wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2540 from SparkiDev/etm_rehand

Browse Source 
Fix Encrypt-Then-MAC when rehandshaking
This commit is contained in:
toddouska
2019-11-04 11:41:44 -08:00
committed by GitHub
parent e2fb359538 4be36ef2bd
commit f4afa4bc87
2 changed files with 49 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
src/internal.c
View File

@ -10772,7 +10772,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
args->idx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
args->idx += MacSize(ssl);
#endif
}
@ -10999,7 +10999,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
if (*inOutIdx + ssl->keys.padSz + digestSz > size)
return BUFFER_E;
@ -11041,7 +11041,7 @@ static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
return BUFFER_E;
@ -11089,7 +11089,7 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
/* check against totalSz */
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
if (*inOutIdx + size + ssl->keys.padSz + MacSize(ssl) > totalSz)
return BUFFER_E;
}
@ -11131,7 +11131,7 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
/* force input exhaustion at ProcessReply consuming padSz */
*inOutIdx += size + ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
*inOutIdx += MacSize(ssl);
#endif
@ -11522,7 +11522,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
expectedIdx = *inOutIdx + size +
(ssl->keys.encryptionOn ? ssl->keys.padSz : 0);
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac && ssl->keys.encryptionOn)
if (ssl->options.startedETMRead && ssl->keys.encryptionOn)
expectedIdx += MacSize(ssl);
#endif
@ -11703,7 +11703,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
*inOutIdx += MacSize(ssl);
#endif
}
@ -11740,7 +11740,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif
if (IsEncryptionOn(ssl, 0)) {
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
return BUFFER_E;
@ -12267,7 +12267,7 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
*inOutIdx += fragSz;
if(type == finished ) {
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
return BUFFER_E;
@ -13292,7 +13292,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
#ifndef WOLFSSL_AEAD_ONLY
if (ssl->specs.cipher_type == block) {
#ifdef HAVE_ENCRYPT_THEN_MAC
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
WOLFSSL_MSG("Block ciphertext not block size");
return SANITY_CIPHER_E;
@ -13517,7 +13517,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
dataSz = msgSz - ivExtra - ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
dataSz -= MacSize(ssl);
#endif
if (dataSz < 0) {
@ -13553,7 +13553,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
idx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
idx += MacSize(ssl);
#endif
@ -13589,7 +13589,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
if (IsEncryptionOn(ssl, 0)) {
dataSz -= ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
dataSz -= MacSize(ssl);
#endif
}
@ -13637,7 +13637,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
*inOutIdx += MacSize(ssl);
#endif
}
@ -14054,7 +14054,7 @@ int ProcessReply(WOLFSSL* ssl)
case verifyEncryptedMessage:
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
!atomicUser && ssl->options.encThenMac) {
!atomicUser && ssl->options.startedETMRead) {
ret = VerifyMacEnc(ssl, ssl->buffers.inputBuffer.buffer +
ssl->buffers.inputBuffer.idx,
ssl->curSize, ssl->curRL.type);
@ -14113,7 +14113,7 @@ int ProcessReply(WOLFSSL* ssl)
if (atomicUser) {
#ifdef ATOMIC_USER
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
ret = ssl->ctx->VerifyDecryptCb(ssl,
in->buffer + in->idx, in->buffer + in->idx,
ssl->curSize - MacSize(ssl),
@ -14135,7 +14135,7 @@ int ProcessReply(WOLFSSL* ssl)
if (!ssl->options.tls1_3) {
#ifndef WOLFSSL_NO_TLS12
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
ret = Decrypt(ssl,
in->buffer + in->idx,
@ -14255,7 +14255,7 @@ int ProcessReply(WOLFSSL* ssl)
{
if (!atomicUser
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
&& !ssl->options.encThenMac
&& !ssl->options.startedETMRead
#endif
) {
ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
@ -14314,7 +14314,7 @@ int ProcessReply(WOLFSSL* ssl)
case runProcessingOneMessage:
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (IsEncryptionOn(ssl, 0) && ssl->options.encThenMac) {
if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
if (ssl->buffers.inputBuffer.length - ssl->keys.padSz -
ssl->buffers.inputBuffer.idx -
MacSize(ssl) > MAX_PLAINTEXT_SZ) {
