kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
1673 Commits
12 Branches
38 MiB
Struktur: b2d987b47c
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „b2d987b47c“
${ noResults }
boringssl/ssl/ssl_aead_ctx.c

ssl_aead_ctx.c 8.7 KiB
Originalformat Normale Ansicht Verlauf

Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Fold away SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD. It's a property of just algorithm_enc and hopefully AES-GCM will continue to be the only true AEAD that requires this. Simpler to just keep it in ssl_aead_ctx.c. Change-Id: Ib7c060a3de2fa8590b2dc36c23a5d5fabff43b07 Reviewed-on: https://boringssl-review.googlesource.com/5613 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
Factor SSL_AEAD_CTX into a dedicated type. tls1_enc is now SSL_AEAD_CTX_{open,seal}. This starts tidying up a bit of the record-layer logic. This removes rr->input, as encrypting and decrypting records no longer refers to various globals. It also removes wrec altogether. SSL3_RECORD is now only used to maintain state about the current incoming record. Outgoing records go straight to the write buffer. This also removes the outgoing alignment memcpy and simply calls SSL_AEAD_CTX_seal with the parameters as appropriate. From bssl speed tests, this seems to be faster on non-ARM and a bit of a wash on ARM. Later it may be worth recasting these open/seal functions to write into a CBB (tweaked so it can be malloc-averse), but for now they take an out/out_len/max_out trio like their EVP_AEAD counterparts. BUG=468889 Change-Id: Ie9266a818cc053f695d35ef611fd74c5d4def6c3 Reviewed-on: https://boringssl-review.googlesource.com/4792 Reviewed-by: Adam Langley <agl@google.com>
vor 9 Jahren
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258 
  1. /* Copyright (c) 2015, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <assert.h>

  16. #include <string.h>

  17. 

  18. #include <openssl/aead.h>

  19. #include <openssl/err.h>

  20. #include <openssl/rand.h>

  21. #include <openssl/type_check.h>

  22. 

  23. #include "internal.h"

  24. 

  25. 

  26. OPENSSL_COMPILE_ASSERT(EVP_AEAD_MAX_NONCE_LENGTH < 256,

  27.                        variable_nonce_len_doesnt_fit_in_uint8_t);

  28. 

  29. SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,

  30.                                uint16_t version, const SSL_CIPHER *cipher,

  31.                                const uint8_t *enc_key, size_t enc_key_len,

  32.                                const uint8_t *mac_key, size_t mac_key_len,

  33.                                const uint8_t *fixed_iv, size_t fixed_iv_len) {

  34.   const EVP_AEAD *aead;

  35.   size_t discard;

  36.   if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, cipher, version)) {

  37.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  38.     return 0;

  39.   }

  40. 

  41.   uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];

  42.   if (mac_key_len > 0) {

  43.     /* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher

  44.      * suites). */

  45.     if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) {

  46.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  47.       return 0;

  48.     }

  49.     memcpy(merged_key, mac_key, mac_key_len);

  50.     memcpy(merged_key + mac_key_len, enc_key, enc_key_len);

  51.     memcpy(merged_key + mac_key_len + enc_key_len, fixed_iv, fixed_iv_len);

  52.     enc_key = merged_key;

  53.     enc_key_len += mac_key_len;

  54.     enc_key_len += fixed_iv_len;

  55.   }

  56. 

  57.   SSL_AEAD_CTX *aead_ctx = (SSL_AEAD_CTX *)OPENSSL_malloc(sizeof(SSL_AEAD_CTX));

  58.   if (aead_ctx == NULL) {

  59.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  60.     return NULL;

  61.   }

  62.   memset(aead_ctx, 0, sizeof(SSL_AEAD_CTX));

  63.   aead_ctx->cipher = cipher;

  64. 

  65.   if (!EVP_AEAD_CTX_init_with_direction(

  66.           &aead_ctx->ctx, aead, enc_key, enc_key_len,

  67.           EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) {

  68.     OPENSSL_free(aead_ctx);

  69.     return NULL;

  70.   }

  71. 

  72.   assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH);

  73.   aead_ctx->variable_nonce_len = (uint8_t)EVP_AEAD_nonce_length(aead);

  74.   if (mac_key_len == 0) {

  75.     /* For a real AEAD, the IV is the fixed part of the nonce. */

  76.     if (fixed_iv_len > sizeof(aead_ctx->fixed_nonce) ||

  77.         fixed_iv_len > aead_ctx->variable_nonce_len) {

  78.       SSL_AEAD_CTX_free(aead_ctx);

  79.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  80.       return 0;

  81.     }

  82.     aead_ctx->variable_nonce_len -= fixed_iv_len;

  83. 

  84.     memcpy(aead_ctx->fixed_nonce, fixed_iv, fixed_iv_len);

  85.     aead_ctx->fixed_nonce_len = fixed_iv_len;

  86.     /* AES-GCM uses an explicit nonce. */

  87.     if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {

  88.       aead_ctx->variable_nonce_included_in_record = 1;

  89.     }

  90.   } else {

  91.     aead_ctx->variable_nonce_included_in_record = 1;

  92.     aead_ctx->random_variable_nonce = 1;

  93.     aead_ctx->omit_length_in_ad = 1;

  94.     aead_ctx->omit_version_in_ad = (version == SSL3_VERSION);

  95.   }

  96. 

  97.   return aead_ctx;

  98. }

  99. 

  100. void SSL_AEAD_CTX_free(SSL_AEAD_CTX *aead) {

  101.   if (aead == NULL) {

  102.     return;

  103.   }

  104.   EVP_AEAD_CTX_cleanup(&aead->ctx);

  105.   OPENSSL_free(aead);

  106. }

  107. 

  108. size_t SSL_AEAD_CTX_explicit_nonce_len(SSL_AEAD_CTX *aead) {

  109.   if (aead != NULL && aead->variable_nonce_included_in_record) {

  110.     return aead->variable_nonce_len;

  111.   }

  112.   return 0;

  113. }

  114. 

  115. size_t SSL_AEAD_CTX_max_overhead(SSL_AEAD_CTX *aead) {

  116.   if (aead == NULL) {

  117.     return 0;

  118.   }

  119.   return EVP_AEAD_max_overhead(aead->ctx.aead) +

  120.       SSL_AEAD_CTX_explicit_nonce_len(aead);

  121. }

  122. 

  123. /* ssl_aead_ctx_get_ad writes the additional data for |aead| into |out| and

  124.  * returns the number of bytes written. */

  125. static size_t ssl_aead_ctx_get_ad(SSL_AEAD_CTX *aead, uint8_t out[13],

  126.                                   uint8_t type, uint16_t wire_version,

  127.                                   const uint8_t seqnum[8],

  128.                                   size_t plaintext_len) {

  129.   memcpy(out, seqnum, 8);

  130.   size_t len = 8;

  131.   out[len++] = type;

  132.   if (!aead->omit_version_in_ad) {

  133.     out[len++] = (uint8_t)(wire_version >> 8);

  134.     out[len++] = (uint8_t)wire_version;

  135.   }

  136.   if (!aead->omit_length_in_ad) {

  137.     out[len++] = (uint8_t)(plaintext_len >> 8);

  138.     out[len++] = (uint8_t)plaintext_len;

  139.   }

  140.   return len;

  141. }

  142. 

  143. int SSL_AEAD_CTX_open(SSL_AEAD_CTX *aead, uint8_t *out, size_t *out_len,

  144.                       size_t max_out, uint8_t type, uint16_t wire_version,

  145.                       const uint8_t seqnum[8], const uint8_t *in,

  146.                       size_t in_len) {

  147.   if (aead == NULL) {

  148.     /* Handle the initial NULL cipher. */

  149.     if (in_len > max_out) {

  150.       OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  151.       return 0;

  152.     }

  153.     memmove(out, in, in_len);

  154.     *out_len = in_len;

  155.     return 1;

  156.   }

  157. 

  158.   /* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed

  159.    * overhead. Otherwise the parameter is unused. */

  160.   size_t plaintext_len = 0;

  161.   if (!aead->omit_length_in_ad) {

  162.     size_t overhead = SSL_AEAD_CTX_max_overhead(aead);

  163.     if (in_len < overhead) {

  164.       /* Publicly invalid. */

  165.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);

  166.       return 0;

  167.     }

  168.     plaintext_len = in_len - overhead;

  169.   }

  170.   uint8_t ad[13];

  171.   size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum,

  172.                                       plaintext_len);

  173. 

  174.   /* Assemble the nonce. */

  175.   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];

  176.   size_t nonce_len = 0;

  177.   memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);

  178.   nonce_len += aead->fixed_nonce_len;

  179.   if (aead->variable_nonce_included_in_record) {

  180.     if (in_len < aead->variable_nonce_len) {

  181.       /* Publicly invalid. */

  182.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);

  183.       return 0;

  184.     }

  185.     memcpy(nonce + nonce_len, in, aead->variable_nonce_len);

  186.     in += aead->variable_nonce_len;

  187.     in_len -= aead->variable_nonce_len;

  188.   } else {

  189.     assert(aead->variable_nonce_len == 8);

  190.     memcpy(nonce + nonce_len, seqnum, aead->variable_nonce_len);

  191.   }

  192.   nonce_len += aead->variable_nonce_len;

  193. 

  194.   return EVP_AEAD_CTX_open(&aead->ctx, out, out_len, max_out, nonce, nonce_len,

  195.                            in, in_len, ad, ad_len);

  196. }

  197. 

  198. int SSL_AEAD_CTX_seal(SSL_AEAD_CTX *aead, uint8_t *out, size_t *out_len,

  199.                       size_t max_out, uint8_t type, uint16_t wire_version,

  200.                       const uint8_t seqnum[8], const uint8_t *in,

  201.                       size_t in_len) {

  202.   if (aead == NULL) {

  203.     /* Handle the initial NULL cipher. */

  204.     if (in_len > max_out) {

  205.       OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  206.       return 0;

  207.     }

  208.     memmove(out, in, in_len);

  209.     *out_len = in_len;

  210.     return 1;

  211.   }

  212. 

  213.   uint8_t ad[13];

  214.   size_t ad_len = ssl_aead_ctx_get_ad(aead, ad, type, wire_version, seqnum,

  215.                                       in_len);

  216. 

  217.   /* Assemble the nonce. */

  218.   uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];

  219.   size_t nonce_len = 0;

  220.   memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);

  221.   nonce_len += aead->fixed_nonce_len;

  222.   if (aead->random_variable_nonce) {

  223.     assert(aead->variable_nonce_included_in_record);

  224.     if (!RAND_bytes(nonce + nonce_len, aead->variable_nonce_len)) {

  225.       return 0;

  226.     }

  227.   } else {

  228.     /* When sending we use the sequence number as the variable part of the

  229.      * nonce. */

  230.     assert(aead->variable_nonce_len == 8);

  231.     memcpy(nonce + nonce_len, ad, aead->variable_nonce_len);

  232.   }

  233.   nonce_len += aead->variable_nonce_len;

  234. 

  235.   /* Emit the variable nonce if included in the record. */

  236.   size_t extra_len = 0;

  237.   if (aead->variable_nonce_included_in_record) {

  238.     if (max_out < aead->variable_nonce_len) {

  239.       OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  240.       return 0;

  241.     }

  242.     if (out < in + in_len && in < out + aead->variable_nonce_len) {

  243.       OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);

  244.       return 0;

  245.     }

  246.     memcpy(out, nonce + aead->fixed_nonce_len, aead->variable_nonce_len);

  247.     extra_len = aead->variable_nonce_len;

  248.     out += aead->variable_nonce_len;

  249.     max_out -= aead->variable_nonce_len;

  250.   }

  251. 

  252.   if (!EVP_AEAD_CTX_seal(&aead->ctx, out, out_len, max_out, nonce, nonce_len,

  253.                          in, in_len, ad, ad_len)) {

  254.     return 0;

  255.   }

  256.   *out_len += extra_len;

  257.   return 1;

  258. }