cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Robustness fix in mbedtls_ssl_derive_keys

Browse Source 
In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in
ciphersuites that don't use HMAC. This doesn't change the behavior of
the code, but avoids relying on an uncaught error when attempting to
start an HMAC operation that hadn't been initialized.
This commit is contained in:
Gilles Peskine 2018-03-19 19:06:08 +01:00
parent 4ba87fc958
commit 039fd12834
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
library/ssl_tls.c
View File

@ -855,8 +855,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
defined(MBEDTLS_SSL_PROTO_TLS1_2) defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
{ {
mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); /* For HMAC-based ciphersuites, initialize the HMAC transforms.
mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); For AEAD-based ciphersuites, there is nothing to do here. */
if( mac_key_len != 0 )
{
mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
}
} }
else else
#endif #endif