Add IETF standard ChaCha20Poly1305 ciphersuites to TLS

6 files changed, 109 insertions, 59 deletions

diff --git a/doc/news.rst b/doc/news.rst
index e7a62b0c2..80b0dfe5a 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,6 +1,18 @@
 Release Notes
 ========================================
 
+Version 1.11.30, Not Yet Released
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Add IETF versions of the ChaCha20Poly1305 TLS ciphersuites from
+  draft-ietf-tls-chacha20-poly1305-04. The previously implemented
+  (non-standard) ChaCha20Poly1305 ciphersuites from
+  draft-agl-tls-chacha20poly1305 remain but are deprecated.
+
+* A bug in the IETF version of ChaCha20Poly1305 (with 96 bit nonces)
+  caused incorrect computation when the plaintext or AAD was exactly
+  a multiple of 16 bytes.
+
 Version 1.11.29, 2016-03-20
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/doc/todo.rst b/doc/todo.rst
index 0045b18be..dfab3cdf9 100644
--- a/doc/todo.rst
+++ b/doc/todo.rst
@@ -17,7 +17,6 @@ TLS
 * Make DTLS support optional at build time
 * Make TLS v1.0 and v1.1 optional at build time
 * Curve25519 key exchange
-* IETF standard ChaCha20Poly1305
 * TLS OCSP stapling (RFC 6066)
 * Encrypt-then-MAC extension (RFC 7366)
 * Authentication using TOFU (sqlite3 storage)
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index bdb37baad..efa6e2d18 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -53,12 +53,16 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
       m_aead->set_key(cipher_key + mac_key);
 
       BOTAN_ASSERT_EQUAL(iv.length(), nonce_bytes_from_handshake(), "Matching nonce sizes");
-      m_nonce = iv.bits_of();
+      m_nonce = unlock(iv.bits_of());
 
       BOTAN_ASSERT(nonce_bytes_from_record() == 0 || nonce_bytes_from_record() == 8,
                    "Ciphersuite uses implemented IV length");
 
-      m_nonce.resize(m_nonce.size() + 8);
+      if(m_nonce.size() != 12)
+         {
+         m_nonce.resize(m_nonce.size() + 8);
+         }
+
       return;
       }
 
@@ -77,20 +81,45 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
    m_mac->set_key(mac_key);
    }
 
-const secure_vector<byte>& Connection_Cipher_State::aead_nonce(u64bit seq)
+std::vector<byte> Connection_Cipher_State::aead_nonce(u64bit seq)
    {
-   store_be(seq, &m_nonce[nonce_bytes_from_handshake()]);
-   return m_nonce;
+   if(nonce_bytes_from_handshake() == 12)
+      {
+      std::vector<byte> nonce(12);
+      store_be(seq, nonce.data() + 4);
+      xor_buf(nonce, m_nonce.data(), m_nonce.size());
+      return nonce;
+      }
+   else
+      {
+      std::vector<byte> nonce = m_nonce;
+      store_be(seq, &nonce[nonce_bytes_from_handshake()]);
+      return nonce;
+      }
    }
 
-const secure_vector<byte>&
+std::vector<byte>
 Connection_Cipher_State::aead_nonce(const byte record[], size_t record_len, u64bit seq)
    {
-   if(nonce_bytes_from_record())
+   if(nonce_bytes_from_handshake() == 12)
+      {
+      /*
+      Assumes if the suite specifies 12 bytes come from the handshake then
+      use the XOR nonce construction from draft-ietf-tls-chacha20-poly1305
+      */
+
+      std::vector<byte> nonce(12);
+      store_be(seq, nonce.data() + 4);
+      xor_buf(nonce, m_nonce.data(), m_nonce.size());
+      return nonce;
+      }
+   else if(nonce_bytes_from_record() > 0)
       {
       if(record_len < nonce_bytes_from_record())
          throw Decoding_Error("Invalid AEAD packet too short to be valid");
-      copy_mem(&m_nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record());
+      std::vector<byte> nonce = m_nonce;
+      copy_mem(&nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record());
+      return nonce;
       }
    else
       {
@@ -98,18 +127,21 @@ Connection_Cipher_State::aead_nonce(const byte record[], size_t record_len, u64b
       nonce_len == 0 is assumed to mean no nonce in the message but
       instead the AEAD uses the seq number in network order.
       */
-      store_be(seq, &m_nonce[nonce_bytes_from_handshake()]);
+      std::vector<byte> nonce = m_nonce;
+      store_be(seq, &nonce[nonce_bytes_from_handshake()]);
+      return nonce;
       }
-   return m_nonce;
    }
 
