github.com/mono/boringssl.git
author David Benjamin <davidben@chromium.org> 2014-12-22 05:27:41 +0300
committer Adam Langley <agl@google.com> 2015-01-14 23:30:26 +0300
commit ea72bd0b6033bc35d6a06da86e909a578d3d5daa
tree bab584792ab57e5d8d9aaccb92b93fa4d09700d2 /include/openssl/ssl3.h
parent df109ab3d4416f1c498f7ef24481cab3d3d72f1e
Implement all TLS ciphers with stateful AEADs.
The EVP_CIPHER codepath should no longer be used with TLS. It still exists for DTLS and SSLv3. The AEAD construction in TLS does not allow for variable-overhead AEADs, so stateful AEADs do not include the length in the ad parameter. Rather the AEADs internally append the unpadded length once it is known. EVP_aead_rc4_md5_tls is modified to account for this.

Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The cipher tests are all moved into crypto/cipher/test because there's now a lot of them and they clutter the directory listing.

In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs with a fixed IV component, and for AEADs which use a random nonce (for the explicit-IV CBC mode ciphers).

The new implementation fixes a bug/quirk in stateless CBC mode ciphers where the fixed IV portion of the keyblock was generated regardless. This is at the end, so it's only relevant for EAP-TLS which generates a MSK from the end of the key block.

Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334
Reviewed-on: https://boringssl-review.googlesource.com/2692
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'include/openssl/ssl3.h')
-rw-r--r-- include/openssl/ssl3.h 4
1 files changed, 3 insertions, 1 deletions
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 34c483e5..ae6c52c4 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -468,7 +468,9 @@ typedef struct ssl3_state_st
const EVP_AEAD *new_aead;
const EVP_MD *new_hash;
int new_mac_pkey_type;
- int new_mac_secret_size;
+ uint8_t new_mac_secret_len;
+ uint8_t new_fixed_iv_len;
+ uint8_t new_variable_iv_len;
/* Server-only: cert_request is true if a client certificate was
* requested. */
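Review bot: the three added fields in ssl3_state_st (new_mac_secret_len, new_fixed_iv_len, new_variable_iv_len) narrow the removed `int new_mac_secret_size` to uint8_t and carry no comment, although the next field, cert_request, is documented. Please add a short comment on each saying what the length measures and how new_fixed_iv_len and new_variable_iv_len relate to the fixed IV component and the random nonce mentioned in the commit message. Because the diff shown here is limited to this header, the assignment sites are not visible; wherever these fields are filled from an int or size_t, a range check or assert before the store would keep a value above 255 from being truncated silently. The rename from _size to _len is a reasonable way to force every remaining user of the old field to be revisited at compile time.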