mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-19 00:01:57 -04:00
libtls: Allow tls_aead_t to change the content type
The actual content type is encrypted with TLS 1.3, the type in the record header is always Application Data.
This commit is contained in:
parent
0d43b39931
commit
ba2bcdd882
@ -51,7 +51,7 @@ typedef struct __attribute__((__packed__)) {
|
|||||||
} sigheader_t;
|
} sigheader_t;
|
||||||
|
|
||||||
METHOD(tls_aead_t, encrypt, bool,
|
METHOD(tls_aead_t, encrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
||||||
uint64_t seq, chunk_t *data)
|
uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, encrypted, iv, plain;
|
chunk_t assoc, encrypted, iv, plain;
|
||||||
@ -74,7 +74,7 @@ METHOD(tls_aead_t, encrypt, bool,
|
|||||||
plain = chunk_skip(encrypted, iv.len);
|
plain = chunk_skip(encrypted, iv.len);
|
||||||
plain.len -= icvlen;
|
plain.len -= icvlen;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, plain.len);
|
htoun16(&hdr.length, plain.len);
|
||||||
@ -91,7 +91,7 @@ METHOD(tls_aead_t, encrypt, bool,
|
|||||||
}
|
}
|
||||||
|
|
||||||
METHOD(tls_aead_t, decrypt, bool,
|
METHOD(tls_aead_t, decrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
||||||
uint64_t seq, chunk_t *data)
|
uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, iv;
|
chunk_t assoc, iv;
|
||||||
@ -111,7 +111,7 @@ METHOD(tls_aead_t, decrypt, bool,
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len - icvlen);
|
htoun16(&hdr.length, data->len - icvlen);
|
||||||
|
@ -44,13 +44,13 @@ struct tls_aead_t {
|
|||||||
* gets updated to the IV for the next record.
|
* gets updated to the IV for the next record.
|
||||||
*
|
*
|
||||||
* @param version TLS version
|
* @param version TLS version
|
||||||
* @param type TLS content type
|
* @param type TLS content type (may be changed)
|
||||||
* @param seq record sequence number
|
* @param seq record sequence number
|
||||||
* @param data data to encrypt, encryption result
|
* @param data data to encrypt, encryption result
|
||||||
* @return TRUE if successfully encrypted
|
* @return TRUE if successfully encrypted
|
||||||
*/
|
*/
|
||||||
bool (*encrypt)(tls_aead_t *this, tls_version_t version,
|
bool (*encrypt)(tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data);
|
tls_content_type_t *type, uint64_t seq, chunk_t *data);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Decrypt and verify a TLS record.
|
* Decrypt and verify a TLS record.
|
||||||
@ -59,13 +59,13 @@ struct tls_aead_t {
|
|||||||
* length, decryption is done inline.
|
* length, decryption is done inline.
|
||||||
*
|
*
|
||||||
* @param version TLS version
|
* @param version TLS version
|
||||||
* @param type TLS content type
|
* @param type TLS content type (may be changed)
|
||||||
* @param seq record sequence number
|
* @param seq record sequence number
|
||||||
* @param data data to decrypt, decrypted result
|
* @param data data to decrypt, decrypted result
|
||||||
* @return TRUE if successfully decrypted
|
* @return TRUE if successfully decrypted
|
||||||
*/
|
*/
|
||||||
bool (*decrypt)(tls_aead_t *this, tls_version_t version,
|
bool (*decrypt)(tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data);
|
tls_content_type_t *type, uint64_t seq, chunk_t *data);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the authentication key size.
|
* Get the authentication key size.
