From 4221c0dd3004117c63b182af5e8ab345b7265902 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 27 Mar 2013 19:54:48 +0000
Subject: [PATCH] Enable TLS 1.2 ciphers in DTLS 1.2.

Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
---
 ssl/d1_both.c  |  9 +++++++--
 ssl/d1_lib.c   |  7 ++++---
 ssl/d1_pkt.c   | 46 ++++++++++++++++++++++++----------------------
 ssl/s3_lib.c   |  8 ++++----
 ssl/ssl_locl.h |  9 +++++++++
 ssl/t1_enc.c   |  2 +-
 ssl/t1_lib.c   |  7 ++++---
 7 files changed, 53 insertions(+), 35 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 262299b154..f7947bd988 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -272,12 +272,17 @@ int dtls1_do_write(SSL *s, int type)
 			(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
 
 	if (s->write_hash)
-		mac_size = EVP_MD_CTX_size(s->write_hash);
+		{
+		if (s->enc_write_ctx && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE)
+			mac_size = 0;
+		else
+			mac_size = EVP_MD_CTX_size(s->write_hash);
+		}
 	else
 		mac_size = 0;
 
 	if (s->enc_write_ctx && 
-		(EVP_CIPHER_mode( s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
+		(EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE))
 		blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
 	else
 		blocksize = 0;
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 16bafa3560..ddbb78a199 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -73,7 +73,7 @@ const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
 int dtls1_listen(SSL *s, struct sockaddr *client);
 
 SSL3_ENC_METHOD DTLSv1_enc_data={
-    dtls1_enc,
+    	tls1_enc,
 	tls1_mac,
 	tls1_setup_key_block,
 	tls1_generate_master_secret,
@@ -92,7 +92,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
 	};
 
 SSL3_ENC_METHOD DTLSv1_2_enc_data={
-    dtls1_enc,
+    	tls1_enc,
 	tls1_mac,
 	tls1_setup_key_block,
 	tls1_generate_master_secret,
@@ -104,7 +104,8 @@ SSL3_ENC_METHOD DTLSv1_2_enc_data={
 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
 	tls1_alert_code,
 	tls1_export_keying_material,
-	SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+	SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS
+		|SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS,
 	DTLS1_HM_HEADER_LENGTH,
 	dtls1_set_handshake_header,
 	dtls1_handshake_write	
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index b7ff9a8705..995e6576e0 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1466,10 +1466,10 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 	unsigned char *p,*pseq;
 	int i,mac_size,clear=0;
 	int prefix_len = 0;
+	int eivlen;
 	SSL3_RECORD *wr;
 	SSL3_BUFFER *wb;
 	SSL_SESSION *sess;
-	int bs;
 
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
@@ -1554,18 +1554,27 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 	pseq=p; 
 	p+=10;
 
-	/* lets setup the record stuff. */
-
-	/* Make space for the explicit IV in case of CBC.
-	 * (this is a bit of a boundary violation, but what the heck).
-	 */
-	if ( s->enc_write_ctx && 
-		(EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
-		bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
-	else
-		bs = 0;
+	/* Explicit IV length, block ciphers appropriate version flag */
+	if (s->enc_write_ctx)
+		{
+		int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+		if (mode == EVP_CIPH_CBC_MODE)
+			{
+			eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+			if (eivlen <= 1)
+				eivlen = 0;
+			}
+		/* Need explicit part of IV for GCM mode */
+		else if (mode == EVP_CIPH_GCM_MODE)
+			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+		else
+			eivlen = 0;
+		}
+	else 
+		eivlen = 0;
 
-	wr->data=p + bs;  /* make room for IV in case of CBC */
+	/* lets setup the record stuff. */
+	wr->data=p + eivlen;  /* make room for IV in case of CBC */
 	wr->length=(int)len;
 	wr->input=(unsigned char *)buf;
 
@@ -1593,7 +1602,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 	if (mac_size != 0)
 		{
-		if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
+		if(s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
 			goto err;
 		wr->length+=mac_size;
 		}
@@ -1602,15 +1611,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 	wr->input=p;
 	wr->data=p;
 
-
-	/* ssl3_enc can only have an error on read */
-	if (bs)	/* bs != 0 in case of CBC */
-		{
-		RAND_pseudo_bytes(p,bs);
-		/* master IV and last CBC residue stand for
-		 * the rest of randomness */
-		wr->length += bs;
-		}
+	if (eivlen)
+		wr->length += eivlen;
 
 	s->method->ssl3_enc->enc(s,1);
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index b92d879f3d..7ad8a541fa 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3372,7 +3372,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
-		if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+		if (SSL_IS_DTLS(s))
 			ret = dtls1_heartbeat(s);
 		else
 			ret = tls1_heartbeat(s);
@@ -3493,7 +3493,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
 	case SSL_CTRL_GET_PEER_SIGNATURE_NID:
-		if (TLS1_get_version(s) >= TLS1_2_VERSION)
+		if (SSL_USE_SIGALGS(s))
 			{
 			if (s->session && s->session->sess_cert)
 				{
@@ -4080,9 +4080,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		{
 		c=sk_SSL_CIPHER_value(prio,i);
 
-		/* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
+		/* Skip TLS v1.2 only ciphersuites if not supported */
 		if ((c->algorithm_ssl & SSL_TLSV1_2) && 
-			(TLS1_get_version(s) < TLS1_2_VERSION))
+			!SSL_USE_TLS1_2_CIPHERS(s))
 			continue;
 
 		ssl_set_cert_masks(cert,c);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 13680cbf72..101f4e9761 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -448,6 +448,11 @@
  */
 #define SSL_USE_SIGALGS(s)	\
 			(s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS)
+/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2:
+ * may apply to others in future.
+ */
+#define SSL_USE_TLS1_2_CIPHERS(s)	\
+		(s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
 
 /* Mostly for SSLv3 */
 #define SSL_PKEY_RSA_ENC	0
@@ -713,6 +718,10 @@ typedef struct ssl3_enc_method
 #define SSL_ENC_FLAG_SHA256_PRF		0x4
 /* Is DTLS */
 #define SSL_ENC_FLAG_DTLS		0x8
+/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2:
+ * may apply to others in future.
+ */
+#define SSL_ENC_FLAG_TLS1_2_CIPHERS	0x10
 
 #ifndef OPENSSL_NO_COMP
 /* Used for holding the relevant compression methods loaded into SSL_CTX */
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 5d46bb24c1..fdd20d9009 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -724,7 +724,7 @@ int tls1_enc(SSL *s, int send)
 			int ivlen;
 			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
 			/* For TLSv1.1 and later explicit IV */
-			if (s->version >= TLS1_1_VERSION
+			if (SSL_USE_EXPLICIT_IV(s)
 				&& EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
 				ivlen = EVP_CIPHER_iv_length(enc);
 			else
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b0e91ad3e5..8cb018d65e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -178,7 +178,8 @@ SSL3_ENC_METHOD TLSv1_2_enc_data={
 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
 	tls1_alert_code,
 	tls1_export_keying_material,
-	SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+	SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
+		|SSL_ENC_FLAG_TLS1_2_CIPHERS,
 	SSL3_HM_HEADER_LENGTH,
 	ssl3_set_handshake_header,
 	ssl3_handshake_write
@@ -1008,8 +1009,8 @@ void ssl_set_client_disabled(SSL *s)
 	int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
 	c->mask_a = 0;
 	c->mask_k = 0;
-	/* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */
-	if (TLS1_get_client_version(s) < TLS1_2_VERSION)
+	/* Don't allow TLS 1.2 only ciphers if we don't suppport them */
+	if (!SSL_USE_TLS1_2_CIPHERS(s))
 		c->mask_ssl = SSL_TLSV1_2;
 	else
 		c->mask_ssl = 0;
-- 
2.34.1