my $have_IPv6 = 0;
my $IP_factory;
+my $is_tls13 = 0;
+
sub new
{
my $class = shift;
$self->{record_list} = [];
$self->{message_list} = [];
$self->{clientflags} = "";
+ $is_tls13 = 0;
TLSProxy::Message->clear();
TLSProxy::Record->clear();
}
return $ret;
}
-
+sub is_tls13
+{
+ my $class = shift;
+ if (@_) {
+ $is_tls13 = shift;
+ }
+ return $is_tls13;
+}
1;
if (($server && $server_encrypting)
|| (!$server && $client_encrypting)) {
- if ($version != VERS_TLS_1_3() && $etm) {
+ if (!TLSProxy::Proxy->is_tls13() && $etm) {
$record->decryptETM();
} else {
$record->decrypt();
my $data = $self->data;
#Throw away any IVs
- if ($self->version >= VERS_TLS_1_3()) {
+ if (TLSProxy::Proxy->is_tls13()) {
+ #A TLS1.3 client, when processing the server's initial flight, could
+ #respond with either an encrypted or an unencrypted alert.
+ if ($self->content_type() == RT_ALERT) {
+ #TODO(TLS1.3): Eventually it is sufficient just to check the record
+ #content type. If an alert is encrypted it will have a record
+ #content type of application data. However we haven't done the
+ #record layer changes yet, so it's a bit more complicated. For now
+ #we will additionally check if the data length is 2 (1 byte for
+ #alert level, 1 byte for alert description). If it is, then this is
+ #an unecrypted alert, so don't try to decrypt
+ return $data if (length($data) == 2);
+ }
#8 bytes for a GCM IV
$data = substr($data, 8);
$mactaglen = 16;
if ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) {
TLSProxy::Record->server_encrypting(1);
TLSProxy::Record->client_encrypting(1);
+ TLSProxy::Proxy->is_tls13(1);
}
print " Server Version:".$server_version."\n";
projects / openssl.git / commitdiff