ssl_tls: reduce the complexity of encryption validation

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2024-11-25 15:05:45 +01:00 · 2020-08-10 07:10:35 -04:00 · 2020-08-10 07:10:35 -04:00 · ff51721e99
commit ff51721e99
parent 8ec9e136cf
1 changed files with 8 additions and 15 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2589,9 +2589,6 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
    }
 }

-#define ENCRYPTION_SUCCESS 0xCC
-#define ENCRYPTION_FAIL 0xAA
-
 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
                             mbedtls_ssl_transform *transform,
                             mbedtls_record *rec,
@ -2604,7 +2601,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
    unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
    size_t add_data_len;
    size_t post_avail;
-    int encryption_status = ENCRYPTION_FAIL;
+    int encryption_status = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;

    /* The SSL context is only used for debugging purposes! */
 #if !defined(MBEDTLS_DEBUG_C)
@ -2774,7 +2771,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }

-        if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
+        if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx,
                                   transform->iv_enc, transform->ivlen,
                                   data, rec->data_len,
                                   data, &olen ) ) != 0 )
@ -2783,7 +2780,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }
 #else
-        if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
+        if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
                                   transform->iv_enc, transform->ivlen,
                                   data, rec->data_len,
                                   data, &olen ) ) != 0 )
@ -2797,7 +2794,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }
-        encryption_status = ENCRYPTION_SUCCESS;
    }
    else
 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
@ -2874,7 +2870,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }

-        if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx,
+        if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx,
                   iv, transform->ivlen,
                   add_data, add_data_len,       /* add data     */
                   data, rec->data_len,          /* source       */
@ -2885,7 +2881,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }
 #else
-        if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+        if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
                   iv, transform->ivlen,
                   add_data, add_data_len,       /* add data     */
                   data, rec->data_len,          /* source       */
@ -2896,7 +2892,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }
 #endif
-        encryption_status = ENCRYPTION_SUCCESS;

        MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
                               data + rec->data_len, transform->taglen );
@ -2981,7 +2976,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }

-        if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
+        if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx,
                                   transform->iv_enc,
                                   transform->ivlen,
                                   data, rec->data_len,
@ -2991,7 +2986,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
            return( ret );
        }
 #else
-        if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
+        if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
                                   transform->iv_enc,
                                   transform->ivlen,
                                   data, rec->data_len,
@ -3002,8 +2997,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
        }
 #endif

-        encryption_status = ENCRYPTION_SUCCESS;
-
        if( rec->data_len != olen )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@ -3092,7 +3085,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );

-    if( encryption_status == ENCRYPTION_SUCCESS )
+    if( encryption_status == 0 )
    {
        return( 0 );
    }