-const secure_vector<byte>&
+std::vector<byte>
 Connection_Cipher_State::format_ad(u64bit msg_sequence,
                                    byte msg_type,
                                    Protocol_Version version,
                                    u16bit msg_length)
    {
-   m_ad.clear();
+   std::vector<byte> m_ad;
+   m_ad.reserve(13);
+
    for(size_t i = 0; i != 8; ++i)
       m_ad.push_back(get_byte(i, msg_sequence));
    m_ad.push_back(msg_type);
@@ -156,7 +188,7 @@ void write_record(secure_vector<byte>& output,
       {
       const size_t ctext_size = aead->output_length(msg_length);
 
-      const secure_vector<byte>& nonce = cs->aead_nonce(seq);
+      const std::vector<byte> nonce = cs->aead_nonce(seq);
 
       // wrong if start returns something
       const size_t rec_size = ctext_size + cs->nonce_bytes_from_record();
@@ -167,7 +199,11 @@ void write_record(secure_vector<byte>& output,
 
       aead->set_ad(cs->format_ad(seq, msg_type, version, msg_length));
 
-      output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
+      if(cs->nonce_bytes_from_record() > 0)
+         {
+         output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
+         }
+
       BOTAN_ASSERT(aead->start(nonce).empty(), "AEAD doesn't return anything from start");
 
       const size_t offset = output.size();
@@ -350,7 +386,7 @@ void decrypt_record(secure_vector<byte>& output,
    {
    if(AEAD_Mode* aead = cs.aead())
       {
-      const secure_vector<byte>& nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
+      const std::vector<byte> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
       const byte* msg = &record_contents[cs.nonce_bytes_from_record()];
       const size_t msg_length = record_len - cs.nonce_bytes_from_record();
 
diff --git a/src/lib/tls/tls_record.h b/src/lib/tls/tls_record.h
index d7aa82e71..e3b0b9b58 100644
--- a/src/lib/tls/tls_record.h
+++ b/src/lib/tls/tls_record.h
@@ -42,13 +42,13 @@ class Connection_Cipher_State
 
       AEAD_Mode* aead() { return m_aead.get(); }
 
-      const secure_vector<byte>& aead_nonce(u64bit seq);
+      std::vector<byte> aead_nonce(u64bit seq);
 
-      const secure_vector<byte>& aead_nonce(const byte record[], size_t record_len, u64bit seq);
+      std::vector<byte> aead_nonce(const byte record[], size_t record_len, u64bit seq);
 
-      const secure_vector<byte>& format_ad(u64bit seq, byte type,
-                                           Protocol_Version version,
-                                           u16bit ptext_length);
+      std::vector<byte> format_ad(u64bit seq, byte type,
+                                  Protocol_Version version,
+                                  u16bit ptext_length);
 
       BlockCipher* block_cipher() { return m_block_cipher.get(); }
 
@@ -82,7 +82,7 @@ class Connection_Cipher_State
       std::unique_ptr<MessageAuthenticationCode> m_mac;
 
       std::unique_ptr<AEAD_Mode> m_aead;
-      secure_vector<byte> m_nonce, m_ad;
+      std::vector<byte> m_nonce;
 
       size_t m_block_size = 0;
       size_t m_nonce_bytes_from_handshake;
diff --git a/src/lib/tls/tls_suite_info.cpp b/src/lib/tls/tls_suite_info.cpp
index 0bebecb82..84e2a30a8 100644
--- a/src/lib/tls/tls_suite_info.cpp
+++ b/src/lib/tls/tls_suite_info.cpp
@@ -2,8 +2,8 @@
 * TLS cipher suite information
 *
 * This file was automatically generated from the IANA assignments
-* (tls-parameters.txt hash 6a934405ed41aa4d6113dad17f815867741430ac)
-* by ./src/scripts/tls_suite_info.py on 2016-01-06
+* (tls-parameters.txt hash fe280cb8b13bfdd306a975ab39fda238f77ae3bc)
+* by ./src/scripts/tls_suite_info.py on 2016-03-23
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -159,6 +159,12 @@ std::vector<u16bit> Ciphersuite::all_known_ciphersuite_ids()
       0xCC13,
       0xCC14,
       0xCC15,
+      0xCCA8,
+      0xCCA9,
+      0xCCAA,
+      0xCCAB,
+      0xCCAC,
+      0xCCAD,
       0xFFF0,
       0xFFF1,
       0xFFF2,
@@ -604,6 +610,24 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
       case 0xCC15: // DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
          return Ciphersuite(0xCC15, "RSA", "DH", "ChaCha20Poly1305", 32, 0, 0, "AEAD", 0, "SHA-256");
 
