Google Git
Sign in
boringssl/boringssl.git/2b2cb7d93cdf428fb8a484bb01eb72dce52e5028^!/.
commit
2b2cb7d93cdf428fb8a484bb01eb72dce52e5028
[log]
author
David Benjamin <davidben@google.com>
Tue May 04 15:13:56 2021 -0400
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Thu May 06 20:05:48 2021 +0000
tree
e1325b1936fd459490c437b543d1e97b50389c9f
parent
f39c81d5249ed59cc67d7930f64cec46bc184ec8 [diff]
Switch HPKE to a three-parameter output buffer.

This is a little tedious but aligns with some of our other
variable-length parameters. This is in preparation for making the HPKE
APIs KEM-agnostic, so we don't need to make so many variations on the
HPKE functions for each KEM. (Especially if we ever need to implement
SetupPSK*, SetupAuth*, or SetupAuthPSK*.)

Bug: 410
Change-Id: I0625580b15358ab1f02b7835122256e8f058a779
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47328
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/crypto/hpke/hpke.c b/crypto/hpke/hpke.c
index 3e98159..09bd020 100644
--- a/crypto/hpke/hpke.c
+++ b/crypto/hpke/hpke.c

@@ -292,7 +292,7 @@
 }
 
 int EVP_HPKE_CTX_setup_base_s_x25519(EVP_HPKE_CTX *hpke, uint8_t *out_enc,
-                                     size_t out_enc_len,
+                                     size_t *out_enc_len, size_t max_enc,
                                      const EVP_HPKE_KDF *kdf,
                                      const EVP_HPKE_AEAD *aead,
                                      const uint8_t *peer_public_value,
@@ -301,17 +301,17 @@
   uint8_t seed[X25519_PRIVATE_KEY_LEN];
   RAND_bytes(seed, sizeof(seed));
   return EVP_HPKE_CTX_setup_base_s_x25519_with_seed_for_testing(
-      hpke, out_enc, out_enc_len, kdf, aead, peer_public_value,
+      hpke, out_enc, out_enc_len, max_enc, kdf, aead, peer_public_value,
       peer_public_value_len, info, info_len, seed, sizeof(seed));
 }
 
 int EVP_HPKE_CTX_setup_base_s_x25519_with_seed_for_testing(
-    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t out_enc_len,
+    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
     const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
     const uint8_t *peer_public_value, size_t peer_public_value_len,
     const uint8_t *info, size_t info_len, const uint8_t *seed,
     size_t seed_len) {
-  if (out_enc_len != X25519_PUBLIC_VALUE_LEN) {
+  if (max_enc < X25519_PUBLIC_VALUE_LEN) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
     return 0;
   }
@@ -334,6 +334,7 @@
                          info_len)) {
     return 0;
   }
+  *out_enc_len = X25519_PUBLIC_VALUE_LEN;
   return 1;
 }
 

diff --git a/crypto/hpke/hpke_test.cc b/crypto/hpke/hpke_test.cc
index 82ba229..c7bc2c4 100644
--- a/crypto/hpke/hpke_test.cc
+++ b/crypto/hpke/hpke_test.cc

@@ -63,16 +63,17 @@
     // Set up the sender.
     ScopedEVP_HPKE_CTX sender_ctx;
     uint8_t enc[X25519_PUBLIC_VALUE_LEN];
+    size_t enc_len;
     ASSERT_TRUE(EVP_HPKE_CTX_setup_base_s_x25519_with_seed_for_testing(
-        sender_ctx.get(), enc, sizeof(enc), kdf, aead, public_key_r_.data(),
-        public_key_r_.size(), info_.data(), info_.size(), secret_key_e_.data(),
-        secret_key_e_.size()));
-    EXPECT_EQ(Bytes(enc), Bytes(public_key_e_));
+        sender_ctx.get(), enc, &enc_len, sizeof(enc), kdf, aead,
+        public_key_r_.data(), public_key_r_.size(), info_.data(), info_.size(),
+        secret_key_e_.data(), secret_key_e_.size()));
+    EXPECT_EQ(Bytes(enc, enc_len), Bytes(public_key_e_));
 
