commit de047adfb422d0802bd5c3a6c82c17a08f075025
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri May 03 09:46:14 2019 +0200
committer Jarno Lamsa <jarno.lamsa@arm.com> Fri Aug 23 12:45:33 2019 +0300
tree d1b384404118aa3a17c41593e8f4b823862afbdd
parent 85680c49efb0e75068afba761ad9c1737cba520a

Improve signature of ssl_compute_master()

Make it more explicit what's used. Unfortunately, we still need ssl as a
parameter for debugging, and because calc_verify wants it as a parameter (for
all TLS versions except SSL3 it would actually only need handshake, but SSL3
also accesses session_negotiate).

It's also because of calc_verify that we can't make it const yet, but see next
commit.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a78d6e5..15ce501 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1579,13 +1579,27 @@
 
 /*
  * Compute master secret if needed
+ *
+ * Parameters:
+ * [in/out] handshake
+ *          [in] resume, premaster, extended_ms, calc_verify, tls_prf
+ *               (PSA-PSK) ciphersuite_info
+ *          [out] premaster (cleared)
+ * [in] minor_ver (to compute hash_len)
+ * [in] hash_alg (to compute hash_len)
+ * [out] master
+ * [in] ssl: optionally used for debugging, EMS and PSA-PSK
+ *      debug: conf->f_dbg, conf->p_dbg
+ *      EMS: passed to calc_verify (debug + (SSL3) session_negotiate)
+ *      PSA-PSA: conf
  */
-static int ssl_compute_master( mbedtls_ssl_context *ssl )
+static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
+                               int minor_ver,
+                               mbedtls_md_type_t hash_alg,
+                               unsigned char *master,
+                               mbedtls_ssl_context *ssl )
 {
     int ret;
-    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
-    mbedtls_ssl_session *session = ssl->session_negotiate;
-    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
 
     /* cf. RFC 5246, Section 8.1:
      * "The master secret is always exactly 48 bytes in length." */
@@ -1611,6 +1625,19 @@
     unsigned char const *salt = handshake->randbytes;
     size_t salt_len = 64;
 
+#if !defined(MBEDTLS_DEBUG_C) &&                    \
+    !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+    !(defined(MBEDTLS_USE_PSA_CRYPTO) &&            \
+      defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
+    (void) ssl;
+#endif
+#if !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) || !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    (void) minor_ver;
+#if defined(MBEDTLS_SHA512_C)
+    (void) hash_alg;
+#endif
+#endif
+
     if( handshake->resume != 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
@@ -1618,18 +1645,18 @@
     }
 
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-    if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
+    if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
 
         lbl  = "extended master secret";
         salt = session_hash;
-        ssl->handshake->calc_verify( ssl, session_hash );
+        handshake->calc_verify( ssl, session_hash );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
         {
 #if defined(MBEDTLS_SHA512_C)
-            if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+            if( hash_alg == MBEDTLS_MD_SHA384 )
             {
                 salt_len = 48;
             }
@@ -1646,9 +1673,9 @@
 #endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) &&          \
-defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
-        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
+        minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
         ssl_use_opaque_psk( ssl ) == 1 )
     {
         /* Perform PSK-to-MS expansion in a single step. */
@@ -1661,10 +1688,10 @@
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
 
         psk = ssl->conf->psk_opaque;
-        if( ssl->handshake->psk_opaque != 0 )
-            psk = ssl->handshake->psk_opaque;
+        if( handshake->psk_opaque != 0 )
+            psk = handshake->psk_opaque;
 
-        if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+        if( hash_alg == MBEDTLS_MD_SHA384 )
             alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
         else
             alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
@@ -1681,7 +1708,7 @@
         }
 
         status = psa_key_derivation_output_bytes( &derivation,
-                                                  session->master,
+                                                  master,
                                                   master_secret_len );
         if( status != PSA_SUCCESS )
         {
@@ -1698,7 +1725,7 @@
     {
         ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
                                   lbl, salt, salt_len,
-                                  session->master,
+                                  master,
                                   master_secret_len );
         if( ret != 0 )
         {
@@ -1732,7 +1759,11 @@
         return( ret );
     }
 
-    ret = ssl_compute_master( ssl );
+    ret = ssl_compute_master( ssl->handshake,
+                              ssl->minor_ver,
+                              ciphersuite_info->mac,
+                              ssl->session_negotiate->master,
+                              ssl );
     if( ret != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );