diff --git a/src/internal.c b/src/internal.c
index c47f1e45d..6f4179e3b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10772,7 +10772,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 args->idx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 args->idx += MacSize(ssl);
 #endif
 }
@@ -10999,7 +10999,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 if (*inOutIdx + ssl->keys.padSz + digestSz > size)
 return BUFFER_E;
@@ -11041,7 +11041,7 @@ static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
 return BUFFER_E;
@@ -11089,7 +11089,7 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
 /* check against totalSz */
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 if (*inOutIdx + size + ssl->keys.padSz + MacSize(ssl) > totalSz)
 return BUFFER_E;
 }
@@ -11131,7 +11131,7 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
 /* force input exhaustion at ProcessReply consuming padSz */
 *inOutIdx += size + ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 *inOutIdx += MacSize(ssl);
 #endif
@@ -11522,7 +11522,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 expectedIdx = *inOutIdx + size + (ssl->keys.encryptionOn ? ssl->keys.padSz : 0);
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac && ssl->keys.encryptionOn)
+ if (ssl->options.startedETMRead && ssl->keys.encryptionOn)
 expectedIdx += MacSize(ssl);
 #endif
@@ -11703,7 +11703,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 *inOutIdx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 *inOutIdx += MacSize(ssl);
 #endif
 }
@@ -11740,7 +11740,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif
 if (IsEncryptionOn(ssl, 0)) {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
 return BUFFER_E;
@@ -12267,7 +12267,7 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 *inOutIdx += fragSz;
 if(type == finished ) {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
 return BUFFER_E;
@@ -13292,7 +13292,7 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
 #ifndef WOLFSSL_AEAD_ONLY
 if (ssl->specs.cipher_type == block) {
 #ifdef HAVE_ENCRYPT_THEN_MAC
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
 WOLFSSL_MSG("Block ciphertext not block size");
 return SANITY_CIPHER_E;
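Review bot: In the SanityCheckCipherText hunk at -13292, the branch now guarded by `ssl->options.startedETMRead` computes `(encryptSz - MacSize(ssl)) % ssl->specs.block_size` on an unsigned `word32`, so a record shorter than the MAC wraps the subtraction to a huge value and the block-alignment test becomes meaningless for that input. If no earlier check in the function already rejects `encryptSz < MacSize(ssl)` (the function's start is outside the hunk, so I cannot confirm it), the guard should come first: `if (encryptSz < MacSize(ssl)) return SANITY_CIPHER_E;`. This is pre-existing arithmetic that the commit only re-gates, but since the new flag decides whether this path runs at all on received data, it is worth confirming the minimum-length check precedes it.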
@@ -13517,7 +13517,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
 dataSz = msgSz - ivExtra - ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 dataSz -= MacSize(ssl);
 #endif
 if (dataSz < 0) {
@@ -13553,7 +13553,7 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
 idx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 idx += MacSize(ssl);
 #endif
@@ -13589,7 +13589,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
 if (IsEncryptionOn(ssl, 0)) {
 dataSz -= ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 dataSz -= MacSize(ssl);
 #endif
 }
@@ -13637,7 +13637,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
 if (IsEncryptionOn(ssl, 0)) {
 *inOutIdx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 *inOutIdx += MacSize(ssl);
 #endif
 }
@@ -14054,7 +14054,7 @@ int ProcessReply(WOLFSSL* ssl)
 case verifyEncryptedMessage:
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
- !atomicUser && ssl->options.encThenMac) {
+ !atomicUser && ssl->options.startedETMRead) {
 ret = VerifyMacEnc(ssl, ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx, ssl->curSize, ssl->curRL.type);
@@ -14113,7 +14113,7 @@ int ProcessReply(WOLFSSL* ssl)
 if (atomicUser) {
 #ifdef ATOMIC_USER
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 ret = ssl->ctx->VerifyDecryptCb(ssl, in->buffer + in->idx, in->buffer + in->idx, ssl->curSize - MacSize(ssl),
@@ -14135,7 +14135,7 @@ int ProcessReply(WOLFSSL* ssl)
 if (!ssl->options.tls1_3) {
 #ifndef WOLFSSL_NO_TLS12
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 ret = Decrypt(ssl, in->buffer + in->idx,
@@ -14255,7 +14255,7 @@ int ProcessReply(WOLFSSL* ssl)
 {
 if (!atomicUser
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- && !ssl->options.encThenMac
+ && !ssl->options.startedETMRead
 #endif
 ) {
 ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
@@ -14314,7 +14314,7 @@ int ProcessReply(WOLFSSL* ssl)
 case runProcessingOneMessage:
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (IsEncryptionOn(ssl, 0) && ssl->options.encThenMac) {
+ if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
 if (ssl->buffers.inputBuffer.length - ssl->keys.padSz - ssl->buffers.inputBuffer.idx - MacSize(ssl) > MAX_PLAINTEXT_SZ) {
@@ -14469,7 +14469,7 @@ int ProcessReply(WOLFSSL* ssl)
 ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
 ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 ssl->buffers.inputBuffer.idx += digestSz;
 ssl->curSize -= digestSz;
@@ -14492,6 +14492,10 @@ int ProcessReply(WOLFSSL* ssl)
 if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
 return ret;
+ #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
+ ssl->options.startedETMRead = ssl->options.encThenMac;
+ #endif
+
 #ifdef WOLFSSL_DTLS
 if (ssl->options.dtls) {
 WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
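Review bot: The new latch `ssl->options.startedETMRead = ssl->options.encThenMac;` in the -14492 hunk, placed right after `SetKeysSide(ssl, DECRYPT_SIDE_ONLY)`, carries no comment saying why a per-direction copy of `encThenMac` is needed, and the mirror latch of `startedETMWrite` in SendFinished has the same gap; a reader will otherwise take the two new fields for redundant aliases of `encThenMac`. The reason is presumably that the negotiated value can change across a renegotiation while one direction is still using the previous keys, which is exactly the window where every read-side check in this file must follow the read keys, not the most recent handshake. I would add above the `#if` `/* Snapshot ETM for the read direction at the moment the decrypt keys are installed; the write direction is snapshotted separately when SendFinished installs the encrypt keys. */`. ProcessReply begins and ends well outside this hunk, so I cannot see whether any other path installs decrypt keys without passing through this point.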
@@ -14590,7 +14594,7 @@ int ProcessReply(WOLFSSL* ssl)
 if (IsEncryptionOn(ssl, 0)) {
 WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMRead) {
 word32 digestSz = MacSize(ssl);
 if (ssl->buffers.inputBuffer.idx >= ssl->keys.padSz + digestSz) {
@@ -15116,7 +15120,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 }
 args->sz += 1; /* pad byte */
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMWrite) {
 args->pad = (args->sz - args->headerSz - args->digestSz) % blockSz;
 }
@@ -15197,7 +15201,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 word32 i;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMWrite)
 tmpIdx = args->idx;
 else
 #endif
@@ -15216,7 +15220,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 /* User Record Layer Callback handling */
 #ifdef ATOMIC_USER
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMWrite) {
 if (ssl->ctx->EncryptMacCb) {
 ret = ssl->ctx->EncryptMacCb(ssl, output + args->idx + args->pad + 1, type, 0,
@@ -15244,7 +15248,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 #ifndef WOLFSSL_AEAD_ONLY
 if (ssl->specs.cipher_type != aead
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- && !ssl->options.encThenMac
+ && !ssl->options.startedETMWrite
 #endif
 ) {
 #ifdef HAVE_TRUNCATED_HMAC
@@ -15289,7 +15293,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 case BUILD_MSG_ENCRYPT:
 {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMWrite) {
 ret = Encrypt(ssl, output + args->headerSz, output + args->headerSz, args->size - args->digestSz, asyncOkay);
@@ -15308,7 +15312,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 case BUILD_MSG_ENCRYPTED_VERIFY_MAC:
 {
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac) {
+ if (ssl->options.startedETMWrite) {
 WOLFSSL_MSG("Calculate MAC of Encrypted Data");
 #ifdef HAVE_TRUNCATED_HMAC
@@ -15403,6 +15407,10 @@ int SendFinished(WOLFSSL* ssl)
 if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
 return ret;
+ #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
+ ssl->options.startedETMWrite = ssl->options.encThenMac;
+ #endif
+
 /* check for available size */
 outputSz = sizeof(input) + MAX_MSG_EXTRA;
 if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
@@ -19057,8 +19065,10 @@ exit_dpk:
 if (IsEncryptionOn(ssl, 0)) {
 *inOutIdx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac && ssl->specs.cipher_type == block)
+ if (ssl->options.startedETMWrite &&
+ ssl->specs.cipher_type == block) {
 *inOutIdx += MacSize(ssl);
+ }
 #endif
 }
@@ -19344,7 +19354,7 @@ exit_dpk:
 if (IsEncryptionOn(ssl, 0)) {
 *inOutIdx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 *inOutIdx += MacSize(ssl);
 #endif
 }
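Review bot: The -19057 hunk (after `exit_dpk:`) switches its guard to `ssl->options.startedETMWrite`, yet the surrounding code has the shape of every inbound-message epilogue in this commit — `IsEncryptionOn(ssl, 0)`, then `*inOutIdx += ssl->keys.padSz`, then skipping the MAC — and every other hunk with that shape (-19344 immediately below, and those in DoServerKeyExchange and DoSessionTicket) switches to `startedETMRead`. If this function is parsing a received handshake message, the write-direction flag is the wrong one: the whole point of the new fields is that the two directions can disagree between a ChangeCipherSpec and the local SendFinished, and here the index would skip a MAC that is not present, or fail to skip one that is. Unless this is deliberately an outbound path, the condition should read `if (ssl->options.startedETMRead &&`. The enclosing function begins and ends outside the hunk, so its direction is inferred from the surrounding pattern rather than confirmed.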
@@ -20405,7 +20415,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
 if (IsEncryptionOn(ssl, 0)) {
 args->idx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 args->idx += MacSize(ssl);
 #endif
 }
@@ -22577,7 +22587,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 *inOutIdx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 *inOutIdx += MacSize(ssl);
 #endif
 }
@@ -25451,10 +25461,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif
 #ifdef HAVE_SECURE_RENEGOTIATION
- if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
- IsEncryptionOn(ssl, 0)) {
- ssl->secure_renegotiation->startScr = 1;
- }
+ if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
+ IsEncryptionOn(ssl, 0)) {
+ ssl->secure_renegotiation->startScr = 1;
+ }
 #endif
 WOLFSSL_LEAVE("DoClientHello", ret);
 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
@@ -25777,7 +25787,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 args->idx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 args->idx += MacSize(ssl);
 #endif
 }
@@ -27420,7 +27430,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (IsEncryptionOn(ssl, 0)) {
 args->idx += ssl->keys.padSz;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- if (ssl->options.encThenMac)
+ if (ssl->options.startedETMRead)
 args->idx += MacSize(ssl);
 #endif
 }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 383cfa404..ba9e13929 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3361,6 +3361,8 @@ typedef struct Options {
 #ifdef HAVE_ENCRYPT_THEN_MAC
 word16 disallowEncThenMac:1; /* Don't do Encrypt-Then-MAC */
 word16 encThenMac:1; /* Doing Encrypt-Then-MAC */
+ word16 startedETMRead:1; /* Doing Encrypt-Then-MAC read */
+ word16 startedETMWrite:1; /* Doing Encrypt-Then-MAC write */
 #endif
 /* need full byte values for this section */
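Review bot: The comments on the two new bit-fields, `/* Doing Encrypt-Then-MAC read */` and `/* Doing Encrypt-Then-MAC write */`, are nearly indistinguishable from the existing `encThenMac` comment `/* Doing Encrypt-Then-MAC */`, so the header gives no hint that these are per-direction snapshots rather than a second copy of the negotiated flag. The source side of this commit shows exactly when they are set — `startedETMRead` right after `SetKeysSide(ssl, DECRYPT_SIDE_ONLY)` in ProcessReply and `startedETMWrite` right after `SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)` in SendFinished — and the comments should say so. I would write `/* ETM in effect for the read direction; copied from encThenMac when the decrypt keys are installed */` and the matching `/* ETM in effect for the write direction; copied from encThenMac when the encrypt keys are installed */`. Where the fields are cleared on connection reset is not visible in this diff and is worth checking alongside.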