diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 4871885d4..08d4fd357 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2344,7 +2344,6 @@ static int ssl_rsa_generate_partial_pms( mbedtls_ssl_context *ssl,
 {
 volatile int ret;
- ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
 /*
 * Generate (part of) the pre-master secret as
 * struct {
@@ -2396,7 +2395,6 @@ static int ssl_rsa_encrypt_partial_pms( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
 mbedtls_pk_context *peer_pk = NULL;
- ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
 if( buflen < len_bytes )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7d0079794..e70dd12b9 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3980,7 +3980,6 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
 unsigned int diff;
 volatile unsigned int pmscounter = 0;
- ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
 /* In case of a failure in decryption, the decryption may write less than
 * 2 bytes of output, but we always read the first two bytes. It doesn't
 * matter in the end because diff will be nonzero in that case due to
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4fc6aa832..20683366c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1974,7 +1974,6 @@ int mbedtls_ssl_build_pms( mbedtls_ssl_context *ssl )
 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
- ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
 #if defined(MBEDTLS_USE_TINYCRYPT)
 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
@@ -2159,7 +2158,6 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
 unsigned char *end = p + sizeof( ssl->handshake->premaster );
 const unsigned char *psk = ssl->conf->psk;
 size_t psk_len = ssl->conf->psk_len;
- ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
 /* If the psk callback was called, use its result */
 if( ssl->handshake->psk != NULL )
@@ -7977,7 +7975,9 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
 mbedtls_platform_enforce_volatile_reads();
 if( ssl->handshake->resume )
 {
+ /* When doing session resume, no premaster or peer authentication */
 ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
 }
 else
 {
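Review bot: The comment added above `peer_authenticated` in the resume branch says which steps a resumed handshake skips, but not why two checkpoints for steps that never ran are then recorded as `MBEDTLS_SSL_FI_FLAG_SET`, which is the part a reader is likely to mistake for a bug. Suggest `/* Resumed sessions perform no premaster generation and no peer authentication, so mark both checkpoints as passed to satisfy the completion check later in this function. */`. This presumes `hello_random_set` and `key_derivation_done` are also set on the resume path, which the hunk cannot show; if either is not, the three-flag check added further down would reject every resumed session. `mbedtls_ssl_handshake_wrapup` begins and ends outside this hunk.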
@@ -7997,13 +7997,41 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
 else
 {
 ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
 }
 }
 else
 {
 ret = MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED;
+ goto cleanup;
 }
+ if( ssl->handshake->hello_random_set == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( ssl->handshake->hello_random_set == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->key_derivation_done == MBEDTLS_SSL_FI_FLAG_SET &&
+ ssl->handshake->premaster_generated == MBEDTLS_SSL_FI_FLAG_SET )
+ {
+ ret = 0;
+ }
+ else
+ {
+ ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
+ goto cleanup;
+ }
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello random %d", ssl->handshake->hello_random_set ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "key_derivation_done %d", ssl->handshake->key_derivation_done ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "premaster_generated %d", ssl->handshake->premaster_generated ) );
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+cleanup:
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
 ssl->handshake->flight != NULL )
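Review bot: The new three-flag check carries no comment stating what it enforces or why the condition is evaluated twice around `mbedtls_platform_enforce_volatile_reads()`, and its failure branch logs the flags with a label that does not match the field (`"hello random %d"` for `hello_random_set`) on lines well past 80 columns. Suggest a comment above the first `if`, e.g. `/* Confirm that every mandatory handshake step recorded its completion. A flag still unset means a step was skipped; a flag that differs between the two reads is treated as a fault. */`, and `MBEDTLS_SSL_DEBUG_MSG( 3, ( "hello_random_set %d", ssl->handshake->hello_random_set ) );` with each debug call wrapped to stay within 80 columns. The two added `goto cleanup` lines now reach the DTLS flight release with a non-zero `ret`, so whatever follows the `#if defined(MBEDTLS_SSL_PROTO_DTLS)` block must be safe to run on the error path; that code and the end of `mbedtls_ssl_handshake_wrapup` lie outside the hunk.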