From: Tobias Brunner Date: Wed, 22 Apr 2020 13:44:31 +0000 (+0200) Subject: libtls: Allow tls_aead_t to change the content type X-Git-Tag: 5.9.2rc1~23^2~106 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba2bcdd8826341bb55937a6544acda080b1d1ac3;p=thirdparty%2Fstrongswan.git libtls: Allow tls_aead_t to change the content type The actual content type is encrypted with TLS 1.3, the type in the record header is always Application Data. --- diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c index f1daa6f453..e0c7d3be39 100644 --- a/src/libtls/tls_aead.c +++ b/src/libtls/tls_aead.c @@ -51,7 +51,7 @@ typedef struct __attribute__((__packed__)) { } sigheader_t; METHOD(tls_aead_t, encrypt, bool, - private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, encrypted, iv, plain; @@ -74,7 +74,7 @@ METHOD(tls_aead_t, encrypt, bool, plain = chunk_skip(encrypted, iv.len); plain.len -= icvlen; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, plain.len); @@ -91,7 +91,7 @@ METHOD(tls_aead_t, encrypt, bool, } METHOD(tls_aead_t, decrypt, bool, - private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, iv; @@ -111,7 +111,7 @@ METHOD(tls_aead_t, decrypt, bool, return FALSE; } - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len - icvlen); diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h index 389a498a54..e067a13f62 100644 --- a/src/libtls/tls_aead.h +++ b/src/libtls/tls_aead.h @@ -44,13 +44,13 @@ struct tls_aead_t { * gets updated to the IV for the next record. * * @param version TLS version - * @param type TLS content type + * @param type TLS content type (may be changed) * @param seq record sequence number * @param data data to encrypt, encryption result * @return TRUE if successfully encrypted */ bool (*encrypt)(tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data); + tls_content_type_t *type, uint64_t seq, chunk_t *data); /** * Decrypt and verify a TLS record. @@ -59,13 +59,13 @@ struct tls_aead_t { * length, decryption is done inline. * * @param version TLS version - * @param type TLS content type + * @param type TLS content type (may be changed) * @param seq record sequence number * @param data data to decrypt, decrypted result * @return TRUE if successfully decrypted */ bool (*decrypt)(tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data); + tls_content_type_t *type, uint64_t seq, chunk_t *data); /** * Get the authentication key size. diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c index 201c9bcf89..9a2c411604 100644 --- a/src/libtls/tls_aead_expl.c +++ b/src/libtls/tls_aead_expl.c @@ -56,14 +56,14 @@ typedef struct __attribute__((__packed__)) { } sigheader_t; METHOD(tls_aead_t, encrypt, bool, - private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac, padding, iv; uint8_t bs, padlen; sigheader_t hdr; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); @@ -99,7 +99,7 @@ METHOD(tls_aead_t, encrypt, bool, } METHOD(tls_aead_t, decrypt, bool, - private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac, iv; @@ -144,7 +144,7 @@ METHOD(tls_aead_t, decrypt, bool, mac = chunk_skip(*data, data->len - bs); data->len -= bs; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c index 8f83cb456f..1b0ec86ab4 100644 --- a/src/libtls/tls_aead_impl.c +++ b/src/libtls/tls_aead_impl.c @@ -55,13 +55,13 @@ typedef struct __attribute__((__packed__)) { METHOD(tls_aead_t, encrypt, bool, private_tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data) + tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac, padding; uint8_t bs, padlen; sigheader_t hdr; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); @@ -95,7 +95,7 @@ METHOD(tls_aead_t, encrypt, bool, METHOD(tls_aead_t, decrypt, bool, private_tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data) + tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac, iv; uint8_t bs, padlen; @@ -135,7 +135,7 @@ METHOD(tls_aead_t, decrypt, bool, mac = chunk_skip(*data, data->len - bs); data->len -= bs; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c index cb4c106336..0f929333a4 100644 --- a/src/libtls/tls_aead_null.c +++ b/src/libtls/tls_aead_null.c @@ -45,12 +45,12 @@ typedef struct __attribute__((__packed__)) { METHOD(tls_aead_t, encrypt, bool, private_tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data) + tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac; sigheader_t hdr; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); @@ -67,7 +67,7 @@ METHOD(tls_aead_t, encrypt, bool, METHOD(tls_aead_t, decrypt, bool, private_tls_aead_t *this, tls_version_t version, - tls_content_type_t type, uint64_t seq, chunk_t *data) + tls_content_type_t *type, uint64_t seq, chunk_t *data) { chunk_t assoc, mac; sigheader_t hdr; @@ -80,7 +80,7 @@ METHOD(tls_aead_t, decrypt, bool, mac = chunk_skip(*data, data->len - mac.len); data->len -= mac.len; - hdr.type = type; + hdr.type = *type; htoun64(&hdr.seq, seq); htoun16(&hdr.version, version); htoun16(&hdr.length, data->len); diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c index cea3eca149..1666d664a9 100644 --- a/src/libtls/tls_protection.c +++ b/src/libtls/tls_protection.c @@ -76,7 +76,7 @@ METHOD(tls_protection_t, process, status_t, if (this->aead_in) { if (!this->aead_in->decrypt(this->aead_in, this->version, - type, this->seq_in, &data)) + &type, this->seq_in, &data)) { DBG1(DBG_TLS, "TLS record decryption failed"); this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); @@ -111,7 +111,7 @@ METHOD(tls_protection_t, build, status_t, if (this->aead_out) { if (!this->aead_out->encrypt(this->aead_out, this->version, - *type, this->seq_out, data)) + type, this->seq_out, data)) { DBG1(DBG_TLS, "TLS record encryption failed"); chunk_free(data);