diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b2f65944f..b3cef5d60 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -616,7 +616,6 @@ static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *
 static int ssl_populate_transform( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
-    unsigned char tmp[64];
     unsigned char keyblk[256];
     unsigned char *key1;
     unsigned char *key2;
@@ -633,8 +632,6 @@ static int ssl_populate_transform( mbedtls_ssl_context *ssl )
     mbedtls_ssl_transform *transform = ssl->transform_negotiate;
     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
-
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     transform->encrypt_then_mac = session->encrypt_then_mac;
 #endif
@@ -657,14 +654,6 @@ static int ssl_populate_transform( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
-    /*
-     * Swap the client and server random values.
-     */
-    memcpy( tmp, handshake->randbytes, 64 );
-    memcpy( handshake->randbytes, tmp + 32, 32 );
-    memcpy( handshake->randbytes + 32, tmp, 32 );
-    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
-
     /*
      * SSLv3:
      * key block =
@@ -691,9 +680,6 @@ static int ssl_populate_transform( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
     MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
 
-    mbedtls_platform_zeroize( handshake->randbytes,
-                              sizeof( handshake->randbytes ) );
-
     /*
      * Determine the appropriate key, IV and MAC length.
      */
@@ -1024,8 +1010,6 @@ static int ssl_populate_transform( mbedtls_ssl_context *ssl )
     }
 #endif /* MBEDTLS_ZLIB_SUPPORT */
 
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
-
     return( 0 );
 }
 
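Review bot: With the swap removed, `ssl_populate_transform` now silently depends on its caller having already reordered `handshake->randbytes`, but nothing at the function head in the first hunk says so. A short contract comment above `static int ssl_populate_transform( mbedtls_ssl_context *ssl )` would stop a future caller from passing the unswapped client+server order and deriving the key block from the wrong input: `/* Precondition: handshake->randbytes must already hold server_random || client_random (the caller swaps before invoking, see mbedtls_ssl_derive_keys()). */`. The server-then-client order is taken from the comment the commit adds in `mbedtls_ssl_derive_keys`; the body of `ssl_populate_transform` continues between and beyond the hunks shown here.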
@@ -1165,6 +1149,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
         ssl->handshake->ciphersuite_info;
 
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
+
+    /* Set PRF, calc_verify and calc_finished function pointers */
     ret = ssl_set_handshake_prfs( ssl->handshake,
                                   ssl->minor_ver,
                                   ciphersuite_info->mac );
@@ -1174,6 +1161,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
         return( ret );
     }
 
+    /* Compute master secret if needed */
     ret = ssl_compute_master( ssl->handshake,
                               ssl->session_negotiate->master,
                               ssl );
@@ -1183,7 +1171,32 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
         return( ret );
     }
 
-    return( ssl_populate_transform( ssl ) );
+    /* Swap the client and server random values:
+     * - MS derivation wanted client+server (RFC 5246 8.1)
+     * - key derivation wants server+client (RFC 5246 6.3) */
+    {
+        unsigned char tmp[64];
+        memcpy( tmp, ssl->handshake->randbytes, 64 );
+        memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
+        memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
+        mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    }
+
+    /* Populate transform structure */
+    ret = ssl_populate_transform( ssl );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
+        return( ret );
+    }
+
+    /* We no longer need Server/ClientHello.random values */
+    mbedtls_platform_zeroize( ssl->handshake->randbytes,
+                              sizeof( ssl->handshake->randbytes ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
+
+    return( 0 );
 }
 
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
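Review bot: The error path of the new `if( ret != 0 )` block in the third hunk returns while `ssl->handshake->randbytes` still holds the (now swapped) random values, so the zeroize added just below it is skipped exactly when `ssl_populate_transform` fails; the old code had the same gap on its early returns, but the move makes it cheap to close here. Wiping before returning keeps the cleanup in one place instead of relying on whatever later frees the handshake: insert `mbedtls_platform_zeroize( ssl->handshake->randbytes, sizeof( ssl->handshake->randbytes ) );` before the `MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );` line. A secondary effect of hosting the swap in `mbedtls_ssl_derive_keys` is that the function is no longer idempotent with respect to `randbytes`: if it could be entered twice on the same handshake, the second call would derive from client+server order, so a one-line comment stating it must run at most once per handshake (or an assertion, if that is known to hold) would document the new invariant. The start of `mbedtls_ssl_derive_keys` lies outside these hunks.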