@ -14469,7 +14469,7 @@ int ProcessReply(WOLFSSL* ssl)
ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
ssl->buffers.inputBuffer.idx += digestSz;
ssl->curSize -= digestSz;
@ -14492,6 +14492,10 @@ int ProcessReply(WOLFSSL* ssl)
if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
return ret;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
ssl->options.startedETMRead = ssl->options.encThenMac;
#endif
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
@ -14590,7 +14594,7 @@ int ProcessReply(WOLFSSL* ssl)
if (IsEncryptionOn(ssl, 0)) {
WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl);
if (ssl->buffers.inputBuffer.idx >=
ssl->keys.padSz + digestSz) {
@ -15116,7 +15120,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
}
args->sz += 1; /* pad byte */
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMWrite) {
args->pad = (args->sz - args->headerSz -
args->digestSz) % blockSz;
}
@ -15197,7 +15201,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
word32 i;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMWrite)
tmpIdx = args->idx;
else
#endif
@ -15216,7 +15220,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
/* User Record Layer Callback handling */
#ifdef ATOMIC_USER
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMWrite) {
if (ssl->ctx->EncryptMacCb) {
ret = ssl->ctx->EncryptMacCb(ssl, output + args->idx +
args->pad + 1, type, 0,
@ -15244,7 +15248,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
#ifndef WOLFSSL_AEAD_ONLY
if (ssl->specs.cipher_type != aead
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
&& !ssl->options.encThenMac
&& !ssl->options.startedETMWrite
#endif
) {
#ifdef HAVE_TRUNCATED_HMAC
@ -15289,7 +15293,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
case BUILD_MSG_ENCRYPT:
{
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMWrite) {
ret = Encrypt(ssl, output + args->headerSz,
output + args->headerSz,
args->size - args->digestSz, asyncOkay);
@ -15308,7 +15312,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
case BUILD_MSG_ENCRYPTED_VERIFY_MAC:
{
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac) {
if (ssl->options.startedETMWrite) {
WOLFSSL_MSG("Calculate MAC of Encrypted Data");
#ifdef HAVE_TRUNCATED_HMAC
@ -15403,6 +15407,10 @@ int SendFinished(WOLFSSL* ssl)
if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
return ret;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
ssl->options.startedETMWrite = ssl->options.encThenMac;
#endif
/* check for available size */
outputSz = sizeof(input) + MAX_MSG_EXTRA;
if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
@ -19057,8 +19065,10 @@ exit_dpk:
if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac && ssl->specs.cipher_type == block)
if (ssl->options.startedETMWrite &&
ssl->specs.cipher_type == block) {
*inOutIdx += MacSize(ssl);
}
#endif
}
@ -19344,7 +19354,7 @@ exit_dpk:
if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
*inOutIdx += MacSize(ssl);
#endif
}
@ -20405,7 +20415,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
if (IsEncryptionOn(ssl, 0)) {
args->idx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
args->idx += MacSize(ssl);
#endif
}
@ -22577,7 +22587,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
*inOutIdx += MacSize(ssl);
#endif
}
@ -25451,10 +25461,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
IsEncryptionOn(ssl, 0)) {
ssl->secure_renegotiation->startScr = 1;
}
if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
IsEncryptionOn(ssl, 0)) {
ssl->secure_renegotiation->startScr = 1;
}
#endif
WOLFSSL_LEAVE("DoClientHello", ret);
WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
@ -25777,7 +25787,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
args->idx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
args->idx += MacSize(ssl);
#endif
}
@ -27420,7 +27430,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (IsEncryptionOn(ssl, 0)) {
args->idx += ssl->keys.padSz;
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.encThenMac)
if (ssl->options.startedETMRead)
args->idx += MacSize(ssl);
#endif
}

2
wolfssl/internal.h
View File

@ -3361,6 +3361,8 @@ typedef struct Options {
#ifdef HAVE_ENCRYPT_THEN_MAC
word16 disallowEncThenMac:1; /* Don't do Encrypt-Then-MAC */
word16 encThenMac:1; /* Doing Encrypt-Then-MAC */
word16 startedETMRead:1; /* Doing Encrypt-Then-MAC read */
word16 startedETMWrite:1; /* Doing Encrypt-Then-MAC write */
#endif
/* need full byte values for this section */