     // Set up the receiver.
     ScopedEVP_HPKE_CTX receiver_ctx;
     ASSERT_TRUE(EVP_HPKE_CTX_setup_base_r_x25519(
-        receiver_ctx.get(), kdf, aead, enc, sizeof(enc), public_key_r_.data(),
+        receiver_ctx.get(), kdf, aead, enc, enc_len, public_key_r_.data(),
         public_key_r_.size(), secret_key_r_.data(), secret_key_r_.size(),
         info_.data(), info_.size()));
 
@@ -265,14 +266,15 @@
           // Set up the sender.
           ScopedEVP_HPKE_CTX sender_ctx;
           uint8_t enc[X25519_PUBLIC_VALUE_LEN];
+          size_t enc_len;
           ASSERT_TRUE(EVP_HPKE_CTX_setup_base_s_x25519(
-              sender_ctx.get(), enc, sizeof(enc), kdf(), aead(), public_key_r,
-              sizeof(public_key_r), info.data(), info.size()));
+              sender_ctx.get(), enc, &enc_len, sizeof(enc), kdf(), aead(),
+              public_key_r, sizeof(public_key_r), info.data(), info.size()));
 
           // Set up the receiver.
           ScopedEVP_HPKE_CTX receiver_ctx;
           ASSERT_TRUE(EVP_HPKE_CTX_setup_base_r_x25519(
-              receiver_ctx.get(), kdf(), aead(), enc, sizeof(enc), public_key_r,
+              receiver_ctx.get(), kdf(), aead(), enc, enc_len, public_key_r,
               sizeof(public_key_r), secret_key_r, sizeof(secret_key_r),
               info.data(), info.size()));
 
@@ -328,9 +330,10 @@
       // Set up the sender, passing in kSmallOrderPoint as |peer_public_value|.
       ScopedEVP_HPKE_CTX sender_ctx;
       uint8_t enc[X25519_PUBLIC_VALUE_LEN];
+      size_t enc_len;
       ASSERT_FALSE(EVP_HPKE_CTX_setup_base_s_x25519(
-          sender_ctx.get(), enc, sizeof(enc), kdf(), aead(), kSmallOrderPoint,
-          sizeof(kSmallOrderPoint), nullptr, 0));
+          sender_ctx.get(), enc, &enc_len, sizeof(enc), kdf(), aead(),
+          kSmallOrderPoint, sizeof(kSmallOrderPoint), nullptr, 0));
 
       // Set up the receiver, passing in kSmallOrderPoint as |enc|.
       ScopedEVP_HPKE_CTX receiver_ctx;
@@ -381,8 +384,9 @@
   // Set up the sender.
   ScopedEVP_HPKE_CTX sender_ctx;
   uint8_t enc[X25519_PUBLIC_VALUE_LEN];
+  size_t enc_len;
   ASSERT_TRUE(EVP_HPKE_CTX_setup_base_s_x25519(
-      sender_ctx.get(), enc, sizeof(enc), EVP_hpke_hkdf_sha256(),
+      sender_ctx.get(), enc, &enc_len, sizeof(enc), EVP_hpke_hkdf_sha256(),
       EVP_hpke_aes_128_gcm(), public_key_r, sizeof(public_key_r), nullptr, 0));
 
   // Call Open() on the sender.
@@ -393,15 +397,16 @@
                                  kMockCiphertextLen, nullptr, 0));
 }
 
-TEST(HPKETest, SetupSenderWrongLengthEnc) {
+TEST(HPKETest, SetupSenderBufferTooSmall) {
   uint8_t secret_key_r[X25519_PRIVATE_KEY_LEN];
   uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN];
   X25519_keypair(public_key_r, secret_key_r);
 
   ScopedEVP_HPKE_CTX sender_ctx;
-  uint8_t bogus_enc[X25519_PUBLIC_VALUE_LEN + 5];
+  uint8_t enc[X25519_PUBLIC_VALUE_LEN - 1];
+  size_t enc_len;
   ASSERT_FALSE(EVP_HPKE_CTX_setup_base_s_x25519(
-      sender_ctx.get(), bogus_enc, sizeof(bogus_enc), EVP_hpke_hkdf_sha256(),
+      sender_ctx.get(), enc, &enc_len, sizeof(enc), EVP_hpke_hkdf_sha256(),
       EVP_hpke_aes_128_gcm(), public_key_r, sizeof(public_key_r), nullptr, 0));
   uint32_t err = ERR_get_error();
   EXPECT_EQ(ERR_LIB_EVP, ERR_GET_LIB(err));
@@ -409,6 +414,22 @@
   ERR_clear_error();
 }
 
