tls: Separate TLS protection to abstracted AEAD modes

To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.

8 files changed, 874 insertions, 325 deletions

diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
index b83ea8eba..403a6868b 100644
--- a/src/libtls/Makefile.am
+++ b/src/libtls/Makefile.am
@@ -8,6 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
 	tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
 	tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+	tls_aead_expl.c tls_aead_impl.c tls_aead_null.c \
 	tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -18,5 +19,5 @@ tls_includedir = ${dev_headers}/tls
 nobase_tls_include_HEADERS = \
 	tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
 	tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-	tls_server.h tls_handshake.h tls_application.h tls.h
+	tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 endif
diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h
new file mode 100644
index 000000000..48b16ccdb
--- /dev/null
+++ b/src/libtls/tls_aead.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_aead tls_aead
+ * @{ @ingroup tls
+ */
+
+#ifndef TLS_AEAD_H_
+#define TLS_AEAD_H_
+
+typedef struct tls_aead_t tls_aead_t;
+
+#include "tls.h"
+
+/**
+ * TLS specific AEAD interface, includes padding.
+ *
+ * As TLS uses sign-then-encrypt instead of the more modern encrypt-then-sign,
+ * we can't directly abstract traditional transforms using our aead_t interface.
+ * With traditional transforms, the AEAD operation has to manage padding, as
+ * the MAC is calculated over unpadded data.
+ */
+struct tls_aead_t {
+
+	/**
+	 * Encrypt and sign a TLS record.
+	 *
+	 * The plain data chunk gets freed on success, and the data chunk
+	 * gets updated with a new allocation of the encrypted data.
+	 * If next_iv is given, it must contain the IV for this operation. It
+	 * gets updated to the IV for the next record.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to encrypt, encryption result
+	 * @return				TRUE if successfully encrypted
+	 */
+	bool (*encrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Decrypt and verify a TLS record.
+	 *
+	 * The passed encrypted data chunk gets updated to the decrypted record
+	 * length, decryption is done inline.
+	 *
+	 * @param version		TLS version
+	 * @param type			TLS content type
+	 * @param seq			record sequence number
+	 * @param data			data to decrypt, decrypted result
+	 * @return				TRUE if successfully decrypted
+	 */
+	bool (*decrypt)(tls_aead_t *this, tls_version_t version,
+					tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+	/**
+	 * Get the authentication key size.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_mac_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the encrytion key size, if used.
+	 *
+	 * @return		key size, in bytes, 0 if not used
+	 */
+	size_t (*get_encr_key_size)(tls_aead_t *this);
+
+	/**
+	 * Get the size of implicit IV (or AEAD salt), if used.
+	 *
+	 * @return		IV/salt size, in bytes, 0 if not used
+	 */
+	size_t (*get_iv_size)(tls_aead_t *this);
+
+	/**
+	 * Set the keys used by an AEAD transform.
+	 *
+	 * @param mac		authentication key, if used
+	 * @param encr		encryption key, if used
+	 * @param iv		initial implicit IV or AEAD salt, if any
+	 * @return			TRUE if key valid and set
+	 */
+	bool (*set_keys)(tls_aead_t *this, chunk_t mac, chunk_t ecnr, chunk_t iv);
+
+	/**
+	 * Destroy a tls_aead_t.
+	 */
+	void (*destroy)(tls_aead_t *this);
+};
+
+/**
+ * Create a tls_aead instance using traditional transforms, explicit IV.
+ *
+ * An explicit IV means that the IV is prepended to each TLS record. This is
+ * the mechanism used in TLS 1.1 and newer.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using traditional transforms, implicit IV.
+ *
+ * An implicit IV uses a first IV derived from the TLS keymat, which then
+ * gets replaced by the last encrypted records tail. This is the mechanism
+ * used for TLS 1.0 and older.
+ *
+ * @param mac			integrity protection algorithm
+ * @param encr			encryption algorithm
+ * @param encr_size		encryption key size, in bytes
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using NULL encryption.
+ *
+ * As no IV is involved with null encryption, this AEAD works with any
+ * version of TLS.
+ *
+ * @param mac			integrity protection algorithm
+ * @return				TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac);
+
+#endif /** TLS_AEAD_H_ @}*/
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
new file mode 100644
index 000000000..f047d6584
--- /dev/null
+++ b/src/libtls/tls_aead_expl.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * IV generator
+	 */
+	iv_gen_t *iv_gen;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	/* TLSv1.1 uses random IVs, prepended to record */
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	iv = chunk_alloca(iv.len);
+	if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
+	{
+		free(data->ptr);
+		return FALSE;
+	}
+	/* prepend IV */
