cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Move erase handshake secrets

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2021-12-10 10:19:34 +08:00
parent 27224f58be
commit 4a2fa5d0aa
3 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
library/ssl_tls13_client.c
View File

@ -1646,7 +1646,6 @@ static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
*/ */
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl ) static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application ); mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );

6
library/ssl_tls13_generic.c
View File

@ -1060,11 +1060,7 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
sizeof( ssl->handshake->state_local.finished_out.digest ), sizeof( ssl->handshake->state_local.finished_out.digest ),
&ssl->handshake->state_local.finished_out.digest_len, &ssl->handshake->state_local.finished_out.digest_len,
ssl->conf->endpoint ); ssl->conf->endpoint );
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
mbedtls_platform_zeroize( &ssl->handshake->tls13_hs_secrets,
sizeof( ssl->handshake->tls13_hs_secrets ) );
}
if( ret != 0 ) if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );

12
library/ssl_tls13_keys.c
View File

@ -654,7 +654,8 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len; size_t transcript_len;
unsigned char const *base_key = NULL; unsigned char *base_key = NULL;
size_t base_key_len;
mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
const mbedtls_md_info_t* const md_info = const mbedtls_md_info_t* const md_info =
@ -677,9 +678,15 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len ); MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
if( from == MBEDTLS_SSL_IS_CLIENT ) if( from == MBEDTLS_SSL_IS_CLIENT )
{
base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret; base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret;
base_key_len = sizeof( ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret );
}
else else
{
base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret; base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret;
base_key_len = sizeof( ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret );
}
ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst ); ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst );
if( ret != 0 ) if( ret != 0 )
@ -690,7 +697,8 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
exit: exit:
/* Erase handshake secrets */
mbedtls_platform_zeroize( base_key, base_key_len );
mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
return( ret ); return( ret );
} }