commit 580fba143101b4c1403d45dc9f8c4691aa68320f
author Hanno Becker <hanno.becker@arm.com> Tue Nov 13 20:50:45 2018 +0000
committer Hanno Becker <hanno.becker@arm.com> Fri Nov 16 11:24:59 2018 +0000
tree d1ade695c715f4eb544a9d6903bfbd9b7daffa2d
parent 24658c4ba1b9aa1a81117e38f1a959327a07a51a

Dynamically allocate `A(i) + seed` buffer for TLS-1.2 PRF

include/psa/crypto_struct.h

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 2d7bb26..f11b87c 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -154,8 +154,8 @@
     size_t key_len;
 
     /* `A(i) + seed` in the notation of RFC 5246, Sect. 5 */
-    uint8_t Ai_with_seed[PSA_HASH_MAX_SIZE + 64];
-    size_t seed_length;
+    uint8_t *Ai_with_seed;
+    size_t Ai_with_seed_len;
 
     /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
     uint8_t output_block[PSA_HASH_MAX_SIZE];

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ef46237..2030315 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3272,6 +3272,13 @@
                              generator->ctx.tls12_prf.key_len );
             mbedtls_free( generator->ctx.tls12_prf.key );
         }
+
+        if( generator->ctx.tls12_prf.Ai_with_seed != NULL )
+        {
+            mbedtls_zeroize( generator->ctx.tls12_prf.Ai_with_seed,
+                             generator->ctx.tls12_prf.Ai_with_seed_len );
+            mbedtls_free( generator->ctx.tls12_prf.Ai_with_seed );
+        }
     }
     else
 #endif /* MBEDTLS_MD_C */
@@ -3420,7 +3427,7 @@
                                   /* This omits the (so far undefined)
                                    * first hash_length bytes. */
                                   tls12_prf->Ai_with_seed + hash_length,
-                                  tls12_prf->seed_length );
+                                  tls12_prf->Ai_with_seed_len - hash_length );
         if( status != PSA_SUCCESS )
             goto cleanup;
         status = psa_hmac_finish_internal( &hmac,
@@ -3463,7 +3470,7 @@
 
     status = psa_hash_update( &hmac.hash_ctx,
                               tls12_prf->Ai_with_seed,
-                              hash_length + tls12_prf->seed_length );
+                              tls12_prf->Ai_with_seed_len );
     if( status != PSA_SUCCESS )
         goto cleanup;
 
@@ -3694,6 +3701,8 @@
     size_t label_length )
 {
     uint8_t hash_length = PSA_HASH_SIZE( hash_alg );
+    size_t Ai_with_seed_len = hash_length + salt_length + label_length;
+    int overflow;
 
     tls12_prf->key = mbedtls_calloc( 1, key_len );
     if( tls12_prf->key == NULL )
@@ -3701,14 +3710,22 @@
     tls12_prf->key_len = key_len;
     memcpy( tls12_prf->key, key, key_len );
 
+    overflow = ( salt_length + label_length               < salt_length ) ||
+               ( salt_length + label_length + hash_length < hash_length );
+    if( overflow )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+
+    tls12_prf->Ai_with_seed = mbedtls_calloc( 1, Ai_with_seed_len );
+    if( tls12_prf->Ai_with_seed == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+    tls12_prf->Ai_with_seed_len = Ai_with_seed_len;
+
     /* Write `label + seed' at the end of the `A(i) + seed` buffer,
      * leaving the initial `hash_length` bytes unspecified for now. */
     memcpy( tls12_prf->Ai_with_seed + hash_length, label, label_length );
     memcpy( tls12_prf->Ai_with_seed + hash_length + label_length,
             salt, salt_length );
 
-    tls12_prf->seed_length = label_length + salt_length;
-
     /* The first block gets generated when
      * psa_generator_read() is called. */
     tls12_prf->block_number    = 0;