C++-ify SSL_AEAD_CTX.
This adds several utilities as replacements for new and delete and makes
bssl::UniquePtr work with our private types.
Later work can convert more incrementally. I did this one more
aggressively to see how it'd work. Unfortunately, in doing so, I needed
to remove the NULL SSL_AEAD_CTX "method" receiver trick to appease
clang. The null cipher is now represented by a concrete SSL_AEAD_CTX.
The long-lived references to SSL_AEAD_CTX are not yet in types with
constructors, so they still bare Delete rather than UniquePtr for now.
Though this does mean we may be able to move the sequence number into
SSLAEADContext later which is one less object for DTLS to carry around.
Bug: 132
Change-Id: I506b404addafb692055d5709b0ca6d5439a4e6be
Reviewed-on: https://boringssl-review.googlesource.com/18164
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/base.h b/include/openssl/base.h
index d67e997..37d4419 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -393,7 +393,9 @@
namespace internal {
-template <typename T>
+// The Enable parameter is ignored and only exists so specializations can use
+// SFINAE.
+template <typename T, typename Enable = void>
struct DeleterImpl {};
template <typename T>
diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc
index cc1de90..6db348a 100644
--- a/ssl/d1_both.cc
+++ b/ssl/d1_both.cc
@@ -324,9 +324,9 @@
* the unencrypted epoch (we never renegotiate). Other cases fall through and
* fail with a fatal error. */
if ((rr->type == SSL3_RT_APPLICATION_DATA &&
- ssl->s3->aead_read_ctx != NULL) ||
+ !ssl->s3->aead_read_ctx->is_null_cipher()) ||
(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC &&
- ssl->s3->aead_read_ctx == NULL)) {
+ ssl->s3->aead_read_ctx->is_null_cipher())) {
rr->length = 0;
goto start;
}
@@ -628,14 +628,14 @@
assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
- /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
- * (negotiated cipher) exist. */
- assert(ssl->d1->w_epoch == 0 || ssl->d1->w_epoch == 1);
- assert(msg->epoch <= ssl->d1->w_epoch);
enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;
- if (ssl->d1->w_epoch == 1 && msg->epoch == 0) {
+ if (ssl->d1->w_epoch >= 1 && msg->epoch == ssl->d1->w_epoch - 1) {
use_epoch = dtls1_use_previous_epoch;
+ } else if (msg->epoch != ssl->d1->w_epoch) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return seal_error;
}
+
size_t overhead = dtls_max_seal_overhead(ssl, use_epoch);
size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
diff --git a/ssl/d1_lib.cc b/ssl/d1_lib.cc
index 73f9797..2157ab7 100644
--- a/ssl/d1_lib.cc
+++ b/ssl/d1_lib.cc
@@ -111,6 +111,7 @@
dtls_clear_incoming_messages(ssl);
dtls_clear_outgoing_messages(ssl);
+ Delete(ssl->d1->last_aead_write_ctx);
OPENSSL_free(ssl->d1);
ssl->d1 = NULL;
diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
index 426c6a8..245f1c3 100644
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -78,12 +78,11 @@
static void dtls1_received_flight(SSL *ssl) { dtls1_stop_timer(ssl); }
-static int dtls1_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
/* Cipher changes are illegal when there are buffered incoming messages. */
if (dtls_has_incoming_messages(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- SSL_AEAD_CTX_free(aead_ctx);
return 0;
}
@@ -91,19 +90,20 @@
OPENSSL_memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));
OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
- SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
- ssl->s3->aead_read_ctx = aead_ctx;
+ Delete(ssl->s3->aead_read_ctx);
+ ssl->s3->aead_read_ctx = aead_ctx.release();
return 1;
}
-static int dtls1_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+static int dtls1_set_write_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
ssl->d1->w_epoch++;
OPENSSL_memcpy(ssl->d1->last_write_sequence, ssl->s3->write_sequence,
sizeof(ssl->s3->write_sequence));
OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
- SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
- ssl->s3->aead_write_ctx = aead_ctx;
+ Delete(ssl->d1->last_aead_write_ctx);
+ ssl->d1->last_aead_write_ctx = ssl->s3->aead_write_ctx;
+ ssl->s3->aead_write_ctx = aead_ctx.release();
return 1;
}
diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc
index 5546471..5c77165 100644
--- a/ssl/dtls_record.cc
+++ b/ssl/dtls_record.cc
@@ -217,8 +217,9 @@
}
/* Decrypt the body in-place. */
- if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, type, version, sequence,
- (uint8_t *)CBS_data(&body), CBS_len(&body))) {
+ if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence,
+ (uint8_t *)CBS_data(&body),
+ CBS_len(&body))) {
/* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
* Clear the error queue of any errors decryption may have added. Drop the
* entire packet as it must not have come from the peer.
@@ -253,13 +254,11 @@
return ssl_open_record_success;
}
-static const SSL_AEAD_CTX *get_write_aead(const SSL *ssl,
- enum dtls1_use_epoch_t use_epoch) {
+static const SSLAEADContext *get_write_aead(const SSL *ssl,
+ enum dtls1_use_epoch_t use_epoch) {
if (use_epoch == dtls1_use_previous_epoch) {
- /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
- * (negotiated cipher) exist. */
- assert(ssl->d1->w_epoch == 1);
- return NULL;
+ assert(ssl->d1->w_epoch >= 1);
+ return ssl->d1->last_aead_write_ctx;
}
return ssl->s3->aead_write_ctx;
@@ -267,13 +266,12 @@
size_t dtls_max_seal_overhead(const SSL *ssl,
enum dtls1_use_epoch_t use_epoch) {
- return DTLS1_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_max_overhead(get_write_aead(ssl, use_epoch));
+ return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl, use_epoch)->MaxOverhead();
}
size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch) {
return DTLS1_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_explicit_nonce_len(get_write_aead(ssl, use_epoch));
+ get_write_aead(ssl, use_epoch)->ExplicitNonceLen();
}
int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
@@ -288,14 +286,12 @@
/* Determine the parameters for the current epoch. */
uint16_t epoch = ssl->d1->w_epoch;
- SSL_AEAD_CTX *aead = ssl->s3->aead_write_ctx;
+ SSLAEADContext *aead = ssl->s3->aead_write_ctx;
uint8_t *seq = ssl->s3->write_sequence;
if (use_epoch == dtls1_use_previous_epoch) {
- /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
- * (negotiated cipher) exist. */
- assert(ssl->d1->w_epoch == 1);
+ assert(ssl->d1->w_epoch >= 1);
epoch = ssl->d1->w_epoch - 1;
- aead = NULL;
+ aead = ssl->d1->last_aead_write_ctx;
seq = ssl->d1->last_write_sequence;
}
@@ -315,9 +311,9 @@
OPENSSL_memcpy(&out[5], &seq[2], 6);
size_t ciphertext_len;
- if (!SSL_AEAD_CTX_seal(aead, out + DTLS1_RT_HEADER_LENGTH, &ciphertext_len,
- max_out - DTLS1_RT_HEADER_LENGTH, type, wire_version,
- &out[3] /* seq */, in, in_len) ||
+ if (!aead->Seal(out + DTLS1_RT_HEADER_LENGTH, &ciphertext_len,
+ max_out - DTLS1_RT_HEADER_LENGTH, type, wire_version,
+ &out[3] /* seq */, in, in_len) ||
!ssl_record_sequence_update(&seq[2], 6)) {
return 0;
}
diff --git a/ssl/internal.h b/ssl/internal.h
index d7a3af8..b09f27d 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -148,7 +148,12 @@
#include <openssl/base.h>
+#include <type_traits>
+#include <utility>
+
#include <openssl/aead.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
#include <openssl/ssl.h>
#include <openssl/stack.h>
@@ -167,6 +172,54 @@
struct SSL_HANDSHAKE;
+/* C++ utilities. */
+
+/* New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
+ * returns nullptr on allocation error. It only implements single-object
+ * allocation and not new T[n].
