Add special AES-GCM AEAD for TLS 1.3.
This change adds an AES-GCM AEAD that enforces nonce uniqueness inside
the FIPS module, like we have for TLS 1.2. While TLS 1.3 has not yet
been mentioned in the FIPS 140 IG, we expect it to be in the next ~12
months and so are preparing for that.
Change-Id: I65a7d8196b08dc0033bdde5c844a73059da13d9e
Reviewed-on: https://boringssl-review.googlesource.com/29224
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 8536f89..fdc1d2c 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -578,15 +578,26 @@
*out_fixed_iv_len = 0;
const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
+ const int is_tls13 = version == TLS1_3_VERSION && !is_dtls;
if (cipher->algorithm_mac == SSL_AEAD) {
if (cipher->algorithm_enc == SSL_AES128GCM) {
- *out_aead =
- is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
+ if (is_tls12) {
+ *out_aead = EVP_aead_aes_128_gcm_tls12();
+ } else if (is_tls13) {
+ *out_aead = EVP_aead_aes_128_gcm_tls13();
+ } else {
+ *out_aead = EVP_aead_aes_128_gcm();
+ }
*out_fixed_iv_len = 4;
} else if (cipher->algorithm_enc == SSL_AES256GCM) {
- *out_aead =
- is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
+ if (is_tls12) {
+ *out_aead = EVP_aead_aes_256_gcm_tls12();
+ } else if (is_tls13) {
+ *out_aead = EVP_aead_aes_256_gcm_tls13();
+ } else {
+ *out_aead = EVP_aead_aes_256_gcm();
+ }
*out_fixed_iv_len = 4;
} else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
*out_aead = EVP_aead_chacha20_poly1305();