+TEST(HPKETest, SetupSenderBufferTooLarge) {
+  uint8_t secret_key_r[X25519_PRIVATE_KEY_LEN];
+  uint8_t public_key_r[X25519_PUBLIC_VALUE_LEN];
+  X25519_keypair(public_key_r, secret_key_r);
+
+  // Too large of an output buffer is fine because the function reports the
+  // actual length.
+  ScopedEVP_HPKE_CTX sender_ctx;
+  uint8_t enc[X25519_PUBLIC_VALUE_LEN + 1];
+  size_t enc_len;
+  EXPECT_TRUE(EVP_HPKE_CTX_setup_base_s_x25519(
+      sender_ctx.get(), enc, &enc_len, sizeof(enc), EVP_hpke_hkdf_sha256(),
+      EVP_hpke_aes_128_gcm(), public_key_r, sizeof(public_key_r), nullptr, 0));
+  EXPECT_EQ(size_t{X25519_PUBLIC_VALUE_LEN}, enc_len);
+}
+
 TEST(HPKETest, SetupReceiverWrongLengthEnc) {
   uint8_t private_key[X25519_PRIVATE_KEY_LEN];
   uint8_t public_key[X25519_PUBLIC_VALUE_LEN];
@@ -431,8 +452,9 @@
   const uint8_t bogus_public_key_r[X25519_PRIVATE_KEY_LEN + 5] = {0xff};
   ScopedEVP_HPKE_CTX sender_ctx;
   uint8_t enc[X25519_PUBLIC_VALUE_LEN];
+  size_t enc_len;
   ASSERT_FALSE(EVP_HPKE_CTX_setup_base_s_x25519(
-      sender_ctx.get(), enc, sizeof(enc), EVP_hpke_hkdf_sha256(),
+      sender_ctx.get(), enc, &enc_len, sizeof(enc), EVP_hpke_hkdf_sha256(),
       EVP_hpke_aes_128_gcm(), bogus_public_key_r, sizeof(bogus_public_key_r),
       nullptr, 0));
   uint32_t err = ERR_get_error();

diff --git a/crypto/hpke/internal.h b/crypto/hpke/internal.h
index 6dee25a..db98d72 100644
--- a/crypto/hpke/internal.h
+++ b/crypto/hpke/internal.h

@@ -89,11 +89,12 @@
 // recipient's public key). It returns one on success, and zero otherwise. Note
 // that this function will fail if |peer_public_value| is invalid.
 //
-// This function writes the encapsulated shared secret, a Diffie-Hellman public
-// key, to |out_enc|. It will fail if the buffer's size in |out_enc_len| is not
-// exactly |X25519_PUBLIC_VALUE_LEN|.
+// This function writes the encapsulated shared secret to |out_enc| and sets
+// |*out_enc_len| to the number of bytes written. It writes at most |max_enc|
+// bytes and fails if the buffer is too small. |max_enc| must be at least
+// |X25519_PUBLIC_VALUE_LEN| to ensure the buffer is large enough.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_s_x25519(
-    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t out_enc_len,
+    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
     const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
     const uint8_t *peer_public_value, size_t peer_public_value_len,
     const uint8_t *info, size_t info_len);
@@ -102,7 +103,7 @@
 // |EVP_HPKE_CTX_setup_base_s_x25519|, but takes a seed value to behave
 // deterministically. This seed is the sender's ephemeral X25519 key.
 OPENSSL_EXPORT int EVP_HPKE_CTX_setup_base_s_x25519_with_seed_for_testing(
-    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t out_enc_len,
+    EVP_HPKE_CTX *hpke, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,
     const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,
     const uint8_t *peer_public_value, size_t peer_public_value_len,
     const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len);