Commit 877f1efa authored by Geoff Simmons's avatar Geoff Simmons

encrypt_record() appends the authentication tag.

So the calling code doesn't have to.
parent 68bdc698
...@@ -257,9 +257,10 @@ ssize_t ...@@ -257,9 +257,10 @@ ssize_t
encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext, encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext,
int plaintext_len, uint32_t rs, uint8_t cek[AES128_KEYLEN], int plaintext_len, uint32_t rs, uint8_t cek[AES128_KEYLEN],
unsigned char nonce[NONCE_LEN], int last, unsigned char *ciphertext, unsigned char nonce[NONCE_LEN], int last, unsigned char *ciphertext,
uint8_t *tag, char errmsg[ERRMSG_LEN]) char errmsg[ERRMSG_LEN])
{ {
int delim_idx, len, ciphertext_len; int delim_idx, len, ciphertext_len;
uint8_t *tag;
AN(ctx); AN(ctx);
AN(plaintext); AN(plaintext);
...@@ -304,6 +305,7 @@ encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext, ...@@ -304,6 +305,7 @@ encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext,
} }
ciphertext_len += len; ciphertext_len += len;
tag = ciphertext + (rs - TAG_LEN);
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, TAG_LEN, tag)) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, TAG_LEN, tag)) {
mk_error(errmsg); mk_error(errmsg);
return (-1); return (-1);
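Review bot: The new `tag = ciphertext + (rs - TAG_LEN);` computes its offset from the unsigned `rs`, so an `rs` smaller than TAG_LEN would wrap to a very large offset and the `EVP_CTRL_GCM_GET_TAG` call would write TAG_LEN bytes outside the caller's buffer. The lines between the two hunks are not shown, so `rs` may already be range-checked there; if it is not, add a guard before the pointer computation, for example `if (rs <= TAG_LEN) return (-1);` with errmsg filled in. The tag also lands at a fixed offset rather than at `ciphertext + ciphertext_len`, so if a final record can ever be shorter than `rs - TAG_LEN`, unwritten bytes would sit between the ciphertext and the tag; this is worth confirming against the padding logic outside the hunk. The body of encrypt_record starts and ends outside these hunks.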
......
...@@ -162,7 +162,7 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext, ...@@ -162,7 +162,7 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext,
* Encrypt a record. Inputs are: * Encrypt a record. Inputs are:
* plaintext, plaintext_len, rs, cek, nonce, last * plaintext, plaintext_len, rs, cek, nonce, last
* Outputs is: * Outputs is:
* ciphertext, tag * ciphertext
* *
* The buffer at plaintext MUST have at least rs bytes allocated. * The buffer at plaintext MUST have at least rs bytes allocated.
* *
...@@ -171,6 +171,7 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext, ...@@ -171,6 +171,7 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext,
* If last is non-zero, then this is the last record in the message. * If last is non-zero, then this is the last record in the message.
* *
* At least rs bytes must be allocated for the buffer at ciphertext. * At least rs bytes must be allocated for the buffer at ciphertext.
* The authentication tag is appended at ciphertext + (rs - TAG_LEN).
* *
* Returns -1 on error, otherwise the number of ciphertext bytes. That * Returns -1 on error, otherwise the number of ciphertext bytes. That
* number will be equal to rs for every record but the last, which may be * number will be equal to rs for every record but the last, which may be
...@@ -179,4 +180,4 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext, ...@@ -179,4 +180,4 @@ ssize_t decrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *ciphertext,
ssize_t encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext, ssize_t encrypt_record(EVP_CIPHER_CTX *ctx, unsigned char *plaintext,
int plaintext_len, uint32_t rs, uint8_t cek[AES128_KEYLEN], int plaintext_len, uint32_t rs, uint8_t cek[AES128_KEYLEN],
unsigned char nonce[NONCE_LEN], int last, unsigned char *ciphertext, unsigned char nonce[NONCE_LEN], int last, unsigned char *ciphertext,
uint8_t tag[TAG_LEN], char errmsg[ERRMSG_LEN]); char errmsg[ERRMSG_LEN]);
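Review bot: The updated comment says where the tag is written but not whether the returned byte count includes it, and callers now need that to know how many bytes of the buffer are valid output. The test on this page asserts `len == rs - TAG_LEN` after a call with `last = 1`, which suggests the tag is not counted, while the comment says the count equals rs for every record but the last. If that reading is right, add a line such as `* The return value does not include the TAG_LEN bytes of the tag.`, and state that rs must be larger than TAG_LEN. The rest of the return-value description lies outside the hunk, so it may already cover part of this.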
...@@ -88,7 +88,7 @@ main(int argc, char *argv[]) ...@@ -88,7 +88,7 @@ main(int argc, char *argv[])
body1_test_b64[73]; body1_test_b64[73];
unsigned char key1[AES128_KEYLEN + 2], key2[AES128_KEYLEN + 2], unsigned char key1[AES128_KEYLEN + 2], key2[AES128_KEYLEN + 2],
salt[SALT_LEN + 2], prk[SHA256_LEN], cek[SHA256_LEN], salt[SALT_LEN + 2], prk[SHA256_LEN], cek[SHA256_LEN],
nonce[SHA256_LEN], seq[NONCE_LEN], tag[TAG_LEN], nonce[SHA256_LEN], seq[NONCE_LEN],
body1[54], body2[75], plaintext[64], *ciphertext; body1[54], body2[75], plaintext[64], *ciphertext;
char errmsg[ERRMSG_LEN]; char errmsg[ERRMSG_LEN];
uint32_t rs; uint32_t rs;
...@@ -268,14 +268,13 @@ main(int argc, char *argv[]) ...@@ -268,14 +268,13 @@ main(int argc, char *argv[])
last = 1; last = 1;
ciphertext = body1 + HDR_PREFIX_LEN + exp_idlen1; ciphertext = body1 + HDR_PREFIX_LEN + exp_idlen1;
len = encrypt_record(ctx, plaintext, exp_plaintext_len, rs, cek, len = encrypt_record(ctx, plaintext, exp_plaintext_len, rs, cek,
nonce, last, ciphertext, tag, errmsg); nonce, last, ciphertext, errmsg);
if (len < 0) { if (len < 0) {
fprintf(stderr, "ex1 encrypt_record: %s\n", errmsg); fprintf(stderr, "ex1 encrypt_record: %s\n", errmsg);
exit(-1); exit(-1);
} }
assert((unsigned)len == rs - TAG_LEN); assert((unsigned)len == rs - TAG_LEN);
memcpy(ciphertext + (rs - TAG_LEN), tag, TAG_LEN);
len = EVP_EncodeBlock(body1_test_b64, body1, bodylen1); len = EVP_EncodeBlock(body1_test_b64, body1, bodylen1);
assert(len == 72); assert(len == 72);
AZ(memcmp(body1_test_b64, body1_b64, len)); AZ(memcmp(body1_test_b64, body1_b64, len));
......