Absorb SSL_AEAD_CTX into struct tls12_record_protection.

The information contained in SSL_AEAD_CTX really belongs in the tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate types in the process. ok tb@
author: jsing <> 2021-05-16 15:49:01 +0000
committer: jsing <> 2021-05-16 15:49:01 +0000
commit: eef926460e6a49b0ac6ee67d92f67e11322475c4 (patch)
tree: f2a5491f2301663b615a3ac1744e04873ae10d47 /src/lib
parent: 34ba909d21cc043894c180999c343ac8a837281e (diff)
download: openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.tar.gz
openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.tar.bz2
openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.zip
3 files changed, 63 insertions, 73 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 571143040c..f8360e5fe3 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.190 2021/05/10 17:10:57 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.191 2021/05/16 15:49:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -614,8 +614,10 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+#ifndef LIBRESSL_INTERNAL
 struct ssl_aead_ctx_st;
 typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
+#endif
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2e324e5d31..df115725a0 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.346 2021/05/16 13:56:31 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.347 2021/05/16 15:49:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1047,28 +1047,6 @@ typedef struct sess_cert_st {
 #define TLSV1_3_ENC_FLAGS       (SSL_ENC_FLAG_SIGALGS           | \
                                 SSL_ENC_FLAG_TLS1_3_CIPHERS)
-/*
- * ssl_aead_ctx_st contains information about an AEAD that is being used to
- * encrypt an SSL connection.
- */
-struct ssl_aead_ctx_st {
-        EVP_AEAD_CTX ctx;
-        /*
-         * fixed_nonce contains any bytes of the nonce that are fixed for all
-         * records.
-         */
-        unsigned char fixed_nonce[12];
-        unsigned char fixed_nonce_len;
-        unsigned char variable_nonce_len;
-        unsigned char xor_fixed_nonce;
-        unsigned char tag_len;
-        /*
-         * variable_nonce_in_record is non-zero if the variable nonce
-         * for a record is included as a prefix before the ciphertext.
-         */
-        char variable_nonce_in_record;
-};
 extern const SSL_CIPHER ssl3_ciphers[];
 const char *ssl_version_string(int ver);
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 82a14f7147..06d1af9def 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.29 2021/05/16 15:21:10 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.30 2021/05/16 15:49:01 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -22,13 +22,23 @@
 #include "ssl_locl.h"
-#define TLS12_RECORD_SEQ_NUM_LEN 8
+#define TLS12_RECORD_SEQ_NUM_LEN        8
+#define TLS12_AEAD_FIXED_NONCE_MAX_LEN  12
 struct tls12_record_protection {
        uint16_t epoch;
        uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN];
-        SSL_AEAD_CTX *aead_ctx;
+        EVP_AEAD_CTX *aead_ctx;
+        uint8_t *aead_fixed_nonce;
+        size_t aead_fixed_nonce_len;
+        size_t aead_variable_nonce_len;
+        size_t aead_tag_len;
+        int aead_xor_nonces;
+        int aead_variable_nonce_in_record;
        EVP_CIPHER_CTX *cipher_ctx;
        EVP_MD_CTX *hash_ctx;
@@ -49,10 +59,12 @@ static void
 tls12_record_protection_clear(struct tls12_record_protection *rp)
 {
        if (rp->aead_ctx != NULL) {
-                EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx);
+                EVP_AEAD_CTX_cleanup(rp->aead_ctx);
                freezero(rp->aead_ctx, sizeof(*rp->aead_ctx));
        }
+        freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len);
        EVP_CIPHER_CTX_free(rp->cipher_ctx);
        EVP_MD_CTX_free(rp->hash_ctx);
@@ -218,7 +230,7 @@ tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
        *overhead = 0;
        if (rl->write->aead_ctx != NULL) {
-                *overhead = rl->write->aead_ctx->tag_len;
+                *overhead = rl->write->aead_tag_len;
        } else if (rl->write->cipher_ctx != NULL) {
                eiv_len = 0;
                if (rl->version != TLS1_VERSION) {
@@ -395,7 +407,7 @@ tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
    struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key,
    CBS *iv)
 {
-        size_t aead_nonce_len, fixed_nonce_len;
+        size_t aead_nonce_len;
        if (!tls12_record_protection_unused(rp))
                return 0;
@@ -406,36 +418,34 @@ tls12_record_layer_ccs_aead(struct tls12_record_layer *rl,
        /* AES GCM cipher suites use variable nonce in record. */
        if (rl->aead == EVP_aead_aes_128_gcm() ||
            rl->aead == EVP_aead_aes_256_gcm())
-                rp->aead_ctx->variable_nonce_in_record = 1;
+                rp->aead_variable_nonce_in_record = 1;
