Protect setting of premaster_generated flag
The flag is used for tracking whether the premaster has
been successfully generated. Note that when resuming
a session, the flag should not be used when trying to
determine whether all the key generation/derivation has been done.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 6b95cfa..08c65d2 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2342,8 +2342,9 @@
unsigned char* out,
unsigned add_length_tag )
{
- int ret;
+ volatile int ret;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
/*
* Generate (part of) the pre-master secret as
* struct {
@@ -2364,14 +2365,21 @@
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
ssl->conf->transport, out );
- if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
- ( mbedtls_ssl_conf_get_prng( ssl->conf ), out + 2, 46 ) ) != 0 )
+ ret = mbedtls_ssl_conf_get_frng( ssl->conf )
+ ( mbedtls_ssl_conf_get_prng( ssl->conf ), out + 2, 46 );
+
+ if( ret == 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
- return( ret );
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ return( 0 );
+ }
}
- return( 0 );
+ MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
+ return( ret );
}
/*
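Review bot: On the fall-through path after the inner `if( ret == 0 )`, `return( ret )` re-reads the volatile, so when the outer comparison saw 0 and only the inner one was disturbed the function can still return 0 while `premaster_generated` stays MBEDTLS_SSL_FI_FLAG_UNSET, and the "f_rng" debug line is emitted with ret == 0. Returning an explicit non-zero value when the two reads disagree keeps the return code and the flag consistent for callers that only check the former, e.g. after the inner block add `return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );` (or whichever fault-detected error code this tree defines). The @@ -2427 hunk below has the same gap in a worse form: its outer `if( ret == 0 )` has no branch for a diverged inner check, so execution continues into the length-prefix code with the flag unset instead of taking `goto cleanup` with an error. The enclosing function of this hunk begins before the hunk, in the preceding one.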
@@ -2383,11 +2391,12 @@
unsigned char *out, size_t buflen,
size_t *olen )
{
- int ret;
+ volatile int ret;
size_t len_bytes = mbedtls_ssl_get_minor_ver( ssl ) ==
MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
mbedtls_pk_context *peer_pk = NULL;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
if( buflen < len_bytes )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
@@ -2427,16 +2436,27 @@
goto cleanup;
}
- if( ( ret = mbedtls_pk_encrypt( peer_pk,
+ ret = mbedtls_pk_encrypt( peer_pk,
ppms, 48, out + len_bytes,
olen, buflen - len_bytes,
mbedtls_ssl_conf_get_frng( ssl->conf ),
- mbedtls_ssl_conf_get_prng( ssl->conf ) ) ) != 0 )
+ mbedtls_ssl_conf_get_prng( ssl->conf ) );
+
+ if( ret == 0 )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ret == 0 )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ }
+ else
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
goto cleanup;
}
+
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( len_bytes == 2 )