Make the bssl::SealRecord out_suffix arg fixed length. Similarly, add EVP_AEAD_CTX_tag_len which computes the exact tag length for required by EVP_AEAD_CTX_seal_scatter. Change-Id: I069b0ad16fab314fd42f6048a3c1dc45e8376f7f Reviewed-on: https://boringssl-review.googlesource.com/18324 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h index bd1d112..cb39a93 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -498,10 +498,12 @@ /* MaxOverhead returns the maximum overhead of calling |Seal|. */ size_t MaxOverhead() const; - /* MaxSuffixLen returns the maximum suffix length written by |SealScatter|. - * |extra_in_len| should equal the argument of the same name passed to - * |SealScatter|. */ - size_t MaxSuffixLen(size_t extra_in_len) const; + /* SuffixLen calculates the suffix length written by |SealScatter| and writes + * it to |*out_suffix_len|. It returns true on success and false on error. + * |in_len| and |extra_in_len| should equal the argument of the same names + * passed to |SealScatter|. */ + bool SuffixLen(size_t *out_suffix_len, size_t in_len, + size_t extra_in_len) const; /* Open authenticates and decrypts |in_len| bytes from |in| in-place. On * success, it sets |*out| to the plaintext in |in| and returns true. @@ -523,19 +525,17 @@ * success and zero on error. * * On successful return, exactly |ExplicitNonceLen| bytes are written to - * |out_prefix|, |in_len| bytes to |out|, and up to |MaxSuffixLen| bytes to - * |out_suffix|. |*out_suffix_len| is set to the actual number of bytes - * written to |out_suffix|. + * |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to + * |out_suffix|. * * |extra_in| may point to an additional plaintext buffer. If present, * |extra_in_len| additional bytes are encrypted and authenticated, and the - * ciphertext is written to the beginning of |out_suffix|. |MaxSuffixLen| - * may be used to size |out_suffix| accordingly. + * ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should + * be used to size |out_suffix| accordingly. * * If |in| and |out| alias then |out| must be == |in|. Other arguments may not * alias anything. */ bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix, - size_t *out_suffix_len, size_t max_out_suffix_len, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len);
diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc index 3b8d1b2..53dff78 100644 --- a/ssl/ssl_aead_ctx.cc +++ b/ssl/ssl_aead_ctx.cc
@@ -150,15 +150,21 @@ return 0; } -size_t SSLAEADContext::MaxSuffixLen(size_t extra_in_len) const { - return extra_in_len + - (is_null_cipher() || FUZZER_MODE - ? 0 - : EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get()))); +bool SSLAEADContext::SuffixLen(size_t *out_suffix_len, const size_t in_len, + const size_t extra_in_len) const { + if (is_null_cipher() || FUZZER_MODE) { + *out_suffix_len = extra_in_len; + return true; + } + return !!EVP_AEAD_CTX_tag_len(ctx_.get(), out_suffix_len, in_len, + extra_in_len); } size_t SSLAEADContext::MaxOverhead() const { - return ExplicitNonceLen() + MaxSuffixLen(0); + return ExplicitNonceLen() + + (is_null_cipher() || FUZZER_MODE + ? 0 + : EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get()))); } size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type, @@ -255,18 +261,20 @@ } bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, - uint8_t *out_suffix, size_t *out_suffix_len, - size_t max_out_suffix_len, uint8_t type, + uint8_t *out_suffix, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len) { - if ((in != out && buffers_alias(in, in_len, out, in_len)) || - buffers_alias(in, in_len, out_suffix, max_out_suffix_len)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); + const size_t prefix_len = ExplicitNonceLen(); + size_t suffix_len; + if (!SuffixLen(&suffix_len, in_len, extra_in_len)) { + OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); return false; } - if (extra_in_len > max_out_suffix_len) { - OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); + if ((in != out && buffers_alias(in, in_len, out, in_len)) || + buffers_alias(in, in_len, out_prefix, prefix_len) || + buffers_alias(in, in_len, out_suffix, suffix_len)) { + OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); return false; } @@ -274,7 +282,6 @@ /* Handle the initial NULL cipher. */ OPENSSL_memmove(out, in, in_len); OPENSSL_memmove(out_suffix, extra_in, extra_in_len); - *out_suffix_len = extra_in_len; return true; } @@ -327,32 +334,38 @@ } } - return !!EVP_AEAD_CTX_seal_scatter( - ctx_.get(), out, out_suffix, out_suffix_len, max_out_suffix_len, nonce, + size_t written_suffix_len; + bool result = !!EVP_AEAD_CTX_seal_scatter( + ctx_.get(), out, out_suffix, &written_suffix_len, suffix_len, nonce, nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len); + assert(!result || written_suffix_len == suffix_len); + return result; } bool SSLAEADContext::Seal(uint8_t *out, size_t *out_len, size_t max_out_len, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in, size_t in_len) { - size_t prefix_len = ExplicitNonceLen(); - if (in_len + prefix_len < in_len) { + const size_t prefix_len = ExplicitNonceLen(); + size_t suffix_len; + if (!SuffixLen(&suffix_len, in_len, 0)) { + OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); + return false; + } + if (in_len + prefix_len < in_len || + in_len + prefix_len + suffix_len < in_len + prefix_len) { OPENSSL_PUT_ERROR(CIPHER, SSL_R_RECORD_TOO_LARGE); return false; } - if (in_len + prefix_len > max_out_len) { + if (in_len + prefix_len + suffix_len > max_out_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); return false; } - size_t suffix_len; - if (!SealScatter(out, out + prefix_len, out + prefix_len + in_len, - &suffix_len, max_out_len - prefix_len - in_len, type, + if (!SealScatter(out, out + prefix_len, out + prefix_len + in_len, type, wire_version, seqnum, in, in_len, 0, 0)) { return false; } - assert(suffix_len <= MaxSuffixLen(0)); *out_len = prefix_len + in_len + suffix_len; return true; }
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 2297964..4556fb7 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -3773,12 +3773,11 @@ const std::vector<uint8_t> record = {1, 2, 3, 4, 5}; std::vector<uint8_t> prefix( bssl::SealRecordPrefixLen(client.get(), record.size())), - body(record.size()), suffix(bssl::SealRecordMaxSuffixLen(client.get())); - size_t suffix_size; + body(record.size()), + suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(body), bssl::MakeSpan(suffix), - &suffix_size, record)); - suffix.resize(suffix_size); + record)); std::vector<uint8_t> sealed; sealed.insert(sealed.end(), prefix.begin(), prefix.end()); @@ -3819,12 +3818,10 @@ std::vector<uint8_t> record = plaintext; std::vector<uint8_t> prefix( bssl::SealRecordPrefixLen(client.get(), record.size())), - suffix(bssl::SealRecordMaxSuffixLen(client.get())); - size_t suffix_size; + suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), bssl::MakeSpan(suffix), - &suffix_size, record)); - suffix.resize(suffix_size); + record)); record.insert(record.begin(), prefix.begin(), prefix.end()); record.insert(record.end(), suffix.begin(), suffix.end()); @@ -3860,12 +3857,10 @@ std::vector<uint8_t> record = plaintext; std::vector<uint8_t> prefix( bssl::SealRecordPrefixLen(client.get(), record.size())), - suffix(bssl::SealRecordMaxSuffixLen(client.get())); - size_t suffix_size; + suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); ASSERT_TRUE(bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), bssl::MakeSpan(suffix), - &suffix_size, record)); - suffix.resize(suffix_size); + record)); record.insert(record.begin(), prefix.begin(), prefix.end()); record.insert(record.end(), suffix.begin(), suffix.end()); record.insert(record.end(), {5, 4, 3, 2, 1}); @@ -3901,8 +3896,8 @@ std::vector<uint8_t> record = {1, 2, 3, 4, 5}; std::vector<uint8_t> prefix( bssl::SealRecordPrefixLen(client.get(), record.size())), - suffix(bssl::SealRecordMaxSuffixLen(client.get())); - size_t suffix_size; + body(record.size()), + suffix(bssl::SealRecordSuffixLen(client.get(), record.size())); auto expect_err = []() { int err = ERR_get_error(); @@ -3912,31 +3907,31 @@ }; EXPECT_FALSE(bssl::SealRecord( client.get(), bssl::MakeSpan(prefix.data(), prefix.size() - 1), - bssl::MakeSpan(record), bssl::MakeSpan(suffix), &suffix_size, record)); + bssl::MakeSpan(record), bssl::MakeSpan(suffix), record)); expect_err(); EXPECT_FALSE(bssl::SealRecord( client.get(), bssl::MakeSpan(prefix.data(), prefix.size() + 1), - bssl::MakeSpan(record), bssl::MakeSpan(suffix), &suffix_size, record)); + bssl::MakeSpan(record), bssl::MakeSpan(suffix), record)); expect_err(); EXPECT_FALSE( bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record.data(), record.size() - 1), - bssl::MakeSpan(suffix), &suffix_size, record)); + bssl::MakeSpan(suffix), record)); expect_err(); EXPECT_FALSE( bssl::SealRecord(client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record.data(), record.size() + 1), - bssl::MakeSpan(suffix), &suffix_size, record)); + bssl::MakeSpan(suffix), record)); expect_err(); EXPECT_FALSE(bssl::SealRecord( client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), - bssl::MakeSpan(suffix.data(), suffix.size() - 1), &suffix_size, record)); + bssl::MakeSpan(suffix.data(), suffix.size() - 1), record)); expect_err(); EXPECT_FALSE(bssl::SealRecord( client.get(), bssl::MakeSpan(prefix), bssl::MakeSpan(record), - bssl::MakeSpan(suffix.data(), suffix.size() + 1), &suffix_size, record)); + bssl::MakeSpan(suffix.data(), suffix.size() + 1), record)); expect_err(); }
