Move handling of randbytes to derive_keys()
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b2f6594..b3cef5d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -616,7 +616,6 @@
 static int ssl_populate_transform( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
-    unsigned char tmp[64];
     unsigned char keyblk[256];
     unsigned char *key1;
     unsigned char *key2;
@@ -633,8 +632,6 @@
     mbedtls_ssl_transform *transform = ssl->transform_negotiate;
     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
-
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     transform->encrypt_then_mac = session->encrypt_then_mac;
 #endif
@@ -658,14 +655,6 @@
     }
 
     /*
-     * Swap the client and server random values.
-     */
-    memcpy( tmp, handshake->randbytes, 64 );
-    memcpy( handshake->randbytes, tmp + 32, 32 );
-    memcpy( handshake->randbytes + 32, tmp, 32 );
-    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
-
-    /*
      *  SSLv3:
      *    key block =
      *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
@@ -691,9 +680,6 @@
     MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
     MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
 
-    mbedtls_platform_zeroize( handshake->randbytes,
-                              sizeof( handshake->randbytes ) );
-
     /*
      * Determine the appropriate key, IV and MAC length.
      */
@@ -1024,8 +1010,6 @@
     }
 #endif /* MBEDTLS_ZLIB_SUPPORT */
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
-
     return( 0 );
 }
 
@@ -1165,6 +1149,9 @@
     const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
         ssl->handshake->ciphersuite_info;
 
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
+
+    /* Set PRF, calc_verify and calc_finished function pointers */
     ret = ssl_set_handshake_prfs( ssl->handshake,
                                   ssl->minor_ver,
                                   ciphersuite_info->mac );
@@ -1174,6 +1161,7 @@
         return( ret );
     }
 
+    /* Compute master secret if needed */
     ret = ssl_compute_master( ssl->handshake,
                               ssl->session_negotiate->master,
                               ssl );
@@ -1183,7 +1171,32 @@
         return( ret );
     }
 
-    return( ssl_populate_transform( ssl ) );
+    /* Swap the client and server random values:
+     * - MS derivation wanted client+server (RFC 5246 8.1)
+     * - key derivation wants server+client (RFC 5246 6.3) */
+    {
+        unsigned char tmp[64];
+        memcpy( tmp, ssl->handshake->randbytes, 64 );
+        memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
+        memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
+        mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    }
+
+    /* Populate transform structure */
+    ret = ssl_populate_transform( ssl );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
+        return( ret );
+    }
+
+    /* We no longer need Server/ClientHello.random values */
+    mbedtls_platform_zeroize( ssl->handshake->randbytes,
+                      sizeof( ssl->handshake->randbytes ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
+
+    return( 0 );
 }
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
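Review bot: The zeroize of `ssl->handshake->randbytes` near the end of the hunk is skipped when `ssl_populate_transform()` fails, because the `return( ret )` on that error path comes first; the (now swapped) Client/ServerHello randoms then stay in the handshake struct until whatever later cleanup frees it, which this hunk does not show. The randoms are not needed after the call on either path, so wipe them before checking the result: `ret = ssl_populate_transform( ssl );` / `mbedtls_platform_zeroize( ssl->handshake->randbytes, sizeof( ssl->handshake->randbytes ) );` / `if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret ); return( ret ); }`. The swap block also hard-codes `64` and `32` in the `memcpy` calls while the zeroize a few lines later uses `sizeof( ssl->handshake->randbytes )`; sizing `tmp` from that `sizeof` and using `sizeof( tmp ) / 2` for the halves would keep the two in step. The enclosing function starts before the hunk.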