From 19d8ef405cd373a7e6f65077b752bc8bf2d7ea10 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Nov 2019 10:33:17 -0800
Subject: [PATCH 1/4] Maintenance: DTLS

When encrypting with AES-GCM, AES-CCM, or PolyChacha, do not increment the DTLS sequence number. The sequence number should only be incremented in BuildMessage. This was done because the sequence number used to be incremented after calculating the HMAC or after the encrypt for AEAD ciphers. The HMAC has been separated from the sequence increment.
---
 src/internal.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index ef64900dd..e71abdba4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12529,7 +12529,6 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
 #ifdef WOLFSSL_DTLS
 if (ssl->options.dtls) {
 additionalSrc -= DTLS_HANDSHAKE_EXTRA;
- DtlsSEQIncrement(ssl, CUR_ORDER);
 }
 #endif
 
@@ -13069,11 +13068,6 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16
 #endif
 if (ssl->encrypt.nonce)
 ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
-
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- DtlsSEQIncrement(ssl, CUR_ORDER);
- #endif
 }
 #endif /* BUILD_AESGCM || HAVE_AESCCM */
 break;

From 188eb45433f7fbaeb733235b0d4b2a9d3cf6bc3e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Nov 2019 13:08:01 -0800
Subject: [PATCH 2/4] Maintenance: DTLS

Removed redundant sequence increment when sending the Server Hello message.
---
 src/internal.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index e71abdba4..cd4954713 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22925,10 +22925,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if ((ret = DtlsMsgPoolSave(ssl, output, sendSz)) != 0)
 return ret;
 }
-
- if (ssl->options.dtls) {
- DtlsSEQIncrement(ssl, CUR_ORDER);
- }
 #endif
 
 if (ssl->options.groupMessages)
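Review bot: With DtlsSEQIncrement removed from ChachaAEADEncrypt and from the AES-GCM/CCM branch of Encrypt, neither hunk leaves any increment in the encrypt path, so uniqueness of the DTLS record sequence number now rests entirely on BuildMessage, which is outside this patch. For the AEAD suites the per-record nonce (the `ssl->encrypt.nonce` zeroed two lines above the removed block) is normally derived from the epoch and sequence number, so any DTLS send path that reaches Encrypt without going through BuildMessage would repeat a nonce under the same key. I would pair this with a regression test that encrypts two consecutive DTLS records per AEAD suite and asserts the sequence numbers differ, plus a comment where the nonce is assembled, e.g. `/* nonce = epoch || seq; seq is advanced only by BuildMessage */`. The ServerHello hunk in PATCH 2/4, which drops the increment after DtlsMsgPoolSave, relies on the same assumption and is covered by the same test. Both ChachaAEADEncrypt and Encrypt start and end outside the hunks.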
From 71690fc73abef7598ecef9b2dbf566fa498c25e3 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Nov 2019 13:29:16 -0800
Subject: [PATCH 3/4] Maintenance: DTLS

1. Updated the window scrolling. There was a couple off-by-one errors in the DTLS window handling. They canceled each other out, but there was a rare case where they would shift too much.
---
 src/internal.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index cd4954713..5e834bc7d 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -12102,7 +12102,7 @@ static WC_INLINE int DtlsCheckWindow(WOLFSSL* ssl)
 return 0;
 }
 
- if (window[idx] & (1 << (newDiff - 1))) {
+ if (window[idx] & (1 << newDiff)) {
 WOLFSSL_MSG("Current record sequence number already received.");
 return 0;
 }
@@ -12209,7 +12209,7 @@ static WC_INLINE int DtlsUpdateWindow(WOLFSSL* ssl)
 word32 newDiff = diff % DTLS_WORD_BITS;
 
 if (idx < WOLFSSL_DTLS_WINDOW_WORDS)
- window[idx] |= (1 << (newDiff - 1));
+ window[idx] |= (1 << newDiff);
 }
 else {
 if (diff >= DTLS_SEQ_BITS)
@@ -12231,7 +12231,7 @@ static WC_INLINE int DtlsUpdateWindow(WOLFSSL* ssl)
 else {
 temp |= (oldWindow[i-idx] << newDiff);
 window[i] = temp;
- temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - newDiff);
+ temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - newDiff - 1);
 }
 }
 }

From ce0136e9682b81582f412647faa13ba00ad5bcf6 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Nov 2019 13:55:57 -0800
Subject: [PATCH 4/4] Maintenance: Integers

In TFM and Integer, rshb() shouldn't try to shift a value that is 0. This leads to using a negative offset to a pointer, but isn't used.
---
 wolfcrypt/src/integer.c | 2 ++
 wolfcrypt/src/tfm.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c
index e94c36e11..7c1536eda 100644
--- a/wolfcrypt/src/integer.c
+++ b/wolfcrypt/src/integer.c
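Review bot: `1 << newDiff` in the DtlsCheckWindow hunk and in the first DtlsUpdateWindow hunk shifts the signed int constant 1, and after this change newDiff runs up to `DTLS_WORD_BITS - 1` (it is `diff % DTLS_WORD_BITS` in the second hunk); if DTLS_WORD_BITS is 32 that is `1 << 31`, which overflows int and is undefined behavior in C (the old `newDiff - 1` form was instead an out-of-range count when newDiff was 0). Shift an unsigned constant of the window's word type in both places, `if (window[idx] & (((word32)1) << newDiff)) {` and `window[idx] |= ((word32)1) << newDiff;`, assuming window is a word32 array as the `word32 newDiff` declaration suggests. Both enclosing functions start and end outside the hunks.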
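Review bot: In the third hunk the carry shift `>> (DTLS_WORD_BITS - newDiff - 1)` is no longer the complement of the `<< newDiff` two lines above it (the two counts sum to DTLS_WORD_BITS - 1), so bit `DTLS_WORD_BITS - newDiff - 1` of `oldWindow[i-idx]` lands both as the top bit of `window[i]` and as the low bit carried into the next word, and when newDiff is `DTLS_WORD_BITS - 1` the whole old word is carried unshifted. This may be intended if `diff` is adjusted by one before the loop, which is outside the hunk, but from these lines alone the off-by-one looks moved rather than removed. Either make the two shifts complementary again with the newDiff == 0 case handled separately so the right shift never equals the word width, or add a comment above the loop stating the total shift the loop is meant to apply. A table-driven test of DtlsUpdateWindow over newDiff in {0, 1, DTLS_WORD_BITS - 1} against a plain bit-array reference would settle which reading is correct. DtlsUpdateWindow continues outside the hunk.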
@@ -572,6 +572,8 @@ void mp_rshb (mp_int *c, int x)
 mp_digit r, rr;
 mp_digit D = x;
 
+ if (mp_iszero(c)) return;
+
 /* mask */
 mask = (((mp_digit)1) << D) - 1;
 
diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c
index f0fb014ac..e6713f9ca 100644
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -3174,6 +3174,8 @@ void fp_rshb(fp_int *c, int x)
 fp_digit r, rr;
 fp_digit D = x;
 
+ if (fp_iszero(c)) return;
+
 /* mask */
 mask = (((fp_digit)1) << D) - 1;
 
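Review bot: The new `if (mp_iszero(c)) return;` guard handles the zero-value case that formed the out-of-range pointer, but the shift count `x` is still unchecked in both mp_rshb and fp_rshb: `mask = (((mp_digit)1) << D) - 1` on the next context line is undefined when `D`, the unsigned copy of `x`, is DIGIT_BIT or more, which a negative or oversized `x` produces. If callers guarantee the range, document it above both functions, e.g. `/* Shift c right by x bits; requires 0 < x < DIGIT_BIT */`; if they do not, return early on an out-of-range count as well, `if (x <= 0 || x >= DIGIT_BIT) return;`. The same applies to the fp_rshb hunk in tfm.c, and both function bodies continue past the hunks.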