Move AEAD handling into the new TLSv1.2 record layer.

ok tb@
author: jsing <> 2021-01-28 17:00:39 +0000
committer: jsing <> 2021-01-28 17:00:39 +0000
commit: a725f1fa33a05b1c6fb09538cefdc4f99001e637 (patch)
tree: 7bef75b2e33f0547bd41212a8a2355d0bd970a54 /src/lib/libssl/t1_enc.c
parent: d16bc813d87147c8edf94917bd5db436277f2e72 (diff)
download: openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.tar.gz
openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.tar.bz2
openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.zip
1 files changed, 5 insertions, 89 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a0b377389b..b84a5347f1 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.130 2021/01/26 14:22:20 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -311,90 +311,6 @@ tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
 }
 /*
- * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success
- * and 0 on failure.
- */
-static int
-tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
-{
-        if (*aead_ctx != NULL) {
-                EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
-                return (1);
-        }
-        *aead_ctx = malloc(sizeof(SSL_AEAD_CTX));
-        if (*aead_ctx == NULL) {
-                SSLerrorx(ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        return (1);
-}
-static int
-tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
-    unsigned int key_len, const unsigned char *iv, unsigned int iv_len)
-{
-        const EVP_AEAD *aead = S3I(s)->tmp.new_aead;
-        SSL_AEAD_CTX *aead_ctx;
-        /* XXX - Need to avoid clearing write state for DTLS. */
-        if (SSL_is_dtls(s))
-                return 0;
-        if (is_read) {
-                ssl_clear_cipher_read_state(s);
-                if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx))
-                        return 0;
-                aead_ctx = s->internal->aead_read_ctx;
-                if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx))
-                        return 0;
-        } else {
-                ssl_clear_cipher_write_state(s);
-                if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx))
-                        return 0;
-                aead_ctx = s->internal->aead_write_ctx;
-                if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx))
-                        return 0;
-        }
-        if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
-            EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
-                return (0);
-        if (iv_len > sizeof(aead_ctx->fixed_nonce)) {
-                SSLerrorx(ERR_R_INTERNAL_ERROR);
-                return (0);
-        }
-        memcpy(aead_ctx->fixed_nonce, iv, iv_len);
-        aead_ctx->fixed_nonce_len = iv_len;
-        aead_ctx->variable_nonce_len = 8;  /* always the case, currently. */
-        aead_ctx->variable_nonce_in_record =
-            (S3I(s)->hs.new_cipher->algorithm2 &
-            SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
-        aead_ctx->xor_fixed_nonce =
-            S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
-        aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
-        if (aead_ctx->xor_fixed_nonce) {
-                if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
-                    aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
-                        SSLerrorx(ERR_R_INTERNAL_ERROR);
-                        return (0);
-                }
-        } else {
-                if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
-                    EVP_AEAD_nonce_length(aead)) {
-                        SSLerrorx(ERR_R_INTERNAL_ERROR);
-                        return (0);
-                }
-        }
-        return (1);
-}
-/*
 * tls1_change_cipher_state_cipher performs the work needed to switch cipher
 * states when using EVP_CIPHER. The argument is_read is true iff this function
 * is being called due to reading, as opposed to writing, a ChangeCipherSpec
@@ -566,10 +482,8 @@ tls1_change_cipher_state(SSL *s, int which)
                        goto err;
        }
-        if (aead != NULL) {
+        if (aead != NULL)
-                return tls1_change_cipher_state_aead(s, is_read, key, key_len,
+                return 1;
-                    iv, iv_len);
-        }
        return tls1_change_cipher_state_cipher(s, is_read,
            mac_secret, mac_secret_size, key, key_len, iv, iv_len);
@@ -617,6 +531,8 @@ tls1_setup_key_block(SSL *s)
        S3I(s)->tmp.new_mac_pkey_type = mac_type;
        S3I(s)->tmp.new_mac_secret_size = mac_secret_size;
+        tls12_record_layer_set_aead(s->internal->rl, aead);
        tls1_cleanup_key_block(s);
        if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,
author	jsing <>	2021-01-28 17:00:39 +0000
committer	jsing <>	2021-01-28 17:00:39 +0000
commit	a725f1fa33a05b1c6fb09538cefdc4f99001e637 (patch)
tree	7bef75b2e33f0547bd41212a8a2355d0bd970a54 /src/lib/libssl/t1_enc.c
parent	d16bc813d87147c8edf94917bd5db436277f2e72 (diff)
download	openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.tar.gz openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.tar.bz2 openbsd-a725f1fa33a05b1c6fb09538cefdc4f99001e637.zip

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index a0b377389b..b84a5347f1 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.130 2021/01/26 14:22:20 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.131 2021/01/28 17:00:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -311,90 +311,6 @@ tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
311	}	311	}
312		312
313	/*	313	/*
314	* tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success
315	* and 0 on failure.
316	*/
317	static int
318	tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
319	{
320	if (*aead_ctx != NULL) {
321	EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
322	return (1);
323	}
324
325	*aead_ctx = malloc(sizeof(SSL_AEAD_CTX));
326	if (*aead_ctx == NULL) {
327	SSLerrorx(ERR_R_MALLOC_FAILURE);
328	return (0);
329	}
330
331	return (1);
332	}
333
334	static int
335	tls1_change_cipher_state_aead(SSL s, char is_read, const unsigned char key,
336	unsigned int key_len, const unsigned char *iv, unsigned int iv_len)
337	{
338	const EVP_AEAD *aead = S3I(s)->tmp.new_aead;
339	SSL_AEAD_CTX *aead_ctx;
340
341	/* XXX - Need to avoid clearing write state for DTLS. */
342	if (SSL_is_dtls(s))
343	return 0;
344
345	if (is_read) {
346	ssl_clear_cipher_read_state(s);
347	if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx))
348	return 0;
349	aead_ctx = s->internal->aead_read_ctx;
350
351	if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx))
352	return 0;
353	} else {
354	ssl_clear_cipher_write_state(s);
355	if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx))
356	return 0;
357	aead_ctx = s->internal->aead_write_ctx;
358
359	if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx))
360	return 0;
361	}
362
363	if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
364	EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
365	return (0);
366	if (iv_len > sizeof(aead_ctx->fixed_nonce)) {
367	SSLerrorx(ERR_R_INTERNAL_ERROR);
368	return (0);
369	}
370	memcpy(aead_ctx->fixed_nonce, iv, iv_len);
371	aead_ctx->fixed_nonce_len = iv_len;
372	aead_ctx->variable_nonce_len = 8; /* always the case, currently. */
373	aead_ctx->variable_nonce_in_record =
374	(S3I(s)->hs.new_cipher->algorithm2 &
375	SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
376	aead_ctx->xor_fixed_nonce =
377	S3I(s)->hs.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
378	aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
379
380	if (aead_ctx->xor_fixed_nonce) {
381	if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) \|\|
382	aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
383	SSLerrorx(ERR_R_INTERNAL_ERROR);
384	return (0);
385	}
386	} else {
387	if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
388	EVP_AEAD_nonce_length(aead)) {
389	SSLerrorx(ERR_R_INTERNAL_ERROR);
390	return (0);
391	}
392	}
393
394	return (1);
395	}
396
397	/*
398	* tls1_change_cipher_state_cipher performs the work needed to switch cipher	314	* tls1_change_cipher_state_cipher performs the work needed to switch cipher
399	* states when using EVP_CIPHER. The argument is_read is true iff this function	315	* states when using EVP_CIPHER. The argument is_read is true iff this function
400	* is being called due to reading, as opposed to writing, a ChangeCipherSpec	316	* is being called due to reading, as opposed to writing, a ChangeCipherSpec
@@ -566,10 +482,8 @@ tls1_change_cipher_state(SSL *s, int which)
566	goto err;	482	goto err;
567	}	483	}
568		484
569	if (aead != NULL) {	485	if (aead != NULL)
570	return tls1_change_cipher_state_aead(s, is_read, key, key_len,	486	return 1;
571	iv, iv_len);
572	}
573		487
574	return tls1_change_cipher_state_cipher(s, is_read,	488	return tls1_change_cipher_state_cipher(s, is_read,
575	mac_secret, mac_secret_size, key, key_len, iv, iv_len);	489	mac_secret, mac_secret_size, key, key_len, iv, iv_len);
@@ -617,6 +531,8 @@ tls1_setup_key_block(SSL *s)
617	S3I(s)->tmp.new_mac_pkey_type = mac_type;	531	S3I(s)->tmp.new_mac_pkey_type = mac_type;
618	S3I(s)->tmp.new_mac_secret_size = mac_secret_size;	532	S3I(s)->tmp.new_mac_secret_size = mac_secret_size;
619		533
		534	tls12_record_layer_set_aead(s->internal->rl, aead);
		535
620	tls1_cleanup_key_block(s);	536	tls1_cleanup_key_block(s);
621		537
622	if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,	538	if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,