+	*data = chunk_cat("cm", iv, *data);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+	u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	iv.len = this->crypter->get_iv_size(this->crypter);
+	if (data->len < iv.len)
+	{
+		return FALSE;
+	}
+	iv.ptr = data->ptr;
+	*data = chunk_skip(*data, iv.len);
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len % bs)
+	{
+		return FALSE;
+	}
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->iv_gen->destroy(this->iv_gen);
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_iv_size = _get_iv_size,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+		.iv_gen = iv_gen_rand_create(),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
new file mode 100644
index 000000000..9b259fc1d
--- /dev/null
+++ b/src/libtls/tls_aead_impl.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+
+	/**
+	 * Next implicit IV
+	 */
+	chunk_t iv;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, padding;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	bs = this->crypter->get_block_size(this->crypter);
+	padlen = pad_len(data->len + mac.len + 1, bs);
+
+	padding = chunk_alloca(padlen);
+	memset(padding.ptr, padlen, padding.len);
+
+	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+	/* encrypt inline */
+	if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
+	{
+		return FALSE;
+	}
+	if (data->len < this->iv.len)
+	{
+		return FALSE;
+	}
+	/* next record IV is last ciphertext block of this record */
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac, iv;
+	u_int8_t bs, padlen;
+	sigheader_t hdr;
+
+	bs = this->crypter->get_block_size(this->crypter);
+	if (data->len < bs || data->len < this->iv.len || data->len % bs)
+	{
+		return FALSE;
+	}
+	iv = chunk_alloca(this->iv.len);
+	memcpy(iv.ptr, this->iv.ptr, this->iv.len);
+	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+	{
+		return FALSE;
+	}
+	padlen = data->ptr[data->len - 1];
+	if (padlen < data->len)
+	{	/* If padding looks valid, remove it */
+		data->len -= padlen + 1;
+	}
+
+	bs = this->signer->get_block_size(this->signer);
+	if (data->len < bs)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - bs);
+	data->len -= bs;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->iv.len;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len != this->iv.len)
+	{
+		return FALSE;
+	}
+	memcpy(this->iv.ptr, iv.ptr, this->iv.len);
+	return this->signer->set_key(this->signer, mac) &&
+		   this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	DESTROY_IF(this->crypter);
+	DESTROY_IF(this->signer);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+								encryption_algorithm_t encr, size_t encr_size)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_iv_size = _get_iv_size,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+		.signer = lib->crypto->create_signer(lib->crypto, mac),
+	);
+
+	if (!this->crypter || !this->signer)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
new file mode 100644
index 000000000..b80a0bc54
--- /dev/null
+++ b/src/libtls/tls_aead_null.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+	/**
+	 * Public tls_aead_t interface.
+	 */
+	tls_aead_t public;
+
+	/**
+	 * traditional signer
+	 */
+	signer_t *signer;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+	u_int64_t seq;
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->allocate_signature(this->signer, *data, &mac))
+	{
+		return FALSE;
+	}
+	*data = chunk_cat("mm", *data, mac);
+	return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+	private_tls_aead_t *this, tls_version_t version,
+	tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+	chunk_t assoc, mac;
+	sigheader_t hdr;
+
+	mac.len = this->signer->get_block_size(this->signer);
+	if (data->len < mac.len)
+	{
+		return FALSE;
+	}
+	mac = chunk_skip(*data, data->len - mac.len);
+	data->len -= mac.len;
+
+	hdr.type = type;
+	htoun64(&hdr.seq, seq);
+	htoun16(&hdr.version, version);
+	htoun16(&hdr.length, data->len);
+
+	assoc = chunk_from_thing(hdr);
+	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+		!this->signer->verify_signature(this->signer, *data, mac))
+	{
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+	private_tls_aead_t *this)
+{
+	return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+	if (iv.len || encr.len)
+	{
+		return FALSE;
+	}
+	return this->signer->set_key(this->signer, mac);
+}
+
+METHOD(tls_aead_t, destroy, void,
+	private_tls_aead_t *this)
+{
+	this->signer->destroy(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg)
+{
+	private_tls_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_iv_size = _get_iv_size,
+			.get_mac_key_size = _get_mac_key_size,
+			.get_encr_key_size = _get_encr_key_size,
+			.get_iv_size = _get_iv_size,
+			.set_keys = _set_keys,
+			.destroy = _destroy,
+		},
+		.signer = lib->crypto->create_signer(lib->crypto, alg),
+	);
+
+	if (!this->signer)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index cc73ebaeb..03d19fa00 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -385,34 +385,14 @@ struct private_tls_crypto_t {
 	tls_prf_t *prf;
 