        /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */
        if (rl->aead == EVP_aead_chacha20_poly1305())
-                rp->aead_ctx->xor_fixed_nonce = 1;
+                rp->aead_xor_nonces = 1;
-        if (!CBS_write_bytes(iv, rp->aead_ctx->fixed_nonce,
+        if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len))
-            sizeof(rp->aead_ctx->fixed_nonce), &fixed_nonce_len))
                return 0;
-        rp->aead_ctx->fixed_nonce_len = fixed_nonce_len;
+        rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead);
-        rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead);
+        rp->aead_variable_nonce_len = 8;
-        rp->aead_ctx->variable_nonce_len = 8;
        aead_nonce_len = EVP_AEAD_nonce_length(rl->aead);
-        if (rp->aead_ctx->xor_fixed_nonce) {
+        if (rp->aead_xor_nonces) {
                /* Fixed nonce length must match, variable must not exceed. */
-                if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len)
+                if (rp->aead_fixed_nonce_len != aead_nonce_len)
                        return 0;
-                if (rp->aead_ctx->variable_nonce_len > aead_nonce_len)
+                if (rp->aead_variable_nonce_len > aead_nonce_len)
                        return 0;
        } else {
                /* Concatenated nonce length must equal AEAD nonce length. */
-                if (rp->aead_ctx->fixed_nonce_len +
+                if (rp->aead_fixed_nonce_len +
-                    rp->aead_ctx->variable_nonce_len != aead_nonce_len)
+                    rp->aead_variable_nonce_len != aead_nonce_len)
                        return 0;
        }
-        if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, CBS_data(key),
+        if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key),
            CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
                return 0;
@@ -770,21 +780,21 @@ tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb,
 static int
 tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
-    const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
+    struct tls12_record_protection *rp, const uint8_t *seq_num,
    uint8_t **out, size_t *out_len)
 {
        CBB cbb;
-        if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE)
+        if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE)
                return 0;
        /* Fixed nonce and variable nonce (sequence number) are concatenated. */
        if (!CBB_init(&cbb, 16))
                goto err;
-        if (!CBB_add_bytes(&cbb, aead->fixed_nonce,
+        if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce,
-            aead->fixed_nonce_len))
+            rp->aead_fixed_nonce_len))
                goto err;
-        if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len))
+        if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len))
                goto err;
        if (!CBB_finish(&cbb, out, out_len))
                goto err;
@@ -799,7 +809,7 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl,
 static int
 tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
-    const SSL_AEAD_CTX *aead, const uint8_t *seq_num,
+    struct tls12_record_protection *rp, const uint8_t *seq_num,
    uint8_t **out, size_t *out_len)
 {
        uint8_t *nonce = NULL;
@@ -808,9 +818,9 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
        CBB cbb;
        int i;
-        if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE)
+        if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE)
                return 0;
-        if (aead->fixed_nonce_len < aead->variable_nonce_len)
+        if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len)
                return 0;
        /*
@@ -820,15 +830,15 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl,
        if (!CBB_init(&cbb, 16))
                goto err;
        if (!CBB_add_space(&cbb, &pad,
-            aead->fixed_nonce_len - aead->variable_nonce_len))
+            rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len))
                goto err;
-        if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len))
+        if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len))
                goto err;
        if (!CBB_finish(&cbb, &nonce, &nonce_len))
                goto err;
-        for (i = 0; i < aead->fixed_nonce_len; i++)
+        for (i = 0; i < rp->aead_fixed_nonce_len; i++)
-                nonce[i] ^= aead->fixed_nonce[i];
+                nonce[i] ^= rp->aead_fixed_nonce[i];
        *out = nonce;
        *out_len = nonce_len;
@@ -861,7 +871,7 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
    uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out,
    size_t *out_len)
 {
-        const SSL_AEAD_CTX *aead = rl->read->aead_ctx;
+        struct tls12_record_protection *rp = rl->read;
        uint8_t *header = NULL, *nonce = NULL;
