mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 09:35:43 +01:00
ssl: Don't access non-existent encrypt_then_mac field
When MBEDTLS_SSL_ENCRYPT_THEN_MAC is enabled, but not
MBEDTLS_SSL_SOME_MODES_USE_MAC, mbedtls_ssl_derive_keys() and
build_transforms() will attempt to use a non-existent `encrypt_then_mac`
field in the ssl_transform.
Compile [ 93.7%]: ssl_tls.c
[Error] ssl_tls.c@865,14: 'mbedtls_ssl_transform {aka struct mbedtls_ssl_transform}' ha
s no member named 'encrypt_then_mac'
[ERROR] ./mbed-os/features/mbedtls/src/ssl_tls.c: In function 'mbedtls_ssl_derive_keys'
:
./mbed-os/features/mbedtls/src/ssl_tls.c:865:14: error: 'mbedtls_ssl_transform {aka str
uct mbedtls_ssl_transform}' has no member named 'encrypt_then_mac'
transform->encrypt_then_mac = session->encrypt_then_mac;
^~
Change mbedtls_ssl_derive_keys() and build_transforms() to only access
`encrypt_then_mac` if `encrypt_then_mac` is actually present.
Add a regression test to detect when we have regressions with
configurations that do not include any MAC ciphersuites.
Fixes d56ed2491b
("Reduce size of `ssl_transform` if no MAC ciphersuite is enabled")
This commit is contained in:
parent
a1491fe74f
commit
2de07f1dd1
@ -953,7 +953,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
|
||||||
|
defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||||
transform->encrypt_then_mac = session->encrypt_then_mac;
|
transform->encrypt_then_mac = session->encrypt_then_mac;
|
||||||
#endif
|
#endif
|
||||||
transform->minor_ver = ssl->minor_ver;
|
transform->minor_ver = ssl->minor_ver;
|
||||||
|
@ -953,6 +953,20 @@ component_test_no_max_fragment_length_small_ssl_out_content_len () {
|
|||||||
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
|
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
component_test_when_no_ciphersuites_have_mac () {
|
||||||
|
msg "build: when no ciphersuites have MAC"
|
||||||
|
scripts/config.pl unset MBEDTLS_CIPHER_NULL_CIPHER
|
||||||
|
scripts/config.pl unset MBEDTLS_ARC4_C
|
||||||
|
scripts/config.pl unset MBEDTLS_CIPHER_MODE_CBC
|
||||||
|
make
|
||||||
|
|
||||||
|
msg "test: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
|
||||||
|
make test
|
||||||
|
|
||||||
|
msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_MODES_USE_MAC"
|
||||||
|
if_build_succeeded tests/ssl-opt.sh
|
||||||
|
}
|
||||||
|
|
||||||
component_test_null_entropy () {
|
component_test_null_entropy () {
|
||||||
msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
|
msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
|
||||||
scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
|
scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY
|
||||||
|
@ -159,7 +159,8 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
|||||||
* Setup transforms
|
* Setup transforms
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
|
||||||
|
defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||||
t_out->encrypt_then_mac = etm;
|
t_out->encrypt_then_mac = etm;
|
||||||
t_in->encrypt_then_mac = etm;
|
t_in->encrypt_then_mac = etm;
|
||||||
#else
|
#else
|
||||||
|
Loading…
Reference in New Issue
Block a user