Add CCM mode support for TLS 1.3

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)

diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index 2099e7902247ea83f6553547ecae40e94a098b25..e3765ded93535d97e6bace8fcf9bd1d4ef9d8c51 100644 (file)
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -24,7 +24,7 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
 {
     EVP_CIPHER_CTX *ctx;
     unsigned char iv[EVP_MAX_IV_LENGTH];
 {
     EVP_CIPHER_CTX *ctx;
     unsigned char iv[EVP_MAX_IV_LENGTH];

-    size_t ivlen, offset, loop;
+    size_t ivlen, taglen, offset, loop;

     unsigned char *staticiv;
     unsigned char *seq;
     int lenu, lenf;
     unsigned char *staticiv;
     unsigned char *seq;
     int lenu, lenf;


@@ -53,21 +53,27 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
     }
     ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 
     }
     ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 

+    if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CCM_MODE) {
+        if (s->s3->tmp.new_cipher->algorithm_enc
+                & (SSL_AES128CCM8 | SSL_AES256CCM8))
+            taglen = EVP_CCM8_TLS_TAG_LEN;
+         else
+            taglen = EVP_CCM_TLS_TAG_LEN;
+         if (send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen,
+                                         NULL) <= 0)
+            return -1;
+    } else {
+        taglen = EVP_GCM_TLS_TAG_LEN;
+    }
+

     if (!send) {
         /*
          * Take off tag. There must be at least one byte of content type as
          * well as the tag
          */
     if (!send) {
         /*
          * Take off tag. There must be at least one byte of content type as
          * well as the tag
          */

-        /*
-         * TODO(TLS1.3): We're going to need to figure out the tag len based on
-         * the cipher. For now we just support GCM tags.
-         * TODO(TLS1.3): When we've swapped over the record layer to TLSv1.3
-         * then the length must be 1 + the tag len to account for the content
-         * byte that we know must have been encrypted.
-         */
-        if (rec->length < EVP_GCM_TLS_TAG_LEN)
+        if (rec->length < taglen + 1)

             return 0;
             return 0;

-        rec->length -= EVP_GCM_TLS_TAG_LEN;
+        rec->length -= taglen;

     }
 
     /* Set up IV */
     }
 
     /* Set up IV */


@@ -93,22 +99,21 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
 
     /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */
     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0
 
     /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */
     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, send) <= 0

-            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
-                                (unsigned int)rec->length) <= 0

             || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
             || (!send && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,

-                                             EVP_GCM_TLS_TAG_LEN,
+                                             taglen,

                                              rec->data + rec->length) <= 0)
                                              rec->data + rec->length) <= 0)

+            || EVP_CipherUpdate(ctx, rec->data, &lenu, rec->input,
+                                (unsigned int)rec->length) <= 0

             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
             || (size_t)(lenu + lenf) != rec->length) {
         return -1;
     }
             || EVP_CipherFinal_ex(ctx, rec->data + lenu, &lenf) <= 0
             || (size_t)(lenu + lenf) != rec->length) {
         return -1;
     }

-

     if (send) {
         /* Add the tag */
     if (send) {
         /* Add the tag */

-        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, EVP_GCM_TLS_TAG_LEN,
+        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen,

                                 rec->data + rec->length) <= 0)
             return -1;
                                 rec->data + rec->length) <= 0)
             return -1;

-        rec->length += EVP_GCM_TLS_TAG_LEN;
+        rec->length += taglen;

     }
 
     return 1;
     }
 
     return 1;

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index d97b9a8ea904d096a28200f01c33d70d9fb6d805..ebdc0fbd5296e2f74653a27f1a554fd831cf62c3 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -281,9 +281,9 @@ int tls1_change_cipher_state(SSL *s, int which)
         int taglen;
         if (s->s3->tmp.
             new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
         int taglen;
         if (s->s3->tmp.
             new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))

-            taglen = 8;
+            taglen = EVP_CCM8_TLS_TAG_LEN;

         else
         else

-            taglen = 16;
+            taglen = EVP_CCM_TLS_TAG_LEN;

         if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
         if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
             || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 0d29dae0428c70d047475565ec7e96f6755f201b..ebfeecdfb2f67c8fa19eb24ed96ebd0b45e965a7 100644 (file)
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -264,7 +264,7 @@ int tls13_change_cipher_state(SSL *s, int which)
     const char *log_label = NULL;
     EVP_CIPHER_CTX *ciph_ctx;
     const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
     const char *log_label = NULL;
     EVP_CIPHER_CTX *ciph_ctx;
     const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;

-    size_t ivlen, keylen, finsecretlen = 0;
+    size_t ivlen, keylen, taglen, finsecretlen = 0;

     const unsigned char *label;
     size_t labellen, hashlen = 0;
     int ret = 0;
     const unsigned char *label;
     size_t labellen, hashlen = 0;
     int ret = 0;


@@ -373,7 +373,17 @@ int tls13_change_cipher_state(SSL *s, int which)
 
     /* TODO(size_t): convert me */
     keylen = EVP_CIPHER_key_length(ciph);
 
     /* TODO(size_t): convert me */
     keylen = EVP_CIPHER_key_length(ciph);

-    ivlen = EVP_CIPHER_iv_length(ciph);
+    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
+        ivlen = EVP_CCM_TLS_IV_LEN;
+        if (s->s3->tmp.new_cipher->algorithm_enc
+                & (SSL_AES128CCM8 | SSL_AES256CCM8))
+            taglen = EVP_CCM8_TLS_TAG_LEN;
+         else
+            taglen = EVP_CCM_TLS_TAG_LEN;
+    } else {
+        ivlen = EVP_CIPHER_iv_length(ciph);
+        taglen = 0;
+    }

 
     if (!ssl_log_secret(s, log_label, secret, hashlen)) {
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
 
     if (!ssl_log_secret(s, log_label, secret, hashlen)) {
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);


@@ -391,8 +401,12 @@ int tls13_change_cipher_state(SSL *s, int which)
         goto err;
     }
 
         goto err;
     }
 

-    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL,
-                          (which & SSL3_CC_WRITE)) <= 0) {
+    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL,
+                          (which & SSL3_CC_WRITE)) <= 0
+        || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
+        || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
+                                                taglen, NULL))
+        || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {

         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
         goto err;
     }
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
         goto err;
     }