grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_ssl3.c

@@ -26,6 +26,7 @@
 
 #include "internal.h"
 #include "../internal.h"
+#include "../fipsmodule/cipher/internal.h"
 
 
 typedef struct {
@@ -39,8 +40,8 @@ static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
   size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
   size_t pad_len = (md_size == 20) ? 40 : 48;
 
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
   uint8_t ad_extra[2];
   ad_extra[0] = (uint8_t)(in_len >> 8);
   ad_extra[1] = (uint8_t)(in_len & 0xff);
@@ -122,28 +123,48 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   return 1;
 }
 
-static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
+static size_t aead_ssl3_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
+                                const size_t extra_in_len) {
+  assert(extra_in_len == 0);
+  const AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX*)ctx->aead_state;
+
+  const size_t digest_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
+  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
+    // The NULL cipher.
+    return digest_len;
+  }
+
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
+  // An overflow of |in_len + digest_len| doesn't affect the result mod
+  // |block_size|, provided that |block_size| is a smaller power of two.
+  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
+  const size_t pad_len = block_size - ((in_len + digest_len) % block_size);
+  return digest_len + pad_len;
+}
+
+static int aead_ssl3_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                  uint8_t *out_tag, size_t *out_tag_len,
+                                  const size_t max_out_tag_len,
+                                  const uint8_t *nonce, const size_t nonce_len,
+                                  const uint8_t *in, const size_t in_len,
+                                  const uint8_t *extra_in,
+                                  const size_t extra_in_len, const uint8_t *ad,
+                                  const size_t ad_len) {
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  size_t total = 0;
 
   if (!ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
     return 0;
   }
 
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+  if (in_len > INT_MAX) {
+    // EVP_CIPHER takes int as input.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
     return 0;
   }
 
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
+  if (max_out_tag_len < aead_ssl3_tag_len(ctx, in_len, extra_in_len)) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -158,52 +179,71 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
+  // Compute the MAC. This must be first in case the operation is being done
+  // in-place.
   uint8_t mac[EVP_MAX_MD_SIZE];
   unsigned mac_len;
   if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
     return 0;
   }
 
-  /* Encrypt the input. */
+  // Encrypt the input.
   int len;
   if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
                          (int)in_len)) {
     return 0;
   }
-  total = len;
 
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
+
+  // Feed the MAC into the cipher in two steps. First complete the final partial
+  // block from encrypting the input and split the result between |out| and
+  // |out_tag|. Then encrypt the remainder.
+
+  size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
+  if (early_mac_len != 0) {
+    assert(len + block_size - early_mac_len == in_len);
+    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
+    int buf_len;
+    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, buf, &buf_len, mac,
+                           (int)early_mac_len)) {
+      return 0;
+    }
+    assert(buf_len == (int)block_size);
+    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
+    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
+  }
+  size_t tag_len = early_mac_len;
+
+  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len,
+                         mac + tag_len, mac_len - tag_len)) {
     return 0;
   }
-  total += len;
+  tag_len += len;
 
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
   if (block_size > 1) {
     assert(block_size <= 256);
     assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
 
-    /* Compute padding and feed that into the cipher. */
+    // Compute padding and feed that into the cipher.
     uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
+    size_t padding_len = block_size - ((in_len + mac_len) % block_size);
     OPENSSL_memset(padding, 0, padding_len - 1);
     padding[padding_len - 1] = padding_len - 1;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,
+    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len, padding,
                            (int)padding_len)) {
       return 0;
     }
-    total += len;
+    tag_len += len;
   }
 
-  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
+  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out_tag + tag_len, &len)) {
     return 0;
   }
-  total += len;
+  tag_len += len;
+  assert(tag_len == aead_ssl3_tag_len(ctx, in_len, extra_in_len));
 
-  *out_len = total;
+  *out_tag_len = tag_len;
   return 1;
 }
 
@@ -215,7 +255,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
 
   if (ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
     return 0;
   }
@@ -227,8 +267,8 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
+    // This requires that the caller provide space for the MAC, even though it
+    // will always be removed on return.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -244,12 +284,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+    // EVP_CIPHER takes int as input.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
     return 0;
   }
 
-  /* Decrypt to get the plaintext + MAC + padding. */
+  // Decrypt to get the plaintext + MAC + padding.
   size_t total = 0;
   int len;
   if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -262,9 +302,9 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   total += len;
   assert(total == in_len);
 
