TLS13: properly skip over failed decryption of early data

When early data is present but undecryptable (due to lack of keys), it
should not result in incrementing the sequence number or the following
application data from the client will fail to decrypt.

Change-Id: I8016a30508d96c14cbd6a3b9c4af1591a6c437c3
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/29169
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This commit is contained in:
Peter Wu 2018-08-17 00:36:07 +02:00 committed by Alexis La Goutte
parent 8e3562fc03
commit fd7ec355ec
1 changed files with 10 additions and 7 deletions


@ -3982,10 +3982,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
/* Sequence number is left-padded with zeroes and XORed with write_iv */
phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
ssl_debug_printf("%s seq %" G_GUINT64_FORMAT "\n", G_STRFUNC, decoder->seq);
/* sequence number for TLS 1.2 is incremented when calculating AAD. */
if (!is_v12) {
decoder->seq++; /* Implicit sequence number for TLS 1.3. */
}
}
/* Set nonce and additional authentication data */
@ -4008,9 +4004,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
if (is_v12) {
guchar aad[13];
phton64(aad, decoder->seq); /* record sequence number */
if (version == TLSV1DOT2_VERSION) {
decoder->seq++; /* Implicit sequence number for TLS 1.2. */
} else {
if (version == DTLSV1DOT2_VERSION) {
phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
}
aad[8] = ct; /* TLSCompressed.type */
@ -4072,6 +4066,15 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
ssl_debug_printf("Libgcrypt is older than 1.6, unable to verify auth tag!\n");
#endif
/*
* Increment the (implicit) sequence number for TLS 1.2/1.3. This is done
* after successful authentication to ensure that early data is skipped when
* CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
*/
if (version == TLSV1DOT2_VERSION || version == TLSV1DOT3_VERSION) {
decoder->seq++;
}
ssl_print_data("Plaintext", out_str->data, ciphertext_len);
*outl = ciphertext_len;
return TRUE;
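Review bot: The moved increment at `decoder->seq++` only skips undecryptable early data when the auth tag is actually verified; in the Libgcrypt < 1.6 branch that ends at the `#endif` just above, the debug message says the tag cannot be checked, so a record decrypted under the wrong key presumably still reaches this point and advances the sequence number, leaving later client records misaligned exactly as before the change. The new comment should state that limitation, e.g. add `* Note: when the tag cannot be verified (Libgcrypt < 1.6) undecryptable early data still reaches this point and advances seq.` The failed-tag return path and the rest of tls_decrypt_aead_record lie outside the hunk, so this is inferred from the visible `#endif` and debug line rather than confirmed.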