From f5cd79d2dfd1b28f356a27f34aff8fb972192ec8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 30 Sep 2024 15:27:18 +0200 Subject: [PATCH] nts: check TLS session in NKSN_GetKeys() Make sure the TLS session is not NULL in NKSN_GetKeys() before trying to export the keys in case some future code tried to call the function outside of the NTS-KE message handler. --- nts_ke_session.c | 3 +++ test/unit/nts_ke_session.c | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/nts_ke_session.c b/nts_ke_session.c index 6ad662a..3d78805 100644 --- a/nts_ke_session.c +++ b/nts_ke_session.c @@ -888,6 +888,9 @@ NKSN_GetKeys(NKSN_Instance inst, SIV_Algorithm algorithm, SIV_Algorithm exporter uint8_t _pad; } context; + if (!inst->tls_session) + return 0; + if (length <= 0 || length > sizeof (c2s->key) || length > sizeof (s2c->key)) { DEBUG_LOG("Invalid algorithm"); return 0; diff --git a/test/unit/nts_ke_session.c b/test/unit/nts_ke_session.c index c2db4a2..d10a57d 100644 --- a/test/unit/nts_ke_session.c +++ b/test/unit/nts_ke_session.c @@ -176,6 +176,7 @@ test_unit(void) const char *cert, *key; int sock_fds[2], i; uint32_t cert_id; + NKE_Key c2s, s2c; LCL_Initialise(); TST_RegisterDummyDrivers(); @@ -200,6 +201,9 @@ test_unit(void) TEST_CHECK(NKSN_StartSession(server, sock_fds[0], "client", server_cred, 4.0)); TEST_CHECK(NKSN_StartSession(client, sock_fds[1], "server", client_cred, 4.0)); + TEST_CHECK(!NKSN_GetKeys(server, AEAD_AES_SIV_CMAC_256, 0, 0, &c2s, &s2c)); + TEST_CHECK(!NKSN_GetKeys(client, AEAD_AES_SIV_CMAC_256, 0, 0, &c2s, &s2c)); + send_message(client); request_received = response_received = 0; @@ -211,6 +215,9 @@ test_unit(void) TEST_CHECK(NKSN_IsStopped(server)); TEST_CHECK(NKSN_IsStopped(client)); + TEST_CHECK(!NKSN_GetKeys(server, AEAD_AES_SIV_CMAC_256, 0, 0, &c2s, &s2c)); + TEST_CHECK(!NKSN_GetKeys(client, AEAD_AES_SIV_CMAC_256, 0, 0, &c2s, &s2c)); + TEST_CHECK(request_received); TEST_CHECK(response_received);