Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.

Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.

lib/libssl/s3_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.46 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.47 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -753,6 +753,9 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
 		else
 			eivlen = 0;
+	} else if (s->aead_write_ctx != NULL &&
+	    s->aead_write_ctx->variable_nonce_in_record) {
+		eivlen = s->aead_write_ctx->variable_nonce_len;
 	} else
 		eivlen = 0;
 

lib/libssl/src/ssl/s3_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.46 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.47 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -753,6 +753,9 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 			eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
 		else
 			eivlen = 0;
+	} else if (s->aead_write_ctx != NULL &&
+	    s->aead_write_ctx->variable_nonce_in_record) {
+		eivlen = s->aead_write_ctx->variable_nonce_len;
 	} else
 		eivlen = 0;
 

lib/libssl/src/ssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.53 2014/06/13 04:29:13 miod Exp $ */
+/* $OpenBSD: ssl.h,v 1.54 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -654,6 +654,8 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
+struct ssl_aead_ctx_st;
+typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -1093,6 +1095,10 @@ struct ssl_st {
 	 * the ones to be 'copied' into these ones */
 	int mac_flags;
 
+	SSL_AEAD_CTX *aead_read_ctx;	/* AEAD context. If non-NULL, then
+					   enc_read_ctx and read_hash are
+					   ignored. */
+
 	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
 	EVP_MD_CTX *read_hash;			/* used for mac generation */
 #ifndef OPENSSL_NO_COMP
@@ -1101,6 +1107,10 @@ struct ssl_st {
 	char *expand;
 #endif
 
+	SSL_AEAD_CTX *aead_write_ctx;	/* AEAD context. If non-NULL, then
+					   enc_write_ctx and write_hash are
+					   ignored. */
+
 	EVP_CIPHER_CTX *enc_write_ctx;		/* cryptographic state */
 	EVP_MD_CTX *write_hash;			/* used for mac generation */
 #ifndef OPENSSL_NO_COMP

lib/libssl/src/ssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.66 2014/06/13 04:29:13 miod Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.67 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2660,6 +2660,17 @@ ssl_clear_cipher_ctx(SSL *s)
 	EVP_CIPHER_CTX_free(s->enc_write_ctx);
 	s->enc_write_ctx = NULL;
 
+	if (s->aead_read_ctx != NULL) {
+		EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx);
+		free(s->aead_read_ctx);
+		s->aead_read_ctx = NULL;
+	}
+	if (s->aead_write_ctx != NULL) {
+		EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx);
+		free(s->aead_write_ctx);
+		s->aead_write_ctx = NULL;
+	}
+
 #ifndef OPENSSL_NO_COMP
 	COMP_CTX_free(s->expand);
 	s->expand = NULL;

lib/libssl/src/ssl/ssl_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.49 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.50 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -578,6 +578,27 @@ typedef struct ssl3_enc_method {
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
 #define SSL_ENC_FLAG_TLS1_2_CIPHERS     (1 << 4)
 
+/*
+ * ssl_aead_ctx_st contains information about an AEAD that is being used to
+ * encrypt an SSL connection.
+ */
+struct ssl_aead_ctx_st {
+	EVP_AEAD_CTX ctx;
+	/*
+	 * fixed_nonce contains any bytes of the nonce that are fixed for all
+	 * records.
+	 */
+	unsigned char fixed_nonce[8];
+	unsigned char fixed_nonce_len;
+	unsigned char variable_nonce_len;
+	unsigned char tag_len;
+	/*
+	 * variable_nonce_in_record is non-zero if the variable nonce
+	 * for a record is included as a prefix before the ciphertext.
+	 */
+	char variable_nonce_in_record;
+};
+
 #ifndef OPENSSL_NO_COMP
 /* Used for holding the relevant compression methods loaded into SSL_CTX */
 typedef struct ssl3_comp_st {

lib/libssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.53 2014/06/13 04:29:13 miod Exp $ */
+/* $OpenBSD: ssl.h,v 1.54 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -654,6 +654,8 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
+struct ssl_aead_ctx_st;
+typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -1093,6 +1095,10 @@ struct ssl_st {
 	 * the ones to be 'copied' into these ones */
 	int mac_flags;
 
+	SSL_AEAD_CTX *aead_read_ctx;	/* AEAD context. If non-NULL, then
+					   enc_read_ctx and read_hash are
+					   ignored. */
+
 	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
 	EVP_MD_CTX *read_hash;			/* used for mac generation */
 #ifndef OPENSSL_NO_COMP
@@ -1101,6 +1107,10 @@ struct ssl_st {
 	char *expand;
 #endif
 
+	SSL_AEAD_CTX *aead_write_ctx;	/* AEAD context. If non-NULL, then
+					   enc_write_ctx and write_hash are
+					   ignored. */
+
 	EVP_CIPHER_CTX *enc_write_ctx;		/* cryptographic state */
 	EVP_MD_CTX *write_hash;			/* used for mac generation */
 #ifndef OPENSSL_NO_COMP

lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.66 2014/06/13 04:29:13 miod Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.67 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2660,6 +2660,17 @@ ssl_clear_cipher_ctx(SSL *s)
 	EVP_CIPHER_CTX_free(s->enc_write_ctx);
 	s->enc_write_ctx = NULL;
 
+	if (s->aead_read_ctx != NULL) {
+		EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx);
+		free(s->aead_read_ctx);
+		s->aead_read_ctx = NULL;
+	}
+	if (s->aead_write_ctx != NULL) {
+		EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx);
+		free(s->aead_write_ctx);
+		s->aead_write_ctx = NULL;
+	}
+
 #ifndef OPENSSL_NO_COMP
 	COMP_CTX_free(s->expand);
 	s->expand = NULL;

lib/libssl/ssl_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.49 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.50 2014/06/13 10:52:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -578,6 +578,27 @@ typedef struct ssl3_enc_method {
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
 #define SSL_ENC_FLAG_TLS1_2_CIPHERS     (1 << 4)
 
+/*
+ * ssl_aead_ctx_st contains information about an AEAD that is being used to
+ * encrypt an SSL connection.
+ */
+struct ssl_aead_ctx_st {
+	EVP_AEAD_CTX ctx;
+	/*
+	 * fixed_nonce contains any bytes of the nonce that are fixed for all
+	 * records.
+	 */
+	unsigned char fixed_nonce[8];
+	unsigned char fixed_nonce_len;
+	unsigned char variable_nonce_len;
+	unsigned char tag_len;
+	/*
+	 * variable_nonce_in_record is non-zero if the variable nonce
+	 * for a record is included as a prefix before the ciphertext.
+	 */
+	char variable_nonce_in_record;
+};
+
 #ifndef OPENSSL_NO_COMP
 /* Used for holding the relevant compression methods loaded into SSL_CTX */
 typedef struct ssl3_comp_st {