From d7aa8e179565f101bc0987052e9429e4a87058a8 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 13 Jan 2021 11:10:12 -0800
Subject: [PATCH 1/3] Fix for issue where mac digest changes between early data and server_hello, which can leave section of response uninitialized. ZD11424
---
 src/tls13.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index 3b639d332..08ea1fd5a 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -1545,7 +1545,7 @@ static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
 }
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
-/* Encrypt with ChaCha20 and create authenication tag with Poly1305.
+/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
 *
 * ssl The SSL/TLS object.
 * output The buffer to write encrypted data and authentication tag into.
@@ -1600,7 +1600,7 @@ static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
 #endif
 #ifdef HAVE_NULL_CIPHER
-/* Create authenication tag and copy data over input.
+/* Create authentication tag and copy data over input.
 *
 * ssl The SSL/TLS object.
 * output The buffer to copy data into.
@@ -1826,7 +1826,7 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
 }
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
-/* Decrypt with ChaCha20 and check authenication tag with Poly1305.
+/* Decrypt with ChaCha20 and check authentication tag with Poly1305.
 *
 * ssl The SSL/TLS object.
 * output The buffer to write decrypted data into.
@@ -7190,13 +7190,8 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
 return ret;
 }
- #ifdef WOLFSSL_EARLY_DATA
- if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
- return ret;
- #else
 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
 return ret;
- #endif
 }
 if (type == finished) {
From 5a4dfc1a29c7338f96a568370822f7e01a76cdd5 Mon Sep 17 00:00:00 2001
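Review bot: Dropping the `WOLFSSL_EARLY_DATA` branch makes `SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)` unconditional, so a client that still has early data to send switches its encrypt side to the handshake key at this point; PATCH 2/3 in this series reinstates the `DECRYPT_SIDE_ONLY` path behind a runtime check, so consider squashing the two commits so that no intermediate revision installs the wrong write key. The body of `DoTls13HandShakeMsgType` starts and ends outside this hunk.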
From: Sean Parkinson
Date: Thu, 14 Jan 2021 09:44:09 +1000
Subject: [PATCH 2/3] Don't set encrypt side if sending early data Make check to see if early data has been or is going to be sent. Last message encrypted with this key is EndOfEarlyData message.
---
 src/tls13.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/tls13.c b/src/tls13.c
index 08ea1fd5a..8af7c41b3 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -7190,6 +7190,13 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
 return ret;
 }
+ #ifdef WOLFSSL_EARLY_DATA
+ if (ssl->earlyData != no_early_data) {
+ if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
+ return ret;
+ }
+ else
+ #endif
 if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
 return ret;
 }
From eda1b52ee28eae7ff9e4b25537c62666f36d11e4 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Fri, 15 Jan 2021 11:27:26 +1000
Subject: [PATCH 3/3] TLS 1.3 integrity only: initialize HMAC Ensure the HMAC object is initialized when allocated.
---
 src/keys.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/keys.c b/src/keys.c
index 19ec9f797..deb62ed43 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -2909,6 +2909,15 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
 return MEMORY_E;
 }
+ if (enc) {
+ if (wc_HmacInit(enc->hmac, heap, devId) != 0) {
+ WOLFSSL_MSG("HmacInit failed in SetKeys");
+ XFREE(enc->hmac, heap, DYNAMIC_TYPE_CIPHER);
+ enc->hmac = NULL;
+ return ASYNC_INIT_E;
+ }
+ }
+
 if (dec && dec->hmac == NULL) {
 dec->hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_CIPHER);
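Review bot: The added `else` binds across the `#endif` to the brace-less `if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)` that follows it, which reads correctly only when the preprocessor branch is compiled in and breaks silently if a statement is ever inserted between the two. Selecting the side into a local and making one `SetKeysSide` call keeps the conditional entirely inside the `#ifdef` and leaves a single call to read; a rewrite is sketched below. The check also treats every `ssl->earlyData` value other than `no_early_data` as "early data still to be sent", so it is worth confirming, outside this hunk, that the encrypt side is moved to the handshake key once EndOfEarlyData has gone out and that no server-side path reaches this code with `earlyData` set. `DoTls13HandShakeMsgType` starts and ends outside this hunk.
```c
    /* … unchanged: DeriveTls13Keys(..., ENCRYPT_AND_DECRYPT_SIDE, 1) and its error check … */
    {
        int side = ENCRYPT_AND_DECRYPT_SIDE;
    #ifdef WOLFSSL_EARLY_DATA
        /* Early data is still protected by the early traffic key until
         * EndOfEarlyData goes out, so leave the encrypt side alone for now. */
        if (ssl->earlyData != no_early_data)
            side = DECRYPT_SIDE_ONLY;
    #endif
        if ((ret = SetKeysSide(ssl, side)) != 0)
            return ret;
    }
```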
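Review bot: `wc_HmacInit(enc->hmac, heap, devId)` now runs whenever `enc` is non-NULL, not only when `enc->hmac` was just allocated; if the allocation above this hunk is guarded by `enc->hmac == NULL` the way the `dec` allocation visible below is, a repeat call to `SetKeys` re-initializes a live `Hmac` and, on failure, frees it — presumably harmless for a plain HMAC, but worth confirming for `devId`-backed instances that `wc_HmacInit` may register with an async or hardware backend. The allocate-then-init-then-free-on-failure sequence is also now written out twice (here for `enc`, in the following hunk for `dec`), and the two error paths will drift apart; a small static helper keeps them identical, sketched below. The call sites would read `if (enc && (rc = AllocInitHmac(&enc->hmac, heap, devId)) != 0) return rc;` with `rc` declared at the top of `SetKeys`, whose body starts and ends outside this hunk.
```c
/* Allocate *hmac on first use and initialise it; on failure *hmac is left NULL
 * so the caller never sees a half-initialised object. */
static int AllocInitHmac(Hmac** hmac, void* heap, int devId)
{
    if (*hmac == NULL) {
        *hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_CIPHER);
        if (*hmac == NULL)
            return MEMORY_E;
    }
    if (wc_HmacInit(*hmac, heap, devId) != 0) {
        WOLFSSL_MSG("HmacInit failed in SetKeys");
        XFREE(*hmac, heap, DYNAMIC_TYPE_CIPHER);
        *hmac = NULL;
        return ASYNC_INIT_E;
    }
    return 0;
}

/* … in SetKeys, replacing both the enc and the dec allocate/init blocks … */
    if (enc && (rc = AllocInitHmac(&enc->hmac, heap, devId)) != 0)
        return rc;
    if (dec && (rc = AllocInitHmac(&dec->hmac, heap, devId)) != 0)
        return rc;
```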
@@ -2916,15 +2925,11 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
 return MEMORY_E;
 }
- if (enc) {
- if (wc_HmacInit(enc->hmac, heap, devId) != 0) {
- WOLFSSL_MSG("HmacInit failed in SetKeys");
- return ASYNC_INIT_E;
- }
- }
 if (dec) {
 if (wc_HmacInit(dec->hmac, heap, devId) != 0) {
 WOLFSSL_MSG("HmacInit failed in SetKeys");
+ XFREE(dec->hmac, heap, DYNAMIC_TYPE_CIPHER);
+ dec->hmac = NULL;
 return ASYNC_INIT_E;
 }
 }