Implement all TLS ciphers with stateful AEADs.

The EVP_CIPHER codepath should no longer be used with TLS. It still exists for
DTLS and SSLv3. The AEAD construction in TLS does not allow for
variable-overhead AEADs, so stateful AEADs do not include the length in the ad
parameter. Rather the AEADs internally append the unpadded length once it is
known. EVP_aead_rc4_md5_tls is modified to account for this.

Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The
cipher tests are all moved into crypto/cipher/test because there's now a lot of
them and they clutter the directory listing.

In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs
with a fixed IV component, and for AEADs which use a random nonce (for the
explicit-IV CBC mode ciphers).

The new implementation fixes a bug/quirk in stateless CBC mode ciphers where
the fixed IV portion of the key block was generated regardless. That portion is
at the end of the key block, so it's only relevant for EAP-TLS, which generates
an MSK from the end of the key block.

Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334
Reviewed-on: https://boringssl-review.googlesource.com/2692
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/aead.h b/include/openssl/aead.h
index ad2bbf7..7bc505a 100644
--- a/include/openssl/aead.h
+++ b/include/openssl/aead.h
@@ -104,7 +104,7 @@
 /* EVP_aead_aes_128_key_wrap is AES-128 Key Wrap mode. This should never be
  * used except to interoperate with existing systems that use this mode.
  *
- * If the nonce is emtpy then the default nonce will be used, otherwise it must
+ * If the nonce is empty then the default nonce will be used, otherwise it must
  * be eight bytes long. The input must be a multiple of eight bytes long. No
  * additional data can be given to this mode. */
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);
@@ -124,13 +124,24 @@
  *
  * These AEAD primitives do not meet the definition of generic AEADs. They are
  * all specific to TLS in some fashion and should not be used outside of that
- * context. */
+ * context. They require an additional data of length 11 (the standard TLS one
+ * with the length omitted). They are also stateful, so a given |EVP_AEAD_CTX|
+ * may only be used for one of seal or open, but not both. */
 
-/* EVP_aead_rc4_md5_tls uses RC4 and HMAC(MD5) in MAC-then-encrypt mode. Unlike
- * a standard AEAD, this is stateful as the RC4 state is carried from operation
- * to operation. */
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
 
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);
+
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
 
 /* Utility functions. */
 
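Review bot: The new `_tls` declarations from `EVP_aead_rc4_sha1_tls` through `EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv` have no per-function comment, and the only per-function note (on `EVP_aead_rc4_md5_tls`, naming it MAC-then-encrypt) is removed. The header therefore no longer says how the `_implicit_iv` variants differ from the others, or what nonce and key layout each expects. The group comment also says a context may serve only one of seal or open, but not what a caller observes on misuse; presumably that is what the new `CIPHER_R_INVALID_OPERATION` reports, which should be confirmed and stated. I would keep the MAC-then-encrypt wording in the group comment and add one line above each family, along the lines of `/* The _implicit_iv variants are for TLS 1.0-style CBC, where the IV is not sent with each record; the others take the per-record IV as the nonce. */`, with the wording checked against the implementation.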
@@ -163,9 +174,17 @@
   void *aead_state;
 } EVP_AEAD_CTX;
 
+/* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
+ * any AEAD defined in this header. */
+#define EVP_AEAD_MAX_KEY_LENGTH 80
+
+/* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
+ * any AEAD defined in this header. */
+#define EVP_AEAD_MAX_NONCE_LENGTH 16
+
 /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
  * defined in this header. */
-#define EVP_AEAD_MAX_OVERHEAD 16
+#define EVP_AEAD_MAX_OVERHEAD 64
 
 /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to
  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should
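Review bot: `EVP_AEAD_MAX_KEY_LENGTH`, `EVP_AEAD_MAX_NONCE_LENGTH` and `EVP_AEAD_MAX_OVERHEAD` are hand-maintained literals, and nothing in this hunk ties them to the values the AEADs actually report. These constants look intended for sizing caller buffers, so an AEAD added later that exceeds one of them would surface as an out-of-bounds write rather than a build or test failure. I would name the AEAD that sets each maximum in its comment (80 and 64 presumably come from the SHA-384 CBC suite, to be confirmed). A test should also loop over every `EVP_aead_*()` in this header and check `EVP_AEAD_key_length(aead) <= EVP_AEAD_MAX_KEY_LENGTH`, with the same check for `EVP_AEAD_nonce_length` and `EVP_AEAD_max_overhead`. Callers that hard-coded the old overhead of 16 instead of using the macro also need auditing, since the value has quadrupled.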
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index b496c85..1b714e7 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -522,6 +522,10 @@
 #define CIPHER_F_aead_aes_key_wrap_init 120
 #define CIPHER_F_aead_aes_key_wrap_open 121
 #define CIPHER_F_EVP_CIPHER_CTX_set_key_length 122
+#define CIPHER_F_aead_tls_init 123
+#define CIPHER_F_aead_tls_open 124
+#define CIPHER_F_aead_tls_seal 125
+#define CIPHER_F_aead_tls_ensure_cipher_init 126
 #define CIPHER_R_WRAP_MODE_NOT_ALLOWED 100
 #define CIPHER_R_AES_KEY_SETUP_FAILED 101
 #define CIPHER_R_INPUT_NOT_INITIALIZED 102
@@ -546,5 +550,7 @@
 #define CIPHER_R_UNSUPPORTED_AD_SIZE 121
 #define CIPHER_R_UNSUPPORTED_NONCE_SIZE 122
 #define CIPHER_R_INVALID_KEY_LENGTH 123
+#define CIPHER_R_INVALID_OPERATION 124
+#define CIPHER_R_INVALID_NONCE_SIZE 125
 
 #endif  /* OPENSSL_HEADER_CIPHER_H */
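Review bot: `CIPHER_R_INVALID_NONCE_SIZE` is added next to the existing `CIPHER_R_UNSUPPORTED_NONCE_SIZE`, and nothing visible here says when each is raised. Two near-synonymous reason codes make it harder for callers and log readers to tell a caller bug from an unsupported configuration. Either reuse the existing code in the new AEADs or document the distinction where the new one is raised, which is outside this hunk.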
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 960bc86..201f1e4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2434,6 +2434,7 @@
 #define SSL_F_SSL_connect 294
 #define SSL_F_ssl3_get_v2_client_hello 295
 #define SSL_F_ssl3_get_initial_bytes 296
+#define SSL_F_tls1_enc 297
 #define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 100
 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 101
 #define SSL_R_INVALID_NULL_CMD_NAME 102
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 34c483e..ae6c52c 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -468,7 +468,9 @@
 		const EVP_AEAD *new_aead;
 		const EVP_MD *new_hash;
 		int new_mac_pkey_type;
-		int new_mac_secret_size;
+		uint8_t new_mac_secret_len;
+		uint8_t new_fixed_iv_len;
+		uint8_t new_variable_iv_len;
 
 		/* Server-only: cert_request is true if a client certificate was
 		 * requested. */
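Review bot: Narrowing `new_mac_secret_size` from `int` to the `uint8_t` fields `new_mac_secret_len`, `new_fixed_iv_len` and `new_variable_iv_len` means any assignment from a `size_t` or `int` length truncates silently, and these values presumably drive how the key block is sliced. The assignment site is outside this hunk; it should reject values above 255 before storing, for example `if (mac_secret_len > 0xff || fixed_iv_len > 0xff) { /* fail the handshake */ }`. The enclosing struct starts and ends outside the hunk, and the three fields are undocumented, so I would also add `/* Lengths in bytes of the MAC secret, fixed IV and per-record IV for the pending cipher state. */` above them, with the wording confirmed against the code that sets them. The rename also needs checking against any remaining readers of `new_mac_secret_size` on the DTLS and SSLv3 path that the description says still exists.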