  
  /* Flush the write BIO */
  int statem_flush(SSL *s);
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c

index f555df54fc44fb0b10d07cee966c09606c0120cc..05355fb71438dece88d46baf4287ee54ce7c70b2 100644 (file)
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -666,7 +666,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
      unsigned int hashsize, datalen;
      int ret = 0;
  
-    if (ctx == NULL)
+    if (ctx == NULL || !ossl_statem_export_allowed(s))
          goto err;
  
      if (!use_context)
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c

index 16542c4481e7ec505d920e22243bc93d068e5303..f08b5d372238b620c615746caed0be6f08f75651 100644 (file)
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -212,6 +212,11 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
  {
  }
  
+int ossl_statem_export_allowed(SSL *s)
+{
+    return 1;
+}
+
  /* End of mocked out code */
  
  static int test_secret(SSL *s, unsigned char *prk,
author	Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
	Sun, 21 Jan 2018 02:30:36 +0000 (11:30 +0900)
committer	Matt Caswell <matt@openssl.org>
	Fri, 2 Feb 2018 23:54:14 +0000 (23:54 +0000)
ssl/statem/statem.c		patch \| blob \| history
ssl/statem/statem.h		patch \| blob \| history
ssl/tls13_enc.c		patch \| blob \| history
test/tls13secretstest.c		patch \| blob \| history