+ *
+ * Note: unlike |new|, this does not support non-public constructors. */
+template <typename T, typename... Args>
+T *New(Args &&... args) {
+ T *t = reinterpret_cast<T *>(OPENSSL_malloc(sizeof(T)));
+ if (t == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+ return nullptr;
+ }
+ new (t) T(std::forward<Args>(args)...);
+ return t;
+}
+
+/* Delete behaves like |delete| but uses |OPENSSL_free| to release memory.
+ *
+ * Note: unlike |delete| this does not support non-public destructors. */
+template <typename T>
+void Delete(T *t) {
+ if (t != nullptr) {
+ t->~T();
+ OPENSSL_free(t);
+ }
+}
+
+/* Register all types with non-trivial destructors with |UniquePtr|. Types with
+ * trivial destructors may be C structs which require a |BORINGSSL_MAKE_DELETER|
+ * registration. */
+namespace internal {
+template <typename T>
+struct DeleterImpl<T, typename std::enable_if<
+ !std::is_trivially_destructible<T>::value>::type> {
+ static void Free(T *t) { Delete(t); }
+};
+}
+
+/* MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
+ * error. */
+template <typename T, typename... Args>
+UniquePtr<T> MakeUnique(Args &&... args) {
+ return UniquePtr<T>(New<T>(std::forward<Args>(args)...));
+}
+
+
/* Protocol versions.
*
* Due to DTLS's historical wire version differences and to support multiple
@@ -395,110 +448,118 @@
/* Encryption layer. */
-/* SSL_AEAD_CTX contains information about an AEAD that is being used to encrypt
- * an SSL connection. */
-struct SSL_AEAD_CTX {
- const SSL_CIPHER *cipher;
- EVP_AEAD_CTX ctx;
- /* fixed_nonce contains any bytes of the nonce that are fixed for all
+/* SSLAEADContext contains information about an AEAD that is being used to
+ * encrypt an SSL connection. */
+class SSLAEADContext {
+ public:
+ SSLAEADContext(uint16_t version, const SSL_CIPHER *cipher);
+ ~SSLAEADContext();
+ SSLAEADContext(const SSLAEADContext &&) = delete;
+ SSLAEADContext &operator=(const SSLAEADContext &&) = delete;
+
+ /* CreateNullCipher creates an |SSLAEADContext| for the null cipher. */
+ static UniquePtr<SSLAEADContext> CreateNullCipher();
+
+ /* Create creates an |SSLAEADContext| using the supplied key material. It
+ * returns nullptr on error. Only one of |Open| or |Seal| may be used with the
+ * resulting object, depending on |direction|. |version| is the normalized
+ * protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. */
+ static UniquePtr<SSLAEADContext> Create(
+ enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
+ const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len,
+ const uint8_t *mac_key, size_t mac_key_len, const uint8_t *fixed_iv,
+ size_t fixed_iv_len);
+
+ uint16_t version() const { return version_; }
+ const SSL_CIPHER *cipher() const { return cipher_; }
+
+ /* is_null_cipher returns true if this is the null cipher. */
+ bool is_null_cipher() const { return !cipher_; }
+
+ /* ExplicitNonceLen returns the length of the explicit nonce. */
+ size_t ExplicitNonceLen() const;
+
+ /* MaxOverhead returns the maximum overhead of calling |Seal|. */
+ size_t MaxOverhead() const;
+
+ /* MaxSuffixLen returns the maximum suffix length written by |SealScatter|.
+ * |extra_in_len| should equal the argument of the same name passed to
+ * |SealScatter|. */
+ size_t MaxSuffixLen(size_t extra_in_len) const;
+
+ /* Open authenticates and decrypts |in_len| bytes from |in| in-place. On
+ * success, it sets |*out| to the plaintext in |in| and returns true.
+ * Otherwise, it returns false. The output will always be |ExplicitNonceLen|
+ * bytes ahead of |in|. */
+ bool Open(CBS *out, uint8_t type, uint16_t wire_version,
+ const uint8_t seqnum[8], uint8_t *in, size_t in_len);
+
+ /* Seal encrypts and authenticates |in_len| bytes from |in| and writes the
+ * result to |out|. It returns true on success and false on error.
+ *
+ * If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. */
+ bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type,
+ uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in,
+ size_t in_len);
+
+ /* SealScatter encrypts and authenticates |in_len| bytes from |in| and splits
+ * the result between |out_prefix|, |out| and |out_suffix|. It returns one on
+ * success and zero on error.
+ *
+ * On successful return, exactly |ExplicitNonceLen| bytes are written to
+ * |out_prefix|, |in_len| bytes to |out|, and up to |MaxSuffixLen| bytes to
+ * |out_suffix|. |*out_suffix_len| is set to the actual number of bytes
+ * written to |out_suffix|.
+ *
+ * |extra_in| may point to an additional plaintext buffer. If present,
+ * |extra_in_len| additional bytes are encrypted and authenticated, and the
+ * ciphertext is written to the beginning of |out_suffix|. |MaxSuffixLen|
+ * may be used to size |out_suffix| accordingly.
