C++-ify SSL_AEAD_CTX.
This adds several utilities as replacements for new and delete and makes
bssl::UniquePtr work with our private types.
Later work can convert more incrementally. I did this one more
aggressively to see how it'd work. Unfortunately, in doing so, I needed
to remove the NULL SSL_AEAD_CTX "method" receiver trick to appease
clang. The null cipher is now represented by a concrete SSL_AEAD_CTX.
The long-lived references to SSL_AEAD_CTX are not yet in types with
constructors, so they still bare Delete rather than UniquePtr for now.
Though this does mean we may be able to move the sequence number into
SSLAEADContext later which is one less object for DTLS to carry around.
Bug: 132
Change-Id: I506b404addafb692055d5709b0ca6d5439a4e6be
Reviewed-on: https://boringssl-review.googlesource.com/18164
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index b7ac0a9..b5e101c 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -144,10 +144,10 @@
* state needs record-splitting and zero otherwise. */
static int ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- return ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version < TLS1_1_VERSION &&
+ return !ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() < TLS1_1_VERSION &&
(ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
- SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher);
+ SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());
#else
return 0;
#endif
@@ -172,20 +172,19 @@
header_len = SSL3_RT_HEADER_LENGTH;
}
- return header_len + SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_read_ctx);
+ return header_len + ssl->s3->aead_read_ctx->ExplicitNonceLen();
}
size_t ssl_seal_align_prefix_len(const SSL *ssl) {
if (SSL_is_dtls(ssl)) {
- return DTLS1_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ return DTLS1_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
}
- size_t ret = SSL3_RT_HEADER_LENGTH +
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ size_t ret =
+ SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
if (ssl_needs_record_splitting(ssl)) {
ret += SSL3_RT_HEADER_LENGTH;
- ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
+ ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
}
return ret;
}
@@ -209,7 +208,7 @@
}
int version_ok;
- if (ssl->s3->aead_read_ctx == NULL) {
+ if (ssl->s3->aead_read_ctx->is_null_cipher()) {
/* Only check the first byte. Enforcing beyond that can prevent decoding
* version negotiation failure alerts. */
version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
@@ -249,17 +248,16 @@
/* Skip early data received when expecting a second ClientHello if we rejected
* 0RTT. */
if (ssl->s3->skip_early_data &&
- ssl->s3->aead_read_ctx == NULL &&
+ ssl->s3->aead_read_ctx->is_null_cipher() &&
type == SSL3_RT_APPLICATION_DATA) {
goto skipped_data;
}
/* Decrypt the body in-place. */
- if (!SSL_AEAD_CTX_open(ssl->s3->aead_read_ctx, out, type, version,
- ssl->s3->read_sequence, (uint8_t *)CBS_data(&body),
- CBS_len(&body))) {
- if (ssl->s3->skip_early_data &&
- ssl->s3->aead_read_ctx != NULL) {
+ if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence,
+ (uint8_t *)CBS_data(&body),
+ CBS_len(&body))) {
+ if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) {
ERR_clear_error();
goto skipped_data;
}
@@ -277,8 +275,8 @@
}
/* TLS 1.3 hides the record type inside the encrypted data. */
- if (ssl->s3->aead_read_ctx != NULL &&
- ssl->s3->aead_read_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_read_ctx->is_null_cipher() &&
+ ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) {
/* The outer record type is always application_data. */
if (type != SSL3_RT_APPLICATION_DATA) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
@@ -359,8 +357,8 @@
/* TLS 1.3 hides the actual record type inside the encrypted data. */
uint8_t *extra_in = NULL;
size_t extra_in_len = 0;
- if (ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
extra_in = &type;
extra_in_len = 1;
out_prefix[0] = SSL3_RT_APPLICATION_DATA;
@@ -383,18 +381,17 @@
out_prefix[2] = wire_version & 0xff;
/* Write the ciphertext, leaving two bytes for the length. */
- if (!SSL_AEAD_CTX_seal_scatter(
- ssl->s3->aead_write_ctx, out_prefix + SSL3_RT_HEADER_LENGTH, out,
- out_suffix, out_suffix_len, max_out_suffix_len, type, wire_version,
- ssl->s3->write_sequence, in, in_len, extra_in, extra_in_len) ||
+ if (!ssl->s3->aead_write_ctx->SealScatter(
+ out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix, out_suffix_len,
+ max_out_suffix_len, type, wire_version, ssl->s3->write_sequence, in,
+ in_len, extra_in, extra_in_len) ||
!ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {
return 0;
}
/* Fill in the length. */
const size_t ciphertext_len =
- SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) + in_len +
- *out_suffix_len;
+ ssl->s3->aead_write_ctx->ExplicitNonceLen() + in_len + *out_suffix_len;
if (ciphertext_len >= 1 << 15) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
return 0;
@@ -416,10 +413,10 @@
* will be placed in the prefix, as will four of the five bytes of the
* record header for the main record. The final byte will replace the first
* byte of the plaintext that was used in the small record. */
- ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher);
+ ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
ret += SSL3_RT_HEADER_LENGTH - 1;
} else {
- ret += SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx);
+ ret += ssl->s3->aead_write_ctx->ExplicitNonceLen();
}
return ret;
}
@@ -427,7 +424,7 @@
/* tls_seal_scatter_record seals a new record of type |type| and body |in| and
* splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
* |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
- * bytes to |out|, and up to 1 + |SSL_AEAD_CTX_max_overhead| bytes to
+ * bytes to |out|, and up to 1 + |SSLAEADContext::MaxOverhead| bytes to
* |out_suffix|. |*out_suffix_len| is set to the actual number of bytes written
* to |out_suffix|. It returns one on success and zero on error. If enabled,
* |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
@@ -438,7 +435,7 @@
const uint8_t *in, size_t in_len) {
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- assert(SSL_AEAD_CTX_explicit_nonce_len(ssl->s3->aead_write_ctx) == 0);
+ assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
/* Write the 1-byte fragment into |out_prefix|. */
@@ -447,8 +444,7 @@
/* TODO(martinkr): Make AEAD code not complain if max_suffix_len is lower
* than |EVP_AEAD_max_overhead| but still sufficiently large. */
- size_t split_max_suffix_len =
- SSL_AEAD_CTX_max_suffix_len(ssl->s3->aead_write_ctx, 0);
+ size_t split_max_suffix_len = ssl->s3->aead_write_ctx->MaxSuffixLen(0);
size_t split_suffix_len = 0;
if (!do_seal_record(ssl, out_prefix, split_body, split_suffix,
&split_suffix_len, split_max_suffix_len, type, in, 1)) {
@@ -458,7 +454,7 @@
size_t split_record_len = prefix_len + 1 + split_suffix_len;
assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
- ssl->s3->aead_write_ctx->cipher) ==
+ ssl->s3->aead_write_ctx->cipher()) ==
split_record_len);
/* Write the n-1-byte fragment. The header gets split between |out_prefix|
@@ -583,10 +579,10 @@
}
size_t ret = SSL3_RT_HEADER_LENGTH;
- ret += SSL_AEAD_CTX_max_overhead(ssl->s3->aead_write_ctx);
+ ret += ssl->s3->aead_write_ctx->MaxOverhead();
/* TLS 1.3 needs an extra byte for the encrypted record type. */
- if (ssl->s3->aead_write_ctx != NULL &&
- ssl->s3->aead_write_ctx->version >= TLS1_3_VERSION) {
+ if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
+ ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
ret += 1;
}
if (ssl_needs_record_splitting(ssl)) {
