Revert "Do not encrypt CCS records"

This reverts commit 96ec83138540d7399d9e17a68f304425661ee9e5. Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-02-28 09:39:53 +00:00 · 2022-06-28 11:55:35 +02:00 · 2022-06-28 11:55:35 +02:00 · 05ebf3be74
commit 05ebf3be74
parent 96ec831385
3 changed files with 17 additions and 30 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -1271,8 +1271,7 @@ static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
                                      size_t buf_len, size_t msg_len );

-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
-                              int encrypt );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );

 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -151,9 +151,6 @@ exit:
 #define SSL_DONT_FORCE_FLUSH 0
 #define SSL_FORCE_FLUSH      1

-#define SSL_DONT_ENCRYPT_RECORD 0
-#define SSL_ENCRYPT_RECORD      1
-
 #if defined(MBEDTLS_SSL_PROTO_DTLS)

 /* Forward declarations for functions related to message buffering. */
@ -2327,8 +2324,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
        }

        /* Actually send the message out */
-        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush,
-                                              SSL_ENCRYPT_RECORD ) ) != 0 )
+        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
            return( ret );
@ -2574,8 +2570,7 @@ int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
    else
 #endif
    {
-        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush,
-                                              SSL_ENCRYPT_RECORD ) ) != 0 )
+        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
            return( ret );
@ -2615,8 +2610,7 @@ cleanup:
 *  - ssl->out_msglen: length of the record content (excl headers)
 *  - ssl->out_msg: record content
 */
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
-                              int encrypt )
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush )
 {
    int ret, done = 0;
    size_t len = ssl->out_msglen;
@ -2648,7 +2642,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
        memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
        MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);

-        if( ssl->transform_out != NULL && encrypt )
+        if( ssl->transform_out != NULL )
        {
            mbedtls_record rec;

@ -2720,11 +2714,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,

        ssl->out_left += protected_record_size;
        ssl->out_hdr  += protected_record_size;
-        mbedtls_ssl_update_out_pointers( ssl, encrypt ? ssl->transform_out : NULL );
+        mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );

-        /* Do not increment the counter for CCS records. */
-        if( encrypt )
-        {
        for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
            if( ++ssl->cur_out_ctr[i - 1] != 0 )
                break;
@ -2736,7 +2727,6 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
        }
    }
-    }

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
@ -4822,8 +4812,7 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
    ssl->out_msg[0] = level;
    ssl->out_msg[1] = message;

-    if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH,
-                                          SSL_ENCRYPT_RECORD ) ) != 0 )
+    if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
        return( ret );
@ -5613,8 +5602,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
        memcpy( ssl->out_msg, buf, len );

-        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH,
-                                              SSL_ENCRYPT_RECORD ) ) != 0 )
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
            return( ret );
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -1341,7 +1341,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
    ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;

    /* Dispatch message */
-    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0, 0 ) );
+    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );

 cleanup: