diff options
| author | jsing <> | 2014-06-13 11:52:03 +0000 |
|---|---|---|
| committer | jsing <> | 2014-06-13 11:52:03 +0000 |
| commit | 180e6a8c04e46f1d6ee66dace2f5340c553c9d4c (patch) | |
| tree | 429d2914dd3a540337d3b93bafbe6b0493e99de7 | |
| parent | 87e30739835137951cf48dfa7f692aae2f40dc40 (diff) | |
| download | openbsd-180e6a8c04e46f1d6ee66dace2f5340c553c9d4c.tar.gz openbsd-180e6a8c04e46f1d6ee66dace2f5340c553c9d4c.tar.bz2 openbsd-180e6a8c04e46f1d6ee66dace2f5340c553c9d4c.zip | |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are
those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to
change cipher state with an EVP_AEAD and being able to encrypt/decrypt
TLS using the EVP_AEAD. This has no change on existing
non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl3.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_err.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_enc.c | 265 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl3.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_err.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 265 |
8 files changed, 498 insertions, 66 deletions
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 826d7c1696..1a2bdf7628 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.54 2014/06/13 10:52:24 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.55 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2081,9 +2081,11 @@ void ERR_load_SSL_strings(void); | |||
| 2081 | #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 | 2081 | #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 |
| 2082 | #define SSL_F_SSL_VERIFY_CERT_CHAIN 207 | 2082 | #define SSL_F_SSL_VERIFY_CERT_CHAIN 207 |
| 2083 | #define SSL_F_SSL_WRITE 208 | 2083 | #define SSL_F_SSL_WRITE 208 |
| 2084 | #define SSL_F_TLS1_AEAD_CTX_INIT 339 | ||
| 2084 | #define SSL_F_TLS1_CERT_VERIFY_MAC 286 | 2085 | #define SSL_F_TLS1_CERT_VERIFY_MAC 286 |
| 2085 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338 | ||
| 2086 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 | 2086 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 |
| 2087 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD 340 | ||
| 2088 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338 | ||
| 2087 | #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 | 2089 | #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 |
| 2088 | #define SSL_F_TLS1_ENC 210 | 2090 | #define SSL_F_TLS1_ENC 210 |
| 2089 | #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 | 2091 | #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 |
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h index 7fd00be2d3..235c359af2 100644 --- a/src/lib/libssl/src/ssl/ssl3.h +++ b/src/lib/libssl/src/ssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.22 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.23 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -488,6 +488,7 @@ typedef struct ssl3_state_st { | |||
| 488 | unsigned char *key_block; | 488 | unsigned char *key_block; |
| 489 | 489 | ||
| 490 | const EVP_CIPHER *new_sym_enc; | 490 | const EVP_CIPHER *new_sym_enc; |
| 491 | const EVP_AEAD *new_aead; | ||
| 491 | const EVP_MD *new_hash; | 492 | const EVP_MD *new_hash; |
| 492 | int new_mac_pkey_type; | 493 | int new_mac_pkey_type; |
| 493 | int new_mac_secret_size; | 494 | int new_mac_secret_size; |
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c index 0f18b1bc5f..9abd28bf88 100644 --- a/src/lib/libssl/src/ssl/ssl_err.c +++ b/src/lib/libssl/src/ssl/ssl_err.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_err.c,v 1.24 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: ssl_err.c,v 1.25 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -137,7 +137,6 @@ static ERR_STRING_DATA SSL_str_functs[]= { | |||
| 137 | {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, | 137 | {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, |
| 138 | {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, | 138 | {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, |
| 139 | {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, | 139 | {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, |
| 140 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"}, | ||
| 141 | {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, | 140 | {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, |
| 142 | {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, | 141 | {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, |
| 143 | {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, | 142 | {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, |
| @@ -277,8 +276,11 @@ static ERR_STRING_DATA SSL_str_functs[]= { | |||
| 277 | {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, | 276 | {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, |
| 278 | {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, | 277 | {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, |
| 279 | {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, | 278 | {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, |
| 279 | {ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"}, | ||
| 280 | {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, | 280 | {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, |
| 281 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, | 281 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, |
| 282 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"}, | ||
| 283 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"}, | ||
| 282 | {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, | 284 | {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, |
| 283 | {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, | 285 | {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, |
| 284 | {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"}, | 286 | {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"}, |
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 6d2e21c412..0ddb2d09b2 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.55 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.56 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -296,6 +296,69 @@ tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) | |||
| 296 | } | 296 | } |
| 297 | 297 | ||
| 298 | /* | 298 | /* |
| 299 | * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success | ||
| 300 | * and 0 on failure. | ||
| 301 | */ | ||
| 302 | static int | ||
| 303 | tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) | ||
| 304 | { | ||
| 305 | if (*aead_ctx != NULL) { | ||
| 306 | EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); | ||
| 307 | return (1); | ||
| 308 | } | ||
| 309 | |||
| 310 | *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); | ||
| 311 | if (*aead_ctx == NULL) { | ||
| 312 | SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); | ||
| 313 | return (0); | ||
| 314 | } | ||
| 315 | |||
| 316 | return (1); | ||
| 317 | } | ||
| 318 | |||
| 319 | static int | ||
| 320 | tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, | ||
| 321 | unsigned key_len, const unsigned char *iv, unsigned iv_len) | ||
| 322 | { | ||
| 323 | const EVP_AEAD *aead = s->s3->tmp.new_aead; | ||
| 324 | SSL_AEAD_CTX *aead_ctx; | ||
| 325 | |||
| 326 | if (is_read) { | ||
| 327 | if (!tls1_aead_ctx_init(&s->aead_read_ctx)) | ||
| 328 | return 0; | ||
| 329 | aead_ctx = s->aead_read_ctx; | ||
| 330 | } else { | ||
| 331 | if (!tls1_aead_ctx_init(&s->aead_write_ctx)) | ||
| 332 | return 0; | ||
| 333 | aead_ctx = s->aead_write_ctx; | ||
| 334 | } | ||
| 335 | |||
| 336 | if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, | ||
| 337 | EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) | ||
| 338 | return (0); | ||
| 339 | if (iv_len > sizeof(aead_ctx->fixed_nonce)) { | ||
| 340 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 341 | ERR_R_INTERNAL_ERROR); | ||
| 342 | return (0); | ||
| 343 | } | ||
| 344 | memcpy(aead_ctx->fixed_nonce, iv, iv_len); | ||
| 345 | aead_ctx->fixed_nonce_len = iv_len; | ||
| 346 | aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ | ||
| 347 | aead_ctx->variable_nonce_in_record = | ||
| 348 | (s->s3->tmp.new_cipher->algorithm2 & | ||
| 349 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; | ||
| 350 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | ||
| 351 | EVP_AEAD_nonce_length(aead)) { | ||
| 352 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 353 | ERR_R_INTERNAL_ERROR); | ||
| 354 | return (0); | ||
| 355 | } | ||
| 356 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | ||
| 357 | |||
| 358 | return (1); | ||
| 359 | } | ||
| 360 | |||
| 361 | /* | ||
| 299 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher | 362 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher |
| 300 | * states when using EVP_CIPHER. The argument is_read is true iff this function | 363 | * states when using EVP_CIPHER. The argument is_read is true iff this function |
| 301 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec | 364 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec |
| @@ -456,6 +519,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 456 | int mac_secret_size, key_len, iv_len; | 519 | int mac_secret_size, key_len, iv_len; |
| 457 | unsigned char *key_block, *seq; | 520 | unsigned char *key_block, *seq; |
| 458 | const EVP_CIPHER *cipher; | 521 | const EVP_CIPHER *cipher; |
| 522 | const EVP_AEAD *aead; | ||
| 459 | char is_read, use_client_keys; | 523 | char is_read, use_client_keys; |
| 460 | int is_export; | 524 | int is_export; |
| 461 | 525 | ||
| @@ -465,6 +529,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 465 | 529 | ||
| 466 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 530 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
| 467 | cipher = s->s3->tmp.new_sym_enc; | 531 | cipher = s->s3->tmp.new_sym_enc; |
| 532 | aead = s->s3->tmp.new_aead; | ||
| 468 | 533 | ||
| 469 | /* | 534 | /* |
| 470 | * is_read is true if we have just read a ChangeCipherSpec message, | 535 | * is_read is true if we have just read a ChangeCipherSpec message, |
| @@ -526,17 +591,21 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 526 | memset(seq, 0, SSL3_SEQUENCE_SIZE); | 591 | memset(seq, 0, SSL3_SEQUENCE_SIZE); |
| 527 | } | 592 | } |
| 528 | 593 | ||
| 529 | key_len = EVP_CIPHER_key_length(cipher); | 594 | if (aead != NULL) { |
| 530 | if (is_export) { | 595 | key_len = EVP_AEAD_key_length(aead); |
| 531 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | 596 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); |
| 597 | } else { | ||
| 598 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 599 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 600 | |||
| 601 | if (is_export && | ||
| 602 | key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | ||
| 532 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); | 603 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); |
| 533 | } | ||
| 534 | 604 | ||
| 535 | /* If GCM mode only part of IV comes from PRF. */ | 605 | /* If GCM mode only part of IV comes from PRF. */ |
| 536 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 606 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) |
| 537 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 607 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
| 538 | else | 608 | } |
| 539 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 540 | 609 | ||
| 541 | mac_secret_size = s->s3->tmp.new_mac_secret_size; | 610 | mac_secret_size = s->s3->tmp.new_mac_secret_size; |
| 542 | 611 | ||
| @@ -577,6 +646,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 577 | s->s3->write_mac_secret_size = mac_secret_size; | 646 | s->s3->write_mac_secret_size = mac_secret_size; |
| 578 | } | 647 | } |
| 579 | 648 | ||
| 649 | if (aead != NULL) { | ||
| 650 | return tls1_change_cipher_state_aead(s, is_read, key, key_len, | ||
| 651 | iv, iv_len); | ||
| 652 | } | ||
| 653 | |||
| 580 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, | 654 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, |
| 581 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); | 655 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); |
| 582 | 656 | ||
| @@ -592,8 +666,9 @@ tls1_setup_key_block(SSL *s) | |||
| 592 | unsigned char *key_block, *tmp_block = NULL; | 666 | unsigned char *key_block, *tmp_block = NULL; |
| 593 | int mac_type = NID_undef, mac_secret_size = 0; | 667 | int mac_type = NID_undef, mac_secret_size = 0; |
| 594 | int key_block_len, key_len, iv_len; | 668 | int key_block_len, key_len, iv_len; |
| 595 | const EVP_CIPHER *cipher; | 669 | const EVP_CIPHER *cipher = NULL; |
| 596 | const EVP_MD *mac; | 670 | const EVP_AEAD *aead = NULL; |
| 671 | const EVP_MD *mac = NULL; | ||
| 597 | SSL_COMP *comp; | 672 | SSL_COMP *comp; |
| 598 | int ret = 0; | 673 | int ret = 0; |
| 599 | 674 | ||
| @@ -606,24 +681,36 @@ tls1_setup_key_block(SSL *s) | |||
| 606 | return (0); | 681 | return (0); |
| 607 | } | 682 | } |
| 608 | 683 | ||
| 609 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, | 684 | if (s->session->cipher && |
| 610 | &mac_secret_size)) { | 685 | (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { |
| 611 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | 686 | if (!ssl_cipher_get_evp_aead(s->session, &aead)) { |
| 612 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | 687 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, |
| 613 | return (0); | 688 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
| 614 | } | 689 | return (0); |
| 615 | 690 | } | |
| 616 | key_len = EVP_CIPHER_key_length(cipher); | 691 | key_len = EVP_AEAD_key_length(aead); |
| 617 | 692 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); | |
| 618 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 693 | } else { |
| 619 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 694 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, |
| 620 | else | 695 | &mac_secret_size)) { |
| 696 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | ||
| 697 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | ||
| 698 | return (0); | ||
| 699 | } | ||
| 700 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 621 | iv_len = EVP_CIPHER_iv_length(cipher); | 701 | iv_len = EVP_CIPHER_iv_length(cipher); |
| 622 | 702 | ||
| 703 | /* If GCM mode only part of IV comes from PRF. */ | ||
| 704 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | ||
| 705 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | ||
| 706 | } | ||
| 707 | |||
| 708 | s->s3->tmp.new_aead = aead; | ||
| 623 | s->s3->tmp.new_sym_enc = cipher; | 709 | s->s3->tmp.new_sym_enc = cipher; |
| 624 | s->s3->tmp.new_hash = mac; | 710 | s->s3->tmp.new_hash = mac; |
| 625 | s->s3->tmp.new_mac_pkey_type = mac_type; | 711 | s->s3->tmp.new_mac_pkey_type = mac_type; |
| 626 | s->s3->tmp.new_mac_secret_size = mac_secret_size; | 712 | s->s3->tmp.new_mac_secret_size = mac_secret_size; |
| 713 | |||
| 627 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; | 714 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; |
| 628 | 715 | ||
| 629 | ssl3_cleanup_key_block(s); | 716 | ssl3_cleanup_key_block(s); |
| @@ -664,6 +751,7 @@ tls1_setup_key_block(SSL *s) | |||
| 664 | } | 751 | } |
| 665 | 752 | ||
| 666 | ret = 1; | 753 | ret = 1; |
| 754 | |||
| 667 | err: | 755 | err: |
| 668 | if (tmp_block) { | 756 | if (tmp_block) { |
| 669 | OPENSSL_cleanse(tmp_block, key_block_len); | 757 | OPENSSL_cleanse(tmp_block, key_block_len); |
| @@ -684,11 +772,135 @@ err: | |||
| 684 | int | 772 | int |
| 685 | tls1_enc(SSL *s, int send) | 773 | tls1_enc(SSL *s, int send) |
| 686 | { | 774 | { |
| 687 | SSL3_RECORD *rec; | 775 | const SSL_AEAD_CTX *aead; |
| 776 | const EVP_CIPHER *enc; | ||
| 688 | EVP_CIPHER_CTX *ds; | 777 | EVP_CIPHER_CTX *ds; |
| 778 | SSL3_RECORD *rec; | ||
| 689 | unsigned long l; | 779 | unsigned long l; |
| 690 | int bs, i, j, k, pad = 0, ret, mac_size = 0; | 780 | int bs, i, j, k, pad = 0, ret, mac_size = 0; |
| 691 | const EVP_CIPHER *enc; | 781 | |
| 782 | if (send) { | ||
| 783 | aead = s->aead_write_ctx; | ||
| 784 | rec = &s->s3->wrec; | ||
| 785 | } else { | ||
| 786 | aead = s->aead_read_ctx; | ||
| 787 | rec = &s->s3->rrec; | ||
| 788 | } | ||
| 789 | |||
| 790 | if (aead) { | ||
| 791 | unsigned char ad[13], *seq, *in, *out, nonce[16]; | ||
| 792 | unsigned nonce_used; | ||
| 793 | ssize_t n; | ||
| 794 | |||
| 795 | seq = send ? s->s3->write_sequence : s->s3->read_sequence; | ||
| 796 | |||
| 797 | if (SSL_IS_DTLS(s)) { | ||
| 798 | unsigned char dtlsseq[9], *p = dtlsseq; | ||
| 799 | |||
| 800 | s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); | ||
| 801 | memcpy(p, &seq[2], 6); | ||
| 802 | memcpy(ad, dtlsseq, 8); | ||
| 803 | } else { | ||
| 804 | memcpy(ad, seq, SSL3_SEQUENCE_SIZE); | ||
| 805 | for (i = 7; i >= 0; i--) { | ||
| 806 | ++seq[i]; | ||
| 807 | if (seq[i] != 0) | ||
| 808 | break; | ||
| 809 | } | ||
| 810 | } | ||
| 811 | |||
| 812 | ad[8] = rec->type; | ||
| 813 | ad[9] = (unsigned char)(s->version >> 8); | ||
| 814 | ad[10] = (unsigned char)(s->version); | ||
| 815 | |||
| 816 | if (aead->fixed_nonce_len + | ||
| 817 | aead->variable_nonce_len > sizeof(nonce) || | ||
| 818 | aead->variable_nonce_len > 8) | ||
| 819 | return -1; /* internal error - should never happen. */ | ||
| 820 | |||
| 821 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | ||
| 822 | nonce_used = aead->fixed_nonce_len; | ||
| 823 | |||
| 824 | if (send) { | ||
| 825 | size_t len = rec->length; | ||
| 826 | size_t eivlen = 0; | ||
| 827 | in = rec->input; | ||
| 828 | out = rec->data; | ||
| 829 | |||
| 830 | /* | ||
| 831 | * When sending we use the sequence number as the | ||
| 832 | * variable part of the nonce. | ||
| 833 | */ | ||
| 834 | if (aead->variable_nonce_len > 8) | ||
| 835 | return -1; | ||
| 836 | memcpy(nonce + nonce_used, ad, | ||
| 837 | aead->variable_nonce_len); | ||
| 838 | nonce_used += aead->variable_nonce_len; | ||
| 839 | |||
| 840 | /* | ||
| 841 | * In do_ssl3_write, rec->input is moved forward by | ||
| 842 | * variable_nonce_len in order to leave space for the | ||
| 843 | * variable nonce. Thus we can copy the sequence number | ||
| 844 | * bytes into place without overwriting any of the | ||
| 845 | * plaintext. | ||
| 846 | */ | ||
| 847 | if (aead->variable_nonce_in_record) { | ||
| 848 | memcpy(out, ad, aead->variable_nonce_len); | ||
| 849 | len -= aead->variable_nonce_len; | ||
| 850 | eivlen = aead->variable_nonce_len; | ||
| 851 | } | ||
| 852 | |||
| 853 | ad[11] = len >> 8; | ||
| 854 | ad[12] = len & 0xff; | ||
| 855 | |||
| 856 | if (!EVP_AEAD_CTX_seal(&aead->ctx, | ||
| 857 | out + eivlen, &n, len + aead->tag_len, nonce, | ||
| 858 | nonce_used, in + eivlen, len, ad, sizeof(ad))) | ||
| 859 | return -1; | ||
| 860 | if (n >= 0 && aead->variable_nonce_in_record) | ||
| 861 | n += aead->variable_nonce_len; | ||
| 862 | } else { | ||
| 863 | /* receive */ | ||
| 864 | size_t len = rec->length; | ||
| 865 | |||
| 866 | if (rec->data != rec->input) | ||
| 867 | return -1; /* internal error - should never happen. */ | ||
| 868 | out = in = rec->input; | ||
| 869 | |||
| 870 | if (len < aead->variable_nonce_len) | ||
| 871 | return 0; | ||
| 872 | memcpy(nonce + nonce_used, | ||
| 873 | aead->variable_nonce_in_record ? in : ad, | ||
| 874 | aead->variable_nonce_len); | ||
| 875 | nonce_used += aead->variable_nonce_len; | ||
| 876 | |||
| 877 | if (aead->variable_nonce_in_record) { | ||
| 878 | in += aead->variable_nonce_len; | ||
| 879 | len -= aead->variable_nonce_len; | ||
| 880 | out += aead->variable_nonce_len; | ||
| 881 | } | ||
| 882 | |||
| 883 | if (len < aead->tag_len) | ||
| 884 | return 0; | ||
| 885 | len -= aead->tag_len; | ||
| 886 | |||
| 887 | ad[11] = len >> 8; | ||
| 888 | ad[12] = len & 0xff; | ||
| 889 | |||
| 890 | if (!EVP_AEAD_CTX_open(&aead->ctx, out, &n, len, nonce, | ||
| 891 | nonce_used, in, len + aead->tag_len, ad, | ||
| 892 | sizeof(ad))) | ||
| 893 | return -1; | ||
| 894 | |||
| 895 | rec->data = rec->input = out; | ||
| 896 | } | ||
| 897 | |||
| 898 | if (n == -1) | ||
| 899 | return -1; | ||
| 900 | rec->length = n; | ||
| 901 | |||
| 902 | return 1; | ||
| 903 | } | ||
| 692 | 904 | ||
| 693 | if (send) { | 905 | if (send) { |
| 694 | if (EVP_MD_CTX_md(s->write_hash)) { | 906 | if (EVP_MD_CTX_md(s->write_hash)) { |
| @@ -730,7 +942,6 @@ tls1_enc(SSL *s, int send) | |||
| 730 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | 942 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); |
| 731 | } | 943 | } |
| 732 | 944 | ||
| 733 | |||
| 734 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { | 945 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { |
| 735 | memmove(rec->data, rec->input, rec->length); | 946 | memmove(rec->data, rec->input, rec->length); |
| 736 | rec->input = rec->data; | 947 | rec->input = rec->data; |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 826d7c1696..1a2bdf7628 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.54 2014/06/13 10:52:24 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.55 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2081,9 +2081,11 @@ void ERR_load_SSL_strings(void); | |||
| 2081 | #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 | 2081 | #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 |
| 2082 | #define SSL_F_SSL_VERIFY_CERT_CHAIN 207 | 2082 | #define SSL_F_SSL_VERIFY_CERT_CHAIN 207 |
| 2083 | #define SSL_F_SSL_WRITE 208 | 2083 | #define SSL_F_SSL_WRITE 208 |
| 2084 | #define SSL_F_TLS1_AEAD_CTX_INIT 339 | ||
| 2084 | #define SSL_F_TLS1_CERT_VERIFY_MAC 286 | 2085 | #define SSL_F_TLS1_CERT_VERIFY_MAC 286 |
| 2085 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338 | ||
| 2086 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 | 2086 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 |
| 2087 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD 340 | ||
| 2088 | #define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER 338 | ||
| 2087 | #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 | 2089 | #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 |
| 2088 | #define SSL_F_TLS1_ENC 210 | 2090 | #define SSL_F_TLS1_ENC 210 |
| 2089 | #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 | 2091 | #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 |
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 7fd00be2d3..235c359af2 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl3.h,v 1.22 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: ssl3.h,v 1.23 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -488,6 +488,7 @@ typedef struct ssl3_state_st { | |||
| 488 | unsigned char *key_block; | 488 | unsigned char *key_block; |
| 489 | 489 | ||
| 490 | const EVP_CIPHER *new_sym_enc; | 490 | const EVP_CIPHER *new_sym_enc; |
| 491 | const EVP_AEAD *new_aead; | ||
| 491 | const EVP_MD *new_hash; | 492 | const EVP_MD *new_hash; |
| 492 | int new_mac_pkey_type; | 493 | int new_mac_pkey_type; |
| 493 | int new_mac_secret_size; | 494 | int new_mac_secret_size; |
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 0f18b1bc5f..9abd28bf88 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_err.c,v 1.24 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: ssl_err.c,v 1.25 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* ==================================================================== | 2 | /* ==================================================================== |
| 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. | 3 | * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. |
| 4 | * | 4 | * |
| @@ -137,7 +137,6 @@ static ERR_STRING_DATA SSL_str_functs[]= { | |||
| 137 | {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, | 137 | {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, |
| 138 | {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, | 138 | {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, |
| 139 | {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, | 139 | {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, |
| 140 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"}, | ||
| 141 | {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, | 140 | {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, |
| 142 | {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, | 141 | {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"}, |
| 143 | {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, | 142 | {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, |
| @@ -277,8 +276,11 @@ static ERR_STRING_DATA SSL_str_functs[]= { | |||
| 277 | {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, | 276 | {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, |
| 278 | {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, | 277 | {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"}, |
| 279 | {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, | 278 | {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, |
| 279 | {ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"}, | ||
| 280 | {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, | 280 | {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, |
| 281 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, | 281 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, |
| 282 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"}, | ||
| 283 | {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"}, | ||
| 282 | {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, | 284 | {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, |
