From 4d057f61a77f536ab16d26c893523b2406fe7261 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 5 Nov 2018 12:45:16 +0000 Subject: [PATCH] Don't use 48 as a magic number in ssl_derive_keys() In multiple places, it occurrs as the fixed length of the master secret, so use a constant with a descriptive name instead. This is reinforced by the fact the some further occurrences of '48' are semantically different. --- library/ssl_tls.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7e861a5fb..8f3d203de 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -643,6 +643,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; + /* cf. RFC 5246, Section 8.1: + * "The master secret is always exactly 48 bytes in length." */ + size_t const master_secret_len = 48; + #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) unsigned char session_hash[48]; #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ @@ -807,14 +811,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) salt, salt_len, (unsigned char const *) lbl, (size_t) strlen( lbl ), - 48 ); + master_secret_len ); if( status != PSA_SUCCESS ) { psa_generator_abort( &generator ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_read( &generator, session->master, 48 ); + status = psa_generator_read( &generator, session->master, + master_secret_len ); if( status != PSA_SUCCESS ) { psa_generator_abort( &generator ); @@ -830,7 +835,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, lbl, salt, salt_len, - session->master, 48 ); + session->master, + master_secret_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );