From 21701305cec7ae0388ef3f869e9dd31aaf219e0f Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 19 Mar 2018 19:06:08 +0100
Subject: [PATCH 1/2] Robustness fix in mbedtls_ssl_derive_keys

In mbedtls_ssl_derive_keys, don't call mbedtls_md_hmac_starts in ciphersuites that don't use HMAC. This doesn't change the behavior of the code, but avoids relying on an uncaught error when attempting to start an HMAC operation that hadn't been initialized.
---
 library/ssl_tls.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 236e52d76..729b7669e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -855,8 +855,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     defined(MBEDTLS_SSL_PROTO_TLS1_2)
     if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
     {
-        mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
-        mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+        /* For HMAC-based ciphersuites, initialize the HMAC transforms. For AEAD-based ciphersuites, there is nothing to do here. */
+        if( mac_key_len != 0 )
+        {
+            mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
+            mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+        }
     }
     else
 #endif

From f3df741d8f2b216850961616bb75b67c56e9ec5c Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sat, 31 Mar 2018 22:57:03 +0200
Subject: [PATCH 2/2] Add ChangeLog entry to credit independent contribution

Also: fixes #1437
---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 932e28065..5107035e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,9 @@ Bugfix
 Changes
    * Clarify the documentation of mbedtls_ssl_setup.
+   * Improve robustness of mbedtls_ssl_derive_keys against the use of HMAC functions with non-HMAC ciphersuites. Independently contributed by Jiayuan Chen in #1377. Fixes #1437.
 = mbed TLS 2.7.1 branch released 2018-02-23
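Review bot: The two mbedtls_md_hmac_starts() calls kept inside the new `if( mac_key_len != 0 )` still discard their return value, so a failed keying of the record MAC contexts would presumably go unnoticed and key derivation would report success anyway. Since the hunk header shows mbedtls_ssl_derive_keys() returns int, each call should propagate the error, e.g. `if( ( ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ) ) != 0 ) return( ret );` (assuming an `int ret` local already exists in the function, as its other error paths likely use — confirm). The guard also depends on mac_key_len being exactly 0 for every ciphersuite without an HMAC, which is decided earlier in the function outside this hunk, so the new comment would be more useful as `/* mac_key_len is set to 0 earlier in this function for AEAD ciphersuites, which have no HMAC to key. */`. The enclosing function starts and ends outside the hunk.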