-  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
-   * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
-   * https://www.openssl.org/~bodo/ssl-poodle.pdf */
+  // Remove CBC padding and MAC. This would normally be timing-sensitive, but
+  // SSLv3 CBC ciphers are already broken. Support will be removed eventually.
+  // https://www.openssl.org/~bodo/ssl-poodle.pdf
   size_t data_len;
   if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
     unsigned padding_length = out[total - 1];
@@ -272,7 +312,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
     }
-    /* The padding must be minimal. */
+    // The padding must be minimal.
     if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
@@ -282,7 +322,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     data_len = total - mac_len;
   }
 
-  /* Compute the MAC and compare against the one in the record. */
+  // Compute the MAC and compare against the one in the record.
   uint8_t mac[EVP_MAX_MD_SIZE];
   if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
     return 0;
@@ -338,55 +378,71 @@ static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 }
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_128_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
-    aead_ssl3_seal,
     aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
     aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_256_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
-    aead_ssl3_seal,
     aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
     aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
+    0,                           // nonce len
+    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,           // max tag length
+    0,                           // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_des_ede3_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
-    aead_ssl3_seal,
     aead_ssl3_open,
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
     aead_ssl3_get_iv,
+    aead_ssl3_tag_len,
 };
 
 static const EVP_AEAD aead_null_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
+    SHA_DIGEST_LENGTH,  // key len
+    0,                  // nonce len
+    SHA_DIGEST_LENGTH,  // overhead (SHA1)
+    SHA_DIGEST_LENGTH,  // max tag length
+    0,                  // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_null_sha1_ssl3_init,
     aead_ssl3_cleanup,
-    aead_ssl3_seal,
     aead_ssl3_open,
-    NULL,                       /* get_iv */
+    aead_ssl3_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_ssl3_tag_len,
 };
 
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {

data/third_party/boringssl/crypto/{cipher → cipher_extra}/e_tls.c

@@ -25,6 +25,7 @@
 #include <openssl/sha.h>
 #include <openssl/type_check.h>
 
+#include "../fipsmodule/cipher/internal.h"
 #include "../internal.h"
 #include "internal.h"
 
@@ -32,12 +33,12 @@
 typedef struct {
   EVP_CIPHER_CTX cipher_ctx;
   HMAC_CTX hmac_ctx;
-  /* mac_key is the portion of the key used for the MAC. It is retained
-   * separately for the constant-time CBC code. */
+  // mac_key is the portion of the key used for the MAC. It is retained
+  // separately for the constant-time CBC code.
   uint8_t mac_key[EVP_MAX_MD_SIZE];
   uint8_t mac_key_len;
-  /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
-   * IV. */
+  // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
+  // IV.
   char implicit_iv;
 } AEAD_TLS_CTX;
 
@@ -47,7 +48,6 @@ static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
   EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
   HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
-  OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
   OPENSSL_free(tls_ctx);
   ctx->aead_state = NULL;
 }
@@ -98,28 +98,48 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   return 1;
 }
 
-static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
+static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,
+                               const size_t extra_in_len) {
+  assert(extra_in_len == 0);
+  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+
+  const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);
+  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {
+    // The NULL cipher.
+    return hmac_len;
+  }
+
+  const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
+  // An overflow of |in_len + hmac_len| doesn't affect the result mod
+  // |block_size|, provided that |block_size| is a smaller power of two.
+  assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
+  const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
+  return hmac_len + pad_len;
+}
+
+static int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                 uint8_t *out_tag, size_t *out_tag_len,
+                                 const size_t max_out_tag_len,
+                                 const uint8_t *nonce, const size_t nonce_len,
+                                 const uint8_t *in, const size_t in_len,
+                                 const uint8_t *extra_in,
+                                 const size_t extra_in_len, const uint8_t *ad,
+                                 const size_t ad_len) {
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  size_t total = 0;
 
   if (!tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
     return 0;
   }
 
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+  if (in_len > INT_MAX) {
+    // EVP_CIPHER takes int as input.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
     return 0;
   }
 
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
+  if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -134,14 +154,14 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
   uint8_t ad_extra[2];
   ad_extra[0] = (uint8_t)(in_len >> 8);
   ad_extra[1] = (uint8_t)(in_len & 0xff);
 
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
+  // Compute the MAC. This must be first in case the operation is being done
+  // in-place.
   uint8_t mac[EVP_MAX_MD_SIZE];
   unsigned mac_len;
   if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
@@ -152,62 +172,80 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  /* Configure the explicit IV. */
+  // Configure the explicit IV.
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
       !tls_ctx->implicit_iv &&
       !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
     return 0;
   }
 
-  /* Encrypt the input. */
+  // Encrypt the input.
   int len;
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
+  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
     return 0;
   }
-  total = len;
 
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
+  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
+
+  // Feed the MAC into the cipher in two steps. First complete the final partial
+  // block from encrypting the input and split the result between |out| and
+  // |out_tag|. Then feed the rest.
+
+  const size_t early_mac_len =
+      (block_size - (in_len % block_size) % block_size);
+  if (early_mac_len != 0) {
+    assert(len + block_size - early_mac_len == in_len);
+    uint8_t buf[EVP_MAX_BLOCK_LENGTH];
+    int buf_len;
+    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,
+                           (int)early_mac_len)) {
+      return 0;
+    }
+    assert(buf_len == (int)block_size);
+    OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);
+    OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);
+  }
+  size_t tag_len = early_mac_len;
+
+  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
+                         mac + tag_len, mac_len - tag_len)) {
     return 0;
   }
-  total += len;
+  tag_len += len;
 
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
   if (block_size > 1) {
     assert(block_size <= 256);
     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
 
-    /* Compute padding and feed that into the cipher. */
+    // Compute padding and feed that into the cipher.
     uint8_t padding[256];
     unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
     OPENSSL_memset(padding, padding_len - 1, padding_len);
-    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
+    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,
+                           padding, (int)padding_len)) {
       return 0;
     }
-    total += len;
+    tag_len += len;
   }
 
-  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
+  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
     return 0;
   }
-  total += len;
+  assert(len == 0);  // Padding is explicit.
+  assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));
 
-  *out_len = total;
+  *out_tag_len = tag_len;
   return 1;
 }
 
-static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
+static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
+                         size_t max_out_len, const uint8_t *nonce,
+                         size_t nonce_len, const uint8_t *in, size_t in_len,
                          const uint8_t *ad, size_t ad_len) {
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
 
   if (tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
     return 0;
   }
@@ -218,8 +256,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
+    // This requires that the caller provide space for the MAC, even though it
+    // will always be removed on return.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -235,19 +273,19 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
+    // EVP_CIPHER takes int as input.
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
     return 0;
   }
 
-  /* Configure the explicit IV. */
+  // Configure the explicit IV.
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
       !tls_ctx->implicit_iv &&
       !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
     return 0;
   }
 
-  /* Decrypt to get the plaintext + MAC + padding. */
+  // Decrypt to get the plaintext + MAC + padding.
   size_t total = 0;
   int len;
   if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -260,40 +298,41 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   total += len;
   assert(total == in_len);
 
-  /* Remove CBC padding. Code from here on is timing-sensitive with respect to
-   * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
-  unsigned padding_ok, data_plus_mac_len;
+  // Remove CBC padding. Code from here on is timing-sensitive with respect to
+  // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
+  size_t data_plus_mac_len;
+  crypto_word_t padding_ok;
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
     if (!EVP_tls_cbc_remove_padding(
             &padding_ok, &data_plus_mac_len, out, total,
             EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
-            (unsigned)HMAC_size(&tls_ctx->hmac_ctx))) {
-      /* Publicly invalid. This can be rejected in non-constant time. */
+            HMAC_size(&tls_ctx->hmac_ctx))) {
+      // Publicly invalid. This can be rejected in non-constant time.
       OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
       return 0;
     }
   } else {
-    padding_ok = ~0u;
+    padding_ok = CONSTTIME_TRUE_W;
     data_plus_mac_len = total;
-    /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
-     * already been checked against the MAC size at the top of the function. */
+    // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
+    // already been checked against the MAC size at the top of the function.
     assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
   }
-  unsigned data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
+  size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
 
-  /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
-   * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
-   * still large enough to extract a MAC, but it will be irrelevant. */
+  // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
+  // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
+  // still large enough to extract a MAC, but it will be irrelevant.
 
