From ba2bcdd8826341bb55937a6544acda080b1d1ac3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 22 Apr 2020 15:44:31 +0200
Subject: [PATCH] libtls: Allow tls_aead_t to change the content type

The actual content type is encrypted with TLS 1.3, the type in the record header is always Application Data.
---
 src/libtls/tls_aead.c | 8 ++++----
 src/libtls/tls_aead.h | 8 ++++----
 src/libtls/tls_aead_expl.c | 8 ++++----
 src/libtls/tls_aead_impl.c | 8 ++++----
 src/libtls/tls_aead_null.c | 8 ++++----
 src/libtls/tls_protection.c | 4 ++--
 6 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c
index f1daa6f453..e0c7d3be39 100644
--- a/src/libtls/tls_aead.c
+++ b/src/libtls/tls_aead.c
@@ -51,7 +51,7 @@ typedef struct __attribute__((__packed__)) {
 } sigheader_t;
 
 METHOD(tls_aead_t, encrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, encrypted, iv, plain;
@@ -74,7 +74,7 @@ METHOD(tls_aead_t, encrypt, bool,
 	plain = chunk_skip(encrypted, iv.len);
 	plain.len -= icvlen;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, plain.len);
@@ -91,7 +91,7 @@ METHOD(tls_aead_t, encrypt, bool,
 }
 
 METHOD(tls_aead_t, decrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, iv;
@@ -111,7 +111,7 @@ METHOD(tls_aead_t, decrypt, bool,
 		return FALSE;
 	}
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len - icvlen);
diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h
index 389a498a54..e067a13f62 100644
--- a/src/libtls/tls_aead.h
+++ b/src/libtls/tls_aead.h
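Review bot: The two `hdr.type = *type;` lines in the -74 and -111 hunks now read through a pointer that the header documents as "may be changed", but nothing at the read site says whether the value copied into the authenticated header is the outer record type or the (possibly rewritten) inner content type, and this implementation never writes back through the pointer. A one-line comment at each read would fix that, e.g. `/* outer record type; this AEAD leaves *type untouched */` (hedged: inferred from the commit message, which says only a TLS 1.3 AEAD encrypts the real type). The same applies to the matching lines in tls_aead_expl.c, tls_aead_impl.c and tls_aead_null.c. All four implementations dereference `type` unconditionally, so the contract should also state that it must not be NULL. Both encrypt and decrypt continue outside these hunks.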
@@ -44,13 +44,13 @@ struct tls_aead_t {
 	 * gets updated to the IV for the next record.
 	 *
 	 * @param version		TLS version
-	 * @param type			TLS content type
+	 * @param type			TLS content type (may be changed)
 	 * @param seq			record sequence number
 	 * @param data			data to encrypt, encryption result
 	 * @return				TRUE if successfully encrypted
 	 */
 	bool (*encrypt)(tls_aead_t *this, tls_version_t version,
-					tls_content_type_t type, uint64_t seq, chunk_t *data);
+					tls_content_type_t *type, uint64_t seq, chunk_t *data);
 
 	/**
 	 * Decrypt and verify a TLS record.
@@ -59,13 +59,13 @@ struct tls_aead_t {
 	 * length, decryption is done inline.
 	 *
 	 * @param version		TLS version
-	 * @param type			TLS content type
+	 * @param type			TLS content type (may be changed)
 	 * @param seq			record sequence number
 	 * @param data			data to decrypt, decrypted result
 	 * @return				TRUE if successfully decrypted
 	 */
 	bool (*decrypt)(tls_aead_t *this, tls_version_t version,
-					tls_content_type_t type, uint64_t seq, chunk_t *data);
+					tls_content_type_t *type, uint64_t seq, chunk_t *data);
 
 	/**
 	 * Get the authentication key size.
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
index 201c9bcf89..9a2c411604 100644
--- a/src/libtls/tls_aead_expl.c
+++ b/src/libtls/tls_aead_expl.c
@@ -56,14 +56,14 @@ typedef struct __attribute__((__packed__)) {
 } sigheader_t;
 
 METHOD(tls_aead_t, encrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, padding, iv;
 	uint8_t bs, padlen;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
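Review bot: "(may be changed)" in both `@param type` lines of tls_aead.h leaves the direction of the in/out parameter unspecified, which is exactly what a caller needs to know now that the AEAD can rewrite its variable. Going by the commit message (the real type is encrypted under TLS 1.3 and the header always carries Application Data), the encrypt side should read `@param type content type of the plaintext, replaced with the type to put in the record header` and the decrypt side `@param type content type from the record header, replaced with the actual type of the decrypted data`. Both should add that the pointer must not be NULL, since every implementation in this series dereferences it without a check. Whether an AEAD that does not rewrite the type must still leave `*type` unchanged is worth stating explicitly as well.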
@@ -99,7 +99,7 @@ METHOD(tls_aead_t, encrypt, bool,
 }
 
 METHOD(tls_aead_t, decrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, iv;
@@ -144,7 +144,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - bs);
 	data->len -= bs;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
index 8f83cb456f..1b0ec86ab4 100644
--- a/src/libtls/tls_aead_impl.c
+++ b/src/libtls/tls_aead_impl.c
@@ -55,13 +55,13 @@ typedef struct __attribute__((__packed__)) {
 
 METHOD(tls_aead_t, encrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, padding;
 	uint8_t bs, padlen;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
@@ -95,7 +95,7 @@ METHOD(tls_aead_t, encrypt, bool,
 
 METHOD(tls_aead_t, decrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, iv;
 	uint8_t bs, padlen;
@@ -135,7 +135,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - bs);
 	data->len -= bs;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
index cb4c106336..0f929333a4 100644
--- a/src/libtls/tls_aead_null.c
+++ b/src/libtls/tls_aead_null.c
@@ -45,12 +45,12 @@ typedef struct __attribute__((__packed__)) {
 
 METHOD(tls_aead_t, encrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
@@ -67,7 +67,7 @@ METHOD(tls_aead_t, encrypt, bool,
 
 METHOD(tls_aead_t, decrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac;
 	sigheader_t hdr;
@@ -80,7 +80,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - mac.len);
 	data->len -= mac.len;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index cea3eca149..1666d664a9 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -76,7 +76,7 @@ METHOD(tls_protection_t, process, status_t,
 	if (this->aead_in)
 	{
 		if (!this->aead_in->decrypt(this->aead_in, this->version,
-									type, this->seq_in, &data))
+									&type, this->seq_in, &data))
 		{
 			DBG1(DBG_TLS, "TLS record decryption failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
@@ -111,7 +111,7 @@ METHOD(tls_protection_t, build, status_t,
 	if (this->aead_out)
 	{
 		if (!this->aead_out->encrypt(this->aead_out, this->version,
-									*type, this->seq_out, data))
+									type, this->seq_out, data))
 		{
 			DBG1(DBG_TLS, "TLS record encryption failed");
 			chunk_free(data);
-- 
2.47.2
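Review bot: Passing `&type` to decrypt in the -76 hunk of tls_protection.c turns the local `type` into a value the AEAD may overwrite after the record header has already been parsed, so any validation of the record type that `process` performs before this call no longer covers the type the rest of the function dispatches on. The remainder of `process` is outside the hunk, so I cannot confirm it, but the code after the call should treat `type` as untrusted input again: reject values it does not handle and fail with an alert rather than forwarding them, since under TLS 1.3 that value comes from the decrypted payload, not from the header. A comment at the call site would make the hazard visible, e.g. `/* with TLS 1.3 the AEAD replaces the header type with the inner content type */`. In the -111 hunk `build` now hands the caller's own `type` pointer to encrypt, so whoever calls `build` must expect its variable to be rewritten; that side effect belongs in `build`'s documentation.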