commit de0b2026841c34193cacf5c97646b38439e13200
author Adam Langley <agl@chromium.org> Fri Jun 20 12:00:00 2014 -0700
committer Adam Langley <agl@chromium.org> Fri Jun 20 13:17:35 2014 -0700
tree 55390fa8197b59f6611025e6701463fd4f54658f
parent d8983ce0f2b083a45416195e05a11f3a2a1d5aed

ChaCha20-Poly1305 support.

ssl/t1_enc.c

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 58f8bf8..7897519 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -361,6 +361,8 @@
 	memcpy(aead_ctx->fixed_nonce, iv, iv_len);
 	aead_ctx->fixed_nonce_len = iv_len;
 	aead_ctx->variable_nonce_len = 8;  /* always the case, currently. */
+	aead_ctx->variable_nonce_included_in_record =
+		(s->s3->tmp.new_cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD) != 0;
 	if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead))
 		{
 		OPENSSL_PUT_ERROR(SSL, tls1_change_cipher_state_aead, ERR_R_INTERNAL_ERROR);
@@ -822,6 +824,7 @@
 		if (send)
 			{
 			size_t len = rec->length;
+			size_t eivlen = 0;
 			in = rec->input;
 			out = rec->data;
 
@@ -837,22 +840,27 @@
 			 * variable nonce. Thus we can copy the sequence number
 			 * bytes into place without overwriting any of the
 			 * plaintext. */
-			memcpy(out, ad, aead->variable_nonce_len);
-			len -= aead->variable_nonce_len;
+			if (aead->variable_nonce_included_in_record)
+				{
+				memcpy(out, ad, aead->variable_nonce_len);
+				len -= aead->variable_nonce_len;
+				eivlen = aead->variable_nonce_len;
+				}
 
 			ad[11] = len >> 8;
 			ad[12] = len & 0xff;
 
 			if (!EVP_AEAD_CTX_seal(
 				&aead->ctx,
-				out + aead->variable_nonce_len, &n, len + aead->tag_len,
+				out + eivlen, &n, len + aead->tag_len,
 				nonce, nonce_used,
-				in + aead->variable_nonce_len, len,
+				in + eivlen, len,
 				ad, sizeof(ad)))
 				{
 				return -1;
 				}
-			n += aead->variable_nonce_len;
+			if (aead->variable_nonce_included_in_record)
+				n += aead->variable_nonce_len;
 			}
 		else
 			{
@@ -865,12 +873,17 @@
 
 			if (len < aead->variable_nonce_len)
 				return 0;
-			memcpy(nonce + nonce_used, in, aead->variable_nonce_len);
+			memcpy(nonce + nonce_used,
+			       aead->variable_nonce_included_in_record ? in : ad,
+			       aead->variable_nonce_len);
 			nonce_used += aead->variable_nonce_len;
 
-			in += aead->variable_nonce_len;
-			len -= aead->variable_nonce_len;
-			out += aead->variable_nonce_len;
+			if (aead->variable_nonce_included_in_record)
+				{
+				in += aead->variable_nonce_len;
+				len -= aead->variable_nonce_len;
+				out += aead->variable_nonce_len;
+				}
 
 			if (len < aead->tag_len)
 				return 0;