Release TLS 1.3 key shares earlier in TLS 1.2.

This isn't hugely important since the hs object will actually be
released at the end of the handshake, but no sense in holding on to them
longer than needed.

Also release |public_key| when we no longer need it and document what
the fields mean.

Change-Id: If677cb4a915c75405dabe7135205630527afd8bc
Reviewed-on: https://boringssl-review.googlesource.com/10360
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index ce736b5..d48b000 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -865,6 +865,8 @@
     return 1;
   }
 
+  ssl_clear_tls13_state(ssl);
+
   if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
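Review bot: The new `ssl_clear_tls13_state(ssl);` call carries no comment explaining why this is the right point to drop the key shares. Its documented precondition (version known to be TLS 1.2 or earlier) is established by code above the hunk that is not visible here. Presumably the `return 1;` just before it closes the TLS 1.3 branch. If so, a one-line comment such as `/* Not TLS 1.3: the key shares offered in the ClientHello are no longer needed. */` would stop a later reorder from moving the call ahead of that branch. The enclosing function starts and ends outside the hunk.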
diff --git a/ssl/internal.h b/ssl/internal.h
index 482adaa..13dec3a 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -896,13 +896,21 @@
   uint8_t secret[EVP_MAX_MD_SIZE];
   uint8_t traffic_secret_0[EVP_MAX_MD_SIZE];
 
+  /* groups is the set of active ECDH offers from the client in TLS 1.3. */
   SSL_ECDH_CTX *groups;
   size_t groups_len;
-  /* retry_group is the group ID selected by the server in HelloRetryRequest. */
+
+  /* retry_group is the group ID selected by the server in HelloRetryRequest in
+   * TLS 1.3. */
   uint16_t retry_group;
-  /* key_share_bytes is the value of the previously sent KeyShare extension. */
+
+  /* key_share_bytes is the value of the previously sent KeyShare extension by
+   * the client in TLS 1.3. */
   uint8_t *key_share_bytes;
   size_t key_share_bytes_len;
+
+  /* public_key, for servers, is the key share to be sent to the client in TLS
+   * 1.3. */
   uint8_t *public_key;
   size_t public_key_len;
 
@@ -968,6 +976,10 @@
 
 int ssl_add_client_hello_body(SSL *ssl, CBB *body);
 
+/* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
+ * should be called once the version is known to be TLS 1.2 or earlier. */
+void ssl_clear_tls13_state(SSL *ssl);
+
 
 /* SSLKEYLOGFILE functions. */
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0febb1c..5871be2 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2094,6 +2094,7 @@
     }
     OPENSSL_free(ssl->s3->hs->key_share_bytes);
     ssl->s3->hs->key_share_bytes = NULL;
+    ssl->s3->hs->key_share_bytes_len = 0;
 
     groups = &ssl->s3->hs->retry_group;
     groups_len = 1;
@@ -2242,6 +2243,10 @@
     return 0;
   }
 
+  OPENSSL_free(ssl->s3->hs->public_key);
+  ssl->s3->hs->public_key = NULL;
+  ssl->s3->hs->public_key_len = 0;
+
   ssl->s3->new_session->key_exchange_info = group_id;
   return 1;
 }
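Review bot: The release of `public_key` just before `return 1;` happens only on the success path, and nothing records that the buffer is gone afterwards. The earlier part of the function is outside the hunk, so it is unclear whether a second invocation would reject a NULL `public_key` with length 0 or write an empty key share. A comment above the free, such as `/* The key share has been written; |public_key| is no longer needed. */`, would state the invariant. If the function can run more than once per handshake, it would also need an entry check that `public_key` is non-NULL. The failure path at `return 0;` leaves the buffer for handshake teardown, which matches the commit description.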
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 20f4bcd..09c013e 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -677,3 +677,11 @@
   SSL_SESSION_free(session);
   return 1;
 }
+
+void ssl_clear_tls13_state(SSL *ssl) {
+  ssl_handshake_clear_groups(ssl->s3->hs);
+
+  OPENSSL_free(ssl->s3->hs->key_share_bytes);
+  ssl->s3->hs->key_share_bytes = NULL;
+  ssl->s3->hs->key_share_bytes_len = 0;
+}