The branch master has been updated
       via  ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356 (commit)
       via  dffeec1c10a874d7c7b83c221dbbce82f755edb1 (commit)
      from  dd0164e7565bb14fac193aea4c2c37714bf66d56 (commit)


- Log -----------------------------------------------------------------
commit ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356
Author: Tomas Mraz <tm...@fedoraproject.org>
Date:   Thu Aug 6 15:14:29 2020 +0200

    sslapitest: Add test for premature call of SSL_export_keying_material
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12594)

commit dffeec1c10a874d7c7b83c221dbbce82f755edb1
Author: Tomas Mraz <tm...@fedoraproject.org>
Date:   Thu Aug 6 11:20:43 2020 +0200

    Avoid segfault in SSL_export_keying_material if there is no session
    
    Fixes #12588
    
    Reviewed-by: Matt Caswell <m...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12594)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c     |  3 ++-
 test/sslapitest.c | 17 ++++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f957664a48..c72341547a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3054,7 +3054,8 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                const unsigned char *context, size_t contextlen,
                                int use_context)
 {
-    if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+    if (s->session == NULL
+        || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
         return -1;
 
     return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
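Review bot: The new `s->session == NULL` guard in SSL_export_keying_material returns -1 with no comment explaining it and, as far as this hunk shows, without putting anything on the error queue, so a caller cannot tell a premature call from an unsupported protocol version. A short comment above the condition, e.g. `/* no session yet: there is nothing to derive exporter output from */`, would document the intent. The guard only covers a missing session object. Whether a call made mid-handshake, when a session exists but no master secret has been established, is rejected by the `export_keying_material` implementations is not visible here and is worth confirming, since exporter output derived before the secret is in place would not be secret. The function body continues past the end of the hunk.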
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 3d6d83a11a..6f4c11537b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -5690,9 +5690,20 @@ static int test_export_key_mat(int tst)
         goto end;
 
     if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-                                      NULL))
-            || !TEST_true(create_ssl_connection(serverssl, clientssl,
-                                                SSL_ERROR_NONE)))
+                                      NULL)))
+        goto end;
+
+    /*
+     * Premature call of SSL_export_keying_material should just fail.
+     */
+    if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
+                                                sizeof(ckeymat1), label,
+                                                SMALL_LABEL_LEN + 1, context,
+                                                sizeof(context) - 1, 1), 0))
+        goto end;
+
+    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+                                         SSL_ERROR_NONE)))
         goto end;
 
     if (tst == 5) {
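Review bot: The premature-call check covers only `clientssl`; `serverssl` comes from the same `create_ssl_objects` call and presumably has no session at this point either, so repeating the assertion for it would cover both roles. `TEST_int_le(..., 0)` also accepts 0, so the test would not notice if the failure value drifted from the -1 that the new guard in ssl/ssl_lib.c returns; `TEST_int_eq(..., -1)` would pin it if -1 is the intended contract. test_export_key_mat starts and ends outside the hunk.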
