authorFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2023-01-10 15:06:18 +0100
committerFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2023-02-20 16:32:13 +0100
commitbac6e555630763e631f9cd45528f46a23fe4377e (patch)
tree9a0d0cf376ab66cf7212d2554aa9327b916158e8
parentcaf3be8fdb3fe115406b5523633bf6ffdc8bb615 (diff)
downloadgnutls-bac6e555630763e631f9cd45528f46a23fe4377e.tar.gz
DTLS1_3: Deserialize Header (AE)AD
DTLS1.3 uses unified_header without encrypted sequence as an AD for AEAD Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
-rw-r--r--lib/cipher.c34
-rw-r--r--lib/cipher.h2
-rw-r--r--lib/dtls-sw.c10
-rw-r--r--lib/dtls.h3
4 files changed, 36 insertions, 13 deletions
diff --git a/lib/cipher.c b/lib/cipher.c
index eb032dd37f..9f06c7ccf9 100644
--- a/lib/cipher.c
+++ b/lib/cipher.c
@@ -64,7 +64,7 @@ decrypt_packet_tls13(gnutls_session_t session,
gnutls_datum_t * ciphertext,
gnutls_datum_t * plain,
content_type_t *type, record_parameters_st * params,
- uint64_t sequence);
+ uint64_t sequence, uint8_t dtls13_header);
static int
encrypt_packet_tls13(gnutls_session_t session,
@@ -156,7 +156,7 @@ _gnutls_decrypt(gnutls_session_t session,
gnutls_datum_t *output,
content_type_t *type,
record_parameters_st *params,
- uint64_t sequence)
+ uint64_t sequence, uint8_t dtls13_header)
{
int ret;
const version_entry_st *vers = get_version(session);
@@ -168,7 +168,7 @@ _gnutls_decrypt(gnutls_session_t session,
ret =
decrypt_packet_tls13(session, ciphertext,
output, type, params,
- sequence);
+ sequence, dtls13_header);
else
ret =
decrypt_packet(session, ciphertext,
@@ -825,7 +825,7 @@ decrypt_packet_tls13(gnutls_session_t session,
gnutls_datum_t *ciphertext,
gnutls_datum_t *plain,
content_type_t *type, record_parameters_st *params,
- uint64_t sequence)
+ uint64_t sequence, uint8_t dtls13_header)
{
uint8_t nonce[MAX_CIPHER_IV_SIZE];
size_t length, length_to_decrypt;
@@ -836,6 +836,7 @@ decrypt_packet_tls13(gnutls_session_t session,
unsigned j;
volatile unsigned length_set;
uint8_t aad[5];
+ ssize_t aad_size;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -880,15 +881,32 @@ decrypt_packet_tls13(gnutls_session_t session,
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
- aad[0] = GNUTLS_APPLICATION_DATA;
if (session->internals.transport == GNUTLS_STREAM) {
+ aad[0] = GNUTLS_APPLICATION_DATA;
aad[1] = 0x03;
aad[2] = 0x03;
+ _gnutls_write_uint16(ciphertext->size, &aad[3]);
+ aad_size = 5;
} else {
- aad[1] = 0xfe;
- aad[2] = 0xfc;
+ /* Deserialize the DTLS1.3 Header */
+ aad[0] = dtls13_header;
+ aad_size = 1;
+
+ // Connection Id will be resolved here
+
+ if (dtls13_header & 0x08) {
+ _gnutls_write_uint16(sequence, &aad[aad_size]);
+ aad_size += 2;
+ } else {
+ aad[aad_size] = sequence;
+ aad_size++;
+ }
+
+ if(dtls13_header & 0x04) {
+ _gnutls_write_uint16(length_to_decrypt, &aad[aad_size]);
+ aad_size += 2;
+ }
}
- _gnutls_write_uint16(ciphertext->size, &aad[3]);
ret = gnutls_aead_cipher_decrypt(&params->read.ctx.aead,
nonce, iv_size,
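Review bot: `aad[aad_size] = sequence;` narrows a uint64_t to uint8_t implicitly (and `_gnutls_write_uint16(sequence, ...)` narrows it too), while the `0x08`/`0x04` tests are bare magic numbers for the unified-header S and L bits; prefer `aad[aad_size] = (uint8_t)(sequence & 0xff);` and named constants such as `#define DTLS13_UHDR_S_BIT 0x08` / `#define DTLS13_UHDR_L_BIT 0x04` (constructed names), and `if(` should be `if (` to match the file. The AAD length actually handed to gnutls_aead_cipher_decrypt lies outside the hunk; if that line still passes the former fixed 5 instead of `aad_size`, a header with an 8-bit sequence number or without the L bit would authenticate stale bytes of `aad[]` and every such record would fail the tag check, so please confirm it was updated. The two branches also feed different quantities into the length field (`ciphertext->size` for TLS, `length_to_decrypt` for DTLS); the DTLS 1.3 Length field must equal the on-wire length of the encrypted record, so either the two are the same value here or the difference deserves a comment. `aad[5]` is exactly filled when both S and L are set, so the `// Connection Id will be resolved here` placeholder (better written `/* TODO: ... */` in this file's comment style) cannot be implemented without enlarging the buffer, and `aad_size` is never negative, so `size_t` fits it better than `ssize_t`.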
diff --git a/lib/cipher.h b/lib/cipher.h
index 43cdde22f4..c5e195280d 100644
--- a/lib/cipher.h
+++ b/lib/cipher.h
@@ -32,7 +32,7 @@ int _gnutls_encrypt(gnutls_session_t session,
int _gnutls_decrypt(gnutls_session_t session,
gnutls_datum_t * ciphertext, gnutls_datum_t * output,
content_type_t *type, record_parameters_st * params,
- uint64_t sequence);
+ uint64_t sequence, uint8_t dtls13_header);
#define MAX_PREAMBLE_SIZE 16
diff --git a/lib/dtls-sw.c b/lib/dtls-sw.c
index 2511fb34a2..366b52ea88 100644
--- a/lib/dtls-sw.c
+++ b/lib/dtls-sw.c
@@ -49,12 +49,16 @@ void _dtls_reset_window(struct record_parameters_st *rp)
* packet is detected it returns a negative value (but no sensible error code).
* Otherwise zero.
*/
-int _dtls_record_check(struct record_parameters_st *rp, uint64_t seq_num)
+int _dtls_record_check(struct record_parameters_st *rp, uint64_t seq_num,
+ uint16_t epoch, const version_entry_st *ver)
{
- if ((seq_num >> DTLS_EPOCH_SHIFT) != rp->epoch) {
- return gnutls_assert_val(-1);
+ if (!ver->tls13_sem) {
+ epoch = seq_num >> DTLS_EPOCH_SHIFT;
}
+ if (epoch != rp->epoch)
+ return gnutls_assert_val(-1);
+
seq_num &= DTLS_SEQ_NUM_MASK;
/*
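Review bot: The new `epoch` and `ver` parameters are not covered by the comment block just above the hunk, which still documents only the return value; extend it with something like `epoch is the epoch as carried by the record; with TLS 1.3 semantics it is compared directly against rp->epoch, otherwise it is ignored and re-derived from the upper bits of seq_num.` `ver->tls13_sem` is dereferenced unconditionally although this tree guards `ver == NULL` elsewhere (decrypt_packet_tls13 in lib/cipher.c has `if (unlikely(ver == NULL))`), so either state in the comment that callers must pass a non-NULL version or add `if (unlikely(ver == NULL)) return gnutls_assert_val(-1);` before the epoch selection. The window logic that follows operates on whatever `seq_num` the caller supplies; since a DTLS 1.3 unified header carries only the low 8 or 16 bits of the record number, the caller is presumably expected to reconstruct the full value first, which is worth saying in the comment. The function body continues past the hunk.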
diff --git a/lib/dtls.h b/lib/dtls.h
index 7d9fb40094..dde7d5abe5 100644
--- a/lib/dtls.h
+++ b/lib/dtls.h
@@ -30,7 +30,8 @@
#include <constate.h>
int _dtls_transmit(gnutls_session_t session);
-int _dtls_record_check(struct record_parameters_st *rp, uint64_t seq_num);
+int _dtls_record_check(struct record_parameters_st *rp, uint64_t seq_num,
+ uint16_t epoch, const version_entry_st *ver);
void _dtls_reset_hsk_state(gnutls_session_t session);
void _dtls_reset_window(struct record_parameters_st *rp);