From 039fd128349e3f19d80aa60ea228a2498a8fbc44 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 19 Mar 2018 19:06:08 +0100
Subject: [PATCH 1/2] Robustness fix in mbedtls_ssl_derive_keys

In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in ciphersuites that don't use HMAC. This doesn't change the behavior of the code, but avoids relying on an uncaught error when attempting to start an HMAC operation that hadn't been initialized.
---
 library/ssl_tls.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3802e230e..a5b9d63f5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -855,8 +855,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 defined(MBEDTLS_SSL_PROTO_TLS1_2)
 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
 {
- mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
- mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+ /* For HMAC-based ciphersuites, initialize the HMAC transforms. For AEAD-based ciphersuites, there is nothing to do here. */
+ if( mac_key_len != 0 )
+ {
+ mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
+ mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+ }
 }
 else
 #endif

From c96ccf4b3f2fc0c1336390cae25e4852d4d3411a Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sat, 31 Mar 2018 22:57:03 +0200
Subject: [PATCH 2/2] Add ChangeLog entry to credit independent contribution

Also: fixes #1437
---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index aaf34fcef..0293e49dd 100644
--- a/ChangeLog
+++ b/ChangeLog
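Review bot: Both `mbedtls_md_hmac_starts()` calls inside the new `if( mac_key_len != 0 )` block still discard their return value, so if either call fails the corresponding `md_ctx_enc`/`md_ctx_dec` context is left without a key and the caller is never told; the commit message itself describes this as relying on an uncaught error, and the guard only narrows when that can happen rather than removing it. Propagating the status closes that gap, e.g. `if( ( ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ) ) != 0 ) return( ret );` and the same line for `md_ctx_dec`, assuming the function's usual `int ret` local is in scope and no cleanup label has to be taken instead. The guard also rests on an invariant the new comment could state explicitly, e.g. `/* mac_key_len is 0 exactly for AEAD ciphersuites, whose transform has no HMAC context to key. */`, so a future ciphersuite with a zero-length MAC key is not silently treated as AEAD. mbedtls_ssl_derive_keys starts and ends outside the hunk.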
@@ -54,6 +54,9 @@ Changes
 Wilson #481
 * Improve the documentation of mbedtls_net_accept(). Contributed by Ivan Krylov.
+ * Improve robustness of mbedtls_ssl_derive_keys against the use of
+ HMAC functions with non-HMAC ciphersuites. Independently contributed
+ by Jiayuan Chen in #1377. Fixes #1437.
 = mbed TLS 2.8.0 branch released 2018-03-16