Merge pull request #5256 from yuhaoth/pr/clean-up-secrets-after-done
TLS1.3 MVP: Erase secrets once they are no longer needed.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 8b430de..8146cf6 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1063,7 +1063,7 @@
if( ret != 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
return( ret );
}
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 45fb5ed..357b3fb 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -654,7 +654,10 @@
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
- unsigned char const *base_key = NULL;
+ unsigned char *base_key = NULL;
+ size_t base_key_len = 0;
+ mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
+ &ssl->handshake->tls13_hs_secrets;
mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
const mbedtls_md_info_t* const md_info =
@@ -663,8 +666,22 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) );
+ if( from == MBEDTLS_SSL_IS_CLIENT )
+ {
+ base_key = tls13_hs_secrets->client_handshake_traffic_secret;
+ base_key_len = sizeof( tls13_hs_secrets->client_handshake_traffic_secret );
+ }
+ else
+ {
+ base_key = tls13_hs_secrets->server_handshake_traffic_secret;
+ base_key_len = sizeof( tls13_hs_secrets->server_handshake_traffic_secret );
+ }
+
if( dst_len < md_size )
- return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ {
+ ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+ goto exit;
+ }
ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
transcript, sizeof( transcript ),
@@ -676,11 +693,6 @@
}
MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
- if( from == MBEDTLS_SSL_IS_CLIENT )
- base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret;
- else
- base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret;
-
ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst );
if( ret != 0 )
goto exit;
@@ -690,7 +702,8 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
exit:
-
+ /* Erase handshake secrets */
+ mbedtls_platform_zeroize( base_key, base_key_len );
mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
return( ret );
}
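Review bot: The added zeroize of base_key at exit runs on every path, including the `dst_len < md_size` early exit introduced in the second hunk and the ssl_tls13_calc_finished_core failure, so a call that never consumed the handshake traffic secret still destroys it in ssl->handshake; a later call for the same direction would then compute the Finished value over all-zero key material instead of failing. Erasing unconditionally is the fail-closed choice if every non-zero return aborts the handshake, which this page does not show; if a caller may retry, restrict it to the success path, `if( ret == 0 ) mbedtls_platform_zeroize( base_key, base_key_len );`. In either case the function's declaration should state the one-shot contract, e.g. `/* Destroys the selected handshake traffic secret on return; call at most once per direction. */`. The function's signature and the start of its body lie outside the hunk.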
@@ -1164,6 +1177,9 @@
handshake->tls13_master_secrets.app,
transcript, transcript_len,
app_secrets );
+ /* Erase master secrets */
+ mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
+ sizeof( ssl->handshake->tls13_master_secrets ) );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
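Review bot: The added zeroize wipes the whole `tls13_master_secrets` struct immediately after only its `.app` member has been consumed by the derivation call above it; if the struct carries other members that are derived at the same time and consumed later in the handshake (a resumption master secret, for instance — the struct definition is not visible on this page), they are erased before they are ever used. Unless the whole struct is known to be dead at this point, narrow it to the member actually spent, `mbedtls_platform_zeroize( handshake->tls13_master_secrets.app, sizeof( handshake->tls13_master_secrets.app ) );`, which also uses the local `handshake` pointer the surrounding lines use rather than `ssl->handshake`. The enclosing function starts and ends outside the hunk.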
@@ -1225,7 +1241,9 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) );
cleanup:
-
+ /* randbytes is not used again */
+ mbedtls_platform_zeroize( ssl->handshake->randbytes,
+ sizeof( ssl->handshake->randbytes ) );
mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
return( ret );
}