From b8c484088c98ed37205e9ada1e012d8a901f2381 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Mon, 8 Feb 2021 20:28:22 +0100
Subject: [PATCH] Fix psa_destroy_key called after mbedtls_psa_crypto_free

Move the call to destroy the PSK to before freeing the SSL session data and calling rng_free(), which deinitializes the PSA subsystem. This particular ordering was chosen to make the ssl_client2 more similar to ssl_server2. This fixes the client failing on the psa_destroy_key() call in `ssl-opt.sh -f 'opaque psk on client'`.

Signed-off-by: Gilles Peskine
---
 programs/ssl/ssl_client2.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8f2b2c159..7d904d128 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -3002,19 +3002,6 @@ exit:
 #endif
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
- mbedtls_ssl_session_free( &saved_session );
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
- rng_free( &rng );
- if( session_data != NULL )
- mbedtls_platform_zeroize( session_data, session_data_len );
- mbedtls_free( session_data );
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
- if( context_buf != NULL )
- mbedtls_platform_zeroize( context_buf, context_buf_len );
- mbedtls_free( context_buf );
-#endif
-
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \
 defined(MBEDTLS_USE_PSA_CRYPTO)
 if( opt.psk_opaque != 0 )
@@ -3036,6 +3023,19 @@ exit:
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
 
+ mbedtls_ssl_session_free( &saved_session );
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_config_free( &conf );
+ rng_free( &rng );
+ if( session_data != NULL )
+ mbedtls_platform_zeroize( session_data, session_data_len );
+ mbedtls_free( session_data );
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
+ if( context_buf != NULL )
+ mbedtls_platform_zeroize( context_buf, context_buf_len );
+ mbedtls_free( context_buf );
+#endif
+
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #if defined(MBEDTLS_MEMORY_DEBUG)
 mbedtls_memory_buffer_alloc_status();
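Review bot: The ordering this hunk depends on is not recorded in the code: the re-added `rng_free( &rng );` is, per the commit message, what deinitializes the PSA subsystem, so every PSA call in the `exit:` path has to stay above it, and nothing at the new position says so. A comment above the moved block would keep a later cleanup reshuffle from reintroducing the failure, e.g. `/* Keep below psa_destroy_key(): rng_free() deinitializes PSA crypto. */`. Separately, the opaque PSK is now destroyed while `ssl` and `conf`, which presumably still reference it, are alive until `mbedtls_ssl_free()` / `mbedtls_ssl_config_free()`; that is fine only if neither free function touches the key, which is worth confirming or stating in the same comment. The `exit:` block starts and ends outside the hunk, so the psa_destroy_key() call itself is not visible here.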