mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-28 19:21:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

TLS1.3: zeroize tls13_early_secrets after its lifetime

Browse Source 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
This commit is contained in:
Yanray Wang 2022-12-15 15:14:35 +08:00
parent bae9e74d39
commit 16c895dff3
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
library/ssl_tls13_keys.c
View File

@ -1110,10 +1110,10 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
size_t transcript_len; size_t transcript_len;
size_t key_len; size_t key_len;
size_t iv_len; size_t iv_len;
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
@ -1178,6 +1178,10 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
traffic_keys->key_len = key_len; traffic_keys->key_len = key_len;
traffic_keys->iv_len = iv_len; traffic_keys->iv_len = iv_len;
/* Erase early secrets */
mbedtls_platform_zeroize(
&tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
MBEDTLS_SSL_DEBUG_BUF(4, "client early write_key", MBEDTLS_SSL_DEBUG_BUF(4, "client early write_key",
traffic_keys->client_write_key, traffic_keys->client_write_key,
traffic_keys->key_len); traffic_keys->key_len);
@ -1189,7 +1193,7 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key"));
cleanup: cleanup:
/* Erase secret and transcript */ /* Erase early secrets and transcript */
mbedtls_platform_zeroize( mbedtls_platform_zeroize(
&tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets)); &tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
mbedtls_platform_zeroize(transcript, sizeof(transcript)); mbedtls_platform_zeroize(transcript, sizeof(transcript));