Commit ec07b1d8 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Add CCM mode support for TLS 1.3 



Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
parent aa24c47c

ssl/record/ssl3_record_tls13.c

+21 −16
Original line number Diff line number Diff line
@@ -24,7 +24,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) 
{

    EVP_CIPHER_CTX *ctx;

    unsigned char iv[EVP_MAX_IV_LENGTH];

    size_t ivlen, offset, loop;

    size_t ivlen, taglen, offset, loop;

    unsigned char *staticiv;

    unsigned char *seq;

    int lenu, lenf;
@@ -53,21 +53,27 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) 
    }

    ivlen = EVP_CIPHER_CTX_iv_length(ctx);



    if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CCM_MODE) {

        if (s->s3->tmp.new_cipher->algorithm_enc

                & (SSL_AES128CCM8 | SSL_AES256CCM8))

            taglen = EVP_CCM8_TLS_TAG_LEN;

         else

            taglen = EVP_CCM_TLS_TAG_LEN;

         if (send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen,

                                         NULL) <= 0)

            return -1;

    } else {

        taglen = EVP_GCM_TLS_TAG_LEN;

    }



    if (!send) {

        /*

         * Take off tag. There must be at least one byte of content type as

         * well as the tag

         */

        /*

         * TODO(TLS1.3): We're going to need to figure out the tag len based on

         * the cipher. For now we just support GCM tags.

         * TODO(TLS1.3): When we've swapped over the record layer to TLSv1.3

         * then the length must be 1 + the tag len to account for the content

         * byte that we know must have been encrypted.

         */

        if (rec->length < EVP_GCM_TLS_TAG_LEN)

        if (rec->length < taglen + 1)

            return 0;

        rec->length -= EVP_GCM_TLS_TAG_LEN;

        rec->length -= taglen;

    }



    /* Set up IV */
@@ -93,22 +99,21 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) 


    /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */

    if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0

            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,

                                (unsigned int)rec->length) <= 0

            || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,

                                             EVP_GCM_TLS_TAG_LEN,

                                             taglen,

                                             rec->data + rec->length) <= 0)

            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,

                                (unsigned int)rec->length) <= 0

            || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0

            || (size_t)(lenu + lenf) != rec->length) {

        return -1;

    }



    if (send) {

        /* Add the tag */

        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, EVP_GCM_TLS_TAG_LEN,

        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,

                                rec->data + rec->length) <= 0)

            return -1;

        rec->length += EVP_GCM_TLS_TAG_LEN;

        rec->length += taglen;

    }



    return 1;

ssl/t1_enc.c

+2 −2
Original line number Diff line number Diff line
@@ -281,9 +281,9 @@ int tls1_change_cipher_state(SSL *s, int which) 
        int taglen;

        if (s->s3->tmp.

            new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))

            taglen = 8;

            taglen = EVP_CCM8_TLS_TAG_LEN;

        else

            taglen = 16;

            taglen = EVP_CCM_TLS_TAG_LEN;

        if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))

            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)

            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)

ssl/tls13_enc.c

+18 −4
Original line number Diff line number Diff line
@@ -264,7 +264,7 @@ int tls13_change_cipher_state(SSL *s, int which) 
    const char *log_label = NULL;

    EVP_CIPHER_CTX *ciph_ctx;

    const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;

    size_t ivlen, keylen, finsecretlen = 0;

    size_t ivlen, keylen, taglen, finsecretlen = 0;

    const unsigned char *label;

    size_t labellen, hashlen = 0;

    int ret = 0;
@@ -373,7 +373,17 @@ int tls13_change_cipher_state(SSL *s, int which) 


    /* TODO(size_t): convert me */

    keylen = EVP_CIPHER_key_length(ciph);

    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {

        ivlen = EVP_CCM_TLS_IV_LEN;

        if (s->s3->tmp.new_cipher->algorithm_enc

                & (SSL_AES128CCM8 | SSL_AES256CCM8))

            taglen = EVP_CCM8_TLS_TAG_LEN;

         else

            taglen = EVP_CCM_TLS_TAG_LEN;

    } else {

        ivlen = EVP_CIPHER_iv_length(ciph);

        taglen = 0;

    }



    if (!ssl_log_secret(s, log_label, secret, hashlen)) {

        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
@@ -391,8 +401,12 @@ int tls13_change_cipher_state(SSL *s, int which) 
        goto err;

    }



    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL,

                          (which & SSL3_CC_WRITE)) <= 0) {

    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL,

                          (which & SSL3_CC_WRITE)) <= 0

        || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)

        || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,

                                                taglen, NULL))

        || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {

        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);

        goto err;

    }