From ec07b1d872300f347c436ff5e549b94f79c0fa63 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 3 Feb 2017 02:44:15 +0000 Subject: [PATCH] Add CCM mode support for TLS 1.3 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2550) --- ssl/record/ssl3_record_tls13.c | 37 +++++++++++++++++++--------------- ssl/t1_enc.c | 4 ++-- ssl/tls13_enc.c | 22 ++++++++++++++++---- 3 files changed, 41 insertions(+), 22 deletions(-) diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 2099e79022..e3765ded93 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -24,7 +24,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; - size_t ivlen, offset, loop; + size_t ivlen, taglen, offset, loop; unsigned char *staticiv; unsigned char *seq; int lenu, lenf; @@ -53,21 +53,27 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) } ivlen = EVP_CIPHER_CTX_iv_length(ctx); + if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CCM_MODE) { + if (s->s3->tmp.new_cipher->algorithm_enc + & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; + else + taglen = EVP_CCM_TLS_TAG_LEN; + if (send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, + NULL) <= 0) + return -1; + } else { + taglen = EVP_GCM_TLS_TAG_LEN; + } + if (!send) { /* * Take off tag. There must be at least one byte of content type as * well as the tag */ - /* - * TODO(TLS1.3): We're going to need to figure out the tag len based on - * the cipher. For now we just support GCM tags. - * TODO(TLS1.3): When we've swapped over the record layer to TLSv1.3 - * then the length must be 1 + the tag len to account for the content - * byte that we know must have been encrypted. - */ - if (rec->length < EVP_GCM_TLS_TAG_LEN) + if (rec->length < taglen + 1) return 0; - rec->length -= EVP_GCM_TLS_TAG_LEN; + rec->length -= taglen; } /* Set up IV */ @@ -93,22 +99,21 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send) /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */ if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0 - || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, - (unsigned int)rec->length) <= 0 || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, - EVP_GCM_TLS_TAG_LEN, + taglen, rec->data + rec->length) <= 0) + || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input, + (unsigned int)rec->length) <= 0 || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0 || (size_t)(lenu + lenf) != rec->length) { return -1; } - if (send) { /* Add the tag */ - if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, EVP_GCM_TLS_TAG_LEN, + if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, rec->data + rec->length) <= 0) return -1; - rec->length += EVP_GCM_TLS_TAG_LEN; + rec->length += taglen; } return 1; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index d97b9a8ea9..ebdc0fbd52 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -281,9 +281,9 @@ int tls1_change_cipher_state(SSL *s, int which) int taglen; if (s->s3->tmp. new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) - taglen = 8; + taglen = EVP_CCM8_TLS_TAG_LEN; else - taglen = 16; + taglen = EVP_CCM_TLS_TAG_LEN; if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 0d29dae042..ebfeecdfb2 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -264,7 +264,7 @@ int tls13_change_cipher_state(SSL *s, int which) const char *log_label = NULL; EVP_CIPHER_CTX *ciph_ctx; const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc; - size_t ivlen, keylen, finsecretlen = 0; + size_t ivlen, keylen, taglen, finsecretlen = 0; const unsigned char *label; size_t labellen, hashlen = 0; int ret = 0; @@ -373,7 +373,17 @@ int tls13_change_cipher_state(SSL *s, int which) /* TODO(size_t): convert me */ keylen = EVP_CIPHER_key_length(ciph); - ivlen = EVP_CIPHER_iv_length(ciph); + if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { + ivlen = EVP_CCM_TLS_IV_LEN; + if (s->s3->tmp.new_cipher->algorithm_enc + & (SSL_AES128CCM8 | SSL_AES256CCM8)) + taglen = EVP_CCM8_TLS_TAG_LEN; + else + taglen = EVP_CCM_TLS_TAG_LEN; + } else { + ivlen = EVP_CIPHER_iv_length(ciph); + taglen = 0; + } if (!ssl_log_secret(s, log_label, secret, hashlen)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); @@ -391,8 +401,12 @@ int tls13_change_cipher_state(SSL *s, int which) goto err; } - if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL, - (which & SSL3_CC_WRITE)) <= 0) { + if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, + (which & SSL3_CC_WRITE)) <= 0 + || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) + || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, + taglen, NULL)) + || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB); goto err; } -- 2.25.1