提交 20b65c7b 编写于 作者: M Matt Caswell

Fix some TLSProxy warnings

After the client processes the server's initial flight in TLS1.3 it may
respond with either an encrypted, or an unencrypted alert. We needed to
teach TLSProxy about this so that it didn't issue spurious warnings.
Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 5abeaf35
...@@ -23,6 +23,8 @@ use TLSProxy::NewSessionTicket; ...@@ -23,6 +23,8 @@ use TLSProxy::NewSessionTicket;
my $have_IPv6 = 0; my $have_IPv6 = 0;
my $IP_factory; my $IP_factory;
my $is_tls13 = 0;
sub new sub new
{ {
my $class = shift; my $class = shift;
...@@ -103,6 +105,7 @@ sub clearClient ...@@ -103,6 +105,7 @@ sub clearClient
$self->{record_list} = []; $self->{record_list} = [];
$self->{message_list} = []; $self->{message_list} = [];
$self->{clientflags} = ""; $self->{clientflags} = "";
$is_tls13 = 0;
TLSProxy::Message->clear(); TLSProxy::Message->clear();
TLSProxy::Record->clear(); TLSProxy::Record->clear();
...@@ -503,5 +506,12 @@ sub fill_known_data ...@@ -503,5 +506,12 @@ sub fill_known_data
} }
return $ret; return $ret;
} }
sub is_tls13
{
my $class = shift;
if (@_) {
$is_tls13 = shift;
}
return $is_tls13;
}
1; 1;
...@@ -111,7 +111,7 @@ sub get_records ...@@ -111,7 +111,7 @@ sub get_records
if (($server && $server_encrypting) if (($server && $server_encrypting)
|| (!$server && $client_encrypting)) { || (!$server && $client_encrypting)) {
if ($version != VERS_TLS_1_3() && $etm) { if (!TLSProxy::Proxy->is_tls13() && $etm) {
$record->decryptETM(); $record->decryptETM();
} else { } else {
$record->decrypt(); $record->decrypt();
...@@ -229,7 +229,19 @@ sub decrypt() ...@@ -229,7 +229,19 @@ sub decrypt()
my $data = $self->data; my $data = $self->data;
#Throw away any IVs #Throw away any IVs
if ($self->version >= VERS_TLS_1_3()) { if (TLSProxy::Proxy->is_tls13()) {
#A TLS1.3 client, when processing the server's initial flight, could
#respond with either an encrypted or an unencrypted alert.
if ($self->content_type() == RT_ALERT) {
#TODO(TLS1.3): Eventually it is sufficient just to check the record
#content type. If an alert is encrypted it will have a record
#content type of application data. However we haven't done the
#record layer changes yet, so it's a bit more complicated. For now
#we will additionally check if the data length is 2 (1 byte for
#alert level, 1 byte for alert description). If it is, then this is
#an unecrypted alert, so don't try to decrypt
return $data if (length($data) == 2);
}
#8 bytes for a GCM IV #8 bytes for a GCM IV
$data = substr($data, 8); $data = substr($data, 8);
$mactaglen = 16; $mactaglen = 16;
......
...@@ -98,6 +98,7 @@ sub parse ...@@ -98,6 +98,7 @@ sub parse
if ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) { if ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) {
TLSProxy::Record->server_encrypting(1); TLSProxy::Record->server_encrypting(1);
TLSProxy::Record->client_encrypting(1); TLSProxy::Record->client_encrypting(1);
TLSProxy::Proxy->is_tls13(1);
} }
print " Server Version:".$server_version."\n"; print " Server Version:".$server_version."\n";
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册