TLS13: properly skip over failed decryption of early data
When early data is present but undecryptable (due to lack of keys), it should not result in incrementing the sequence number or the following application data from the client will fail to decrypt. Change-Id: I8016a30508d96c14cbd6a3b9c4af1591a6c437c3 Ping-Bug: 12779 Reviewed-on: https://code.wireshark.org/review/29169 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This commit is contained in:
parent
8e3562fc03
commit
fd7ec355ec
|
@ -3982,10 +3982,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
|
|||
/* Sequence number is left-padded with zeroes and XORed with write_iv */
|
||||
phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
|
||||
ssl_debug_printf("%s seq %" G_GUINT64_FORMAT "\n", G_STRFUNC, decoder->seq);
|
||||
/* sequence number for TLS 1.2 is incremented when calculating AAD. */
|
||||
if (!is_v12) {
|
||||
decoder->seq++; /* Implicit sequence number for TLS 1.3. */
|
||||
}
|
||||
}
|
||||
|
||||
/* Set nonce and additional authentication data */
|
||||
|
@ -4008,9 +4004,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
|
|||
if (is_v12) {
|
||||
guchar aad[13];
|
||||
phton64(aad, decoder->seq); /* record sequence number */
|
||||
if (version == TLSV1DOT2_VERSION) {
|
||||
decoder->seq++; /* Implicit sequence number for TLS 1.2. */
|
||||
} else {
|
||||
if (version == DTLSV1DOT2_VERSION) {
|
||||
phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
|
||||
}
|
||||
aad[8] = ct; /* TLSCompressed.type */
|
||||
|
@ -4072,6 +4066,15 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
|
|||
ssl_debug_printf("Libgcrypt is older than 1.6, unable to verify auth tag!\n");
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Increment the (implicit) sequence number for TLS 1.2/1.3. This is done
|
||||
* after successful authentication to ensure that early data is skipped when
|
||||
* CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
|
||||
*/
|
||||
if (version == TLSV1DOT2_VERSION || version == TLSV1DOT3_VERSION) {
|
||||
decoder->seq++;
|
||||
}
|
||||
|
||||
ssl_print_data("Plaintext", out_str->data, ciphertext_len);
|
||||
*outl = ciphertext_len;
|
||||
return TRUE;
|
||||
|
|
Loading…
Reference in New Issue