        size_t header_len = 0, nonce_len = 0;
        uint8_t *plain;
@@ -870,25 +880,25 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
        int ret = 0;
        /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */
-        if (aead->xor_fixed_nonce) {
+        if (rp->aead_xor_nonces) {
-                if (!tls12_record_layer_aead_xored_nonce(rl, aead,
+                if (!tls12_record_layer_aead_xored_nonce(rl, rp,
                    CBS_data(seq_num), &nonce, &nonce_len))
                        goto err;
-        } else if (aead->variable_nonce_in_record) {
+        } else if (rp->aead_variable_nonce_in_record) {
                if (!CBS_get_bytes(fragment, &var_nonce,
-                    aead->variable_nonce_len))
+                    rp->aead_variable_nonce_len))
                        goto err;
-                if (!tls12_record_layer_aead_concat_nonce(rl, aead,
+                if (!tls12_record_layer_aead_concat_nonce(rl, rp,
                    CBS_data(&var_nonce), &nonce, &nonce_len))
                        goto err;
        } else {
-                if (!tls12_record_layer_aead_concat_nonce(rl, aead,
+                if (!tls12_record_layer_aead_concat_nonce(rl, rp,
                    CBS_data(seq_num), &nonce, &nonce_len))
                        goto err;
        }
        /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
-        if (CBS_len(fragment) < aead->tag_len) {
+        if (CBS_len(fragment) < rp->aead_tag_len) {
                rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
                goto err;
        }
@@ -899,13 +909,13 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl,
        /* XXX - decrypt/process in place for now. */
        plain = (uint8_t *)CBS_data(fragment);
-        plain_len = CBS_len(fragment) - aead->tag_len;
+        plain_len = CBS_len(fragment) - rp->aead_tag_len;
        if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len,
            seq_num, &header, &header_len))
                goto err;
-        if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len,
+        if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len,
            nonce, nonce_len, CBS_data(fragment), CBS_len(fragment),
            header, header_len)) {
                rl->alert_desc = SSL_AD_BAD_RECORD_MAC;
@@ -1125,7 +1135,7 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
    uint8_t content_type, CBS *seq_num, const uint8_t *content,
    size_t content_len, CBB *out)
 {
-        const SSL_AEAD_CTX *aead = rl->write->aead_ctx;
+        struct tls12_record_protection *rp = rl->write;
        uint8_t *header = NULL, *nonce = NULL;
        size_t header_len = 0, nonce_len = 0;
        size_t enc_record_len, out_len;
@@ -1133,20 +1143,20 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
        int ret = 0;
        /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */
-        if (aead->xor_fixed_nonce) {
+        if (rp->aead_xor_nonces) {
-                if (!tls12_record_layer_aead_xored_nonce(rl, aead,
+                if (!tls12_record_layer_aead_xored_nonce(rl, rp,
                    CBS_data(seq_num), &nonce, &nonce_len))
                        goto err;
        } else {
-                if (!tls12_record_layer_aead_concat_nonce(rl, aead,
+                if (!tls12_record_layer_aead_concat_nonce(rl, rp,
                    CBS_data(seq_num), &nonce, &nonce_len))
                        goto err;
        }
-        if (aead->variable_nonce_in_record) {
+        if (rp->aead_variable_nonce_in_record) {
                /* XXX - length check? */
                if (!CBB_add_bytes(out, CBS_data(seq_num),
-                    aead->variable_nonce_len))
+                    rp->aead_variable_nonce_len))
                        goto err;
        }
@@ -1155,13 +1165,13 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl,
                goto err;
        /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */
-        enc_record_len = content_len + aead->tag_len;
+        enc_record_len = content_len + rp->aead_tag_len;
        if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                goto err;
        if (!CBB_add_space(out, &enc_data, enc_record_len))
                goto err;
-        if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len,
+        if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len,
            nonce, nonce_len, content, content_len, header, header_len))
                goto err;
author	jsing <>	2021-05-16 15:49:01 +0000
committer	jsing <>	2021-05-16 15:49:01 +0000
commit	eef926460e6a49b0ac6ee67d92f67e11322475c4 (patch)
tree	f2a5491f2301663b615a3ac1744e04873ae10d47 /src/lib
parent	34ba909d21cc043894c180999c343ac8a837281e (diff)
download	openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.tar.gz openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.tar.bz2 openbsd-eef926460e6a49b0ac6ee67d92f67e11322475c4.zip