Adding TLS 1.3 AEAD construction.
The TLS 1.3 spec has an explicit nonce construction for AEADs that
requires xoring the IV and sequence number.
Change-Id: I77145e12f7946ffb35ebeeb9b2947aa51058cbe9
Reviewed-on: https://boringssl-review.googlesource.com/8042
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index f3b6d01..5d003f9 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -283,6 +283,8 @@
/* omit_version_in_ad is non-zero if the version should be omitted
* in the AEAD's ad parameter. */
char omit_version_in_ad;
+ /* omit_ad is non-zero if the AEAD's ad parameter should be omitted. */
+ char omit_ad;
/* xor_fixed_nonce is non-zero if the fixed nonce should be XOR'd into the
* variable nonce rather than prepended. */
char xor_fixed_nonce;
diff --git a/ssl/ssl_aead_ctx.c b/ssl/ssl_aead_ctx.c
index 4de9d45..1e549ea 100644
--- a/ssl/ssl_aead_ctx.c
+++ b/ssl/ssl_aead_ctx.c
@@ -92,6 +92,15 @@
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
aead_ctx->variable_nonce_included_in_record = 1;
}
+
+ /* The TLS 1.3 construction XORs the fixed nonce into the sequence number
+ * and omits the additional data. */
+ if (version >= TLS1_3_VERSION) {
+ aead_ctx->xor_fixed_nonce = 1;
+ aead_ctx->variable_nonce_len = 8;
+ aead_ctx->variable_nonce_included_in_record = 0;
+ aead_ctx->omit_ad = 1;
+ }
} else {
aead_ctx->variable_nonce_included_in_record = 1;
aead_ctx->random_variable_nonce = 1;
@@ -139,6 +148,10 @@
uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8],
size_t plaintext_len) {
+ if (aead->omit_ad) {
+ return 0;
+ }
+
memcpy(out, seqnum, 8);
size_t len = 8;
out[len++] = type;