| 283 | {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, | 285 | {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, |
| 284 | {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"}, | 286 | {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"}, |
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 6d2e21c412..0ddb2d09b2 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.55 2014/06/13 04:29:13 miod Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.56 2014/06/13 11:52:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -296,6 +296,69 @@ tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) | |||
| 296 | } | 296 | } |
| 297 | 297 | ||
| 298 | /* | 298 | /* |
| 299 | * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success | ||
| 300 | * and 0 on failure. | ||
| 301 | */ | ||
| 302 | static int | ||
| 303 | tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) | ||
| 304 | { | ||
| 305 | if (*aead_ctx != NULL) { | ||
| 306 | EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); | ||
| 307 | return (1); | ||
| 308 | } | ||
| 309 | |||
| 310 | *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); | ||
| 311 | if (*aead_ctx == NULL) { | ||
| 312 | SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); | ||
| 313 | return (0); | ||
| 314 | } | ||
| 315 | |||
| 316 | return (1); | ||
| 317 | } | ||
| 318 | |||
| 319 | static int | ||
| 320 | tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, | ||
| 321 | unsigned key_len, const unsigned char *iv, unsigned iv_len) | ||
| 322 | { | ||
| 323 | const EVP_AEAD *aead = s->s3->tmp.new_aead; | ||
| 324 | SSL_AEAD_CTX *aead_ctx; | ||
| 325 | |||
| 326 | if (is_read) { | ||
| 327 | if (!tls1_aead_ctx_init(&s->aead_read_ctx)) | ||
| 328 | return 0; | ||
| 329 | aead_ctx = s->aead_read_ctx; | ||
| 330 | } else { | ||
| 331 | if (!tls1_aead_ctx_init(&s->aead_write_ctx)) | ||
| 332 | return 0; | ||
| 333 | aead_ctx = s->aead_write_ctx; | ||
| 334 | } | ||
| 335 | |||
| 336 | if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, | ||
| 337 | EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) | ||
| 338 | return (0); | ||
| 339 | if (iv_len > sizeof(aead_ctx->fixed_nonce)) { | ||
| 340 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 341 | ERR_R_INTERNAL_ERROR); | ||
| 342 | return (0); | ||
| 343 | } | ||
| 344 | memcpy(aead_ctx->fixed_nonce, iv, iv_len); | ||
| 345 | aead_ctx->fixed_nonce_len = iv_len; | ||
| 346 | aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ | ||
| 347 | aead_ctx->variable_nonce_in_record = | ||
| 348 | (s->s3->tmp.new_cipher->algorithm2 & | ||
| 349 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; | ||
| 350 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | ||
| 351 | EVP_AEAD_nonce_length(aead)) { | ||
| 352 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 353 | ERR_R_INTERNAL_ERROR); | ||
| 354 | return (0); | ||
| 355 | } | ||
| 356 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | ||
| 357 | |||
| 358 | return (1); | ||
| 359 | } | ||
| 360 | |||
| 361 | /* | ||
| 299 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher | 362 | * tls1_change_cipher_state_cipher performs the work needed to switch cipher |
| 300 | * states when using EVP_CIPHER. The argument is_read is true iff this function | 363 | * states when using EVP_CIPHER. The argument is_read is true iff this function |
| 301 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec | 364 | * is being called due to reading, as opposed to writing, a ChangeCipherSpec |
| @@ -456,6 +519,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 456 | int mac_secret_size, key_len, iv_len; | 519 | int mac_secret_size, key_len, iv_len; |
| 457 | unsigned char *key_block, *seq; | 520 | unsigned char *key_block, *seq; |
| 458 | const EVP_CIPHER *cipher; | 521 | const EVP_CIPHER *cipher; |
| 522 | const EVP_AEAD *aead; | ||
| 459 | char is_read, use_client_keys; | 523 | char is_read, use_client_keys; |
| 460 | int is_export; | 524 | int is_export; |
| 461 | 525 | ||
| @@ -465,6 +529,7 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 465 | 529 | ||
| 466 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 530 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
| 467 | cipher = s->s3->tmp.new_sym_enc; | 531 | cipher = s->s3->tmp.new_sym_enc; |
| 532 | aead = s->s3->tmp.new_aead; | ||
| 468 | 533 | ||
| 469 | /* | 534 | /* |
| 470 | * is_read is true if we have just read a ChangeCipherSpec message, | 535 | * is_read is true if we have just read a ChangeCipherSpec message, |
| @@ -526,17 +591,21 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 526 | memset(seq, 0, SSL3_SEQUENCE_SIZE); | 591 | memset(seq, 0, SSL3_SEQUENCE_SIZE); |
| 527 | } | 592 | } |
| 528 | 593 | ||
| 529 | key_len = EVP_CIPHER_key_length(cipher); | 594 | if (aead != NULL) { |
| 530 | if (is_export) { | 595 | key_len = EVP_AEAD_key_length(aead); |
| 531 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | 596 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); |
| 597 | } else { | ||
| 598 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 599 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 600 | |||
