ssl_tls: Add a flag indicating that encryption succeeded

Protect against encryption skipping by introducing a new flag.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e00dd01..8934518 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2589,6 +2589,9 @@
     }
 }
 
+#define ENCRYPTION_SUCCESS 0xCC
+#define ENCRYPTION_FAIL 0xAA
+
 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
                              mbedtls_ssl_transform *transform,
                              mbedtls_record *rec,
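Review bot: `ENCRYPTION_SUCCESS` and `ENCRYPTION_FAIL` are added without a comment saying why they are 0xCC and 0xAA rather than 1 and 0, so a later reader could "simplify" them. I would put `/* Fault-injection hardening: the two status values differ in four bits, so a single corrupted or skipped store is unlikely to yield ENCRYPTION_SUCCESS. */` above the defines. The names are also generic for file-scope macros in a translation unit this large; a prefix such as `SSL_ENCRYPTION_SUCCESS` would lower the chance of a clash.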
@@ -2601,6 +2604,7 @@
     unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
     size_t add_data_len;
     size_t post_avail;
+    int encryption_status = ENCRYPTION_FAIL;
 
     /* The SSL context is only used for debugging purposes! */
 #if !defined(MBEDTLS_DEBUG_C)
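Review bot: `encryption_status` is a plain `int`, so the compiler is free to optimize the flag away. If every path that reaches the final `encryption_status == ENCRYPTION_SUCCESS` test has already stored `ENCRYPTION_SUCCESS` (the branches are outside this hunk, but the later hunks suggest so), an optimizing build can prove the test always true and emit the original `return( 0 )`, leaving no countermeasure in the binary. Declaring it as `volatile int encryption_status = ENCRYPTION_FAIL;` forces the stores and the final load to be emitted. The body of mbedtls_ssl_encrypt_buf starts before and continues past this hunk.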
@@ -2793,6 +2797,7 @@
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
+        encryption_status = ENCRYPTION_SUCCESS;
     }
     else
 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
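Review bot: The added `encryption_status = ENCRYPTION_SUCCESS;` is unconditional, so it records that control reached this line, not that the cipher call reported success. The call itself is outside this hunk, so this is inferred from the error checks that are visible: if the call did not execute while `ret` still held 0 from an earlier statement, the flag would be set all the same. Where the branch has the return value at hand, tying the store to it, e.g. `if( ret == 0 ) encryption_status = ENCRYPTION_SUCCESS;`, makes the flag depend on the result. The same applies to the assignments added after `return( ret );` in the `@@ -2891` and `@@ -2994` hunks.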
@@ -2891,6 +2896,8 @@
             return( ret );
         }
 #endif
+        encryption_status = ENCRYPTION_SUCCESS;
+
         MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
                                data + rec->data_len, transform->taglen );
 
@@ -2994,6 +3001,9 @@
             return( ret );
         }
 #endif
+
+        encryption_status = ENCRYPTION_SUCCESS;
+
         if( rec->data_len != olen )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
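Review bot: In this branch the flag is set to `ENCRYPTION_SUCCESS` before the `rec->data_len != olen` check, whereas the `@@ -2793` hunk sets it after its "should never happen" check. Moving `encryption_status = ENCRYPTION_SUCCESS;` below the closing brace of the length check would keep the branches consistent and record success only once the output length has been validated. The body of that `if` continues outside the hunk, so I am assuming it returns an error as the other branch does.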
@@ -3082,7 +3092,11 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
 
-    return( 0 );
+    if( encryption_status == ENCRYPTION_SUCCESS )
+    {
+        return( 0 );
+    }
+    return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
 }
 
 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
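Review bot: The new exit path has no comment, and the function now returns a code that its documentation presumably does not list (the declaration is outside this diff). I would add `/* Fault-injection countermeasure: report success only if a cipher branch recorded it. */` above the `if`, and add `MBEDTLS_ERR_PLATFORM_FAULT_DETECTED` to the documented return values so callers treat it as fatal and do not send the record. Separately, `<= encrypt buf` is logged before the check, so a debug trace of a detected fault looks like a normal exit; an `MBEDTLS_SSL_DEBUG_MSG( 1, ... )` on the failure path would make it visible.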