From 35e7c2f41633d153898933e5ba6cf0580ce70f26 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 6 Jan 2021 20:15:35 +0000
Subject: Use tls13_secret_{init,cleanup}() for the finished_key

This trades an array on the stack for a dynamically allocated secret in
tls13_{client,server}_finished_send() but has the benefit of wiping out
an intermediate secret on function exit.

ok jsing
---
 src/lib/libssl/tls13_client.c | 10 +++++-----
 src/lib/libssl/tls13_server.c | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 25d78d1332..1f51748147 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.69 2021/01/05 17:32:39 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.70 2021/01/06 20:15:35 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -1034,10 +1034,9 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
 	struct tls13_secrets *secrets = ctx->hs->secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
-	struct tls13_secret finished_key;
+	struct tls13_secret finished_key = { .data = NULL, .len = 0 };
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 	size_t transcript_hash_len;
-	uint8_t key[EVP_MAX_MD_SIZE];
 	uint8_t *verify_data;
 	size_t verify_data_len;
 	unsigned int hlen;
@@ -1046,8 +1045,8 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 	SSL *s = ctx->ssl;
 	int ret = 0;
 
-	finished_key.data = key;
-	finished_key.len = EVP_MD_size(ctx->hash);
+	if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
+		goto err;
 
 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
 	    &secrets->client_handshake_traffic, "finished",
@@ -1082,6 +1081,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 	ret = 1;
 
  err:
+	tls13_secret_cleanup(&finished_key);
 	HMAC_CTX_free(hmac_ctx);
 
 	return ret;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 9e5664b79a..f929e132a8 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.66 2021/01/05 17:32:39 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.67 2021/01/06 20:15:35 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -770,10 +770,9 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
 	struct tls13_secrets *secrets = ctx->hs->secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
-	struct tls13_secret finished_key;
+	struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 	size_t transcript_hash_len;
-	uint8_t key[EVP_MAX_MD_SIZE];
 	uint8_t *verify_data;
 	size_t verify_data_len;
 	unsigned int hlen;
@@ -782,8 +781,8 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 	SSL *s = ctx->ssl;
 	int ret = 0;
 
-	finished_key.data = key;
-	finished_key.len = EVP_MD_size(ctx->hash);
+	if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
+		goto err;
 
 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
 	    &secrets->server_handshake_traffic, "finished",
@@ -818,6 +817,7 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 	ret = 1;
 
  err:
+	tls13_secret_cleanup(&finished_key);
 	HMAC_CTX_free(hmac_ctx);
 
 	return ret;
-- 
cgit v1.2.3-55-g6feb