| 601 | if (is_export && | ||
| 602 | key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | ||
| 532 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); | 603 | key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); |
| 533 | } | ||
| 534 | 604 | ||
| 535 | /* If GCM mode only part of IV comes from PRF. */ | 605 | /* If GCM mode only part of IV comes from PRF. */ |
| 536 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 606 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) |
| 537 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 607 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
| 538 | else | 608 | } |
| 539 | iv_len = EVP_CIPHER_iv_length(cipher); | ||
| 540 | 609 | ||
| 541 | mac_secret_size = s->s3->tmp.new_mac_secret_size; | 610 | mac_secret_size = s->s3->tmp.new_mac_secret_size; |
| 542 | 611 | ||
| @@ -577,6 +646,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 577 | s->s3->write_mac_secret_size = mac_secret_size; | 646 | s->s3->write_mac_secret_size = mac_secret_size; |
| 578 | } | 647 | } |
| 579 | 648 | ||
| 649 | if (aead != NULL) { | ||
| 650 | return tls1_change_cipher_state_aead(s, is_read, key, key_len, | ||
| 651 | iv, iv_len); | ||
| 652 | } | ||
| 653 | |||
| 580 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, | 654 | return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, |
| 581 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); | 655 | mac_secret, mac_secret_size, key, key_len, iv, iv_len); |
| 582 | 656 | ||
| @@ -592,8 +666,9 @@ tls1_setup_key_block(SSL *s) | |||
| 592 | unsigned char *key_block, *tmp_block = NULL; | 666 | unsigned char *key_block, *tmp_block = NULL; |
| 593 | int mac_type = NID_undef, mac_secret_size = 0; | 667 | int mac_type = NID_undef, mac_secret_size = 0; |
| 594 | int key_block_len, key_len, iv_len; | 668 | int key_block_len, key_len, iv_len; |
| 595 | const EVP_CIPHER *cipher; | 669 | const EVP_CIPHER *cipher = NULL; |
| 596 | const EVP_MD *mac; | 670 | const EVP_AEAD *aead = NULL; |
| 671 | const EVP_MD *mac = NULL; | ||
| 597 | SSL_COMP *comp; | 672 | SSL_COMP *comp; |
| 598 | int ret = 0; | 673 | int ret = 0; |
| 599 | 674 | ||
| @@ -606,24 +681,36 @@ tls1_setup_key_block(SSL *s) | |||
| 606 | return (0); | 681 | return (0); |
| 607 | } | 682 | } |
| 608 | 683 | ||
| 609 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, | 684 | if (s->session->cipher && |
| 610 | &mac_secret_size)) { | 685 | (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { |
| 611 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | 686 | if (!ssl_cipher_get_evp_aead(s->session, &aead)) { |
| 612 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | 687 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, |
| 613 | return (0); | 688 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
| 614 | } | 689 | return (0); |
| 615 | 690 | } | |
| 616 | key_len = EVP_CIPHER_key_length(cipher); | 691 | key_len = EVP_AEAD_key_length(aead); |
| 617 | 692 | iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); | |
| 618 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | 693 | } else { |
| 619 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | 694 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, |
| 620 | else | 695 | &mac_secret_size)) { |
| 696 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, | ||
| 697 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | ||
| 698 | return (0); | ||
| 699 | } | ||
| 700 | key_len = EVP_CIPHER_key_length(cipher); | ||
| 621 | iv_len = EVP_CIPHER_iv_length(cipher); | 701 | iv_len = EVP_CIPHER_iv_length(cipher); |
| 622 | 702 | ||
| 703 | /* If GCM mode only part of IV comes from PRF. */ | ||
| 704 | if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | ||
| 705 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | ||
| 706 | } | ||
| 707 | |||
| 708 | s->s3->tmp.new_aead = aead; | ||
| 623 | s->s3->tmp.new_sym_enc = cipher; | 709 | s->s3->tmp.new_sym_enc = cipher; |
| 624 | s->s3->tmp.new_hash = mac; | 710 | s->s3->tmp.new_hash = mac; |
| 625 | s->s3->tmp.new_mac_pkey_type = mac_type; | 711 | s->s3->tmp.new_mac_pkey_type = mac_type; |
| 626 | s->s3->tmp.new_mac_secret_size = mac_secret_size; | 712 | s->s3->tmp.new_mac_secret_size = mac_secret_size; |
| 713 | |||
| 627 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; | 714 | key_block_len = (mac_secret_size + key_len + iv_len) * 2; |
| 628 | 715 | ||
| 629 | ssl3_cleanup_key_block(s); | 716 | ssl3_cleanup_key_block(s); |
| @@ -664,6 +751,7 @@ tls1_setup_key_block(SSL *s) | |||
| 664 | } | 751 | } |
| 665 | 752 | ||
| 666 | ret = 1; | 753 | ret = 1; |
| 754 | |||
| 667 | err: | 755 | err: |
| 668 | if (tmp_block) { | 756 | if (tmp_block) { |
| 669 | OPENSSL_cleanse(tmp_block, key_block_len); | 757 | OPENSSL_cleanse(tmp_block, key_block_len); |
| @@ -684,11 +772,135 @@ err: | |||
| 684 | int | 772 | int |
| 685 | tls1_enc(SSL *s, int send) | 773 | tls1_enc(SSL *s, int send) |
| 686 | { | 774 | { |
| 687 | SSL3_RECORD *rec; | 775 | const SSL_AEAD_CTX *aead; |
| 776 | const EVP_CIPHER *enc; | ||