+ *
+ * If |in| and |out| alias then |out| must be == |in|. Other arguments may not
+ * alias anything. */
+ bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix,
+ size_t *out_suffix_len, size_t max_out_suffix_len,
+ uint8_t type, uint16_t wire_version, const uint8_t seqnum[8],
+ const uint8_t *in, size_t in_len, const uint8_t *extra_in,
+ size_t extra_in_len);
+
+ bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const;
+
+ private:
+ /* GetAdditionalData writes the additional data into |out| and returns the
+ * number of bytes written. */
+ size_t GetAdditionalData(uint8_t out[13], uint8_t type, uint16_t wire_version,
+ const uint8_t seqnum[8], size_t plaintext_len);
+
+ const SSL_CIPHER *cipher_;
+ ScopedEVP_AEAD_CTX ctx_;
+ /* fixed_nonce_ contains any bytes of the nonce that are fixed for all
* records. */
- uint8_t fixed_nonce[12];
- uint8_t fixed_nonce_len, variable_nonce_len;
- /* version is the protocol version that should be used with this AEAD. */
- uint16_t version;
- /* variable_nonce_included_in_record is non-zero if the variable nonce
+ uint8_t fixed_nonce_[12];
+ uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0;
+ /* version_ is the protocol version that should be used with this AEAD. */
+ uint16_t version_;
+ /* variable_nonce_included_in_record_ is true if the variable nonce
* for a record is included as a prefix before the ciphertext. */
- unsigned variable_nonce_included_in_record : 1;
- /* random_variable_nonce is non-zero if the variable nonce is
+ bool variable_nonce_included_in_record_ : 1;
+ /* random_variable_nonce_ is true if the variable nonce is
* randomly generated, rather than derived from the sequence
* number. */
- unsigned random_variable_nonce : 1;
- /* omit_length_in_ad is non-zero if the length should be omitted in the
+ bool random_variable_nonce_ : 1;
+ /* omit_length_in_ad_ is true if the length should be omitted in the
* AEAD's ad parameter. */
- unsigned omit_length_in_ad : 1;
- /* omit_version_in_ad is non-zero if the version should be omitted
+ bool omit_length_in_ad_ : 1;
+ /* omit_version_in_ad_ is true if the version should be omitted
* in the AEAD's ad parameter. */
- unsigned omit_version_in_ad : 1;
- /* omit_ad is non-zero if the AEAD's ad parameter should be omitted. */
- unsigned omit_ad : 1;
- /* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the
+ bool omit_version_in_ad_ : 1;
+ /* omit_ad_ is true if the AEAD's ad parameter should be omitted. */
+ bool omit_ad_ : 1;
+ /* xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the
* variable nonce rather than prepended. */
- unsigned xor_fixed_nonce : 1;
+ bool xor_fixed_nonce_ : 1;
};
-/* SSL_AEAD_CTX_new creates a newly-allocated |SSL_AEAD_CTX| using the supplied
- * key material. It returns NULL on error. Only one of |SSL_AEAD_CTX_open| or
- * |SSL_AEAD_CTX_seal| may be used with the resulting object, depending on
- * |direction|. |version| is the normalized protocol version, so DTLS 1.0 is
- * represented as 0x0301, not 0xffef. */
-SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
- uint16_t version, int is_dtls,
- const SSL_CIPHER *cipher, const uint8_t *enc_key,
- size_t enc_key_len, const uint8_t *mac_key,
- size_t mac_key_len, const uint8_t *fixed_iv,
- size_t fixed_iv_len);
-
-/* SSL_AEAD_CTX_free frees |ctx|. */
-void SSL_AEAD_CTX_free(SSL_AEAD_CTX *ctx);
-
-/* SSL_AEAD_CTX_explicit_nonce_len returns the length of the explicit nonce for
- * |ctx|, if any. |ctx| may be NULL to denote the null cipher. */
-size_t SSL_AEAD_CTX_explicit_nonce_len(const SSL_AEAD_CTX *ctx);
-
-/* SSL_AEAD_CTX_max_overhead returns the maximum overhead of calling
- * |SSL_AEAD_CTX_seal|. |ctx| may be NULL to denote the null cipher. */
-size_t SSL_AEAD_CTX_max_overhead(const SSL_AEAD_CTX *ctx);
-
-/* SSL_AEAD_CTX_max_suffix_len returns the maximum suffix length written by
- * |SSL_AEAD_CTX_seal_scatter|. |ctx| may be NULL to denote the null cipher.
- * |extra_in_len| should equal the argument of the same name passed to
- * |SSL_AEAD_CTX_seal_scatter|. */
-size_t SSL_AEAD_CTX_max_suffix_len(const SSL_AEAD_CTX *ctx,
- size_t extra_in_len);
-
-/* SSL_AEAD_CTX_open authenticates and decrypts |in_len| bytes from |in|
- * in-place. On success, it sets |*out| to the plaintext in |in| and returns
- * one. Otherwise, it returns zero. |ctx| may be NULL to denote the null cipher.
- * The output will always be |explicit_nonce_len| bytes ahead of |in|. */
-int SSL_AEAD_CTX_open(SSL_AEAD_CTX *ctx, CBS *out, uint8_t type,
- uint16_t wire_version, const uint8_t seqnum[8],
- uint8_t *in, size_t in_len);
-
-/* SSL_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
- * writes the result to |out|. It returns one on success and zero on
- * error. |ctx| may be NULL to denote the null cipher.
- *
- * If |in| and |out| alias then |out| + |explicit_nonce_len| must be == |in|. */
-int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
- size_t max_out, uint8_t type, uint16_t wire_version,
- const uint8_t seqnum[8], const uint8_t *in,
- size_t in_len);
-
-/* SSL_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in|
- * and splits the result between |out_prefix|, |out| and |out_suffix|. It
- * returns one on success and zero on error. |ctx| may be NULL to denote the
- * null cipher.
- *
- * On successful return, exactly |SSL_AEAD_CTX_explicit_nonce_len| bytes are
- * written to |out_prefix|, |in_len| bytes to |out|, and up to
- * |SSL_AEAD_CTX_max_suffix_len| bytes to |out_suffix|. |*out_suffix_len| is set
- * to the actual number of bytes written to |out_suffix|.
- *
- * |extra_in| may point to an additional plaintext buffer. If present,
- * |extra_in_len| additional bytes are encrypted and authenticated, and the
- * ciphertext is written to the beginning of |out_suffix|.
- * |SSL_AEAD_CTX_max_suffix_len| may be used to size |out_suffix| accordingly.
