Implement all TLS ciphers with stateful AEADs.
The EVP_CIPHER codepath should no longer be used with TLS. It still exists for
DTLS and SSLv3. The AEAD construction in TLS does not allow for
variable-overhead AEADs, so stateful AEADs do not include the length in the ad
parameter. Rather the AEADs internally append the unpadded length once it is
known. EVP_aead_rc4_md5_tls is modified to account for this.
Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The
cipher tests are all moved into crypto/cipher/test because there's now a lot of
them and they clutter the directory listing.
In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs
with a fixed IV component, and for AEADs which use a random nonce (for the
explicit-IV CBC mode ciphers).
The new implementation fixes a bug/quirk in stateless CBC mode ciphers where
the fixed IV portion of the keyblock was generated regardless. This is at the
end, so it's only relevant for EAP-TLS which generates a MSK from the end of
the key block.
Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334
Reviewed-on: https://boringssl-review.googlesource.com/2692
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index fb8c047..d5f9c68 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -142,8 +142,10 @@
#include <assert.h>
#include <openssl/engine.h>
+#include <openssl/md5.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/sha.h>
#include "ssl_locl.h"
@@ -241,49 +243,109 @@
{0, SSL_TXT_FIPS, 0, 0, 0, 0, 0, 0, SSL_FIPS, 0, 0, 0},
};
-/* ssl_cipher_get_evp_aead sets |*aead| to point to the correct EVP_AEAD object
- * for |s->cipher|. It returns 1 on success and 0 on error. */
-int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) {
- const SSL_CIPHER *c = s->cipher;
+int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
+ size_t *out_mac_secret_len,
+ size_t *out_fixed_iv_len,
+ const SSL_CIPHER *cipher, uint16_t version) {
+ *out_aead = NULL;
+ *out_mac_secret_len = 0;
+ *out_fixed_iv_len = 0;
- *aead = NULL;
-
- if (c == NULL) {
- return 0;
- }
-
- if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0 &&
- (c->algorithm2 & SSL_CIPHER_ALGORITHM2_STATEFUL_AEAD) == 0) {
- return 0;
- }
-
- switch (c->algorithm_enc) {
+ switch (cipher->algorithm_enc) {
case SSL_AES128GCM:
- *aead = EVP_aead_aes_128_gcm();
+ *out_aead = EVP_aead_aes_128_gcm();
+ *out_fixed_iv_len = 4;
return 1;
case SSL_AES256GCM:
- *aead = EVP_aead_aes_256_gcm();
+ *out_aead = EVP_aead_aes_256_gcm();
+ *out_fixed_iv_len = 4;
return 1;
case SSL_CHACHA20POLY1305:
- *aead = EVP_aead_chacha20_poly1305();
+ *out_aead = EVP_aead_chacha20_poly1305();
+ *out_fixed_iv_len = 0;
return 1;
case SSL_RC4:
- if (c->algorithm_mac != SSL_MD5) {
- return 0;
+ switch (cipher->algorithm_mac) {
+ case SSL_MD5:
+ *out_aead = EVP_aead_rc4_md5_tls();
+ *out_mac_secret_len = MD5_DIGEST_LENGTH;
+ return 1;
+ case SSL_SHA1:
+ *out_aead = EVP_aead_rc4_sha1_tls();
+ *out_mac_secret_len = SHA_DIGEST_LENGTH;
+ return 1;
+ default:
+ return 0;
}
- *aead = EVP_aead_rc4_md5_tls();
- return 1;
- }
- return 0;
+ case SSL_AES128:
+ switch (cipher->algorithm_mac) {
+ case SSL_SHA1:
+ if (version <= TLS1_VERSION) {
+ *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
+ *out_fixed_iv_len = 16;
+ } else {
+ *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
+ }
+ *out_mac_secret_len = SHA_DIGEST_LENGTH;
+ return 1;
+ case SSL_SHA256:
+ *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
+ *out_mac_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+ default:
+ return 0;
+ }
+
+ case SSL_AES256:
+ switch (cipher->algorithm_mac) {
+ case SSL_SHA1:
+ if (version <= TLS1_VERSION) {
+ *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
+ *out_fixed_iv_len = 16;
+ } else {
+ *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
+ }
+ *out_mac_secret_len = SHA_DIGEST_LENGTH;
+ return 1;
+ case SSL_SHA256:
+ *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
+ *out_mac_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+ case SSL_SHA384:
+ *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
+ *out_mac_secret_len = SHA384_DIGEST_LENGTH;
+ return 1;
+ default:
+ return 0;
+ }
+
+ case SSL_3DES:
+ switch (cipher->algorithm_mac) {
+ case SSL_SHA1:
+ if (version <= TLS1_VERSION) {
+ *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
+ *out_fixed_iv_len = 8;
+ } else {
+ *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
+ }
+ *out_mac_secret_len = SHA_DIGEST_LENGTH;
+ return 1;
+ default:
+ return 0;
+ }
+
+ default:
+ return 0;
+ }
}
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type,
- int *mac_secret_size) {
+ size_t *mac_secret_size) {
const SSL_CIPHER *c;
c = s->cipher;
@@ -347,7 +409,7 @@
}
int ssl_cipher_get_mac(const SSL_SESSION *s, const EVP_MD **md,
- int *mac_pkey_type, int *mac_secret_size) {
+ int *mac_pkey_type, size_t *mac_secret_size) {
const SSL_CIPHER *c;
c = s->cipher;