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc index 46132e1..745ddb8 100644 --- a/ssl/tls_record.cc +++ b/ssl/tls_record.cc
@@ -345,20 +345,35 @@ } static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, - uint8_t *out_suffix, size_t *out_suffix_len, - const size_t max_out_suffix_len, uint8_t type, - const uint8_t *in, const size_t in_len) { - assert(in == out || !buffers_alias(in, in_len, out, in_len)); - assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl))); - assert(!buffers_alias(in, in_len, out_suffix, max_out_suffix_len)); - - /* TLS 1.3 hides the actual record type inside the encrypted data. */ + uint8_t *out_suffix, uint8_t type, const uint8_t *in, + const size_t in_len) { uint8_t *extra_in = NULL; size_t extra_in_len = 0; if (!ssl->s3->aead_write_ctx->is_null_cipher() && ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { + /* TLS 1.3 hides the actual record type inside the encrypted data. */ extra_in = &type; extra_in_len = 1; + } + + size_t suffix_len; + if (!ssl->s3->aead_write_ctx->SuffixLen(&suffix_len, in_len, extra_in_len)) { + OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); + return 0; + } + size_t ciphertext_len = + ssl->s3->aead_write_ctx->ExplicitNonceLen() + suffix_len; + if (ciphertext_len + in_len < ciphertext_len) { + OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); + return 0; + } + ciphertext_len += in_len; + + assert(in == out || !buffers_alias(in, in_len, out, in_len)); + assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl))); + assert(!buffers_alias(in, in_len, out_suffix, suffix_len)); + + if (extra_in_len) { out_prefix[0] = SSL3_RT_APPLICATION_DATA; } else { out_prefix[0] = type; @@ -377,26 +392,17 @@ } out_prefix[1] = wire_version >> 8; out_prefix[2] = wire_version & 0xff; + out_prefix[3] = ciphertext_len >> 8; + out_prefix[4] = ciphertext_len & 0xff; - /* Write the ciphertext, leaving two bytes for the length. */ - if (!ssl->s3->aead_write_ctx->SealScatter( - out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix, out_suffix_len, - max_out_suffix_len, type, wire_version, ssl->s3->write_sequence, in, - in_len, extra_in, extra_in_len) || + if (!ssl->s3->aead_write_ctx->SealScatter(out_prefix + SSL3_RT_HEADER_LENGTH, + out, out_suffix, type, wire_version, + ssl->s3->write_sequence, in, in_len, + extra_in, extra_in_len) || !ssl_record_sequence_update(ssl->s3->write_sequence, 8)) { return 0; } - /* Fill in the length. */ - const size_t ciphertext_len = - ssl->s3->aead_write_ctx->ExplicitNonceLen() + in_len + *out_suffix_len; - if (ciphertext_len >= 1 << 15) { - OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); - return 0; - } - out_prefix[3] = ciphertext_len >> 8; - out_prefix[4] = ciphertext_len & 0xff; - ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, out_prefix, SSL3_RT_HEADER_LENGTH); return 1; @@ -419,28 +425,34 @@ return ret; } -static size_t tls_seal_scatter_max_suffix_len(const SSL *ssl) { - size_t ret = ssl->s3->aead_write_ctx->MaxOverhead(); - /* TLS 1.3 needs an extra byte for the encrypted record type. */ - if (ssl->s3->aead_write_ctx->is_null_cipher() && +static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, + uint8_t type, size_t in_len) { + size_t extra_in_len = 0; + if (!ssl->s3->aead_write_ctx->is_null_cipher() && ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { - ret += 1; + /* TLS 1.3 adds an extra byte for encrypted record type. */ + extra_in_len = 1; } - return ret; + if (type == SSL3_RT_APPLICATION_DATA && // clang-format off + in_len > 1 && + ssl_needs_record_splitting(ssl)) { + /* With record splitting enabled, the first byte gets sealed into a separate + * record which is written into the prefix. */ + in_len -= 1; + } + return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len); } /* tls_seal_scatter_record seals a new record of type |type| and body |in| and * splits it between |out_prefix|, |out|, and |out_suffix|. Exactly * |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| - * bytes to |out|, and up to |tls_seal_scatter_max_suffix_len| bytes to - * |out_suffix|. |*out_suffix_len| is set to the actual number of bytes written - * to |out_suffix|. It returns one on success and zero on error. If enabled, + * bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It + * returns one on success and zero on error. If enabled, * |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and * may write two records concatenated. */ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, - uint8_t *out_suffix, size_t *out_suffix_len, - size_t max_out_suffix_len, uint8_t type, - const uint8_t *in, size_t in_len) { + uint8_t *out_suffix, uint8_t type, + const uint8_t *in, size_t in_len) { if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 && ssl_needs_record_splitting(ssl)) { assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0); @@ -450,17 +462,17 @@ uint8_t *split_body = out_prefix + prefix_len; uint8_t *split_suffix = split_body + 1; - /* TODO(martinkr): Make AEAD code not complain if max_suffix_len is lower - * than |EVP_AEAD_max_overhead| but still sufficiently large. */ - size_t split_max_suffix_len = ssl->s3->aead_write_ctx->MaxSuffixLen(0); - size_t split_suffix_len = 0; - if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, - &split_suffix_len, split_max_suffix_len, type, in, 1)) { + if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in, + 1)) { return 0; } - size_t split_record_len = prefix_len + 1 + split_suffix_len; - + size_t split_record_suffix_len; + if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) { + assert(false); + return 0; + } + const size_t split_record_len = prefix_len + 1 + split_record_suffix_len; assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len( ssl->s3->aead_write_ctx->cipher()) == split_record_len); @@ -468,8 +480,8 @@ /* Write the n-1-byte fragment. The header gets split between |out_prefix| * (header[:-1]) and |out| (header[-1:]). */ uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH]; - if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, out_suffix_len, - max_out_suffix_len, type, in + 1, in_len - 1)) { + if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1, + in_len - 1)) { return 0; } assert(tls_seal_scatter_prefix_len(ssl, type, in_len) == @@ -480,8 +492,7 @@ return 1; } - return do_seal_record(ssl, out_prefix, out, out_suffix, out_suffix_len, - max_out_suffix_len, type, in, in_len); + return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len); } int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, @@ -492,12 +503,16 @@ } const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len); - - if (in_len + prefix_len < in_len) { + size_t suffix_len; + if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, type, in_len)) { + return false; + } + if (in_len + prefix_len < in_len || + prefix_len + in_len + suffix_len < prefix_len + in_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); return 0; } - if (max_out_len < in_len + prefix_len) { + if (max_out_len < in_len + prefix_len + suffix_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); return 0; } @@ -505,16 +520,7 @@ uint8_t *prefix = out; uint8_t *body = out + prefix_len; uint8_t *suffix = body + in_len; - size_t max_suffix_len = max_out_len - prefix_len - in_len; - size_t suffix_len = 0; - - if (!tls_seal_scatter_record(ssl, prefix, body, suffix, &suffix_len, - max_suffix_len, type, in, in_len)) { - return 0; - } - - if (prefix_len + in_len + suffix_len < prefix_len + in_len) { - OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); + if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) { return 0; } @@ -630,17 +636,26 @@ return ret; } -size_t SealRecordPrefixLen(SSL *ssl, size_t record_len) { +size_t SealRecordPrefixLen(const SSL *ssl, const size_t record_len) { return tls_seal_scatter_prefix_len(ssl, SSL3_RT_APPLICATION_DATA, record_len); } -size_t SealRecordMaxSuffixLen(SSL *ssl) { - return tls_seal_scatter_max_suffix_len(ssl); +size_t SealRecordSuffixLen(const SSL *ssl, const size_t plaintext_len) { + assert(plaintext_len <= SSL3_RT_MAX_PLAIN_LENGTH); + size_t suffix_len; + if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, SSL3_RT_APPLICATION_DATA, + plaintext_len)) { + assert(false); + OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); + return 0; + } + assert(suffix_len <= SSL3_RT_MAX_ENCRYPTED_OVERHEAD); + return suffix_len; } bool SealRecord(SSL *ssl, const Span<uint8_t> out_prefix, const Span<uint8_t> out, Span<uint8_t> out_suffix, - size_t *out_suffix_len, const Span<const uint8_t> in) { + const Span<const uint8_t> in) { // This API is a work in progress and currently only works for TLS 1.2 servers // and below. if (SSL_in_init(ssl) || @@ -653,13 +668,13 @@ if (out_prefix.size() != SealRecordPrefixLen(ssl, in.size()) || out.size() != in.size() || - out_suffix.size() != SealRecordMaxSuffixLen(ssl)) { + out_suffix.size() != SealRecordSuffixLen(ssl, in.size())) { OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); return false; } - return tls_seal_scatter_record( - ssl, out_prefix.data(), out.data(), out_suffix.data(), out_suffix_len, - out_suffix.size(), SSL3_RT_APPLICATION_DATA, in.data(), in.size()); + return tls_seal_scatter_record(ssl, out_prefix.data(), out.data(), + out_suffix.data(), SSL3_RT_APPLICATION_DATA, + in.data(), in.size()); } } // namespace bssl