From 357d096a2963b8e5253ea53b6ab34e3fc706bea3 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 5 Jan 2017 12:34:46 +0000
Subject: Teach TLSProxy how to re-encrypt a TLSv1.3 message after changes

This enables us to make changes to in-flight TLSv1.3 messages that appear after the ServerHello.

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2157)
---
 util/TLSProxy/Message.pm | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'util')

diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 438209fc40..7cb7b28aec 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -367,7 +367,7 @@ sub ciphersuite
 }
 
 #Update all the underlying records with the modified data from this message
-#Note: Does not currently support re-encrypting
+#Note: Only supports re-encrypting for TLSv1.3
 sub repack
 {
     my $self = shift;
@@ -410,8 +410,14 @@ sub repack
     # use an explicit override field instead.)
     $rec->decrypt_len(length($rec->decrypt_data));
     $rec->len($rec->len + length($msgdata) - $old_length);
-    # Don't support re-encryption.
-    $rec->data($rec->decrypt_data);
+    # Only support re-encryption for TLSv1.3.
+    if (TLSProxy::Proxy->is_tls13() && $rec->encrypted()) {
+        #Add content type (1 byte) and 16 tag bytes
+        $rec->data($rec->decrypt_data
+                   .pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16));
+    } else {
+        $rec->data($rec->decrypt_data);
+    }
 
     #Update the fragment len in case we changed it above
     ${$self->message_frag_lens}[0] = length($msgdata)
-- 
cgit v1.2.3
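Review bot: The re-encryption branch in the second hunk builds the AEAD tag as sixteen zero bytes and hard-codes the inner content type to RT_HANDSHAKE, so the rewritten record is only acceptable to a peer where tag verification is effectively not in force in the test set-up, and only when the record really carries handshake data; neither assumption is stated where the bytes are assembled. A comment would keep this helper from being reused for other record types or outside the harness, e.g. `# Test-only: the 16 zero bytes stand in for the AEAD tag and are never a valid MAC; the inner content type is forced to handshake because repack() only rewrites handshake messages — presumably the peers in the harness tolerate this, confirm against Record.pm`. The literal 16 and the appended content type could also live as named constants next to RT_HANDSHAKE in TLSProxy::Record rather than inline here, since a non-16-byte tag would silently produce a malformed record. repack's body continues outside the hunk.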