From 3d78e08ac0d05c49fb02ce6a2a1d73b9b2a1f21a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 23 Nov 2022 18:26:20 +0800 Subject: [PATCH] erase early secrets and transcripts Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 43f6ab681..3d20ab730 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1124,7 +1124,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); - return( ret ); + goto cleanup; } md_type = ciphersuite_info->mac; @@ -1141,7 +1141,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); - return( ret ); + goto cleanup; } ret = mbedtls_ssl_tls13_derive_early_secrets( @@ -1151,7 +1151,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); - return( ret ); + goto cleanup; } MBEDTLS_SSL_DEBUG_BUF( @@ -1181,7 +1181,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); - return( 0 ); + goto cleanup; } traffic_keys->key_len = key_len; traffic_keys->iv_len = iv_len; @@ -1196,7 +1196,12 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); - return( 0 ); +cleanup: + /* Erase secret and transcript */ + mbedtls_platform_zeroize( + tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); + return( ret ); } int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl )