decrypt authenticates and decrypts the record if protection is active at this stage. The returned plaintext might overlap with the input.
(record []byte)
| 345 | // decrypt authenticates and decrypts the record if protection is active at |
| 346 | // this stage. The returned plaintext might overlap with the input. |
| 347 | func (hc *halfConn) decrypt(record []byte) ([]byte, recordType, error) { |
| 348 | var plaintext []byte |
| 349 | typ := recordType(record[0]) |
| 350 | payload := record[recordHeaderLen:] |
| 351 | |
| 352 | // In TLS 1.3, change_cipher_spec messages are to be ignored without being |
| 353 | // decrypted. See RFC 8446, Appendix D.4. |
| 354 | if hc.version == VersionTLS13 && typ == recordTypeChangeCipherSpec { |
| 355 | return payload, typ, nil |
| 356 | } |
| 357 | |
| 358 | paddingGood := byte(255) |
| 359 | paddingLen := 0 |
| 360 | |
| 361 | explicitNonceLen := hc.explicitNonceLen() |
| 362 | |
| 363 | if hc.cipher != nil { |
| 364 | switch c := hc.cipher.(type) { |
| 365 | case cipher.Stream: |
| 366 | c.XORKeyStream(payload, payload) |
| 367 | case aead: |
| 368 | if len(payload) < explicitNonceLen { |
| 369 | return nil, 0, alertBadRecordMAC |
| 370 | } |
| 371 | nonce := payload[:explicitNonceLen] |
| 372 | if len(nonce) == 0 { |
| 373 | nonce = hc.seq[:] |
| 374 | } |
| 375 | payload = payload[explicitNonceLen:] |
| 376 | |
| 377 | var additionalData []byte |
| 378 | if hc.version == VersionTLS13 { |
| 379 | additionalData = record[:recordHeaderLen] |
| 380 | } else { |
| 381 | additionalData = append(hc.scratchBuf[:0], hc.seq[:]...) |
| 382 | additionalData = append(additionalData, record[:3]...) |
| 383 | n := len(payload) - c.Overhead() |
| 384 | additionalData = append(additionalData, byte(n>>8), byte(n)) |
| 385 | } |
| 386 | |
| 387 | var err error |
| 388 | plaintext, err = c.Open(payload[:0], nonce, payload, additionalData) |
| 389 | if err != nil { |
| 390 | return nil, 0, alertBadRecordMAC |
| 391 | } |
| 392 | case cbcMode: |
| 393 | blockSize := c.BlockSize() |
| 394 | minPayload := explicitNonceLen + roundUp(hc.mac.Size()+1, blockSize) |
| 395 | if len(payload)%blockSize != 0 || len(payload) < minPayload { |
| 396 | return nil, 0, alertBadRecordMAC |
| 397 | } |
| 398 | |
| 399 | if explicitNonceLen > 0 { |
| 400 | c.SetIV(payload[:explicitNonceLen]) |
| 401 | payload = payload[explicitNonceLen:] |
| 402 | } |
| 403 | c.CryptBlocks(payload, payload) |
| 404 |