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
+  // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+  // length for legacy ciphers.
   uint8_t ad_fixed[13];
   OPENSSL_memcpy(ad_fixed, ad, 11);
   ad_fixed[11] = (uint8_t)(data_len >> 8);
   ad_fixed[12] = (uint8_t)(data_len & 0xff);
   ad_len += 2;
 
-  /* Compute the MAC and extract the one in the record. */
+  // Compute the MAC and extract the one in the record.
   uint8_t mac[EVP_MAX_MD_SIZE];
   size_t mac_len;
   uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
@@ -311,8 +350,8 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     record_mac = record_mac_tmp;
     EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
   } else {
-    /* We should support the constant-time path for all CBC-mode ciphers
-     * implemented. */
+    // We should support the constant-time path for all CBC-mode ciphers
+    // implemented.
     assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
 
     unsigned mac_len_u;
@@ -328,19 +367,19 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     record_mac = &out[data_len];
   }
 
-  /* Perform the MAC check and the padding check in constant-time. It should be
-   * safe to simply perform the padding check first, but it would not be under a
-   * different choice of MAC location on padding failure. See
-   * EVP_tls_cbc_remove_padding. */
-  unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len),
-                                       0);
+  // Perform the MAC check and the padding check in constant-time. It should be
+  // safe to simply perform the padding check first, but it would not be under a
+  // different choice of MAC location on padding failure. See
+  // EVP_tls_cbc_remove_padding.
+  crypto_word_t good =
+      constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
   good &= padding_ok;
   if (!good) {
     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
 
-  /* End of timing-sensitive code. */
+  // End of timing-sensitive code.
 
   *out_len = data_len;
   return 1;
@@ -434,133 +473,173 @@ static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
 }
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16,  // key len (SHA1 + AES128)
+    16,                      // nonce len (IV)
+    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_128_cbc_sha1_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 16 + 16,  // key len (SHA1 + AES128 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_128_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA256_DIGEST_LENGTH + 16,  // key len (SHA256 + AES128)
+    16,                         // nonce len (IV)
+    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
+    SHA256_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_128_cbc_sha256_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32,  // key len (SHA1 + AES256)
+    16,                      // nonce len (IV)
+    16 + SHA_DIGEST_LENGTH,  // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_256_cbc_sha1_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 32 + 16,  // key len (SHA1 + AES256 + IV)
+    0,                            // nonce len
+    16 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,            // max tag length
+    0,                            // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_256_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA256_DIGEST_LENGTH + 32,  // key len (SHA256 + AES256)
+    16,                         // nonce len (IV)
+    16 + SHA256_DIGEST_LENGTH,  // overhead (padding + SHA256)
+    SHA256_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_256_cbc_sha256_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
-    SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
-    SHA384_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA384_DIGEST_LENGTH + 32,  // key len (SHA384 + AES256)
+    16,                         // nonce len (IV)
+    16 + SHA384_DIGEST_LENGTH,  // overhead (padding + SHA384)
+    SHA384_DIGEST_LENGTH,       // max tag length
+    0,                          // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_aes_256_cbc_sha384_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                      /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
-    8,                      /* nonce len (IV) */
-    8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24,  // key len (SHA1 + 3DES)
+    8,                       // nonce len (IV)
+    8 + SHA_DIGEST_LENGTH,   // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,       // max tag length
+    0,                       // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_des_ede3_cbc_sha1_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                   /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
+    SHA_DIGEST_LENGTH + 24 + 8,  // key len (SHA1 + 3DES + IV)
+    0,                           // nonce len
+    8 + SHA_DIGEST_LENGTH,       // overhead (padding + SHA1)
+    SHA_DIGEST_LENGTH,           // max tag length
+    0,                           // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    aead_tls_get_iv,            /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,             // open_gather
+    aead_tls_get_iv,  // get_iv
+    aead_tls_tag_len,
 };
 
 static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
+    SHA_DIGEST_LENGTH,  // key len
+    0,                  // nonce len
+    SHA_DIGEST_LENGTH,  // overhead (SHA1)
+    SHA_DIGEST_LENGTH,  // max tag length
+    0,                  // seal_scatter_supports_extra_in
+
+    NULL,  // init
     aead_null_sha1_tls_init,
     aead_tls_cleanup,
-    aead_tls_seal,
     aead_tls_open,
-    NULL,                       /* get_iv */
+    aead_tls_seal_scatter,
+    NULL,  // open_gather
+    NULL,  // get_iv
+    aead_tls_tag_len,
 };
 
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {