libressl/0087-ssl-add-support-for-TLSTREE-rekeying.patch

From 6da2bfbafdce6ef876fe8645a01da835831f1f2a Mon Sep 17 00:00:00 2001
From: Dmitry Baryshkov <dbaryshkov@gmail.com>
Date: Sat, 18 Apr 2020 18:42:12 +0300
Subject: [PATCH 87/87] ssl: add support for TLSTREE rekeying

CTR-OMAC ciphersuites use TLSTREE rekeying to change keys regularly.
Handle TLSTREE rekeying for those ciphersuites.

Sponsored by ROSA Linux

Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
---
 src/lib/libssl/s3_lib.c   | 18 +++++++++++++++--
 src/lib/libssl/ssl.h      |  6 ++++++
 src/lib/libssl/ssl_lib.c  | 14 +++++++++++++
 src/lib/libssl/ssl_locl.h |  4 ++++
 src/lib/libssl/t1_enc.c   | 42 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 82 insertions(+), 2 deletions(-)

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index ba87e9101..2636cfd4f 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -169,6 +169,18 @@
  */
 #define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)
 
+static const TLSTREE_CONST tlstree_magma_ctr_omac = {
+	.c1 = UINT64_C(0xFFFFFFC000000000),
+	.c2 = UINT64_C(0xFFFFFFFFFE000000),
+	.c3 = UINT64_C(0xFFFFFFFFFFFFF000),
+};
+
+static const TLSTREE_CONST tlstree_kuznyechik_ctr_omac = {
+	.c1 = UINT64_C(0xFFFFFFFF00000000),
+	.c2 = UINT64_C(0xFFFFFFFFFFF80000),
+	.c3 = UINT64_C(0xFFFFFFFFFFFFFFC0),
+};
+
 /* list of available SSLv3 ciphers (sorted by id) */
 SSL_CIPHER ssl3_ciphers[] = {
 
@@ -1318,7 +1330,8 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.algo_strength = SSL_HIGH,
 		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|TLS1_NONCE_ADD_SEQUENCE,
 		.strength_bits = 256,
-		.alg_bits = 256
+		.alg_bits = 256,
+		.tlstree = &tlstree_kuznyechik_ctr_omac,
 	},
 
 	/* Cipher C101 */
@@ -1334,7 +1347,8 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.algo_strength = SSL_HIGH,
 		.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256|TLS1_PRF_STREEBOG256|TLS1_NONCE_ADD_SEQUENCE,
 		.strength_bits = 256,
-		.alg_bits = 256
+		.alg_bits = 256,
+		.tlstree = &tlstree_magma_ctr_omac,
 	},
 
 	/* Cipher C102 */
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 1c5e174b8..a9f414224 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -153,6 +153,8 @@
 
 #include <openssl/bio.h>
 
+#include <openssl/kdftree.h>
+
 #ifndef OPENSSL_NO_DEPRECATED
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
@@ -397,6 +399,10 @@ struct ssl_cipher_st {
 	unsigned long algorithm2;	/* Extra flags */
 	int strength_bits;		/* Number of bits really used */
 	int alg_bits;			/* Number of bits for algorithm */
+
+#ifndef OPENSSL_NO_GOST
+	const TLSTREE_CONST *tlstree;	/* TLSTREE parameters */
+#endif
 };
 
 
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c989d802c..a54c01dc7 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -2545,6 +2545,13 @@ ssl_clear_cipher_read_state(SSL *s)
 		free(s->internal->aead_read_ctx);
 		s->internal->aead_read_ctx = NULL;
 	}
+
+#ifndef OPENSSL_NO_GOST
+	if (S3I(s)->read.tlstree_cipher != NULL)
+		TLSTREE_CTX_free(S3I(s)->read.tlstree_cipher);
+	if (S3I(s)->read.tlstree_mac != NULL)
+		TLSTREE_CTX_free(S3I(s)->read.tlstree_mac);
+#endif
 }
 
 void
@@ -2561,6 +2568,13 @@ ssl_clear_cipher_write_state(SSL *s)
 		free(s->internal->aead_write_ctx);
 		s->internal->aead_write_ctx = NULL;
 	}
+
+#ifndef OPENSSL_NO_GOST
+	if (S3I(s)->write.tlstree_cipher != NULL)
+		TLSTREE_CTX_free(S3I(s)->write.tlstree_cipher);
+	if (S3I(s)->write.tlstree_mac != NULL)
+		TLSTREE_CTX_free(S3I(s)->write.tlstree_mac);
+#endif
 }
 
