tls13: keys: Do not use handshake->premaster

`handshake->premaster` was used to store the
(EC)DHE shared secret but in TLS 1.3 there is
no need to store it in a context.

Furthermore, `handshake->premaster` and more
specifically its sizing is TLS 1.2 specific
thus better to not use it in TLS 1.3.

Allocate a buffer to store the shared secret
instead. Allocation instead of a stack buffer
as the maintenance of the size of such buffer
is harder (new elliptic curve for ECDHE,
support for FFDHE ... ).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Ronald Cron 2022-10-05 17:20:21 +02:00
parent 4c7edb2b9b
commit 3b056202d3
2 changed files with 30 additions and 12 deletions


@ -600,8 +600,6 @@ struct mbedtls_ssl_handshake_params
size_t ecrs_n; /*!< place for saving a length */ size_t ecrs_n; /*!< place for saving a length */
#endif #endif
size_t pmslen; /*!< premaster length */
mbedtls_ssl_ciphersuite_t const *ciphersuite_info; mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
@ -853,8 +851,11 @@ struct mbedtls_ssl_handshake_params
unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
MBEDTLS_SERVER_HELLO_RANDOM_LEN]; MBEDTLS_SERVER_HELLO_RANDOM_LEN];
/*!< random bytes */ /*!< random bytes */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
/*!< premaster secret */ /*!< premaster secret */
size_t pmslen; /*!< premaster length */
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
int extensions_present; /*!< extension presence; Each bitfield int extensions_present; /*!< extension presence; Each bitfield


@ -1253,6 +1253,8 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md( psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
handshake->ciphersuite_info->mac ); handshake->ciphersuite_info->mac );
unsigned char *shared_secret = NULL;
size_t shared_secret_len = 0;
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
/* /*
@ -1267,17 +1269,28 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_ECDH_C) #if defined(MBEDTLS_ECDH_C)
/* Compute ECDH shared secret. */ /* Compute ECDH shared secret. */
psa_status_t status = PSA_ERROR_GENERIC_ERROR; psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
status = psa_get_key_attributes( handshake->ecdh_psa_privkey,
&key_attributes );
if( status != PSA_SUCCESS )
ret = psa_ssl_status_to_mbedtls( status );
shared_secret_len = PSA_BITS_TO_BYTES(
psa_get_key_bits( &key_attributes ) );
shared_secret = mbedtls_calloc( 1, shared_secret_len );
if( shared_secret == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
status = psa_raw_key_agreement( status = psa_raw_key_agreement(
PSA_ALG_ECDH, handshake->ecdh_psa_privkey, PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
handshake->premaster, sizeof( handshake->premaster ), shared_secret, shared_secret_len, &shared_secret_len );
&handshake->pmslen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
ret = psa_ssl_status_to_mbedtls( status ); ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
return( ret ); goto cleanup;
} }
status = psa_destroy_key( handshake->ecdh_psa_privkey ); status = psa_destroy_key( handshake->ecdh_psa_privkey );
@ -1285,7 +1298,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
{ {
ret = psa_ssl_status_to_mbedtls( status ); ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
return( ret ); goto cleanup;
} }
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
@ -1306,22 +1319,26 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
*/ */
ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, ret = mbedtls_ssl_tls13_evolve_secret( hash_alg,
handshake->tls13_master_secrets.early, handshake->tls13_master_secrets.early,
handshake->premaster, handshake->pmslen, shared_secret, shared_secret_len,
handshake->tls13_master_secrets.handshake ); handshake->tls13_master_secrets.handshake );
if( ret != 0 ) if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
return( ret ); goto cleanup;
} }
MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret", MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
handshake->tls13_master_secrets.handshake, handshake->tls13_master_secrets.handshake,
PSA_HASH_LENGTH( hash_alg ) ); PSA_HASH_LENGTH( hash_alg ) );
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) cleanup:
mbedtls_platform_zeroize( handshake->premaster, sizeof( handshake->premaster ) ); if( shared_secret != NULL )
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */ {
return( 0 ); mbedtls_platform_zeroize( shared_secret, shared_secret_len );
mbedtls_free( shared_secret );
}
return( ret );
} }
/* Generate application traffic keys since any records following a 1-RTT Finished message /* Generate application traffic keys since any records following a 1-RTT Finished message
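Review bot: The new `psa_get_key_attributes()` check only assigns `ret` and then falls through, so on failure the code still sizes and allocates the buffer from unpopulated attributes and goes on to the key agreement; it should leave the function at that point, e.g. `if( status != PSA_SUCCESS ) return( psa_ssl_status_to_mbedtls( status ) );`. Separately, `shared_secret_len` is passed to `psa_raw_key_agreement()` both as the buffer size and as the output-length pointer, so the `cleanup:` block zeroizes only as many bytes as the call reported; if a failing call reports a shorter length (presumably possible, not shown here), part of the heap buffer is freed unwiped, and keeping the allocated size in its own variable for `mbedtls_platform_zeroize()` avoids that. `key_attributes` is also never passed to `psa_reset_key_attributes()` on any path visible here. The function's opening lines lie outside these hunks.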