author | jsing <> | 2021-05-16 15:49:01 +0000 |
---|---|---|
committer | jsing <> | 2021-05-16 15:49:01 +0000 |
commit | 53116d353f285078396d1b6ecfcab1adc7fc65fb (patch) | |
tree | f2a5491f2301663b615a3ac1744e04873ae10d47 /src/lib | |
parent | b956c8af241e4753537f76407af2e8b3afabd2f6 (diff) | |
Absorb SSL_AEAD_CTX into struct tls12_record_protection.
The information contained in SSL_AEAD_CTX really belongs in the
tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate
types in the process.
ok tb@
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/libssl/ssl.h | 4 | ||||
-rw-r--r-- | src/lib/libssl/ssl_locl.h | 24 | ||||
-rw-r--r-- | src/lib/libssl/tls12_record_layer.c | 108 |
3 files changed, 63 insertions, 73 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 571143040c..f8360e5fe3 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssl.h,v 1.190 2021/05/10 17:10:57 tb Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.191 2021/05/16 15:49:01 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -614,8 +614,10 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, | |||
614 | #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) | 614 | #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) |
615 | #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) | 615 | #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) |
616 | 616 | ||
617 | #ifndef LIBRESSL_INTERNAL | ||
617 | struct ssl_aead_ctx_st; | 618 | struct ssl_aead_ctx_st; |
618 | typedef struct ssl_aead_ctx_st SSL_AEAD_CTX; | 619 | typedef struct ssl_aead_ctx_st SSL_AEAD_CTX; |
620 | #endif | ||
619 | 621 | ||
620 | #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ | 622 | #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ |
621 | 623 | ||
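Review bot: The `#ifndef LIBRESSL_INTERNAL` guard added around `struct ssl_aead_ctx_st;` and the `SSL_AEAD_CTX` typedef has no comment explaining why the names stay in the public header. After this commit the struct has no definition in any section shown, so outside the library the typedef can only name an incomplete type. A one-line comment above the guard would record the intent, for example `/* Kept for external source compatibility; struct ssl_aead_ctx_st is no longer defined. */`. The compatibility motive is inferred from the guard and should be confirmed by the author.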
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 2e324e5d31..df115725a0 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssl_locl.h,v 1.346 2021/05/16 13:56:31 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.347 2021/05/16 15:49:01 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -1047,28 +1047,6 @@ typedef struct sess_cert_st { | |||
1047 | #define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ | 1047 | #define TLSV1_3_ENC_FLAGS (SSL_ENC_FLAG_SIGALGS | \ |
1048 | SSL_ENC_FLAG_TLS1_3_CIPHERS) | 1048 | SSL_ENC_FLAG_TLS1_3_CIPHERS) |
1049 | 1049 | ||
1050 | /* | ||
1051 | * ssl_aead_ctx_st contains information about an AEAD that is being used to | ||
1052 | * encrypt an SSL connection. | ||
1053 | */ | ||
1054 | struct ssl_aead_ctx_st { | ||
1055 | EVP_AEAD_CTX ctx; | ||
1056 | /* | ||
1057 | * fixed_nonce contains any bytes of the nonce that are fixed for all | ||
1058 | * records. | ||
1059 | */ | ||
1060 | unsigned char fixed_nonce[12]; | ||
1061 | unsigned char fixed_nonce_len; | ||
1062 | unsigned char variable_nonce_len; | ||
1063 | unsigned char xor_fixed_nonce; | ||
1064 | unsigned char tag_len; | ||
1065 | /* | ||
1066 | * variable_nonce_in_record is non-zero if the variable nonce | ||
1067 | * for a record is included as a prefix before the ciphertext. | ||
1068 | */ | ||
1069 | char variable_nonce_in_record; | ||
1070 | }; | ||
1071 | |||
1072 | extern const SSL_CIPHER ssl3_ciphers[]; | 1050 | extern const SSL_CIPHER ssl3_ciphers[]; |
1073 | 1051 | ||
1074 | const char *ssl_version_string(int ver); | 1052 | const char *ssl_version_string(int ver); |
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index 82a14f7147..06d1af9def 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tls12_record_layer.c,v 1.29 2021/05/16 15:21:10 jsing Exp $ */ | 1 | /* $OpenBSD: tls12_record_layer.c,v 1.30 2021/05/16 15:49:01 jsing Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2020 Joel Sing <jsing@openbsd.org> |
4 | * | 4 | * |
@@ -22,13 +22,23 @@ | |||
22 | 22 | ||
23 | #include "ssl_locl.h" | 23 | #include "ssl_locl.h" |
24 | 24 | ||
25 | #define TLS12_RECORD_SEQ_NUM_LEN 8 | 25 | #define TLS12_RECORD_SEQ_NUM_LEN 8 |
26 | #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 | ||
26 | 27 | ||
27 | struct tls12_record_protection { | 28 | struct tls12_record_protection { |
28 | uint16_t epoch; | 29 | uint16_t epoch; |
29 | uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; | 30 | uint8_t seq_num[TLS12_RECORD_SEQ_NUM_LEN]; |
30 | 31 | ||
31 | SSL_AEAD_CTX *aead_ctx; | 32 | EVP_AEAD_CTX *aead_ctx; |
33 | |||
34 | uint8_t *aead_fixed_nonce; | ||
35 | size_t aead_fixed_nonce_len; | ||
36 | |||
37 | size_t aead_variable_nonce_len; | ||
38 | size_t aead_tag_len; | ||
39 | |||
40 | int aead_xor_nonces; | ||
41 | int aead_variable_nonce_in_record; | ||
32 | 42 | ||
33 | EVP_CIPHER_CTX *cipher_ctx; | 43 | EVP_CIPHER_CTX *cipher_ctx; |
34 | EVP_MD_CTX *hash_ctx; | 44 | EVP_MD_CTX *hash_ctx; |
@@ -49,10 +59,12 @@ static void | |||
49 | tls12_record_protection_clear(struct tls12_record_protection *rp) | 59 | tls12_record_protection_clear(struct tls12_record_protection *rp) |
50 | { | 60 | { |
51 | if (rp->aead_ctx != NULL) { | 61 | if (rp->aead_ctx != NULL) { |
52 | EVP_AEAD_CTX_cleanup(&rp->aead_ctx->ctx); | 62 | EVP_AEAD_CTX_cleanup(rp->aead_ctx); |
53 | freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); | 63 | freezero(rp->aead_ctx, sizeof(*rp->aead_ctx)); |
54 | } | 64 | } |
55 | 65 | ||
66 | freezero(rp->aead_fixed_nonce, rp->aead_fixed_nonce_len); | ||
67 | |||
56 | EVP_CIPHER_CTX_free(rp->cipher_ctx); | 68 | EVP_CIPHER_CTX_free(rp->cipher_ctx); |
57 | EVP_MD_CTX_free(rp->hash_ctx); | 69 | EVP_MD_CTX_free(rp->hash_ctx); |
58 | 70 | ||
@@ -218,7 +230,7 @@ tls12_record_layer_write_overhead(struct tls12_record_layer *rl, | |||
218 | *overhead = 0; | 230 | *overhead = 0; |
219 | 231 | ||
220 | if (rl->write->aead_ctx != NULL) { | 232 | if (rl->write->aead_ctx != NULL) { |
221 | *overhead = rl->write->aead_ctx->tag_len; | 233 | *overhead = rl->write->aead_tag_len; |
222 | } else if (rl->write->cipher_ctx != NULL) { | 234 | } else if (rl->write->cipher_ctx != NULL) { |
223 | eiv_len = 0; | 235 | eiv_len = 0; |
224 | if (rl->version != TLS1_VERSION) { | 236 | if (rl->version != TLS1_VERSION) { |
@@ -395,7 +407,7 @@ tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, | |||
395 | struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, | 407 | struct tls12_record_protection *rp, int is_write, CBS *mac_key, CBS *key, |
396 | CBS *iv) | 408 | CBS *iv) |
397 | { | 409 | { |
398 | size_t aead_nonce_len, fixed_nonce_len; | 410 | size_t aead_nonce_len; |
399 | 411 | ||
400 | if (!tls12_record_protection_unused(rp)) | 412 | if (!tls12_record_protection_unused(rp)) |
401 | return 0; | 413 | return 0; |
@@ -406,36 +418,34 @@ tls12_record_layer_ccs_aead(struct tls12_record_layer *rl, | |||
406 | /* AES GCM cipher suites use variable nonce in record. */ | 418 | /* AES GCM cipher suites use variable nonce in record. */ |
407 | if (rl->aead == EVP_aead_aes_128_gcm() || | 419 | if (rl->aead == EVP_aead_aes_128_gcm() || |
408 | rl->aead == EVP_aead_aes_256_gcm()) | 420 | rl->aead == EVP_aead_aes_256_gcm()) |
409 | rp->aead_ctx->variable_nonce_in_record = 1; | 421 | rp->aead_variable_nonce_in_record = 1; |
410 | 422 | ||
411 | /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ | 423 | /* ChaCha20 Poly1305 XORs the fixed and variable nonces. */ |
412 | if (rl->aead == EVP_aead_chacha20_poly1305()) | 424 | if (rl->aead == EVP_aead_chacha20_poly1305()) |
413 | rp->aead_ctx->xor_fixed_nonce = 1; | 425 | rp->aead_xor_nonces = 1; |
414 | 426 | ||
415 | if (!CBS_write_bytes(iv, rp->aead_ctx->fixed_nonce, | 427 | if (!CBS_stow(iv, &rp->aead_fixed_nonce, &rp->aead_fixed_nonce_len)) |
416 | sizeof(rp->aead_ctx->fixed_nonce), &fixed_nonce_len)) | ||
417 | return 0; | 428 | return 0; |
418 | 429 | ||
419 | rp->aead_ctx->fixed_nonce_len = fixed_nonce_len; | 430 | rp->aead_tag_len = EVP_AEAD_max_overhead(rl->aead); |
420 | rp->aead_ctx->tag_len = EVP_AEAD_max_overhead(rl->aead); | 431 | rp->aead_variable_nonce_len = 8; |
421 | rp->aead_ctx->variable_nonce_len = 8; | ||
422 | 432 | ||
423 | aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); | 433 | aead_nonce_len = EVP_AEAD_nonce_length(rl->aead); |
424 | 434 | ||
425 | if (rp->aead_ctx->xor_fixed_nonce) { | 435 | if (rp->aead_xor_nonces) { |
426 | /* Fixed nonce length must match, variable must not exceed. */ | 436 | /* Fixed nonce length must match, variable must not exceed. */ |
427 | if (rp->aead_ctx->fixed_nonce_len != aead_nonce_len) | 437 | if (rp->aead_fixed_nonce_len != aead_nonce_len) |
428 | return 0; | 438 | return 0; |
429 | if (rp->aead_ctx->variable_nonce_len > aead_nonce_len) | 439 | if (rp->aead_variable_nonce_len > aead_nonce_len) |
430 | return 0; | 440 | return 0; |
431 | } else { | 441 | } else { |
432 | /* Concatenated nonce length must equal AEAD nonce length. */ | 442 | /* Concatenated nonce length must equal AEAD nonce length. */ |
433 | if (rp->aead_ctx->fixed_nonce_len + | 443 | if (rp->aead_fixed_nonce_len + |
434 | rp->aead_ctx->variable_nonce_len != aead_nonce_len) | 444 | rp->aead_variable_nonce_len != aead_nonce_len) |
435 | return 0; | 445 | return 0; |
436 | } | 446 | } |
437 | 447 | ||
438 | if (!EVP_AEAD_CTX_init(&rp->aead_ctx->ctx, rl->aead, CBS_data(key), | 448 | if (!EVP_AEAD_CTX_init(rp->aead_ctx, rl->aead, CBS_data(key), |
439 | CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) | 449 | CBS_len(key), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) |
440 | return 0; | 450 | return 0; |
441 | 451 | ||
@@ -770,21 +780,21 @@ tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, | |||
770 | 780 | ||
771 | static int | 781 | static int |
772 | tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, | 782 | tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, |
773 | const SSL_AEAD_CTX *aead, const uint8_t *seq_num, | 783 | struct tls12_record_protection *rp, const uint8_t *seq_num, |
774 | uint8_t **out, size_t *out_len) | 784 | uint8_t **out, size_t *out_len) |
775 | { | 785 | { |
776 | CBB cbb; | 786 | CBB cbb; |
777 | 787 | ||
778 | if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) | 788 | if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE) |
779 | return 0; | 789 | return 0; |
780 | 790 | ||
781 | /* Fixed nonce and variable nonce (sequence number) are concatenated. */ | 791 | /* Fixed nonce and variable nonce (sequence number) are concatenated. */ |
782 | if (!CBB_init(&cbb, 16)) | 792 | if (!CBB_init(&cbb, 16)) |
783 | goto err; | 793 | goto err; |
784 | if (!CBB_add_bytes(&cbb, aead->fixed_nonce, | 794 | if (!CBB_add_bytes(&cbb, rp->aead_fixed_nonce, |
785 | aead->fixed_nonce_len)) | 795 | rp->aead_fixed_nonce_len)) |
786 | goto err; | 796 | goto err; |
787 | if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) | 797 | if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len)) |
788 | goto err; | 798 | goto err; |
789 | if (!CBB_finish(&cbb, out, out_len)) | 799 | if (!CBB_finish(&cbb, out, out_len)) |
790 | goto err; | 800 | goto err; |
@@ -799,7 +809,7 @@ tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, | |||
799 | 809 | ||
800 | static int | 810 | static int |
801 | tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | 811 | tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, |
802 | const SSL_AEAD_CTX *aead, const uint8_t *seq_num, | 812 | struct tls12_record_protection *rp, const uint8_t *seq_num, |
803 | uint8_t **out, size_t *out_len) | 813 | uint8_t **out, size_t *out_len) |
804 | { | 814 | { |
805 | uint8_t *nonce = NULL; | 815 | uint8_t *nonce = NULL; |
@@ -808,9 +818,9 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | |||
808 | CBB cbb; | 818 | CBB cbb; |
809 | int i; | 819 | int i; |
810 | 820 | ||
811 | if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) | 821 | if (rp->aead_variable_nonce_len > SSL3_SEQUENCE_SIZE) |
812 | return 0; | 822 | return 0; |
813 | if (aead->fixed_nonce_len < aead->variable_nonce_len) | 823 | if (rp->aead_fixed_nonce_len < rp->aead_variable_nonce_len) |
814 | return 0; | 824 | return 0; |
815 | 825 | ||
816 | /* | 826 | /* |
@@ -820,15 +830,15 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, | |||
820 | if (!CBB_init(&cbb, 16)) | 830 | if (!CBB_init(&cbb, 16)) |
821 | goto err; | 831 | goto err; |
822 | if (!CBB_add_space(&cbb, &pad, | 832 | if (!CBB_add_space(&cbb, &pad, |
823 | aead->fixed_nonce_len - aead->variable_nonce_len)) | 833 | rp->aead_fixed_nonce_len - rp->aead_variable_nonce_len)) |
824 | goto err; | 834 | goto err; |
825 | if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) | 835 | if (!CBB_add_bytes(&cbb, seq_num, rp->aead_variable_nonce_len)) |
826 | goto err; | 836 | goto err; |
827 | if (!CBB_finish(&cbb, &nonce, &nonce_len)) | 837 | if (!CBB_finish(&cbb, &nonce, &nonce_len)) |
828 | goto err; | 838 | goto err; |
829 | 839 | ||
830 | for (i = 0; i < aead->fixed_nonce_len; i++) | 840 | for (i = 0; i < rp->aead_fixed_nonce_len; i++) |
831 | nonce[i] ^= aead->fixed_nonce[i]; | 841 | nonce[i] ^= rp->aead_fixed_nonce[i]; |
832 | 842 | ||
833 | *out = nonce; | 843 | *out = nonce; |
834 | *out_len = nonce_len; | 844 | *out_len = nonce_len; |
@@ -861,7 +871,7 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
861 | uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, | 871 | uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, |
862 | size_t *out_len) | 872 | size_t *out_len) |
863 | { | 873 | { |
864 | const SSL_AEAD_CTX *aead = rl->read->aead_ctx; | 874 | struct tls12_record_protection *rp = rl->read; |
865 | uint8_t *header = NULL, *nonce = NULL; | 875 | uint8_t *header = NULL, *nonce = NULL; |
866 | size_t header_len = 0, nonce_len = 0; | 876 | size_t header_len = 0, nonce_len = 0; |
867 | uint8_t *plain; | 877 | uint8_t *plain; |
@@ -870,25 +880,25 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
870 | int ret = 0; | 880 | int ret = 0; |
871 | 881 | ||
872 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 882 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
873 | if (aead->xor_fixed_nonce) { | 883 | if (rp->aead_xor_nonces) { |
874 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, | 884 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, |
875 | CBS_data(seq_num), &nonce, &nonce_len)) | 885 | CBS_data(seq_num), &nonce, &nonce_len)) |
876 | goto err; | 886 | goto err; |
877 | } else if (aead->variable_nonce_in_record) { | 887 | } else if (rp->aead_variable_nonce_in_record) { |
878 | if (!CBS_get_bytes(fragment, &var_nonce, | 888 | if (!CBS_get_bytes(fragment, &var_nonce, |
879 | aead->variable_nonce_len)) | 889 | rp->aead_variable_nonce_len)) |
880 | goto err; | 890 | goto err; |
881 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, | 891 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
882 | CBS_data(&var_nonce), &nonce, &nonce_len)) | 892 | CBS_data(&var_nonce), &nonce, &nonce_len)) |
883 | goto err; | 893 | goto err; |
884 | } else { | 894 | } else { |
885 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, | 895 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
886 | CBS_data(seq_num), &nonce, &nonce_len)) | 896 | CBS_data(seq_num), &nonce, &nonce_len)) |
887 | goto err; | 897 | goto err; |
888 | } | 898 | } |
889 | 899 | ||
890 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ | 900 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ |
891 | if (CBS_len(fragment) < aead->tag_len) { | 901 | if (CBS_len(fragment) < rp->aead_tag_len) { |
892 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; | 902 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
893 | goto err; | 903 | goto err; |
894 | } | 904 | } |
@@ -899,13 +909,13 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, | |||
899 | 909 | ||
900 | /* XXX - decrypt/process in place for now. */ | 910 | /* XXX - decrypt/process in place for now. */ |
901 | plain = (uint8_t *)CBS_data(fragment); | 911 | plain = (uint8_t *)CBS_data(fragment); |
902 | plain_len = CBS_len(fragment) - aead->tag_len; | 912 | plain_len = CBS_len(fragment) - rp->aead_tag_len; |
903 | 913 | ||
904 | if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, | 914 | if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, |
905 | seq_num, &header, &header_len)) | 915 | seq_num, &header, &header_len)) |
906 | goto err; | 916 | goto err; |
907 | 917 | ||
908 | if (!EVP_AEAD_CTX_open(&aead->ctx, plain, out_len, plain_len, | 918 | if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, |
909 | nonce, nonce_len, CBS_data(fragment), CBS_len(fragment), | 919 | nonce, nonce_len, CBS_data(fragment), CBS_len(fragment), |
910 | header, header_len)) { | 920 | header, header_len)) { |
911 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; | 921 | rl->alert_desc = SSL_AD_BAD_RECORD_MAC; |
@@ -1125,7 +1135,7 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | |||
1125 | uint8_t content_type, CBS *seq_num, const uint8_t *content, | 1135 | uint8_t content_type, CBS *seq_num, const uint8_t *content, |
1126 | size_t content_len, CBB *out) | 1136 | size_t content_len, CBB *out) |
1127 | { | 1137 | { |
1128 | const SSL_AEAD_CTX *aead = rl->write->aead_ctx; | 1138 | struct tls12_record_protection *rp = rl->write; |
1129 | uint8_t *header = NULL, *nonce = NULL; | 1139 | uint8_t *header = NULL, *nonce = NULL; |
1130 | size_t header_len = 0, nonce_len = 0; | 1140 | size_t header_len = 0, nonce_len = 0; |
1131 | size_t enc_record_len, out_len; | 1141 | size_t enc_record_len, out_len; |
@@ -1133,20 +1143,20 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | |||
1133 | int ret = 0; | 1143 | int ret = 0; |
1134 | 1144 | ||
1135 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ | 1145 | /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ |
1136 | if (aead->xor_fixed_nonce) { | 1146 | if (rp->aead_xor_nonces) { |
1137 | if (!tls12_record_layer_aead_xored_nonce(rl, aead, | 1147 | if (!tls12_record_layer_aead_xored_nonce(rl, rp, |
1138 | CBS_data(seq_num), &nonce, &nonce_len)) | 1148 | CBS_data(seq_num), &nonce, &nonce_len)) |
1139 | goto err; | 1149 | goto err; |
1140 | } else { | 1150 | } else { |
1141 | if (!tls12_record_layer_aead_concat_nonce(rl, aead, | 1151 | if (!tls12_record_layer_aead_concat_nonce(rl, rp, |
1142 | CBS_data(seq_num), &nonce, &nonce_len)) | 1152 | CBS_data(seq_num), &nonce, &nonce_len)) |
1143 | goto err; | 1153 | goto err; |
1144 | } | 1154 | } |
1145 | 1155 | ||
1146 | if (aead->variable_nonce_in_record) { | 1156 | if (rp->aead_variable_nonce_in_record) { |
1147 | /* XXX - length check? */ | 1157 | /* XXX - length check? */ |
1148 | if (!CBB_add_bytes(out, CBS_data(seq_num), | 1158 | if (!CBB_add_bytes(out, CBS_data(seq_num), |
1149 | aead->variable_nonce_len)) | 1159 | rp->aead_variable_nonce_len)) |
1150 | goto err; | 1160 | goto err; |
1151 | } | 1161 | } |
1152 | 1162 | ||
@@ -1155,13 +1165,13 @@ tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, | |||
1155 | goto err; | 1165 | goto err; |
1156 | 1166 | ||
1157 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ | 1167 | /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ |
1158 | enc_record_len = content_len + aead->tag_len; | 1168 | enc_record_len = content_len + rp->aead_tag_len; |
1159 | if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) | 1169 | if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
1160 | goto err; | 1170 | goto err; |
1161 | if (!CBB_add_space(out, &enc_data, enc_record_len)) | 1171 | if (!CBB_add_space(out, &enc_data, enc_record_len)) |
1162 | goto err; | 1172 | goto err; |
1163 | 1173 | ||
1164 | if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len, | 1174 | if (!EVP_AEAD_CTX_seal(rp->aead_ctx, enc_data, &out_len, enc_record_len, |
1165 | nonce, nonce_len, content, content_len, header, header_len)) | 1175 | nonce, nonce_len, content, content_len, header, header_len)) |
1166 | goto err; | 1176 | goto err; |
1167 | 1177 | ||
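Review bot: In `tls12_record_layer_ccs_aead` the fixed nonce is now sized entirely by the `iv` CBS, because `CBS_stow()` allocates whatever length it is handed. The new `TLS12_AEAD_FIXED_NONCE_MAX_LEN` is not referenced in any hunk shown, so the explicit 12-byte cap that `sizeof(rp->aead_ctx->fixed_nonce)` used to enforce is no longer visible. The later comparisons against `EVP_AEAD_nonce_length(rl->aead)` still reject a wrong length, but only after the copy has been made. A guard before the stow, `if (CBS_len(iv) > TLS12_AEAD_FIXED_NONCE_MAX_LEN) return 0;`, would keep the bound local and give the constant a use; otherwise the define could be dropped. Separately, `tls12_record_layer_aead_xored_nonce` still declares `int i` while `rp->aead_fixed_nonce_len` is now `size_t`, so `size_t i;` would avoid the signed/unsigned comparison in the XOR loop. Both functions begin and end outside their hunks, so this rests on the visible lines only.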