diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6462ad0bd..ea34f66b7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1075,9 +1075,16 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret, #define MAC_PLAINTEXT 1 #define MAC_CIPHERTEXT 2 +#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \ + ( defined(POLARSSL_CIPHER_MODE_CBC) && \ + ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) ) +#define POLARSSL_SOME_MODES_USE_MAC +#endif + /* * Is MAC applied on ciphertext, cleartext or not at all? */ +#if defined(POLARSSL_SOME_MODES_USE_MAC) static char ssl_get_mac_order( ssl_context *ssl, const ssl_session *session, cipher_mode_t mode ) @@ -1097,19 +1104,21 @@ static char ssl_get_mac_order( ssl_context *ssl, SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); return( MAC_CIPHERTEXT ); } +#else + ((void) ssl); + ((void) session); #endif return( MAC_PLAINTEXT ); } -#endif - - /* Unused if AEAD is the only option */ +#else ((void) ssl); ((void) session); - ((void) mode); +#endif return( MAC_NONE ); } +#endif /* POLARSSL_SOME_MODES_USE_MAC */ /* * Encryption/decryption functions @@ -1119,19 +1128,14 @@ static int ssl_encrypt_buf( ssl_context *ssl ) size_t i; const cipher_mode_t mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); - char mac_order; SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); - mac_order = ssl_get_mac_order( ssl, ssl->session_out, mode ); - /* * Add MAC before if needed */ -#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \ - ( defined(POLARSSL_CIPHER_MODE_CBC) && \ - ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) ) - if( mac_order == MAC_PLAINTEXT ) +#if defined(POLARSSL_SOME_MODES_USE_MAC) + if( ssl_get_mac_order( ssl, ssl->session_out, mode ) == MAC_PLAINTEXT ) { #if defined(POLARSSL_SSL_PROTO_SSL3) if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) @@ -1367,7 +1371,7 @@ static int ssl_encrypt_buf( ssl_context *ssl ) #endif #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) - if( mac_order == MAC_CIPHERTEXT ) + if( ssl_get_mac_order( ssl, ssl->session_out, mode ) == MAC_CIPHERTEXT ) { /* * MAC(MAC_write_key, seq_num + @@ -1428,12 +1432,9 @@ static int ssl_decrypt_buf( ssl_context *ssl ) size_t i; const cipher_mode_t mode = cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); -#if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \ - ( defined(POLARSSL_CIPHER_MODE_CBC) && \ - ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) ) +#if defined(POLARSSL_SOME_MODES_USE_MAC) size_t padlen = 0, correct = 1; #endif - char mac_order; SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); @@ -1444,8 +1445,6 @@ static int ssl_decrypt_buf( ssl_context *ssl ) return( POLARSSL_ERR_SSL_INVALID_MAC ); } - mac_order = ssl_get_mac_order( ssl, ssl->session_in, mode ); - #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) if( mode == POLARSSL_MODE_STREAM ) { @@ -1584,7 +1583,7 @@ static int ssl_decrypt_buf( ssl_context *ssl ) * Authenticate before decrypt if enabled */ #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC) - if( mac_order == MAC_CIPHERTEXT ) + if( ssl_get_mac_order( ssl, ssl->session_in, mode ) == MAC_CIPHERTEXT ) { unsigned char computed_mac[POLARSSL_SSL_MAX_MAC_SIZE]; unsigned char pseudo_hdr[13]; @@ -1675,7 +1674,7 @@ static int ssl_decrypt_buf( ssl_context *ssl ) padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; if( ssl->in_msglen < ssl->transform_in->maclen + padlen && - mac_order == MAC_PLAINTEXT ) + ssl_get_mac_order( ssl, ssl->session_in, mode ) == MAC_PLAINTEXT ) { #if defined(POLARSSL_SSL_DEBUG_ALL) SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", @@ -1770,7 +1769,7 @@ static int ssl_decrypt_buf( ssl_context *ssl ) #if defined(POLARSSL_ARC4_C) || defined(POLARSSL_CIPHER_NULL_CIPHER) || \ ( defined(POLARSSL_CIPHER_MODE_CBC) && \ ( defined(POLARSSL_AES_C) || defined(POLARSSL_CAMELLIA_C) ) ) - if( mac_order == MAC_PLAINTEXT ) + if( ssl_get_mac_order( ssl, ssl->session_in, mode ) == MAC_PLAINTEXT ) { unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];