|
||||||
|
@ -56,14 +56,14 @@ typedef struct __attribute__((__packed__)) {
|
|||||||
} sigheader_t;
|
} sigheader_t;
|
||||||
|
|
||||||
METHOD(tls_aead_t, encrypt, bool,
|
METHOD(tls_aead_t, encrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
||||||
uint64_t seq, chunk_t *data)
|
uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac, padding, iv;
|
chunk_t assoc, mac, padding, iv;
|
||||||
uint8_t bs, padlen;
|
uint8_t bs, padlen;
|
||||||
sigheader_t hdr;
|
sigheader_t hdr;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
@ -99,7 +99,7 @@ METHOD(tls_aead_t, encrypt, bool,
|
|||||||
}
|
}
|
||||||
|
|
||||||
METHOD(tls_aead_t, decrypt, bool,
|
METHOD(tls_aead_t, decrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
||||||
uint64_t seq, chunk_t *data)
|
uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac, iv;
|
chunk_t assoc, mac, iv;
|
||||||
@ -144,7 +144,7 @@ METHOD(tls_aead_t, decrypt, bool,
|
|||||||
mac = chunk_skip(*data, data->len - bs);
|
mac = chunk_skip(*data, data->len - bs);
|
||||||
data->len -= bs;
|
data->len -= bs;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
|
@ -55,13 +55,13 @@ typedef struct __attribute__((__packed__)) {
|
|||||||
|
|
||||||
METHOD(tls_aead_t, encrypt, bool,
|
METHOD(tls_aead_t, encrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version,
|
private_tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data)
|
tls_content_type_t *type, uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac, padding;
|
chunk_t assoc, mac, padding;
|
||||||
uint8_t bs, padlen;
|
uint8_t bs, padlen;
|
||||||
sigheader_t hdr;
|
sigheader_t hdr;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
@ -95,7 +95,7 @@ METHOD(tls_aead_t, encrypt, bool,
|
|||||||
|
|
||||||
METHOD(tls_aead_t, decrypt, bool,
|
METHOD(tls_aead_t, decrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version,
|
private_tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data)
|
tls_content_type_t *type, uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac, iv;
|
chunk_t assoc, mac, iv;
|
||||||
uint8_t bs, padlen;
|
uint8_t bs, padlen;
|
||||||
@ -135,7 +135,7 @@ METHOD(tls_aead_t, decrypt, bool,
|
|||||||
mac = chunk_skip(*data, data->len - bs);
|
mac = chunk_skip(*data, data->len - bs);
|
||||||
data->len -= bs;
|
data->len -= bs;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
|
@ -45,12 +45,12 @@ typedef struct __attribute__((__packed__)) {
|
|||||||
|
|
||||||
METHOD(tls_aead_t, encrypt, bool,
|
METHOD(tls_aead_t, encrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version,
|
private_tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data)
|
tls_content_type_t *type, uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac;
|
chunk_t assoc, mac;
|
||||||
sigheader_t hdr;
|
sigheader_t hdr;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
@ -67,7 +67,7 @@ METHOD(tls_aead_t, encrypt, bool,
|
|||||||
|
|
||||||
METHOD(tls_aead_t, decrypt, bool,
|
METHOD(tls_aead_t, decrypt, bool,
|
||||||
private_tls_aead_t *this, tls_version_t version,
|
private_tls_aead_t *this, tls_version_t version,
|
||||||
tls_content_type_t type, uint64_t seq, chunk_t *data)
|
tls_content_type_t *type, uint64_t seq, chunk_t *data)
|
||||||
{
|
{
|
||||||
chunk_t assoc, mac;
|
chunk_t assoc, mac;
|
||||||
sigheader_t hdr;
|
sigheader_t hdr;
|
||||||
@ -80,7 +80,7 @@ METHOD(tls_aead_t, decrypt, bool,
|
|||||||
mac = chunk_skip(*data, data->len - mac.len);
|
mac = chunk_skip(*data, data->len - mac.len);
|
||||||
data->len -= mac.len;
|
data->len -= mac.len;
|
||||||
|
|
||||||
hdr.type = type;
|
hdr.type = *type;
|
||||||
htoun64(&hdr.seq, seq);
|
htoun64(&hdr.seq, seq);
|
||||||
htoun16(&hdr.version, version);
|
htoun16(&hdr.version, version);
|
||||||
htoun16(&hdr.length, data->len);
|
htoun16(&hdr.length, data->len);
|
||||||
|
@ -76,7 +76,7 @@ METHOD(tls_protection_t, process, status_t,
|
|||||||
if (this->aead_in)
|
if (this->aead_in)
|
||||||
{
|
{
|
||||||
if (!this->aead_in->decrypt(this->aead_in, this->version,
|
if (!this->aead_in->decrypt(this->aead_in, this->version,
|
||||||
type, this->seq_in, &data))
|
&type, this->seq_in, &data))
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "TLS record decryption failed");
|
DBG1(DBG_TLS, "TLS record decryption failed");
|
||||||
this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
|
this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
|
||||||
@ -111,7 +111,7 @@ METHOD(tls_protection_t, build, status_t,
|
|||||||
if (this->aead_out)
|
if (this->aead_out)
|
||||||
{
|
{
|
||||||
if (!this->aead_out->encrypt(this->aead_out, this->version,
|
if (!this->aead_out->encrypt(this->aead_out, this->version,
|
||||||
*type, this->seq_out, data))
|
type, this->seq_out, data))
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "TLS record encryption failed");
|
DBG1(DBG_TLS, "TLS record encryption failed");
|
||||||
chunk_free(data);
|
chunk_free(data);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user