From ff51721e990998f78ba3a2931d25f994d7568a7b Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 10 Aug 2020 07:10:35 -0400 Subject: [PATCH] ssl_tls: reduce the complexity of encryption validation Signed-off-by: Andrzej Kurek --- library/ssl_tls.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 89345180c..7dfc0afb3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2589,9 +2589,6 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data, } } -#define ENCRYPTION_SUCCESS 0xCC -#define ENCRYPTION_FAIL 0xAA - int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform, mbedtls_record *rec, @@ -2604,7 +2601,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; size_t add_data_len; size_t post_avail; - int encryption_status = ENCRYPTION_FAIL; + int encryption_status = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED; /* The SSL context is only used for debugging purposes! */ #if !defined(MBEDTLS_DEBUG_C) @@ -2774,7 +2771,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } - if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx, + if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx, transform->iv_enc, transform->ivlen, data, rec->data_len, data, &olen ) ) != 0 ) @@ -2783,7 +2780,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } #else - if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, + if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, transform->iv_enc, transform->ivlen, data, rec->data_len, data, &olen ) ) != 0 ) @@ -2797,7 +2794,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - encryption_status = ENCRYPTION_SUCCESS; } else #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ @@ -2874,7 +2870,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } - if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx, + if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx, iv, transform->ivlen, add_data, add_data_len, /* add data */ data, rec->data_len, /* source */ @@ -2885,7 +2881,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } #else - if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, + if( ( ret = encryption_status = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, iv, transform->ivlen, add_data, add_data_len, /* add data */ data, rec->data_len, /* source */ @@ -2896,7 +2892,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } #endif - encryption_status = ENCRYPTION_SUCCESS; MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", data + rec->data_len, transform->taglen ); @@ -2981,7 +2976,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } - if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx, + if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx, transform->iv_enc, transform->ivlen, data, rec->data_len, @@ -2991,7 +2986,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( ret ); } #else - if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, + if( ( ret = encryption_status = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, transform->iv_enc, transform->ivlen, data, rec->data_len, @@ -3002,8 +2997,6 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, } #endif - encryption_status = ENCRYPTION_SUCCESS; - if( rec->data_len != olen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); @@ -3092,7 +3085,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); - if( encryption_status == ENCRYPTION_SUCCESS ) + if( encryption_status == 0 ) { return( 0 ); }