Revert "Do not encrypt CCS records"
This reverts commit 96ec83138540d7399d9e17a68f304425661ee9e5.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index b9a191f..b1f0c90 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1271,8 +1271,7 @@
int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
size_t buf_len, size_t msg_len );
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
- int encrypt );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index c4756d9..4c9a177 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -151,9 +151,6 @@
#define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1
-#define SSL_DONT_ENCRYPT_RECORD 0
-#define SSL_ENCRYPT_RECORD 1
-
#if defined(MBEDTLS_SSL_PROTO_DTLS)
/* Forward declarations for functions related to message buffering. */
@@ -2327,8 +2324,7 @@
}
/* Actually send the message out */
- if( ( ret = mbedtls_ssl_write_record( ssl, force_flush,
- SSL_ENCRYPT_RECORD ) ) != 0 )
+ if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret );
@@ -2574,8 +2570,7 @@
else
#endif
{
- if( ( ret = mbedtls_ssl_write_record( ssl, force_flush,
- SSL_ENCRYPT_RECORD ) ) != 0 )
+ if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
return( ret );
@@ -2615,8 +2610,7 @@
* - ssl->out_msglen: length of the record content (excl headers)
* - ssl->out_msg: record content
*/
-int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush,
- int encrypt )
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush )
{
int ret, done = 0;
size_t len = ssl->out_msglen;
@@ -2648,7 +2642,7 @@
memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
- if( ssl->transform_out != NULL && encrypt )
+ if( ssl->transform_out != NULL )
{
mbedtls_record rec;
@@ -2720,21 +2714,17 @@
ssl->out_left += protected_record_size;
ssl->out_hdr += protected_record_size;
- mbedtls_ssl_update_out_pointers( ssl, encrypt ? ssl->transform_out : NULL );
+ mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
- /* Do not increment the counter for CCS records. */
- if( encrypt )
+ for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
+ if( ++ssl->cur_out_ctr[i - 1] != 0 )
+ break;
+
+ /* The loop goes to its end iff the counter is wrapping */
+ if( i == mbedtls_ssl_ep_len( ssl ) )
{
- for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
- if( ++ssl->cur_out_ctr[i - 1] != 0 )
- break;
-
- /* The loop goes to its end iff the counter is wrapping */
- if( i == mbedtls_ssl_ep_len( ssl ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
- return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
- }
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+ return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
}
}
@@ -4822,8 +4812,7 @@
ssl->out_msg[0] = level;
ssl->out_msg[1] = message;
- if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH,
- SSL_ENCRYPT_RECORD ) ) != 0 )
+ if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret );
@@ -5613,8 +5602,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
memcpy( ssl->out_msg, buf, len );
- if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH,
- SSL_ENCRYPT_RECORD ) ) != 0 )
+ if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
return( ret );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index c7a9a09..f508bca 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1341,7 +1341,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
/* Dispatch message */
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0, 0 ) );
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 0 ) );
cleanup: