From a9541beba58c494300e55dcfbda288e60a2fb54a Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Wed, 17 Oct 2018 11:44:29 +0200
Subject: ssl: Refactor AEAD ciphers

TLS-1.3 needs to handle AEAD inputs diffrently than previous versions.
Refactor code to facilitate TLS-1.3 additions.

Change CHACHA20_POLY1305 NONCE to match RFC 7905. This will be
important later when we fix interop with TLS compatible crypto
invocation.
---
 lib/ssl/src/ssl_cipher.erl | 88 ++++++++++------------------------------------
 1 file changed, 19 insertions(+), 69 deletions(-)

(limited to 'lib/ssl/src/ssl_cipher.erl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index b23129dcdd..0e22d63b4b 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -34,7 +34,7 @@
 -include_lib("public_key/include/public_key.hrl").
 
 -export([security_parameters/2, security_parameters/3, 
-	 cipher_init/3, decipher/6, cipher/5, decipher_aead/6, cipher_aead/6,
+	 cipher_init/3, nonce_seed/2, decipher/6, cipher/5, aead_encrypt/5, aead_decrypt/6,
 	 suites/1, all_suites/1,  crypto_support_filters/0,
 	 chacha_suites/1, anonymous_suites/1, psk_suites/1, psk_suites_anon/1, 
          srp_suites/0, srp_suites_anon/0,
@@ -48,6 +48,8 @@
 
 -type cipher_enum()        :: integer().
 
+-export_type([cipher_enum/0]).
+
 %%--------------------------------------------------------------------
 -spec security_parameters(ssl_cipher_format:cipher_suite(), #security_parameters{}) ->
 				 #security_parameters{}.
@@ -91,10 +93,15 @@ cipher_init(?RC4, IV, Key) ->
     #cipher_state{iv = IV, key = Key, state = State};
 cipher_init(?AES_GCM, IV, Key) ->
     <<Nonce:64>> = random_bytes(8),
-    #cipher_state{iv = IV, key = Key, nonce = Nonce};
+    #cipher_state{iv = IV, key = Key, nonce = Nonce, tag_len = 16};
+cipher_init(?CHACHA20_POLY1305, IV, Key) ->
+    #cipher_state{iv = IV, key = Key, tag_len = 16};
 cipher_init(_BCA, IV, Key) ->
     #cipher_state{iv = IV, key = Key}.
 
+nonce_seed(Seed, CipherState) ->
+    CipherState#cipher_state{nonce = Seed}.
+
 %%--------------------------------------------------------------------
 -spec cipher(cipher_enum(), #cipher_state{}, binary(), iodata(), ssl_record:ssl_version()) ->
 		    {binary(), #cipher_state{}}. 
@@ -126,32 +133,16 @@ cipher(?AES_CBC, CipherState, Mac, Fragment, Version) ->
 			 crypto:block_encrypt(aes_cbc256, Key, IV, T)
 		 end, block_size(aes_128_cbc), CipherState, Mac, Fragment, Version).
 
-%%--------------------------------------------------------------------
--spec cipher_aead(cipher_enum(), #cipher_state{}, integer(), binary(), iodata(), ssl_record:ssl_version()) ->
-		    {binary(), #cipher_state{}}.
-%%
-%% Description: Encrypts the data and protects associated data (AAD) using chipher
-%% described by cipher_enum() and updating the cipher state
-%% Use for suites that use authenticated encryption with associated data (AEAD)
-%%-------------------------------------------------------------------
-cipher_aead(?AES_GCM, CipherState, SeqNo, AAD, Fragment, Version) ->
-    aead_cipher(aes_gcm, CipherState, SeqNo, AAD, Fragment, Version);
-cipher_aead(?CHACHA20_POLY1305, CipherState, SeqNo, AAD, Fragment, Version) ->
-    aead_cipher(chacha20_poly1305, CipherState, SeqNo, AAD, Fragment, Version).
-
-aead_cipher(chacha20_poly1305, #cipher_state{key=Key} = CipherState, SeqNo, AAD0, Fragment, _Version) ->
-    CipherLen = erlang:iolist_size(Fragment),
-    AAD = <<AAD0/binary, ?UINT16(CipherLen)>>,
-    Nonce = ?uint64(SeqNo),
-    {Content, CipherTag} = crypto:block_encrypt(chacha20_poly1305, Key, Nonce, {AAD, Fragment}),
-    {<<Content/binary, CipherTag/binary>>, CipherState};
-aead_cipher(Type, #cipher_state{key=Key, iv = IV0, nonce = Nonce} = CipherState, _SeqNo, AAD0, Fragment, _Version) ->
-    CipherLen = erlang:iolist_size(Fragment),
-    AAD = <<AAD0/binary, ?UINT16(CipherLen)>>,
-    <<Salt:4/bytes, _/binary>> = IV0,
-    IV = <<Salt/binary, Nonce:64/integer>>,
-    {Content, CipherTag} = crypto:block_encrypt(Type, Key, IV, {AAD, Fragment}),
-    {<<Nonce:64/integer, Content/binary, CipherTag/binary>>, CipherState#cipher_state{nonce = Nonce + 1}}.
+aead_encrypt(Type, Key, Nonce, Fragment, AdditionalData) ->
+    crypto:block_encrypt(aead_type(Type), Key, Nonce, {AdditionalData, Fragment}).
+
+aead_decrypt(Type, Key, Nonce, CipherText, CipherTag, AdditionalData) ->
+    crypto:block_decrypt(aead_type(Type), Key, Nonce, {AdditionalData, CipherText, CipherTag}).
+
+aead_type(?AES_GCM) ->
+    aes_gcm;
+aead_type(?CHACHA20_POLY1305) ->
+    chacha20_poly1305.
 
 build_cipher_block(BlockSz, Mac, Fragment) ->
     TotSz = byte_size(Mac) + erlang:iolist_size(Fragment) + 1,
@@ -218,19 +209,6 @@ decipher(?AES_CBC, HashSz, CipherState, Fragment, Version, PaddingCheck) ->
 			   crypto:block_decrypt(aes_cbc256, Key, IV, T)
 		   end, CipherState, HashSz, Fragment, Version, PaddingCheck).
 
-%%--------------------------------------------------------------------
--spec decipher_aead(cipher_enum(),  #cipher_state{}, integer(), binary(), binary(), ssl_record:ssl_version()) ->
-			   {binary(), #cipher_state{}} | #alert{}.
-%%
-%% Description: Decrypts the data and checks the associated data (AAD) MAC using
-%% cipher described by cipher_enum() and updating the cipher state.
-%% Use for suites that use authenticated encryption with associated data (AEAD)
-%%-------------------------------------------------------------------
-decipher_aead(?AES_GCM, CipherState, SeqNo, AAD, Fragment, Version) ->
-    aead_decipher(aes_gcm, CipherState, SeqNo, AAD, Fragment, Version);
-decipher_aead(?CHACHA20_POLY1305, CipherState, SeqNo, AAD, Fragment, Version) ->
-    aead_decipher(chacha20_poly1305, CipherState, SeqNo, AAD, Fragment, Version).
-
 block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0, 
 	       HashSz, Fragment, Version, PaddingCheck) ->
     try 
@@ -261,34 +239,6 @@ block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0,
             ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC, decryption_failed)
     end.
 
-aead_ciphertext_to_state(chacha20_poly1305, SeqNo, _IV, AAD0, Fragment, _Version) ->
-    CipherLen = size(Fragment) - 16,
-    <<CipherText:CipherLen/bytes, CipherTag:16/bytes>> = Fragment,
-    AAD = <<AAD0/binary, ?UINT16(CipherLen)>>,
-    Nonce = ?uint64(SeqNo),
-    {Nonce, AAD, CipherText, CipherTag};
-aead_ciphertext_to_state(_, _SeqNo, <<Salt:4/bytes, _/binary>>, AAD0, Fragment, _Version) ->
-    CipherLen = size(Fragment) - 24,
-    <<ExplicitNonce:8/bytes, CipherText:CipherLen/bytes,  CipherTag:16/bytes>> = Fragment,
-    AAD = <<AAD0/binary, ?UINT16(CipherLen)>>,
-    Nonce = <<Salt/binary, ExplicitNonce/binary>>,
-    {Nonce, AAD, CipherText, CipherTag}.
-
-aead_decipher(Type, #cipher_state{key = Key, iv = IV} = CipherState,
-	      SeqNo, AAD0, Fragment, Version) ->
-    try
-	{Nonce, AAD, CipherText, CipherTag} = aead_ciphertext_to_state(Type, SeqNo, IV, AAD0, Fragment, Version),
-	case crypto:block_decrypt(Type, Key, Nonce, {AAD, CipherText, CipherTag}) of
-	    Content when is_binary(Content) ->
-		{Content, CipherState};
-	    _ ->
-                ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC, decryption_failed)
-	end
-    catch
-	_:_ ->
-            ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC, decryption_failed)
-    end.
-
 %%--------------------------------------------------------------------
 -spec suites(ssl_record:ssl_version()) -> [ssl_cipher_format:cipher_suite()].
 %%
-- 
cgit v1.2.3