libtls: Allow tls_aead_t to change the content type

The actual content type is encrypted with TLS 1.3, the type in the record
header is always Application Data.

src/libtls/tls_aead.c

@@ -51,7 +51,7 @@ typedef struct __attribute__((__packed__)) {
 } sigheader_t;
 
 METHOD(tls_aead_t, encrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, encrypted, iv, plain;
@@ -74,7 +74,7 @@ METHOD(tls_aead_t, encrypt, bool,
 	plain = chunk_skip(encrypted, iv.len);
 	plain.len -= icvlen;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, plain.len);
@@ -91,7 +91,7 @@ METHOD(tls_aead_t, encrypt, bool,
 }
 
 METHOD(tls_aead_t, decrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, iv;
@@ -111,7 +111,7 @@ METHOD(tls_aead_t, decrypt, bool,
 		return FALSE;
 	}
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len - icvlen);

src/libtls/tls_aead.h

@@ -44,13 +44,13 @@ struct tls_aead_t {
 	 * gets updated to the IV for the next record.
 	 *
 	 * @param version		TLS version
-	 * @param type			TLS content type
+	 * @param type			TLS content type (may be changed)
 	 * @param seq			record sequence number
 	 * @param data			data to encrypt, encryption result
 	 * @return				TRUE if successfully encrypted
 	 */
 	bool (*encrypt)(tls_aead_t *this, tls_version_t version,
-					tls_content_type_t type, uint64_t seq, chunk_t *data);
+					tls_content_type_t *type, uint64_t seq, chunk_t *data);
 
 	/**
 	 * Decrypt and verify a TLS record.
@@ -59,13 +59,13 @@ struct tls_aead_t {
 	 * length, decryption is done inline.
 	 *
 	 * @param version		TLS version
-	 * @param type			TLS content type
+	 * @param type			TLS content type (may be changed)
 	 * @param seq			record sequence number
 	 * @param data			data to decrypt, decrypted result
 	 * @return				TRUE if successfully decrypted
 	 */
 	bool (*decrypt)(tls_aead_t *this, tls_version_t version,
-					tls_content_type_t type, uint64_t seq, chunk_t *data);
+					tls_content_type_t *type, uint64_t seq, chunk_t *data);
 
 	/**
 	 * Get the authentication key size.

src/libtls/tls_aead_expl.c

@@ -56,14 +56,14 @@ typedef struct __attribute__((__packed__)) {
 } sigheader_t;
 
 METHOD(tls_aead_t, encrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, padding, iv;
 	uint8_t bs, padlen;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
@@ -99,7 +99,7 @@ METHOD(tls_aead_t, encrypt, bool,
 }
 
 METHOD(tls_aead_t, decrypt, bool,
-	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
 	uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, iv;
@@ -144,7 +144,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - bs);
 	data->len -= bs;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);

src/libtls/tls_aead_impl.c

@@ -55,13 +55,13 @@ typedef struct __attribute__((__packed__)) {
 
 METHOD(tls_aead_t, encrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, padding;
 	uint8_t bs, padlen;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
@@ -95,7 +95,7 @@ METHOD(tls_aead_t, encrypt, bool,
 
 METHOD(tls_aead_t, decrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac, iv;
 	uint8_t bs, padlen;
@@ -135,7 +135,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - bs);
 	data->len -= bs;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);

src/libtls/tls_aead_null.c

@@ -45,12 +45,12 @@ typedef struct __attribute__((__packed__)) {
 
 METHOD(tls_aead_t, encrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac;
 	sigheader_t hdr;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);
@@ -67,7 +67,7 @@ METHOD(tls_aead_t, encrypt, bool,
 
 METHOD(tls_aead_t, decrypt, bool,
 	private_tls_aead_t *this, tls_version_t version,
-	tls_content_type_t type, uint64_t seq, chunk_t *data)
+	tls_content_type_t *type, uint64_t seq, chunk_t *data)
 {
 	chunk_t assoc, mac;
 	sigheader_t hdr;
@@ -80,7 +80,7 @@ METHOD(tls_aead_t, decrypt, bool,
 	mac = chunk_skip(*data, data->len - mac.len);
 	data->len -= mac.len;
 
-	hdr.type = type;
+	hdr.type = *type;
 	htoun64(&hdr.seq, seq);
 	htoun16(&hdr.version, version);
 	htoun16(&hdr.length, data->len);

src/libtls/tls_protection.c

@@ -76,7 +76,7 @@ METHOD(tls_protection_t, process, status_t,
 	if (this->aead_in)
 	{
 		if (!this->aead_in->decrypt(this->aead_in, this->version,
-									type, this->seq_in, &data))
+									&type, this->seq_in, &data))
 		{
 			DBG1(DBG_TLS, "TLS record decryption failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
@@ -111,7 +111,7 @@ METHOD(tls_protection_t, build, status_t,
 		if (this->aead_out)
 		{
 			if (!this->aead_out->encrypt(this->aead_out, this->version,
-										 *type, this->seq_out, data))
+										 type, this->seq_out, data))
 			{
 				DBG1(DBG_TLS, "TLS record encryption failed");
 				chunk_free(data);