Added sanity check on TLS encrypt to trap against glitching.

2026-01-29 22:12:13 +01:00 · 2022-06-10 12:52:34 -07:00
parent afc63a3bfa
commit 2f4864cab2
4 changed files with 49 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -15823,6 +15823,13 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
                return ENCRYPT_ERROR;
            }

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+                XMEMCPY(ssl->encrypt.sanityCheck, input,
+                    min(sz, sizeof(ssl->encrypt.sanityCheck)));
+            }
+        #endif
+
        #ifdef HAVE_FUZZER
            if (ssl->fuzzerCb)
                ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx);
@@ -15870,6 +15877,18 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,

        case CIPHER_STATE_END:
        {
+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                XMEMCMP(out, ssl->encrypt.sanityCheck,
+                    min(sz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+
+                WOLFSSL_MSG("Encrypt sanity check failed! Glitch?");
+                return ENCRYPT_ERROR;
+            }
+            ForceZero(ssl->encrypt.sanityCheck,
+                sizeof(ssl->encrypt.sanityCheck));
+        #endif
+
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -1855,6 +1855,13 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
            WOLFSSL_BUFFER(aad, aadSz);
        #endif

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
+                XMEMCPY(ssl->encrypt.sanityCheck, input,
+                    min(dataSz, sizeof(ssl->encrypt.sanityCheck)));
+            }
+        #endif
+
        #ifdef CIPHER_NONCE
            if (ssl->encrypt.nonce == NULL)
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
@@ -1980,6 +1987,18 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
                WOLFSSL_BUFFER(output + dataSz, macSz);
        #endif

+        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
+            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
+                XMEMCMP(output, ssl->encrypt.sanityCheck,
+                    min(dataSz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
+
+                WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
+                return ENCRYPT_ERROR;
+            }
+            ForceZero(ssl->encrypt.sanityCheck,
+                sizeof(ssl->encrypt.sanityCheck));
+        #endif
+
        #ifdef CIPHER_NONCE
            ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);
        #endif