- *
- * If |in| and |out| alias then |out| must be == |in|. Other arguments may not
- * alias anything. */
-int SSL_AEAD_CTX_seal_scatter(SSL_AEAD_CTX *aead, uint8_t *out_prefix,
- uint8_t *out, uint8_t *out_suffix,
- size_t *out_suffix_len, size_t max_out_suffix_len,
- uint8_t type, uint16_t wire_version,
- const uint8_t seqnum[8], const uint8_t *in,
- size_t in_len, const uint8_t *extra_in,
- size_t extra_in_len);
-
/* DTLS replay bitmap. */
@@ -1568,14 +1629,14 @@
/* received_flight is called when the handshake has received a flight of
* messages from the peer. */
void (*received_flight)(SSL *ssl);
- /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It takes
- * ownership of |aead_ctx|. It returns one on success and zero if changing the
- * read state is forbidden at this point. */
- int (*set_read_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx);
- /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It takes
- * ownership of |aead_ctx|. It returns one on success and zero if changing the
- * write state is forbidden at this point. */
- int (*set_write_state)(SSL *ssl, SSL_AEAD_CTX *aead_ctx);
+ /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns
+ * one on success and zero if changing the read state is forbidden at this
+ * point. */
+ int (*set_read_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx);
+ /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns
+ * one on success and zero if changing the write state is forbidden at this
+ * point. */
+ int (*set_write_state)(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx);
};
struct SSLX509Method {
@@ -1762,10 +1823,10 @@
uint32_t pending_flight_offset;
/* aead_read_ctx is the current read cipher state. */
- SSL_AEAD_CTX *aead_read_ctx;
+ SSLAEADContext *aead_read_ctx;
/* aead_write_ctx is the current write cipher state. */
- SSL_AEAD_CTX *aead_write_ctx;
+ SSLAEADContext *aead_write_ctx;
/* hs is the handshake state for the current handshake or NULL if there isn't
* one. */
@@ -1896,6 +1957,7 @@
/* save last sequence number for retransmissions */
uint8_t last_write_sequence[8];
+ SSLAEADContext *last_aead_write_ctx;
/* incoming_messages is a ring buffer of incoming handshake messages that have
* yet to be processed. The front of the ring buffer is message number
diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
index 785d66a..dea1b4f 100644
--- a/ssl/s3_both.cc
+++ b/ssl/s3_both.cc
@@ -274,7 +274,7 @@
if (ssl->server &&
ssl->s3->have_version &&
ssl->version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION &&
- ssl->s3->aead_write_ctx == NULL) {
+ ssl->s3->aead_write_ctx->is_null_cipher()) {
type = SSL3_RT_PLAINTEXT_HANDSHAKE;
}
diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc
index cd39524..f5c70c4 100644
--- a/ssl/s3_lib.cc
+++ b/ssl/s3_lib.cc
@@ -167,6 +167,12 @@
namespace bssl {
int ssl3_new(SSL *ssl) {
+ UniquePtr<SSLAEADContext> aead_read_ctx = SSLAEADContext::CreateNullCipher();
+ UniquePtr<SSLAEADContext> aead_write_ctx = SSLAEADContext::CreateNullCipher();
+ if (!aead_read_ctx || !aead_write_ctx) {
+ return 0;
+ }
+
SSL3_STATE *s3 = (SSL3_STATE *)OPENSSL_malloc(sizeof *s3);
if (s3 == NULL) {
return 0;
@@ -179,6 +185,8 @@
return 0;
}
+ s3->aead_read_ctx = aead_read_ctx.release();
+ s3->aead_write_ctx = aead_write_ctx.release();
ssl->s3 = s3;
/* Set the version to the highest supported version.
@@ -202,8 +210,8 @@
ssl_handshake_free(ssl->s3->hs);
OPENSSL_free(ssl->s3->next_proto_negotiated);
OPENSSL_free(ssl->s3->alpn_selected);
- SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
- SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
+ Delete(ssl->s3->aead_read_ctx);
+ Delete(ssl->s3->aead_write_ctx);
BUF_MEM_free(ssl->s3->pending_flight);
OPENSSL_cleanse(ssl->s3, sizeof *ssl->s3);
diff --git a/ssl/s3_pkt.cc b/ssl/s3_pkt.cc
index 9d4b057..c677c68 100644
--- a/ssl/s3_pkt.cc
+++ b/ssl/s3_pkt.cc
@@ -196,7 +196,7 @@
int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
int len) {
assert(ssl_can_write(ssl));
- assert(ssl->s3->aead_write_ctx != NULL);
+ assert(!ssl->s3->aead_write_ctx->is_null_cipher());
*out_needs_handshake = 0;
@@ -376,7 +376,7 @@
int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
int peek) {
assert(ssl_can_read(ssl));
- assert(ssl->s3->aead_read_ctx != NULL);
+ assert(!ssl->s3->aead_read_ctx->is_null_cipher());
*out_got_handshake = 0;
ssl->method->release_current_message(ssl, 0 /* don't free buffer */);
@@ -521,7 +521,7 @@
* as-is. This manifests as an application data record when we expect
* handshake. Report a dedicated error code for this case. */
if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
- ssl->s3->aead_read_ctx == NULL) {
+ ssl->s3->aead_read_ctx->is_null_cipher()) {
OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return -1;
@@ -532,7 +532,7 @@
if (rr->type != SSL3_RT_HANDSHAKE &&
!(!ssl->server &&
ssl->tls13_variant == tls13_record_type_experiment &&
- ssl->s3->aead_read_ctx == NULL &&
+ ssl->s3->aead_read_ctx->is_null_cipher() &&
rr->type == SSL3_RT_PLAINTEXT_HANDSHAKE)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc
index e7e4cb5..03bf0a9 100644
--- a/ssl/ssl_aead_ctx.cc
+++ b/ssl/ssl_aead_ctx.cc
@@ -27,14 +27,38 @@
#include "internal.h"
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+#define FUZZER_MODE true
+#else
+#define FUZZER_MODE false
+#endif
+
namespace bssl {
-SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
- uint16_t version, int is_dtls,
- const SSL_CIPHER *cipher, const uint8_t *enc_key,
- size_t enc_key_len, const uint8_t *mac_key,
- size_t mac_key_len, const uint8_t *fixed_iv,
- size_t fixed_iv_len) {
+SSLAEADContext::SSLAEADContext(uint16_t version_arg,
+ const SSL_CIPHER *cipher_arg)
+ : cipher_(cipher_arg),
+ version_(version_arg),
+ variable_nonce_included_in_record_(false),
+ random_variable_nonce_(false),
+ omit_length_in_ad_(false),
+ omit_version_in_ad_(false),
+ omit_ad_(false),
+ xor_fixed_nonce_(false) {
+ OPENSSL_memset(fixed_nonce_, 0, sizeof(fixed_nonce_));
+}
+
+SSLAEADContext::~SSLAEADContext() {}
+
+UniquePtr<SSLAEADContext> SSLAEADContext::CreateNullCipher() {
+ return MakeUnique<SSLAEADContext>(0 /* version */, nullptr /* cipher */);
+}
+
+UniquePtr<SSLAEADContext> SSLAEADContext::Create(
+ enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
+ const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len,
+ const uint8_t *mac_key, size_t mac_key_len, const uint8_t *fixed_iv,
+ size_t fixed_iv_len) {
const EVP_AEAD *aead;
