Implement all TLS ciphers with stateful AEADs.

The EVP_CIPHER codepath should no longer be used with TLS. It still exists for
DTLS and SSLv3. The AEAD construction in TLS does not allow for
variable-overhead AEADs, so stateful AEADs do not include the length in the ad
parameter. Rather the AEADs internally append the unpadded length once it is
known. EVP_aead_rc4_md5_tls is modified to account for this.

Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The
cipher tests are all moved into crypto/cipher/test because there's now a lot of
them and they clutter the directory listing.

In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs
with a fixed IV component, and for AEADs which use a random nonce (for the
explicit-IV CBC mode ciphers).

The new implementation fixes a bug/quirk in stateless CBC mode ciphers where
the fixed IV portion of the keyblock was generated regardless. This is at the
end, so it's only relevant for EAP-TLS which generates an MSK from the end of
the key block.

Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334
Reviewed-on: https://boringssl-review.googlesource.com/2692
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 0118aa5..9e5af76 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3165,6 +3165,27 @@
}
}
+uint16_t ssl3_version_from_wire(SSL *s, uint16_t wire_version) {
+ if (!SSL_IS_DTLS(s)) {
+ return wire_version;
+ }
+
+ uint16_t tls_version = ~wire_version;
+ uint16_t version = tls_version + 0x0201;
+ /* If either component overflowed, clamp it so comparisons still work. */
+ if ((version >> 8) < (tls_version >> 8)) {
+ version = 0xff00 | (version & 0xff);
+ }
+ if ((version & 0xff) < (tls_version & 0xff)) {
+ version = (version & 0xff00) | 0xff;
+ }
+ /* DTLS 1.0 maps to TLS 1.1, not TLS 1.0. */
+ if (version == TLS1_VERSION) {
+ version = TLS1_1_VERSION;
+ }
+ return version;
+}
+
/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer vairable,
* freeing EVP_MD_CTX previously stored in that variable, if any. If EVP_MD
* pointer is passed, initializes ctx with this md Returns newly allocated
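
Review bot: In ssl3_version_from_wire, the low-byte clamp does not undo the carry into the high byte, so the result is not the per-component clamp the comment promises. `tls_version + 0x0201` is a single 16-bit add, so for a wire version whose complement has a minor byte of 0xff (for example tls_version 0x01ff) the sum is 0x0400, and the second check turns that into 0x04ff, not 0x03ff. Ordering against the known versions is probably unaffected, but adding the major and minor bytes separately and saturating each at 0xff would make the code match its comment. A short comment would also help, saying that DTLS wire versions are the ones' complement of the version number and explaining where the 0x0201 offset comes from, since neither is apparent from the code and the commit message does not mention this function.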