 	/**
-	 * Signer instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	signer_t *signer_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Signer instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	signer_t *signer_out;
-
-	/**
-	 * Crypter instance for inbound traffic
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * Crypter instance for outbound traffic
-	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * IV for input decryption, if < TLSv1.2
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * IV for output decryption, if < TLSv1.2
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 
 	/**
 	 * EAP-[T]TLS MSK
@@ -969,10 +949,66 @@ METHOD(tls_crypto_t, get_cipher_suites, int,
 }
 
 /**
+ * Create NULL encryption transforms
+ */
+static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	this->aead_in = tls_aead_create_null(algs->mac);
+	this->aead_out = tls_aead_create_null(algs->mac);
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Create traditional transforms
+ */
+static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	if (this->tls->get_version(this->tls) < TLS_1_1)
+	{
+		this->aead_in = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_implicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	else
+	{
+		this->aead_in = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+		this->aead_out = tls_aead_create_explicit(algs->mac,
+								algs->encr, algs->encr_size);
+	}
+	if (!this->aead_in || !this->aead_out)
+	{
+		DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
+			 encryption_algorithm_names, algs->encr, algs->encr_size * 8,
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Clean up and unset AEAD transforms
+ */
+static void destroy_aeads(private_tls_crypto_t *this)
+{
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
+	this->aead_in = this->aead_out = NULL;
+}
+
+/**
  * Create crypto primitives
  */
 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 {
+	destroy_aeads(this);
 	DESTROY_IF(this->prf);
 	if (this->tls->get_version(this->tls) < TLS_1_2)
 	{
@@ -987,38 +1023,22 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 		DBG1(DBG_TLS, "selected TLS PRF not supported");
 		return FALSE;
 	}
-
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
-	this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
-	if (!this->signer_in || !this->signer_out)
-	{
-		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
-			 integrity_algorithm_names, algs->mac);
-		return FALSE;
-	}
-
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
 	if (algs->encr == ENCR_NULL)
 	{
-		this->crypter_in = this->crypter_out = NULL;
+		if (create_null(this, algs))
+		{
+			return TRUE;
+		}
 	}
 	else
 	{
-		this->crypter_in = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		this->crypter_out = lib->crypto->create_crypter(lib->crypto,
-												algs->encr, algs->encr_size);
-		if (!this->crypter_in || !this->crypter_out)
+		if (create_traditional(this, algs))
 		{
-			DBG1(DBG_TLS, "selected TLS crypter %N not supported",
-				 encryption_algorithm_names, algs->encr);
-			return FALSE;
+			return TRUE;
 		}
 	}
-	return TRUE;
+	destroy_aeads(this);
+	return FALSE;
 }
 
 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
@@ -1512,93 +1532,63 @@ static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
 static bool expand_keys(private_tls_crypto_t *this,
 						chunk_t client_random, chunk_t server_random)
 {
-	chunk_t seed, block, client_write, server_write;
-	int mks, eks = 0, ivs = 0;
+	chunk_t seed, block;
+	chunk_t cw_mac, cw, cw_iv;
+	chunk_t sw_mac, sw, sw_iv;
+	int mklen, eklen, ivlen;
 