size_t expected_mac_key_len, expected_fixed_iv_len;
if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,
@@ -44,7 +68,7 @@
expected_fixed_iv_len != fixed_iv_len ||
expected_mac_key_len != mac_key_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return nullptr;
}
uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];
@@ -53,7 +77,7 @@
* suites). */
if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return nullptr;
}
OPENSSL_memcpy(merged_key, mac_key, mac_key_len);
OPENSSL_memcpy(merged_key + mac_key_len, enc_key, enc_key_len);
@@ -64,308 +88,280 @@
enc_key_len += fixed_iv_len;
}
- SSL_AEAD_CTX *aead_ctx = (SSL_AEAD_CTX *)OPENSSL_malloc(sizeof(SSL_AEAD_CTX));
- if (aead_ctx == NULL) {
+ UniquePtr<SSLAEADContext> aead_ctx =
+ MakeUnique<SSLAEADContext>(version, cipher);
+ if (!aead_ctx) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return NULL;
+ return nullptr;
}
- OPENSSL_memset(aead_ctx, 0, sizeof(SSL_AEAD_CTX));
- aead_ctx->cipher = cipher;
- aead_ctx->version = version;
if (!EVP_AEAD_CTX_init_with_direction(
- &aead_ctx->ctx, aead, enc_key, enc_key_len,
+ aead_ctx->ctx_.get(), aead, enc_key, enc_key_len,
EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) {
- OPENSSL_free(aead_ctx);
- return NULL;
+ return nullptr;
}
assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH);
static_assert(EVP_AEAD_MAX_NONCE_LENGTH < 256,
"variable_nonce_len doesn't fit in uint8_t");
- aead_ctx->variable_nonce_len = (uint8_t)EVP_AEAD_nonce_length(aead);
+ aead_ctx->variable_nonce_len_ = (uint8_t)EVP_AEAD_nonce_length(aead);
if (mac_key_len == 0) {
- assert(fixed_iv_len <= sizeof(aead_ctx->fixed_nonce));
- OPENSSL_memcpy(aead_ctx->fixed_nonce, fixed_iv, fixed_iv_len);
- aead_ctx->fixed_nonce_len = fixed_iv_len;
+ assert(fixed_iv_len <= sizeof(aead_ctx->fixed_nonce_));
+ OPENSSL_memcpy(aead_ctx->fixed_nonce_, fixed_iv, fixed_iv_len);
+ aead_ctx->fixed_nonce_len_ = fixed_iv_len;
if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
/* The fixed nonce into the actual nonce (the sequence number). */
- aead_ctx->xor_fixed_nonce = 1;
- aead_ctx->variable_nonce_len = 8;
+ aead_ctx->xor_fixed_nonce_ = true;
+ aead_ctx->variable_nonce_len_ = 8;
} else {
/* The fixed IV is prepended to the nonce. */
- assert(fixed_iv_len <= aead_ctx->variable_nonce_len);
- aead_ctx->variable_nonce_len -= fixed_iv_len;
+ assert(fixed_iv_len <= aead_ctx->variable_nonce_len_);
+ aead_ctx->variable_nonce_len_ -= fixed_iv_len;
}
/* AES-GCM uses an explicit nonce. */
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
- aead_ctx->variable_nonce_included_in_record = 1;
+ aead_ctx->variable_nonce_included_in_record_ = true;
}
/* The TLS 1.3 construction XORs the fixed nonce into the sequence number
* and omits the additional data. */
if (version >= TLS1_3_VERSION) {
- aead_ctx->xor_fixed_nonce = 1;
- aead_ctx->variable_nonce_len = 8;
- aead_ctx->variable_nonce_included_in_record = 0;
- aead_ctx->omit_ad = 1;
- assert(fixed_iv_len >= aead_ctx->variable_nonce_len);
+ aead_ctx->xor_fixed_nonce_ = true;
+ aead_ctx->variable_nonce_len_ = 8;
+ aead_ctx->variable_nonce_included_in_record_ = false;
+ aead_ctx->omit_ad_ = true;
+ assert(fixed_iv_len >= aead_ctx->variable_nonce_len_);
}
} else {
assert(version < TLS1_3_VERSION);
- aead_ctx->variable_nonce_included_in_record = 1;
- aead_ctx->random_variable_nonce = 1;
- aead_ctx->omit_length_in_ad = 1;
- aead_ctx->omit_version_in_ad = (version == SSL3_VERSION);
+ aead_ctx->variable_nonce_included_in_record_ = true;
+ aead_ctx->random_variable_nonce_ = true;
+ aead_ctx->omit_length_in_ad_ = true;
+ aead_ctx->omit_version_in_ad_ = (version == SSL3_VERSION);
}
return aead_ctx;
}
-void SSL_AEAD_CTX_free(SSL_AEAD_CTX *aead) {
- if (aead == NULL) {
- return;
- }
- EVP_AEAD_CTX_cleanup(&aead->ctx);
- OPENSSL_free(aead);
-}
-
-size_t SSL_AEAD_CTX_explicit_nonce_len(const SSL_AEAD_CTX *aead) {
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- aead = NULL;
-#endif
-
- if (aead != NULL && aead->variable_nonce_included_in_record) {
- return aead->variable_nonce_len;
+size_t SSLAEADContext::ExplicitNonceLen() const {
+ if (!FUZZER_MODE && variable_nonce_included_in_record_) {
+ return variable_nonce_len_;
}
return 0;
}
-size_t SSL_AEAD_CTX_max_suffix_len(const SSL_AEAD_CTX *aead,
- size_t extra_in_len) {
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- aead = NULL;
-#endif
-
+size_t SSLAEADContext::MaxSuffixLen(size_t extra_in_len) const {
return extra_in_len +
- (aead == NULL ? 0 : EVP_AEAD_max_overhead(aead->ctx.aead));
+ (is_null_cipher() || FUZZER_MODE
+ ? 0
+ : EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get())));
}
-size_t SSL_AEAD_CTX_max_overhead(const SSL_AEAD_CTX *aead) {
- return SSL_AEAD_CTX_explicit_nonce_len(aead) +
- SSL_AEAD_CTX_max_suffix_len(aead, 0);
+size_t SSLAEADContext::MaxOverhead() const {
+ return ExplicitNonceLen() + MaxSuffixLen(0);
}
-/* ssl_aead_ctx_get_ad writes the additional data for |aead| into |out| and
- * returns the number of bytes written. */
-static size_t ssl_aead_ctx_get_ad(SSL_AEAD_CTX *aead, uint8_t out[13],
- uint8_t type, uint16_t wire_version,
- const uint8_t seqnum[8],
- size_t plaintext_len) {
- if (aead->omit_ad) {
+size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type,
+ uint16_t wire_version,
+ const uint8_t seqnum[8],
+ size_t plaintext_len) {
+ if (omit_ad_) {
return 0;
}
OPENSSL_memcpy(out, seqnum, 8);
size_t len = 8;
out[len++] = type;
- if (!aead->omit_version_in_ad) {
- out[len++] = (uint8_t)(wire_version >> 8);
- out[len++] = (uint8_t)wire_version;
+ if (!omit_version_in_ad_) {
+ out[len++] = static_cast<uint8_t>((wire_version >> 8));
+ out[len++] = static_cast<uint8_t>(wire_version);
}
- if (!aead->omit_length_in_ad) {
- out[len++] = (uint8_t)(plaintext_len >> 8);
- out[len++] = (uint8_t)plaintext_len;
+ if (!omit_length_in_ad_) {
+ out[len++] = static_cast<uint8_t>((plaintext_len >> 8));
+ out[len++] = static_cast<uint8_t>(plaintext_len);
}
return len;
}
-int SSL_AEAD_CTX_open(SSL_AEAD_CTX *aead, CBS *out, uint8_t type,
- uint16_t wire_version, const uint8_t seqnum[8],
- uint8_t *in, size_t in_len) {
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- aead = NULL;
-#endif
-
- if (aead == NULL) {
+bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
+ const uint8_t seqnum[8], uint8_t *in, size_t in_len) {
+ if (is_null_cipher() || FUZZER_MODE) {
/* Handle the initial NULL cipher. */
CBS_init(out, in, in_len);
- return 1;
+ return true;
}
/* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
* overhead. Otherwise the parameter is unused. */
size_t plaintext_len = 0;
- if (!aead->omit_length_in_ad) {
- size_t overhead = SSL_AEAD_CTX_max_overhead(aead);
+ if (!omit_length_in_ad_) {
+ size_t overhead = MaxOverhead();
if (in_len < overhead) {
/* Publicly invalid. */
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
- return 0;
+ return false;
}
plaintext_len = in_len - overhead;
}
uint8_t ad[13];
- size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum,
- plaintext_len);
+ size_t ad_len =
+ GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len);
/* Assemble the nonce. */
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
/* Prepend the fixed nonce, or left-pad with zeros if XORing. */
- if (aead->xor_fixed_nonce) {
- nonce_len = aead->fixed_nonce_len - aead->variable_nonce_len;
+ if (xor_fixed_nonce_) {
+ nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
} else {
- OPENSSL_memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);
- nonce_len += aead->fixed_nonce_len;
+ OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
+ nonce_len += fixed_nonce_len_;
}
/* Add the variable nonce. */
- if (aead->variable_nonce_included_in_record) {
- if (in_len < aead->variable_nonce_len) {
+ if (variable_nonce_included_in_record_) {
+ if (in_len < variable_nonce_len_) {
/* Publicly invalid. */
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
- return 0;
+ return false;
}
- OPENSSL_memcpy(nonce + nonce_len, in, aead->variable_nonce_len);
- in += aead->variable_nonce_len;
- in_len -= aead->variable_nonce_len;
+ OPENSSL_memcpy(nonce + nonce_len, in, variable_nonce_len_);
+ in += variable_nonce_len_;
+ in_len -= variable_nonce_len_;
} else {
- assert(aead->variable_nonce_len == 8);
- OPENSSL_memcpy(nonce + nonce_len, seqnum, aead->variable_nonce_len);
+ assert(variable_nonce_len_ == 8);
+ OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
}
- nonce_len += aead->variable_nonce_len;
+ nonce_len += variable_nonce_len_;
/* XOR the fixed nonce, if necessary. */
- if (aead->xor_fixed_nonce) {
- assert(nonce_len == aead->fixed_nonce_len);
- for (size_t i = 0; i < aead->fixed_nonce_len; i++) {
- nonce[i] ^= aead->fixed_nonce[i];
+ if (xor_fixed_nonce_) {
+ assert(nonce_len == fixed_nonce_len_);
+ for (size_t i = 0; i < fixed_nonce_len_; i++) {
+ nonce[i] ^= fixed_nonce_[i];
}
}
/* Decrypt in-place. */
size_t len;
- if (!EVP_AEAD_CTX_open(&aead->ctx, in, &len, in_len, nonce, nonce_len,
- in, in_len, ad, ad_len)) {
- return 0;
+ if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in,
+ in_len, ad, ad_len)) {
+ return false;
}
CBS_init(out, in, len);
- return 1;
+ return true;
}
-int SSL_AEAD_CTX_seal_scatter(SSL_AEAD_CTX *aead, uint8_t *out_prefix,
- uint8_t *out, uint8_t *out_suffix,
- size_t *out_suffix_len, size_t max_out_suffix_len,
- uint8_t type, uint16_t wire_version,
- const uint8_t seqnum[8], const uint8_t *in,
- size_t in_len, const uint8_t *extra_in,
- size_t extra_in_len) {
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- aead = NULL;
-#endif
-
+bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
+ uint8_t *out_suffix, size_t *out_suffix_len,
+ size_t max_out_suffix_len, uint8_t type,
+ uint16_t wire_version, const uint8_t seqnum[8],
+ const uint8_t *in, size_t in_len,
+ const uint8_t *extra_in, size_t extra_in_len) {
if ((in != out && buffers_alias(in, in_len, out, in_len)) ||
buffers_alias(in, in_len, out_suffix, max_out_suffix_len)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
- return 0;
+ return false;
}
if (extra_in_len > max_out_suffix_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
- return 0;
+ return false;
}
- if (aead == NULL) {
+ if (is_null_cipher() || FUZZER_MODE) {
/* Handle the initial NULL cipher. */
OPENSSL_memmove(out, in, in_len);
OPENSSL_memmove(out_suffix, extra_in, extra_in_len);
*out_suffix_len = extra_in_len;
- return 1;
+ return true;
}
uint8_t ad[13];
- size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum,
- in_len);
+ size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len);
/* Assemble the nonce. */
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
/* Prepend the fixed nonce, or left-pad with zeros if XORing. */
- if (aead->xor_fixed_nonce) {
- nonce_len = aead->fixed_nonce_len - aead->variable_nonce_len;
+ if (xor_fixed_nonce_) {
+ nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
} else {
- OPENSSL_memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);
- nonce_len += aead->fixed_nonce_len;
+ OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_);
+ nonce_len += fixed_nonce_len_;
}
/* Select the variable nonce. */
- if (aead->random_variable_nonce) {
- assert(aead->variable_nonce_included_in_record);
- if (!RAND_bytes(nonce + nonce_len, aead->variable_nonce_len)) {
- return 0;
+ if (random_variable_nonce_) {
+ assert(variable_nonce_included_in_record_);
+ if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {
+ return false;
}
} else {
/* When sending we use the sequence number as the variable part of the
* nonce. */
- assert(aead->variable_nonce_len == 8);
- OPENSSL_memcpy(nonce + nonce_len, seqnum, aead->variable_nonce_len);
+ assert(variable_nonce_len_ == 8);
+ OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
}
- nonce_len += aead->variable_nonce_len;
+ nonce_len += variable_nonce_len_;
/* Emit the variable nonce if included in the record. */
- if (aead->variable_nonce_included_in_record) {
- assert(!aead->xor_fixed_nonce);
- if (buffers_alias(in, in_len, out_prefix, aead->variable_nonce_len)) {
+ if (variable_nonce_included_in_record_) {
+ assert(!xor_fixed_nonce_);
+ if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
- return 0;
+ return false;
}
- OPENSSL_memcpy(out_prefix, nonce + aead->fixed_nonce_len,
- aead->variable_nonce_len);
+ OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_len_,
+ variable_nonce_len_);
}
/* XOR the fixed nonce, if necessary. */
- if (aead->xor_fixed_nonce) {
- assert(nonce_len == aead->fixed_nonce_len);
- for (size_t i = 0; i < aead->fixed_nonce_len; i++) {
- nonce[i] ^= aead->fixed_nonce[i];
+ if (xor_fixed_nonce_) {
+ assert(nonce_len == fixed_nonce_len_);
+ for (size_t i = 0; i < fixed_nonce_len_; i++) {
+ nonce[i] ^= fixed_nonce_[i];
}
}
- return EVP_AEAD_CTX_seal_scatter(&aead->ctx, out, out_suffix, out_suffix_len,
- max_out_suffix_len, nonce, nonce_len, in,
- in_len, extra_in, extra_in_len, ad, ad_len);
+ return !!EVP_AEAD_CTX_seal_scatter(
+ ctx_.get(), out, out_suffix, out_suffix_len, max_out_suffix_len, nonce,
+ nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len);
}
-int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *aead, uint8_t *out, size_t *out_len,
- size_t max_out_len, uint8_t type, uint16_t wire_version,
- const uint8_t seqnum[8], const uint8_t *in,
- size_t in_len) {
- size_t prefix_len = SSL_AEAD_CTX_explicit_nonce_len(aead);
+bool SSLAEADContext::Seal(uint8_t *out, size_t *out_len, size_t max_out_len,
+ uint8_t type, uint16_t wire_version,
+ const uint8_t seqnum[8], const uint8_t *in,
+ size_t in_len) {
+ size_t prefix_len = ExplicitNonceLen();
if (in_len + prefix_len < in_len) {
OPENSSL_PUT_ERROR(CIPHER, SSL_R_RECORD_TOO_LARGE);
- return 0;
+ return false;
}
if (in_len + prefix_len > max_out_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
- return 0;
+ return false;
}
size_t suffix_len;
- if (!SSL_AEAD_CTX_seal_scatter(aead, out, out + prefix_len,
- out + prefix_len + in_len, &suffix_len,
- max_out_len - prefix_len - in_len, type,
- wire_version, seqnum, in, in_len, 0, 0)) {
- return 0;
+ if (!SealScatter(out, out + prefix_len, out + prefix_len + in_len,
+ &suffix_len, max_out_len - prefix_len - in_len, type,
+ wire_version, seqnum, in, in_len, 0, 0)) {
+ return false;
}
- assert(suffix_len <= SSL_AEAD_CTX_max_suffix_len(aead, 0));
+ assert(suffix_len <= MaxSuffixLen(0));
*out_len = prefix_len + in_len + suffix_len;
- return 1;
+ return true;
+}
+
+bool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const {
+ return !is_null_cipher() &&
+ EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len);
}
} // namespace bssl
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 1808fb2..305bcad 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -2034,10 +2034,7 @@
}
const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
- if (ssl->s3->aead_write_ctx == NULL) {
- return NULL;
- }
- return ssl->s3->aead_write_ctx->cipher;
+ return ssl->s3->aead_write_ctx->cipher();
}
int SSL_session_reused(const SSL *ssl) {
@@ -2364,15 +2361,9 @@
int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
const uint8_t **out_write_iv, size_t *out_iv_len) {
- if (ssl->s3->aead_read_ctx == NULL || ssl->s3->aead_write_ctx == NULL) {
- return 0;
- }
-
size_t write_iv_len;
- if (!EVP_AEAD_CTX_get_iv(&ssl->s3->aead_read_ctx->ctx, out_read_iv,
- out_iv_len) ||
- !EVP_AEAD_CTX_get_iv(&ssl->s3->aead_write_ctx->ctx, out_write_iv,
- &write_iv_len) ||
+ if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) ||
+ !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) ||
*out_iv_len != write_iv_len) {
return 0;
}
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index 1efd834..7d20fbf 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -140,6 +140,8 @@
#include <assert.h>
#include <string.h>
+#include <utility>
+
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
@@ -432,18 +434,19 @@
iv = server_write_iv;
}
- SSL_AEAD_CTX *aead_ctx = SSL_AEAD_CTX_new(
- is_read ? evp_aead_open : evp_aead_seal, ssl3_protocol_version(ssl), SSL_is_dtls(ssl),
- hs->new_cipher, key, key_len, mac_secret, mac_secret_len, iv, iv_len);
- if (aead_ctx == NULL) {
+ UniquePtr<SSLAEADContext> aead_ctx = SSLAEADContext::Create(
+ is_read ? evp_aead_open : evp_aead_seal, ssl3_protocol_version(ssl),
+ SSL_is_dtls(ssl), hs->new_cipher, key, key_len, mac_secret,
+ mac_secret_len, iv, iv_len);
+ if (!aead_ctx) {
return 0;
}
if (is_read) {
- return ssl->method->set_read_state(ssl, aead_ctx);
+ return ssl->method->set_read_state(ssl, std::move(aead_ctx));
}
- return ssl->method->set_write_state(ssl, aead_ctx);
+ return ssl->method->set_write_state(ssl, std::move(aead_ctx));
}
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 95ef653..5e2b03e 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -155,7 +155,10 @@
static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (!ssl->method->set_write_state(ssl, NULL) ||
+ /* Restore the null cipher. We may have switched due to 0-RTT. */
+ bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher();
+ if (!null_ctx ||
+ !ssl->method->set_write_state(ssl, std::move(null_ctx)) ||
!ssl_write_client_hello(hs)) {
return ssl_hs_error;
}
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index e7d5448..8dd6765 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -19,6 +19,8 @@
#include <assert.h>
#include <string.h>
+#include <utility>
+
#include <openssl/aead.h>
#include <openssl/bytestring.h>
#include <openssl/digest.h>
@@ -152,19 +154,19 @@
return 0;
}
- SSL_AEAD_CTX *traffic_aead =
- SSL_AEAD_CTX_new(direction, version, SSL_is_dtls(ssl), session->cipher,
- key, key_len, NULL, 0, iv, iv_len);
- if (traffic_aead == NULL) {
+ UniquePtr<SSLAEADContext> traffic_aead = SSLAEADContext::Create(
+ direction, version, SSL_is_dtls(ssl), session->cipher, key, key_len, NULL,
+ 0, iv, iv_len);
+ if (!traffic_aead) {
return 0;
}
if (direction == evp_aead_open) {
- if (!ssl->method->set_read_state(ssl, traffic_aead)) {
+ if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {
return 0;
}
} else {
- if (!ssl->method->set_write_state(ssl, traffic_aead)) {
+ if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {
return 0;
}
}
diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
index ba299ed..12735aa 100644
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -75,27 +75,26 @@
static void ssl3_received_flight(SSL *ssl) {}
-static int ssl3_set_read_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+static int ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
if (ssl->s3->rrec.length != 0) {
/* There may not be unprocessed record data at a cipher change. */
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- SSL_AEAD_CTX_free(aead_ctx);
return 0;
}
OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
- SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
- ssl->s3->aead_read_ctx = aead_ctx;
+ Delete(ssl->s3->aead_read_ctx);
+ ssl->s3->aead_read_ctx = aead_ctx.release();
return 1;
}
-static int ssl3_set_write_state(SSL *ssl, SSL_AEAD_CTX *aead_ctx) {
+static int ssl3_set_write_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
- SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
- ssl->s3->aead_write_ctx = aead_ctx;
+ Delete(ssl->s3->aead_write_ctx);
+ ssl->s3->aead_write_ctx = aead_ctx.release();
return 1;
}
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index b7ac0a9..b5e101c 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -144,10 +144,10 @@
* state needs record-splitting and zero otherwise. */
