1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00

Revert "Do not encrypt CCS records"

This reverts commit 96ec831385.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
Gabor Mezei
2022-06-28 11:55:35 +02:00
parent 96ec831385
commit 05ebf3be74
3 changed files with 17 additions and 30 deletions

View File

@ -1271,8 +1271,7 @@ static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl, int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
size_t buf_len, size_t msg_len ); size_t buf_len, size_t msg_len );
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush, int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
int encrypt );
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ); int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ); int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );

View File

@ -151,9 +151,6 @@ exit:
#define SSL_DONT_FORCE_FLUSH 0 #define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1 #define SSL_FORCE_FLUSH 1
#define SSL_DONT_ENCRYPT_RECORD 0
#define SSL_ENCRYPT_RECORD 1
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
/* Forward declarations for functions related to message buffering. */ /* Forward declarations for functions related to message buffering. */
@ -2327,8 +2324,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
} }
/* Actually send the message out */ /* Actually send the message out */
if( ( ret = mbedtls_ssl_write_record( ssl, force_flush, if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
SSL_ENCRYPT_RECORD ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret ); return( ret );
@ -2574,8 +2570,7 @@ int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
else else
#endif #endif
{ {
if( ( ret = mbedtls_ssl_write_record( ssl, force_flush, if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
SSL_ENCRYPT_RECORD ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
return( ret ); return( ret );
@ -2615,8 +2610,7 @@ cleanup:
* - ssl->out_msglen: length of the record content (excl headers) * - ssl->out_msglen: length of the record content (excl headers)
* - ssl->out_msg: record content * - ssl->out_msg: record content
*/ */
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush, int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush )
int encrypt )
{ {
int ret, done = 0; int ret, done = 0;
size_t len = ssl->out_msglen; size_t len = ssl->out_msglen;
@ -2648,7 +2642,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN ); memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0); MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
if( ssl->transform_out != NULL && encrypt ) if( ssl->transform_out != NULL )
{ {
mbedtls_record rec; mbedtls_record rec;
@ -2720,21 +2714,17 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
ssl->out_left += protected_record_size; ssl->out_left += protected_record_size;
ssl->out_hdr += protected_record_size; ssl->out_hdr += protected_record_size;
mbedtls_ssl_update_out_pointers( ssl, encrypt ? ssl->transform_out : NULL ); mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
/* Do not increment the counter for CCS records. */ for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
if( encrypt ) if( ++ssl->cur_out_ctr[i - 1] != 0 )
break;
/* The loop goes to its end iff the counter is wrapping */
if( i == mbedtls_ssl_ep_len( ssl ) )
{ {
for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
if( ++ssl->cur_out_ctr[i - 1] != 0 ) return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
break;
/* The loop goes to its end iff the counter is wrapping */
if( i == mbedtls_ssl_ep_len( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
}
} }
} }
@ -4822,8 +4812,7 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
ssl->out_msg[0] = level; ssl->out_msg[0] = level;
ssl->out_msg[1] = message; ssl->out_msg[1] = message;
if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH, if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
SSL_ENCRYPT_RECORD ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret ); return( ret );
@ -5613,8 +5602,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
memcpy( ssl->out_msg, buf, len ); memcpy( ssl->out_msg, buf, len );
if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH, if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
SSL_ENCRYPT_RECORD ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret ); return( ret );

View File

@ -1341,7 +1341,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
/* Dispatch message */ /* Dispatch message */
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0, 0 ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
cleanup: cleanup: