Protect setting of premaster_generated flag
The flag is used for tracking if the premaster has
been succesfully generated. Note that when resuming
a session, the flag should not be used when trying to
notice if all the key generation/derivation has been done.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e349ed8..3053818 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3978,7 +3978,9 @@
unsigned char mask;
size_t i, peer_pmslen;
unsigned int diff;
+ volatile unsigned int pmscounter = 0;
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_UNSET;
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
* matter in the end because diff will be nonzero in that case due to
@@ -4056,7 +4058,19 @@
/* Set pms to either the true or the fake PMS, without
* data-dependent branches. */
for( i = 0; i < ssl->handshake->pmslen; i++ )
+ {
pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
+ pmscounter++;
+ }
+
+ if( pmscounter == ssl->handshake->pmslen )
+ {
+ mbedtls_platform_enforce_volatile_reads();
+ if( pmscounter == ssl->handshake->pmslen )
+ {
+ ssl->handshake->premaster_generated = MBEDTLS_SSL_FI_FLAG_SET;
+ }
+ }
return( 0 );
}