static int ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- return ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version < TLS1_1_VERSION &&
+ return !ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() < TLS1_1_VERSION &&
(ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
- SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher);
+ SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());
#else
return 0;
#endif
@@ -172,20 +172,19 @@
header_len = SSL3_RT_HEADER_LENGTH;
}
- return header_len + SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_read_ctx);
+ return header_len + ssl->s3->aead_read_ctx->ExplicitNonceLen();
}
size_t ssl_seal_align_prefix_len(const SSL *ssl) {
if (SSL_is_dtls(ssl)) {
- return DTLS1_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ return DTLS1_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
}
- size_t ret = SSL3_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ size_t ret =
+ SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
if (ssl_needs_record_splitting(ssl)) {
ret += SSL3_RT_HEADER_LENGTH;
- ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
+ ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
}
return ret;
}
@@ -209,7 +208,7 @@
}
int version_ok;
- if (ssl->s3->aead_read_ctx == NULL) {
+ if (ssl->s3->aead_read_ctx->is_null_cipher()) {
/* Only check the first byte. Enforcing beyond that can prevent decoding
* version negotiation failure alerts. */
version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
@@ -249,17 +248,16 @@
/* Skip early data received when expecting a second ClientHello if we rejected
* 0RTT. */
if (ssl->s3->skip_early_data &&
- ssl->s3->aead_read_ctx == NULL &&
+ ssl->s3->aead_read_ctx->is_null_cipher() &&
type == SSL3_RT_APPLICATION_DATA) {
goto skipped_data;
}
/* Decrypt the body in-place. */
- if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, type, version,
- ssl->s3->read_sequence, (uint8_t *)CBS_data(&body),
- CBS_len(&body))) {
- if (ssl->s3->skip_early_data &&
- ssl->s3->aead_read_ctx != NULL) {
+ if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence,
+ (uint8_t *)CBS_data(&body),
+ CBS_len(&body))) {
+ if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) {
ERR_clear_error();
goto skipped_data;
}
@@ -277,8 +275,8 @@
}
/* TLS 1.3 hides the record type inside the encrypted data. */
- if (ssl->s3->aead_read_ctx != NULL &&
- ssl->s3->aead_read_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_read_ctx->is_null_cipher() &&
+ ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) {
/* The outer record type is always application_data. */
if (type != SSL3_RT_APPLICATION_DATA) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
@@ -359,8 +357,8 @@
/* TLS 1.3 hides the actual record type inside the encrypted data. */
uint8_t *extra_in = NULL;
size_t extra_in_len = 0;
- if (ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
extra_in = &type;
extra_in_len = 1;
out_prefix[0] = SSL3_RT_APPLICATION_DATA;
@@ -383,18 +381,17 @@
out_prefix[2] = wire_version & 0xff;
/* Write the ciphertext, leaving two bytes for the length. */
- if (!SSL_AEAD_CTX_seal_scatter(
- ssl->s3->aead_write_ctx, out_prefix + SSL3_RT_HEADER_LENGTH, out,
- out_suffix, out_suffix_len, max_out_suffix_len, type, wire_version,
- ssl->s3->write_sequence, in, in_len, extra_in, extra_in_len) ||
+ if (!ssl->s3->aead_write_ctx->SealScatter(
+ out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix, out_suffix_len,
+ max_out_suffix_len, type, wire_version, ssl->s3->write_sequence, in,
+ in_len, extra_in, extra_in_len) ||
!ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {
return 0;
}
/* Fill in the length. */
const size_t ciphertext_len =
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) + in_len +
- *out_suffix_len;
+ ssl->s3->aead_write_ctx->ExplicitNonceLen() + in_len + *out_suffix_len;
if (ciphertext_len >= 1 << 15) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
return 0;
@@ -416,10 +413,10 @@
* will be placed in the prefix, as will four of the five bytes of the
* record header for the main record. The final byte will replace the first
* byte of the plaintext that was used in the small record. */
- ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
+ ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
ret += SSL3_RT_HEADER_LENGTH - 1;
} else {
- ret += SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ ret += ssl->s3->aead_write_ctx->ExplicitNonceLen();
}
return ret;
}
@@ -427,7 +424,7 @@
/* tls_seal_scatter_record seals a new record of type |type| and body |in| and
* splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
* |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
- * bytes to |out|, and up to 1 + |SSL_AEAD_CTX_max_overhead| bytes to
+ * bytes to |out|, and up to 1 + |SSLAEADContext::MaxOverhead| bytes to
* |out_suffix|. |*out_suffix_len| is set to the actual number of bytes written
* to |out_suffix|. It returns one on success and zero on error. If enabled,
* |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
@@ -438,7 +435,7 @@
const uint8_t *in, size_t in_len) {
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- assert(SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) == 0);
+ assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
/* Write the 1-byte fragment into |out_prefix|. */
@@ -447,8 +444,7 @@
/* TODO(martinkr): Make AEAD code not complain if max_suffix_len is lower
* than |EVP_AEAD_max_overhead| but still sufficiently large. */
- size_t split_max_suffix_len =
- SSL_AEAD_CTX_max_suffix_len(ssl->s3->aead_write_ctx, 0);
+ size_t split_max_suffix_len = ssl->s3->aead_write_ctx->MaxSuffixLen(0);
size_t split_suffix_len = 0;
if (!do_seal_record(ssl, out_prefix, split_body, split_suffix,
&split_suffix_len, split_max_suffix_len, type, in, 1)) {
@@ -458,7 +454,7 @@
size_t split_record_len = prefix_len + 1 + split_suffix_len;
assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
- ssl->s3->aead_write_ctx->cipher) ==
+ ssl->s3->aead_write_ctx->cipher()) ==
split_record_len);
/* Write the n-1-byte fragment. The header gets split between |out_prefix|
@@ -583,10 +579,10 @@
}
size_t ret = SSL3_RT_HEADER_LENGTH;
- ret += SSL_AEAD_CTX_max_overhead(ssl->s3->aead_write_ctx);
+ ret += ssl->s3->aead_write_ctx->MaxOverhead();
/* TLS 1.3 needs an extra byte for the encrypted record type. */
- if (ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
ret += 1;
}
if (ssl_needs_record_splitting(ssl)) {