 /* Fix this function so that it takes an optional type parameter */
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index dc291ae4f..6871b01a9 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -811,6 +811,10 @@ typedef struct ssl3_rw_state_internal_st {
 	unsigned char mac_secret[EVP_MAX_MD_SIZE];
 	int cipher_iv_size;
 	unsigned char cipher_iv[EVP_MAX_IV_LENGTH];
+#ifndef OPENSSL_NO_GOST
+	TLSTREE_CTX *tlstree_cipher;
+	TLSTREE_CTX *tlstree_mac;
+#endif
 } SSL3_RW_STATE_INTERNAL;
 
 typedef struct ssl3_state_internal_st {
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 7ed6825a1..a4219599d 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -411,6 +411,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 	const EVP_MD *mac;
 	const EVP_CIPHER *mac_cipher;
 	int mac_type;
+	SSL3_RW_STATE_INTERNAL *rws;
 
 	cipher = S3I(s)->tmp.new_sym_enc;
 	mac = S3I(s)->tmp.new_hash;
@@ -426,6 +427,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 		if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
 			goto err;
 		s->read_hash = mac_ctx;
+		rws = &S3I(s)->read;
 	} else {
 		/*
 		 * DTLS fragments retain a pointer to the compression, cipher
@@ -443,6 +445,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 		if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
 			goto err;
 		s->internal->write_hash = mac_ctx;
+		rws = &S3I(s)->write;
 	}
 
 	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
@@ -465,6 +468,24 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
 	else
 		s->internal->write_mac_size = mac_size;
 
+#ifndef OPENSSL_NO_GOST
+	if (s->session->cipher->tlstree) {
+		rws->tlstree_cipher = TLSTREE_CTX_new();
+		rws->tlstree_mac = TLSTREE_CTX_new();
+		if (rws->tlstree_cipher == NULL ||
+		    rws->tlstree_mac == NULL ||
+		    !TLSTREE_Init(rws->tlstree_cipher,
+			    s->session->cipher->tlstree,
+			    EVP_streebog256(), NULL,
+			    key, key_len) ||
+		    !TLSTREE_Init(rws->tlstree_mac,
+			    s->session->cipher->tlstree,
+			    EVP_streebog256(), NULL,
+			    mac_secret, mac_secret_size))
+			goto err;
+	}
+#endif
+
 	if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
 		int nid;
 		if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
@@ -904,6 +925,14 @@ tls1_enc(SSL *s, int send)
 				return 0;
 		}
 
+#ifndef OPENSSL_NO_GOST
+		if (rws->tlstree_cipher != NULL) {
+			unsigned char tmp[EVP_MAX_KEY_LENGTH];
+			if (!TLSTREE_GET(rws->tlstree_cipher, rws->sequence, tmp) ||
+			    !EVP_CipherInit_ex(ds, NULL, NULL, tmp, NULL, -1))
+				return 0;
+		}
+#endif
 		if (add_nonce) {
 			unsigned char new_iv[EVP_MAX_IV_LENGTH];
 			int iv_size = rws->cipher_iv_size;
@@ -974,6 +1003,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 	int stream_mac = ssl->session && ssl->session->cipher ?
 		ssl->session->cipher->algorithm2 & TLS1_STREAM_MAC :
 		0;
+	SSL3_RW_STATE_INTERNAL *rws;
 	int t;
 
 	if (send) {
@@ -981,11 +1011,13 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 		seq = &(ssl->s3->internal->write.sequence[0]);
 		hash = ssl->internal->write_hash;
 		t = ssl->internal->write_mac_size;
+		rws = &S3I(ssl)->write;
 	} else {
 		rec = &(ssl->s3->internal->rrec);
 		seq = &(ssl->s3->internal->read.sequence[0]);
 		hash = ssl->read_hash;
 		t = ssl->read_mac_size;
+		rws = &S3I(ssl)->read;
 	}
 
 	OPENSSL_assert(t >= 0);
@@ -1028,6 +1060,16 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 		    ssl->s3->internal->read.mac_secret_size))
 			return -1;
 	} else {
+#ifndef OPENSSL_NO_GOST
+		if (rws->tlstree_mac != NULL) {
+			unsigned char tmp[EVP_MAX_KEY_LENGTH];
+			if (mac_ctx->pctx == NULL ||
+			    !TLSTREE_GET(rws->tlstree_mac, seq, tmp) ||
+			    EVP_PKEY_CTX_ctrl(mac_ctx->pctx, -1, EVP_PKEY_OP_SIGNCTX,
+				    EVP_PKEY_CTRL_SET_MAC_KEY, rws->mac_secret_size, tmp) <= 0)
+				return -1;
+		}
+#endif
 		EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
 		EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
 		t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
-- 
2.17.1
Add gost-new patches sponsored by ROSA Linux TODO: add tests 2020-08-05 12:55:25 +03:00			`From 6da2bfbafdce6ef876fe8645a01da835831f1f2a Mon Sep 17 00:00:00 2001`
			`From: Dmitry Baryshkov <dbaryshkov@gmail.com>`
			`Date: Sat, 18 Apr 2020 18:42:12 +0300`
			`Subject: [PATCH 87/87] ssl: add support for TLSTREE rekeying`

			`CTR-OMAC ciphersuites use TLSTREE rekeying to change keys regularly.`
			`Handle TLSTREE rekeying for those ciphersuites.`

			`Sponsored by ROSA Linux`

			`Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>`
			`---`
			`src/lib/libssl/s3_lib.c \| 18 +++++++++++++++--`
			`src/lib/libssl/ssl.h \| 6 ++++++`
			`src/lib/libssl/ssl_lib.c \| 14 +++++++++++++`
			`src/lib/libssl/ssl_locl.h \| 4 ++++`
			`src/lib/libssl/t1_enc.c \| 42 +++++++++++++++++++++++++++++++++++++++`
			`5 files changed, 82 insertions(+), 2 deletions(-)`

			`diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c`
			`index ba87e9101..2636cfd4f 100644`
			`--- a/src/lib/libssl/s3_lib.c`
			`+++ b/src/lib/libssl/s3_lib.c`
			`@@ -169,6 +169,18 @@`
			`*/`
			`#define FIXED_NONCE_LEN(x) (((x / 2) & 0xf) << 24)`

			`+static const TLSTREE_CONST tlstree_magma_ctr_omac = {`
			`+ .c1 = UINT64_C(0xFFFFFFC000000000),`
			`+ .c2 = UINT64_C(0xFFFFFFFFFE000000),`
			`+ .c3 = UINT64_C(0xFFFFFFFFFFFFF000),`
			`+};`
			`+`
			`+static const TLSTREE_CONST tlstree_kuznyechik_ctr_omac = {`
			`+ .c1 = UINT64_C(0xFFFFFFFF00000000),`
			`+ .c2 = UINT64_C(0xFFFFFFFFFFF80000),`
			`+ .c3 = UINT64_C(0xFFFFFFFFFFFFFFC0),`
			`+};`
			`+`
			`/* list of available SSLv3 ciphers (sorted by id) */`
			`SSL_CIPHER ssl3_ciphers[] = {`

			`@@ -1318,7 +1330,8 @@ SSL_CIPHER ssl3_ciphers[] = {`
			`.algo_strength = SSL_HIGH,`
			`.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256\|TLS1_PRF_STREEBOG256\|TLS1_NONCE_ADD_SEQUENCE,`
			`.strength_bits = 256,`
			`- .alg_bits = 256`
			`+ .alg_bits = 256,`
			`+ .tlstree = &tlstree_kuznyechik_ctr_omac,`
			`},`

			`/* Cipher C101 */`
			`@@ -1334,7 +1347,8 @@ SSL_CIPHER ssl3_ciphers[] = {`
			`.algo_strength = SSL_HIGH,`
			`.algorithm2 = SSL_HANDSHAKE_MAC_STREEBOG256\|TLS1_PRF_STREEBOG256\|TLS1_NONCE_ADD_SEQUENCE,`
			`.strength_bits = 256,`
			`- .alg_bits = 256`
			`+ .alg_bits = 256,`
			`+ .tlstree = &tlstree_magma_ctr_omac,`
			`},`

			`/* Cipher C102 */`
			`diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h`
			`index 1c5e174b8..a9f414224 100644`
			`--- a/src/lib/libssl/ssl.h`
			`+++ b/src/lib/libssl/ssl.h`
			`@@ -153,6 +153,8 @@`

			`#include <openssl/bio.h>`

			`+#include <openssl/kdftree.h>`
			`+`
			`#ifndef OPENSSL_NO_DEPRECATED`
			`#include <openssl/buffer.h>`
			`#include <openssl/crypto.h>`
			`@@ -397,6 +399,10 @@ struct ssl_cipher_st {`
			`unsigned long algorithm2; /* Extra flags */`
			`int strength_bits; /* Number of bits really used */`
			`int alg_bits; /* Number of bits for algorithm */`
			`+`
			`+#ifndef OPENSSL_NO_GOST`
			`+ const TLSTREE_CONST tlstree; / TLSTREE parameters */`
			`+#endif`
			`};`


			`diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c`
			`index c989d802c..a54c01dc7 100644`
			`--- a/src/lib/libssl/ssl_lib.c`
			`+++ b/src/lib/libssl/ssl_lib.c`
			`@@ -2545,6 +2545,13 @@ ssl_clear_cipher_read_state(SSL *s)`
			`free(s->internal->aead_read_ctx);`
			`s->internal->aead_read_ctx = NULL;`
			`}`
			`+`
			`+#ifndef OPENSSL_NO_GOST`
			`+ if (S3I(s)->read.tlstree_cipher != NULL)`
			`+ TLSTREE_CTX_free(S3I(s)->read.tlstree_cipher);`
			`+ if (S3I(s)->read.tlstree_mac != NULL)`
			`+ TLSTREE_CTX_free(S3I(s)->read.tlstree_mac);`
			`+#endif`
			`}`

			`void`
			`@@ -2561,6 +2568,13 @@ ssl_clear_cipher_write_state(SSL *s)`
			`free(s->internal->aead_write_ctx);`
			`s->internal->aead_write_ctx = NULL;`
			`}`
			`+`
			`+#ifndef OPENSSL_NO_GOST`
			`+ if (S3I(s)->write.tlstree_cipher != NULL)`
			`+ TLSTREE_CTX_free(S3I(s)->write.tlstree_cipher);`
			`+ if (S3I(s)->write.tlstree_mac != NULL)`
			`+ TLSTREE_CTX_free(S3I(s)->write.tlstree_mac);`
			`+#endif`
			`}`

			`/* Fix this function so that it takes an optional type parameter */`
			`diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h`
			`index dc291ae4f..6871b01a9 100644`
			`--- a/src/lib/libssl/ssl_locl.h`
			`+++ b/src/lib/libssl/ssl_locl.h`
			`@@ -811,6 +811,10 @@ typedef struct ssl3_rw_state_internal_st {`
			`unsigned char mac_secret[EVP_MAX_MD_SIZE];`
			`int cipher_iv_size;`
			`unsigned char cipher_iv[EVP_MAX_IV_LENGTH];`
			`+#ifndef OPENSSL_NO_GOST`
			`+ TLSTREE_CTX *tlstree_cipher;`
			`+ TLSTREE_CTX *tlstree_mac;`
			`+#endif`
			`} SSL3_RW_STATE_INTERNAL;`

			`typedef struct ssl3_state_internal_st {`
			`diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c`
			`index 7ed6825a1..a4219599d 100644`
			`--- a/src/lib/libssl/t1_enc.c`
			`+++ b/src/lib/libssl/t1_enc.c`
			`@@ -411,6 +411,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,`
			`const EVP_MD *mac;`
			`const EVP_CIPHER *mac_cipher;`
			`int mac_type;`
			`+ SSL3_RW_STATE_INTERNAL *rws;`

			`cipher = S3I(s)->tmp.new_sym_enc;`
			`mac = S3I(s)->tmp.new_hash;`
			`@@ -426,6 +427,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,`
			`if ((mac_ctx = EVP_MD_CTX_new()) == NULL)`
			`goto err;`
			`s->read_hash = mac_ctx;`
			`+ rws = &S3I(s)->read;`
			`} else {`
			`/*`
			`* DTLS fragments retain a pointer to the compression, cipher`
			`@@ -443,6 +445,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,`
			`if ((mac_ctx = EVP_MD_CTX_new()) == NULL)`
			`goto err;`
			`s->internal->write_hash = mac_ctx;`
			`+ rws = &S3I(s)->write;`
			`}`

			`EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);`
			`@@ -465,6 +468,24 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,`
			`else`
			`s->internal->write_mac_size = mac_size;`

			`+#ifndef OPENSSL_NO_GOST`
			`+ if (s->session->cipher->tlstree) {`
			`+ rws->tlstree_cipher = TLSTREE_CTX_new();`
			`+ rws->tlstree_mac = TLSTREE_CTX_new();`
			`+ if (rws->tlstree_cipher == NULL \|\|`
			`+ rws->tlstree_mac == NULL \|\|`
			`+ !TLSTREE_Init(rws->tlstree_cipher,`
			`+ s->session->cipher->tlstree,`
			`+ EVP_streebog256(), NULL,`
			`+ key, key_len) \|\|`
			`+ !TLSTREE_Init(rws->tlstree_mac,`
			`+ s->session->cipher->tlstree,`
			`+ EVP_streebog256(), NULL,`
			`+ mac_secret, mac_secret_size))`
			`+ goto err;`
			`+ }`
			`+#endif`
			`+`
			`if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {`
			`int nid;`
			`if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)`
			`@@ -904,6 +925,14 @@ tls1_enc(SSL *s, int send)`
			`return 0;`
			`}`

			`+#ifndef OPENSSL_NO_GOST`
			`+ if (rws->tlstree_cipher != NULL) {`
			`+ unsigned char tmp[EVP_MAX_KEY_LENGTH];`
			`+ if (!TLSTREE_GET(rws->tlstree_cipher, rws->sequence, tmp) \|\|`
			`+ !EVP_CipherInit_ex(ds, NULL, NULL, tmp, NULL, -1))`
			`+ return 0;`
			`+ }`
			`+#endif`
			`if (add_nonce) {`
			`unsigned char new_iv[EVP_MAX_IV_LENGTH];`
			`int iv_size = rws->cipher_iv_size;`
			`@@ -974,6 +1003,7 @@ tls1_mac(SSL ssl, unsigned char md, int send)`
			`int stream_mac = ssl->session && ssl->session->cipher ?`
			`ssl->session->cipher->algorithm2 & TLS1_STREAM_MAC :`
			`0;`
			`+ SSL3_RW_STATE_INTERNAL *rws;`
			`int t;`

			`if (send) {`
			`@@ -981,11 +1011,13 @@ tls1_mac(SSL ssl, unsigned char md, int send)`
			`seq = &(ssl->s3->internal->write.sequence[0]);`
			`hash = ssl->internal->write_hash;`
			`t = ssl->internal->write_mac_size;`
			`+ rws = &S3I(ssl)->write;`
			`} else {`
			`rec = &(ssl->s3->internal->rrec);`
			`seq = &(ssl->s3->internal->read.sequence[0]);`
			`hash = ssl->read_hash;`
			`t = ssl->read_mac_size;`
			`+ rws = &S3I(ssl)->read;`
			`}`

			`OPENSSL_assert(t >= 0);`
			`@@ -1028,6 +1060,16 @@ tls1_mac(SSL ssl, unsigned char md, int send)`
			`ssl->s3->internal->read.mac_secret_size))`
			`return -1;`
			`} else {`
			`+#ifndef OPENSSL_NO_GOST`
			`+ if (rws->tlstree_mac != NULL) {`
			`+ unsigned char tmp[EVP_MAX_KEY_LENGTH];`
			`+ if (mac_ctx->pctx == NULL \|\|`
			`+ !TLSTREE_GET(rws->tlstree_mac, seq, tmp) \|\|`
			`+ EVP_PKEY_CTX_ctrl(mac_ctx->pctx, -1, EVP_PKEY_OP_SIGNCTX,`
			`+ EVP_PKEY_CTRL_SET_MAC_KEY, rws->mac_secret_size, tmp) <= 0)`
			`+ return -1;`
			`+ }`
			`+#endif`
			`EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));`
			`EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);`
			`t = EVP_DigestSignFinal(mac_ctx, md, &md_size);`
			`--`
			`2.17.1`