1 files changed, 79 insertions, 5 deletions

diff --git a/src/charon/plugins/eap_tls/tls/tls_protection.c b/src/charon/plugins/eap_tls/tls/tls_protection.c
index d0bb1e030..75fae0a71 100644
--- a/src/charon/plugins/eap_tls/tls/tls_protection.c
+++ b/src/charon/plugins/eap_tls/tls/tls_protection.c
@@ -106,7 +106,82 @@ static chunk_t sigheader(u_int32_t seq, u_int8_t type,
 METHOD(tls_protection_t, process, status_t,
 	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
-	this->seq_in++;
+	if (this->crypter_in)
+	{
+		chunk_t iv, next_iv = chunk_empty;
+		u_int8_t bs, padding_length;
+
+		bs = this->crypter_in->get_block_size(this->crypter_in);
+		if (data.len < bs || data.len % bs)
+		{
+			DBG1(DBG_IKE, "encrypted TLS record not multiple of block size");
+			return FAILED;
+		}
+		if (this->iv_in.len)
+		{	/* < TLSv1.1 uses IV from key derivation/last block */
+			iv = this->iv_in;
+			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
+		}
+		else
+		{	/* TLSv1.1 uses random IVs, prepended to record */
+			iv = chunk_create(data.ptr, bs);
+			data = chunk_skip(data, bs);
+			if (data.len < bs)
+			{
+				DBG1(DBG_IKE, "TLS record too short to decrypt");
+				return FAILED;
+			}
+		}
+		this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+
+		if (next_iv.len)
+		{	/* next record IV is last ciphertext block of this record */
+			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
+			free(next_iv.ptr);
+		}
+
+		padding_length = data.ptr[data.len - 1];
+		if (padding_length >= data.len)
+		{
+			DBG1(DBG_IKE, "invalid TLS record padding");
+			return FAILED;
+		}
+		data.len -= padding_length + 1;
+	}
+	if (this->signer_in)
+	{
+		chunk_t mac, macdata, header;
+		u_int8_t bs;
+
+		bs = this->signer_in->get_block_size(this->signer_in);
+		if (data.len <= bs)
+		{
+			DBG1(DBG_IKE, "TLS record too short to verify MAC");
+			return FAILED;
+		}
+		mac = chunk_skip(data, data.len - bs);
+		data.len -= bs;
+
+		header = sigheader(this->seq_in, type,
+						   this->tls->get_version(this->tls), data.len);
+		macdata = chunk_cat("mc", header, data);
+		if (!this->signer_in->verify_signature(this->signer_in, macdata, mac))
+		{
+			DBG1(DBG_IKE, "TLS record MAC verification failed");
+			free(macdata.ptr);
+			return FAILED;
+		}
+		free(macdata.ptr);
+	}
+
+	if (type == TLS_CHANGE_CIPHER_SPEC)
+	{
+		this->seq_in = 0;
+	}
+	else
+	{
+		this->seq_in++;
+	}
 	return this->compression->process(this->compression, type, data);
 }
 
@@ -145,11 +220,11 @@ METHOD(tls_protection_t, build, status_t,
 				memset(padding.ptr, padding_length, padding.len);
 
 				if (this->iv_out.len)
-				{	/* < TLSv1.2 uses IV from key derivation/last block */
+				{	/* < TLSv1.1 uses IV from key derivation/last block */
 					iv = this->iv_out;
 				}
 				else
-				{	/* TLSv1.2 uses random IVs, prepended to record */
+				{	/* TLSv1.1 uses random IVs, prepended to record */
 					if (!this->rng)
 					{
 						DBG1(DBG_IKE, "no RNG supported to generate TLS IV");
@@ -162,8 +237,7 @@ METHOD(tls_protection_t, build, status_t,
 				*data = chunk_cat("mmcc", *data, mac, padding,
 								  chunk_from_thing(padding_length));
 				/* encrypt inline */
-				this->crypter_out->encrypt(this->crypter_out, *data,
-										   this->iv_out, NULL);
+				this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL);
 
 				if (this->iv_out.len)
 				{	/* next record IV is last ciphertext block of this record */