-	/* derive key block for key expansion */
-	mks = this->signer_out->get_key_size(this->signer_out);
-	if (this->crypter_out)
+	if (!this->aead_in || !this->aead_out)
 	{
-		eks = this->crypter_out->get_key_size(this->crypter_out);
-		if (this->tls->get_version(this->tls) < TLS_1_1)
-		{
-			ivs = this->crypter_out->get_iv_size(this->crypter_out);
-		}
+		return FALSE;
 	}
+
+	/* derive key block for key expansion */
+	mklen = this->aead_in->get_mac_key_size(this->aead_in);
+	eklen = this->aead_in->get_encr_key_size(this->aead_in);
+	ivlen = this->aead_in->get_iv_size(this->aead_in);
 	seed = chunk_cata("cc", server_random, client_random);
-	block = chunk_alloca((mks + eks + ivs) * 2);
+	block = chunk_alloca((mklen + eklen + ivlen) * 2);
 	if (!this->prf->get_bytes(this->prf, "key expansion", seed,
 							  block.len, block.ptr))
 	{
 		return FALSE;
 	}
 
-	/* signer keys */
-	client_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
-	server_write = chunk_create(block.ptr, mks);
-	block = chunk_skip(block, mks);
+	/* client/server write signer keys */
+	cw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+	sw_mac = chunk_create(block.ptr, mklen);
+	block = chunk_skip(block, mklen);
+
+	/* client/server write encryption keys */
+	cw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+	sw = chunk_create(block.ptr, eklen);
+	block = chunk_skip(block, eklen);
+
+	/* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
+	cw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+	sw_iv = chunk_create(block.ptr, ivlen);
+	block = chunk_skip(block, ivlen);
+
 	if (this->tls->is_server(this->tls))
 	{
-		if (!this->signer_in->set_key(this->signer_in, client_write) ||
-			!this->signer_out->set_key(this->signer_out, server_write))
+		if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
+			!this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 	else
 	{
-		if (!this->signer_out->set_key(this->signer_out, client_write) ||
-			!this->signer_in->set_key(this->signer_in, server_write))
+		if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
+			!this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
 		{
 			return FALSE;
 		}
 	}
 
-	/* crypter keys, and IVs if < TLSv1.2 */
-	if (this->crypter_out && this->crypter_in)
-	{
-		client_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-		server_write = chunk_create(block.ptr, eks);
-		block = chunk_skip(block, eks);
-
-		if (this->tls->is_server(this->tls))
-		{
-			if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
-				!this->crypter_out->set_key(this->crypter_out, server_write))
-			{
-				return FALSE;
-			}
-		}
-		else
-		{
-			if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
-				!this->crypter_in->set_key(this->crypter_in, server_write))
-			{
-				return FALSE;
-			}
-		}
-		if (ivs)
-		{
-			client_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-			server_write = chunk_create(block.ptr, ivs);
-			block = chunk_skip(block, ivs);
-
-			if (this->tls->is_server(this->tls))
-			{
-				this->iv_in = chunk_clone(client_write);
-				this->iv_out = chunk_clone(server_write);
-			}
-			else
-			{
-				this->iv_out = chunk_clone(client_write);
-				this->iv_in = chunk_clone(server_write);
-			}
-		}
-	}
-
 	/* EAP-MSK */
 	if (this->msk_label)
 	{
@@ -1666,13 +1656,11 @@ METHOD(tls_crypto_t, change_cipher, void,
 	{
 		if (inbound)
 		{
-			this->protection->set_cipher(this->protection, TRUE,
-							this->signer_in, this->crypter_in, this->iv_in);
+			this->protection->set_cipher(this->protection, TRUE, this->aead_in);
 		}
 		else
 		{
-			this->protection->set_cipher(this->protection, FALSE,
-							this->signer_out, this->crypter_out, this->iv_out);
+			this->protection->set_cipher(this->protection, FALSE, this->aead_out);
 		}
 	}
 }
@@ -1686,12 +1674,7 @@ METHOD(tls_crypto_t, get_eap_msk, chunk_t,
 METHOD(tls_crypto_t, destroy, void,
 	private_tls_crypto_t *this)
 {
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
-	free(this->iv_in.ptr);
-	free(this->iv_out.ptr);
+	destroy_aeads(this);
 	free(this->handshake.ptr);
 	free(this->msk.ptr);
 	DESTROY_IF(this->prf);
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index 0d5df18f7..b016db21f 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -45,74 +45,26 @@ struct private_tls_protection_t {
 	tls_alert_t *alert;
 
 	/**
-	 * RNG if we generate IVs ourself
-	 */
-	rng_t *rng;
-
-	/**
 	 * Sequence number of incoming records
 	 */
-	u_int32_t seq_in;
+	u_int64_t seq_in;
 
 	/**
 	 * Sequence number for outgoing records
 	 */
-	u_int32_t seq_out;
-
-	/**
-	 * Signer instance for inbound traffic
-	 */
-	signer_t *signer_in;
-
-	/**
-	 * Signer instance for outbound traffic
-	 */
-	signer_t *signer_out;
+	u_int64_t seq_out;
 
 	/**
-	 * Crypter instance for inbound traffic
+	 * AEAD transform for inbound traffic
 	 */
-	crypter_t *crypter_in;
+	tls_aead_t *aead_in;
 
 	/**
-	 * Crypter instance for outbound traffic
+	 * AEAD transform for outbound traffic
 	 */
-	crypter_t *crypter_out;
-
-	/**
-	 * Current IV for input decryption
-	 */
-	chunk_t iv_in;
-
-	/**
-	 * Current IV for output decryption
-	 */
-	chunk_t iv_out;
+	tls_aead_t *aead_out;
 };
 
-/**
- * Create the header and feed it into a signer for MAC verification
- */
-static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
-					  u_int16_t version, u_int16_t length)
-{
-	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
-	struct __attribute__((__packed__)) {
-		u_int32_t seq_high;
-		u_int32_t seq_low;
-		u_int8_t type;
-		u_int16_t version;
-		u_int16_t length;
-	} header = {
-		.type = type,
-	};
-	htoun32(&header.seq_low, seq);
-	htoun16(&header.version, version);
-	htoun16(&header.length, length);
-
-	return signer->get_signature(signer, chunk_from_thing(header), NULL);
-}
-
 METHOD(tls_protection_t, process, status_t,
 	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
@@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t,
 		return NEED_MORE;
 	}
 
-	if (this->crypter_in)
-	{
-		chunk_t iv, next_iv = chunk_empty;
-		u_int8_t bs, padding_length;
-
-		bs = this->crypter_in->get_block_size(this->crypter_in);
-		if (this->iv_in.len)
-		{	/* < TLSv1.1 uses IV from key derivation/last block */
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-			iv = this->iv_in;
-			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
-		}
-		else
-		{	/* TLSv1.1 uses random IVs, prepended to record */
-			iv.len = this->crypter_in->get_iv_size(this->crypter_in);
-			iv = chunk_create(data.ptr, iv.len);
-			data = chunk_skip(data, iv.len);
-			if (data.len < bs || data.len % bs)
-			{
-				DBG1(DBG_TLS, "encrypted TLS record length invalid");
-				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-				return NEED_MORE;
-			}
-		}
-		if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
-		{
-			free(next_iv.ptr);
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-
-		if (next_iv.len)
-		{	/* next record IV is last ciphertext block of this record */
-			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
-			free(next_iv.ptr);
-		}
-
-		padding_length = data.ptr[data.len - 1];
-		if (padding_length < data.len)
-		{	/* remove padding if it looks valid. Continue with no padding, try
-			 * to prevent timing attacks. */
-			data.len -= padding_length + 1;
-		}
-	}
-	if (this->signer_in)
+	if (this->aead_in)
 	{
-		chunk_t mac;
-		u_int8_t bs;
-
-		bs = this->signer_in->get_block_size(this->signer_in);
-		if (data.len < bs)
+		if (!this->aead_in->decrypt(this->aead_in, this->version,
+									type, this->seq_in, &data))
 		{
-			DBG1(DBG_TLS, "TLS record too short to verify MAC");
-			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-			return NEED_MORE;
-		}
-		mac = chunk_skip(data, data.len - bs);
-		data.len -= bs;
-
-		if (!sigheader(this->signer_in, this->seq_in, type,
-					   this->version, data.len) ||
-			!this->signer_in->verify_signature(this->signer_in, data, mac))
-		{
-			DBG1(DBG_TLS, "TLS record MAC verification failed");
+			DBG1(DBG_TLS, "TLS record decryption failed");
 			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
 			return NEED_MORE;
 		}
@@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t,
 
 	if (status == NEED_MORE)
 	{
-		if (this->signer_out)
+		if (this->aead_out)
 		{
-			chunk_t mac;
-
-			if (!sigheader(this->signer_out, this->seq_out, *type,
-						   this->version, data->len) ||
-				!this->signer_out->allocate_signature(this->signer_out,
-						   *data, &mac))
+			if (!this->aead_out->encrypt(this->aead_out, this->version,
+										 *type, this->seq_out, data))
 			{
+				DBG1(DBG_TLS, "TLS record encryption failed");
+				chunk_free(data);
 				return FAILED;
 			}
-			if (this->crypter_out)
-			{
-				chunk_t padding, iv;
-				u_int8_t bs, padding_length;
-
-				bs = this->crypter_out->get_block_size(this->crypter_out);
-				padding_length = bs - ((data->len + mac.len + 1) % bs);
-
-				padding = chunk_alloca(padding_length);
-				memset(padding.ptr, padding_length, padding.len);
-
-				if (this->iv_out.len)
-				{	/* < TLSv1.1 uses IV from key derivation/last block */
-					iv = this->iv_out;
-				}
-				else
-				{	/* TLSv1.1 uses random IVs, prepended to record */
-					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-					if (!this->rng ||
-						!this->rng->allocate_bytes(this->rng, iv.len, &iv))
-					{
-						DBG1(DBG_TLS, "failed to generate TLS IV");
-						free(data->ptr);
-						return FAILED;
-					}
-				}
-
-				*data = chunk_cat("mmcc", *data, mac, padding,
-								  chunk_from_thing(padding_length));
-				/* encrypt inline */
-				if (!this->crypter_out->encrypt(this->crypter_out, *data,
-												iv, NULL))
-				{
-					if (!this->iv_out.len)
-					{
-						free(iv.ptr);
-					}
-					free(data->ptr);
-					return FAILED;
-				}
-
-				if (this->iv_out.len)
-				{	/* next record IV is last ciphertext block of this record */
-					memcpy(this->iv_out.ptr, data->ptr + data->len -
-						   this->iv_out.len, this->iv_out.len);
-				}
-				else
-				{	/* prepend IV */
-					*data = chunk_cat("mm", iv, *data);
-				}
-			}
-			else
-			{	/* NULL encryption */
-				*data = chunk_cat("mm", *data, mac);
-			}
 		}
 		this->seq_out++;
 	}
@@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t,
 }
 
 METHOD(tls_protection_t, set_cipher, void,
-	private_tls_protection_t *this, bool inbound, signer_t *signer,
-	crypter_t *crypter, chunk_t iv)
+	private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
 {
 	if (inbound)
 	{
-		this->signer_in = signer;
-		this->crypter_in = crypter;
-		this->iv_in = iv;
+		this->aead_in = aead;
 	}
 	else
 	{
-		this->signer_out = signer;
-		this->crypter_out = crypter;
-		this->iv_out = iv;
-		if (!iv.len)
-		{	/* generate IVs if none given */
-			this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		}
+		this->aead_out = aead;
 	}
 }
 
@@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void,
 METHOD(tls_protection_t, destroy, void,
 	private_tls_protection_t *this)
 {
-	DESTROY_IF(this->rng);
 	free(this);
 }
 
diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h
index 05cf3df45..3280fb5a9 100644
--- a/src/libtls/tls_protection.h
+++ b/src/libtls/tls_protection.h
@@ -26,6 +26,7 @@
 typedef struct tls_protection_t tls_protection_t;
 
 #include "tls.h"
+#include "tls_aead.h"
 #include "tls_alert.h"
 #include "tls_compression.h"
 
@@ -62,15 +63,12 @@ struct tls_protection_t {
 					  tls_content_type_t *type, chunk_t *data);
 
 	/**
-	 * Set a new cipher, including encryption and integrity algorithms.
+	 * Set a new transforms to use at protection layer
 	 *
 	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
-	 * @param signer	new signer to use, gets owned by protection layer
-	 * @param crypter	new crypter to use, gets owned by protection layer
-	 * @param iv		initial IV for crypter, gets owned by protection layer
+	 * @param aead		new AEAD transform
 	 */
-	void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
-					   crypter_t *crypter, chunk_t iv);
+	void (*set_cipher)(tls_protection_t *this, bool inbound, tls_aead_t *aead);
 
 	/**
 	 * Set the TLS version negotiated, used for MAC calculation.