+      case 0xCCA8: // ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCA8, "RSA", "ECDH", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
+      case 0xCCA9: // ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCA9, "ECDSA", "ECDH", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
+      case 0xCCAA: // DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCAA, "RSA", "DH", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
+      case 0xCCAB: // PSK_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCAB, "", "PSK", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
+      case 0xCCAC: // ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCAC, "", "ECDHE_PSK", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
+      case 0xCCAD: // DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
+         return Ciphersuite(0xCCAD, "", "DHE_PSK", "ChaCha20Poly1305", 32, 12, 0, "AEAD", 0, "SHA-256");
+
       case 0xFFF0: // ECDHE_RSA_WITH_AES_128_OCB_SHA256
          return Ciphersuite(0xFFF0, "RSA", "ECDH", "AES-128/OCB(12)", 16, 4, 0, "AEAD", 0, "SHA-256");
 
diff --git a/src/scripts/tls_suite_info.py b/src/scripts/tls_suite_info.py
index 6ba807d68..2bff5ad34 100755
--- a/src/scripts/tls_suite_info.py
+++ b/src/scripts/tls_suite_info.py
@@ -114,9 +114,9 @@ def to_ciphersuite_info(code, name):
     ivlen = 0
 
     if cipher[0] == 'CHACHA20' and cipher[1] == 'POLY1305':
-        iv_len = 4
-        if (code[0:2] == 'CC'):
-            iv_len = 0
+        iv_len = 12
+        if code in ['CC13', 'CC14', 'CC15']:
+            iv_len = 0 # Google variant
         return 'Ciphersuite(0x%s, "%s", "%s", "%s", %d, %d, %d, "AEAD", %d, "%s")' % (
             code, sig_algo, kex_algo, "ChaCha20Poly1305", cipher_keylen, iv_len, 0, 0, mac_algo)
 
@@ -168,11 +168,6 @@ def process_command_line(args):
 
     parser = optparse.OptionParser()
 
-    parser.add_option('--with-chacha', action='store_true', default=True,
-                      help='enable experimental ChaCha suites')
-    parser.add_option('--without-chacha', action='store_false', dest='with_chacha',
-                      help='disable experimental ChaCha suites')
-
     parser.add_option('--with-ocb', action='store_true', default=True,
                       help='enable experimental OCB AEAD suites')
     parser.add_option('--without-ocb', action='store_false', dest='with_ocb',
@@ -224,7 +219,7 @@ def main(args = None):
                     should_use = False
 
             if should_use:
-                suites[name] = (code, to_ciphersuite_info(code, name))
+                suites[code] = (name, to_ciphersuite_info(code, name))
 
     sha1 = hashlib.sha1()
     sha1.update(contents)
@@ -236,23 +231,12 @@ def main(args = None):
         out.close()
 
     def define_custom_ciphersuite(name, code):
-        suites[name] = (code, to_ciphersuite_info(code, name))
-
-    if options.with_chacha:
-        # Google servers - draft-agl-tls-chacha20poly1305-04
-        define_custom_ciphersuite('ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC13')
-        define_custom_ciphersuite('ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'CC14')
-        define_custom_ciphersuite('DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC15')
-
-    if options.with_chacha and False:
-        # Provisional IETF ChaCha suites
-        define_custom_ciphersuite('RSA_WITH_CHACHA20_POLY1305_SHA256', 'CD30')
-        define_custom_ciphersuite('ECDSA_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CD31')
-        define_custom_ciphersuite('ECDSA_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'CD32')
-        define_custom_ciphersuite('DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CD33')
-        define_custom_ciphersuite('DHE_PSK_WITH_CHACHA20_POLY1305_SHA256', 'CD34')
-        define_custom_ciphersuite('PSK_WITH_CHACHA20_POLY1305_SHA256', 'CD35')
-        define_custom_ciphersuite('ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256', 'CD36')
+        suites[code] = (name, to_ciphersuite_info(code, name))
+
+    # Google servers - draft-agl-tls-chacha20poly1305-04
+    define_custom_ciphersuite('ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC13')
+    define_custom_ciphersuite('ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'CC14')
+    define_custom_ciphersuite('DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'CC15')
 
     # Expermental things
     if options.with_ocb:
@@ -316,12 +300,7 @@ std::vector<u16bit> Ciphersuite::all_known_ciphersuite_ids()
    return std::vector<u16bit>{
 """
 
-    csuite_ids = {}
-
-    for (k,v) in suites.items():
-        csuite_ids[v[0]] = (k, v[1])
-
-    for i in sorted(csuite_ids.keys()):
+    for i in sorted(suites.keys()):
         suite_info += "      0x%s,\n" % (i)
 
     suite_info += """   };
@@ -333,9 +312,9 @@ Ciphersuite Ciphersuite::by_id(u16bit suite)
       {
 """
 
-    for i in sorted(csuite_ids.keys()):
-        suite_name = csuite_ids[i][0]
-        suite_expr = csuite_ids[i][1]
+    for i in sorted(suites.keys()):
+        suite_name = suites[i][0]
+        suite_expr = suites[i][1]
         suite_info += "      case 0x%s: // %s\n" % (i, suite_name)
         suite_info += "         return %s;\n\n" % (suite_expr)