From fd7ec355ec4bf1f7c8129ff01135bb1387959a7e Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Fri, 17 Aug 2018 00:36:07 +0200
Subject: [PATCH] TLS13: properly skip over failed decryption of early data

When early data is present but undecryptable (due to lack of keys), it should not result in incrementing the sequence number or the following application data from the client will fail to decrypt.

Change-Id: I8016a30508d96c14cbd6a3b9c4af1591a6c437c3
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/29169
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte
---
 epan/dissectors/packet-ssl-utils.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 9edb327ed9..b2db4ec2f2 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -3982,10 +3982,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
 /* Sequence number is left-padded with zeroes and XORed with write_iv */
 phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
 ssl_debug_printf("%s seq %" G_GUINT64_FORMAT "\n", G_STRFUNC, decoder->seq);
- /* sequence number for TLS 1.2 is incremented when calculating AAD. */
- if (!is_v12) {
- decoder->seq++; /* Implicit sequence number for TLS 1.3. */
- }
 }
 /* Set nonce and additional authentication data */
@@ -4008,9 +4004,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
 if (is_v12) {
 guchar aad[13];
 phton64(aad, decoder->seq); /* record sequence number */
- if (version == TLSV1DOT2_VERSION) {
- decoder->seq++; /* Implicit sequence number for TLS 1.2. */
- } else {
+ if (version == DTLSV1DOT2_VERSION) {
 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
 }
 aad[8] = ct; /* TLSCompressed.type */
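Review bot: Replacing the `else` with an explicit `version == DTLSV1DOT2_VERSION` test narrows the branch that writes the epoch into the AAD; if `is_v12` can ever be true for a version value other than TLS 1.2 or DTLS 1.2, that case now gets an AAD without the epoch where it previously got one. How `is_v12` is derived is outside this hunk, so this is probably intended, but the two guards need to stay in step. A short comment on the added line would make the pairing explicit, e.g. `/* is_v12 covers TLS 1.2 and DTLS 1.2; only DTLS overwrites the top 16 bits of seq with the epoch */`. tls_decrypt_aead_record's body continues outside the hunk.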
@@ -4072,6 +4066,15 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
 ssl_debug_printf("Libgcrypt is older than 1.6, unable to verify auth tag!\n");
 #endif
+ /*
+ * Increment the (implicit) sequence number for TLS 1.2/1.3. This is done
+ * after successful authentication to ensure that early data is skipped when
+ * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
+ */
+ if (version == TLSV1DOT2_VERSION || version == TLSV1DOT3_VERSION) {
+ decoder->seq++;
+ }
+
 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
 *outl = ciphertext_len;
 return TRUE;
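Review bot: The added comment says the increment happens "after successful authentication", but on the `#else` path directly above (Libgcrypt older than 1.6, where the auth tag is not verified) control still falls through into this block, so an undecryptable early-data record would still advance `decoder->seq` there and the client's subsequent records would again fail to decrypt. That limitation is inherent in not being able to check the tag, but the comment should state it rather than imply the guarantee is unconditional, e.g. add a line `* (Without tag verification, Libgcrypt < 1.6, undecryptable records still advance seq.)` inside the comment block. The new condition also leaves DTLS 1.2 out of the increment, consistent with the earlier hunk where DTLS writes the epoch into the AAD instead; a clause noting that DTLS presumably carries its sequence number explicitly in the record would help the next reader. tls_decrypt_aead_record starts outside the hunk.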