diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 8b430de9d1..8146cf6f36 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1063,7 +1063,7 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl ) if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret ); return( ret ); } diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 45fb5ed193..357b3fb0c9 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -654,7 +654,10 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - unsigned char const *base_key = NULL; + unsigned char *base_key = NULL; + size_t base_key_len = 0; + mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = + &ssl->handshake->tls13_hs_secrets; mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac; const mbedtls_md_info_t* const md_info = @@ -663,8 +666,22 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) ); + if( from == MBEDTLS_SSL_IS_CLIENT ) + { + base_key = tls13_hs_secrets->client_handshake_traffic_secret; + base_key_len = sizeof( tls13_hs_secrets->client_handshake_traffic_secret ); + } + else + { + base_key = tls13_hs_secrets->server_handshake_traffic_secret; + base_key_len = sizeof( tls13_hs_secrets->server_handshake_traffic_secret ); + } + if( dst_len < md_size ) - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + { + ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; + goto exit; + } ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, transcript, sizeof( transcript ), @@ -676,11 +693,6 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, } MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len ); - if( from == MBEDTLS_SSL_IS_CLIENT ) - base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret; - else - base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret; - ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst ); if( ret != 0 ) goto exit; @@ -690,7 +702,8 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) ); exit: - + /* Erase handshake secrets */ + mbedtls_platform_zeroize( base_key, base_key_len ); mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); return( ret ); } @@ -1164,6 +1177,9 @@ int mbedtls_ssl_tls13_generate_application_keys( handshake->tls13_master_secrets.app, transcript, transcript_len, app_secrets ); + /* Erase master secrets */ + mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets, + sizeof( ssl->handshake->tls13_master_secrets ) ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, @@ -1225,7 +1241,9 @@ int mbedtls_ssl_tls13_generate_application_keys( MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) ); cleanup: - + /* randbytes is not used again */ + mbedtls_platform_zeroize( ssl->handshake->randbytes, + sizeof( ssl->handshake->randbytes ) ); mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); return( ret ); }