| 688 | EVP_CIPHER_CTX *ds; | 777 | EVP_CIPHER_CTX *ds; |
| 778 | SSL3_RECORD *rec; | ||
| 689 | unsigned long l; | 779 | unsigned long l; |
| 690 | int bs, i, j, k, pad = 0, ret, mac_size = 0; | 780 | int bs, i, j, k, pad = 0, ret, mac_size = 0; |
| 691 | const EVP_CIPHER *enc; | 781 | |
| 782 | if (send) { | ||
| 783 | aead = s->aead_write_ctx; | ||
| 784 | rec = &s->s3->wrec; | ||
| 785 | } else { | ||
| 786 | aead = s->aead_read_ctx; | ||
| 787 | rec = &s->s3->rrec; | ||
| 788 | } | ||
| 789 | |||
| 790 | if (aead) { | ||
| 791 | unsigned char ad[13], *seq, *in, *out, nonce[16]; | ||
| 792 | unsigned nonce_used; | ||
| 793 | ssize_t n; | ||
| 794 | |||
| 795 | seq = send ? s->s3->write_sequence : s->s3->read_sequence; | ||
| 796 | |||
| 797 | if (SSL_IS_DTLS(s)) { | ||
| 798 | unsigned char dtlsseq[9], *p = dtlsseq; | ||
| 799 | |||
| 800 | s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); | ||
| 801 | memcpy(p, &seq[2], 6); | ||
| 802 | memcpy(ad, dtlsseq, 8); | ||
| 803 | } else { | ||
| 804 | memcpy(ad, seq, SSL3_SEQUENCE_SIZE); | ||
| 805 | for (i = 7; i >= 0; i--) { | ||
| 806 | ++seq[i]; | ||
| 807 | if (seq[i] != 0) | ||
| 808 | break; | ||
| 809 | } | ||
| 810 | } | ||
| 811 | |||
| 812 | ad[8] = rec->type; | ||
| 813 | ad[9] = (unsigned char)(s->version >> 8); | ||
| 814 | ad[10] = (unsigned char)(s->version); | ||
| 815 | |||
| 816 | if (aead->fixed_nonce_len + | ||
| 817 | aead->variable_nonce_len > sizeof(nonce) || | ||
| 818 | aead->variable_nonce_len > 8) | ||
| 819 | return -1; /* internal error - should never happen. */ | ||
| 820 | |||
| 821 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | ||
| 822 | nonce_used = aead->fixed_nonce_len; | ||
| 823 | |||
| 824 | if (send) { | ||
| 825 | size_t len = rec->length; | ||
| 826 | size_t eivlen = 0; | ||
| 827 | in = rec->input; | ||
| 828 | out = rec->data; | ||
| 829 | |||
| 830 | /* | ||
| 831 | * When sending we use the sequence number as the | ||
| 832 | * variable part of the nonce. | ||
| 833 | */ | ||
| 834 | if (aead->variable_nonce_len > 8) | ||
| 835 | return -1; | ||
| 836 | memcpy(nonce + nonce_used, ad, | ||
| 837 | aead->variable_nonce_len); | ||
| 838 | nonce_used += aead->variable_nonce_len; | ||
| 839 | |||
| 840 | /* | ||
| 841 | * In do_ssl3_write, rec->input is moved forward by | ||
| 842 | * variable_nonce_len in order to leave space for the | ||
| 843 | * variable nonce. Thus we can copy the sequence number | ||
| 844 | * bytes into place without overwriting any of the | ||
| 845 | * plaintext. | ||
| 846 | */ | ||
| 847 | if (aead->variable_nonce_in_record) { | ||
| 848 | memcpy(out, ad, aead->variable_nonce_len); | ||
| 849 | len -= aead->variable_nonce_len; | ||
| 850 | eivlen = aead->variable_nonce_len; | ||
| 851 | } | ||
| 852 | |||
| 853 | ad[11] = len >> 8; | ||
| 854 | ad[12] = len & 0xff; | ||
| 855 | |||
| 856 | if (!EVP_AEAD_CTX_seal(&aead->ctx, | ||
| 857 | out + eivlen, &n, len + aead->tag_len, nonce, | ||
| 858 | nonce_used, in + eivlen, len, ad, sizeof(ad))) | ||
| 859 | return -1; | ||
| 860 | if (n >= 0 && aead->variable_nonce_in_record) | ||
| 861 | n += aead->variable_nonce_len; | ||
| 862 | } else { | ||
| 863 | /* receive */ | ||
| 864 | size_t len = rec->length; | ||
| 865 | |||
| 866 | if (rec->data != rec->input) | ||
| 867 | return -1; /* internal error - should never happen. */ | ||
| 868 | out = in = rec->input; | ||
| 869 | |||
| 870 | if (len < aead->variable_nonce_len) | ||
| 871 | return 0; | ||
| 872 | memcpy(nonce + nonce_used, | ||
| 873 | aead->variable_nonce_in_record ? in : ad, | ||
| 874 | aead->variable_nonce_len); | ||
| 875 | nonce_used += aead->variable_nonce_len; | ||
| 876 | |||
| 877 | if (aead->variable_nonce_in_record) { | ||
| 878 | in += aead->variable_nonce_len; | ||
| 879 | len -= aead->variable_nonce_len; | ||
| 880 | out += aead->variable_nonce_len; | ||
| 881 | } | ||
| 882 | |||
| 883 | if (len < aead->tag_len) | ||
| 884 | return 0; | ||
| 885 | len -= aead->tag_len; | ||
| 886 | |||
| 887 | ad[11] = len >> 8; | ||
| 888 | ad[12] = len & 0xff; | ||
| 889 | |||
| 890 | if (!EVP_AEAD_CTX_open(&aead->ctx, out, &n, len, nonce, | ||
| 891 | nonce_used, in, len + aead->tag_len, ad, | ||
| 892 | sizeof(ad))) | ||
| 893 | return -1; | ||
| 894 | |||
| 895 | rec->data = rec->input = out; | ||
| 896 | } | ||
| 897 | |||
| 898 | if (n == -1) | ||
| 899 | return -1; | ||
| 900 | rec->length = n; | ||
| 901 | |||
| 902 | return 1; | ||
| 903 | } | ||
| 692 | 904 | ||
| 693 | if (send) { | 905 | if (send) { |
| 694 | if (EVP_MD_CTX_md(s->write_hash)) { | 906 | if (EVP_MD_CTX_md(s->write_hash)) { |
| @@ -730,7 +942,6 @@ tls1_enc(SSL *s, int send) | |||
| 730 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | 942 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); |
| 731 | } | 943 | } |
| 732 | 944 | ||
| 733 | |||
| 734 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { | 945 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { |
| 735 | memmove(rec->data, rec->input, rec->length); | 946 | memmove(rec->data, rec->input, rec->length); |
| 736 | rec->input = rec->data; | 947 | rec->input = rec->data; |