Check for TLS 1.3 in SSL_generate_key_block.

SSL_generate_key_block is specific to TLS 1.2. It will output garbage in
TLS 1.3 (wrong KDF), so fail instead.

Update-Note: SSL_generate_key_block gets a new error case, but callers
that hit this were getting back useless output anyway.

Change-Id: Ib35384f902e03cd4654d25b39ca1808c4d878c3d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/54705
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 81934c5..72a28d9 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3931,13 +3931,14 @@
                                const uint8_t **out_write_iv,
                                size_t *out_iv_len);
 
-// SSL_get_key_block_len returns the length of |ssl|'s key block. It is an error
-// to call this function during a handshake.
+// SSL_get_key_block_len returns the length of |ssl|'s key block, for TLS 1.2
+// and below. It is an error to call this function during a handshake, or if
+// |ssl| negotiated TLS 1.3.
 OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);
 
 // SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
-// current connection state. It is an error to call this function during a
-// handshake.
+// current connection state, for TLS 1.2 and below. It is an error to call this
+// function during a handshake, or if |ssl| negotiated TLS 1.3.
 OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,
                                           size_t out_len);
 
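Review bot: The rewritten comments on SSL_get_key_block_len and SSL_generate_key_block name the two error conditions but still do not say how the error is reported, which differs between the two: per the t1_enc.cc hunks, SSL_get_key_block_len returns zero with nothing on the error queue, while SSL_generate_key_block returns zero after pushing ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED. Since a zero-length key block is now also the TLS 1.3 answer, a caller reading only the header cannot tell the two apart without this. Suggest appending `// ... or if |ssl| negotiated TLS 1.3, in which case it returns zero.` to the first comment and `// ... or if |ssl| negotiated TLS 1.3, in which case it returns zero and adds an error to the error queue.` to the second (the success return value is presumably one, but the hunk does not show it, so confirm before documenting it).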
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index c8db457..0f6fedb 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -302,7 +302,7 @@
 
 size_t SSL_get_key_block_len(const SSL *ssl) {
   // See |SSL_generate_key_block|.
-  if (SSL_in_init(ssl)) {
+  if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {
     return 0;
   }
 
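Review bot: The predicate `SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION` is now written out twice, here and again in SSL_generate_key_block in the next hunk, and the comment on the line above already says the two functions share one contract. A small file-scope helper keeps them from drifting apart the next time the condition changes, e.g. `static bool ssl_key_block_supported(const SSL *ssl) { return !SSL_in_init(ssl) && ssl_protocol_version(ssl) <= TLS1_2_VERSION; }` with both sites testing `!ssl_key_block_supported(ssl)`. The ordering matters and should be preserved: SSL_in_init is checked first, so ssl_protocol_version is only consulted once a version has been negotiated. SSL_get_key_block_len's body continues outside the hunk.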
@@ -321,7 +321,7 @@
   // there are points where read and write states are from different epochs.
   // During a handshake, before ChangeCipherSpec, the encryption states may not
   // match |ssl->s3->client_random| and |ssl->s3->server_random|.
-  if (SSL_in_init(ssl)) {
+  if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
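Review bot: The explanatory comment immediately above the changed condition covers only the handshake half of it (read and write epochs, ChangeCipherSpec, client/server random) and says nothing about why TLS 1.3 is rejected, so a reader of the `>` TLS1_2_VERSION clause has to go to the commit message for the reason. Suggest adding one sentence to that comment block, e.g. `// TLS 1.3 derives its traffic keys with a different key schedule, so the TLS 1.2-style key block this function computes is not defined for it.` Because the comment in SSL_get_key_block_len simply points here, this is also where the rationale for that function's new check should live. SSL_generate_key_block begins before this hunk and continues after it.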