[bogo] Compute length in record header before encrypting.
Change-Id: I55e33a605ce81a75e26e6d49ad7e7a76b17e39a0
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69108
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index bda9b92..ca1a037 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -571,20 +571,6 @@
// encrypt
if hc.cipher != nil {
- // Add TLS 1.3 padding.
- if hc.version >= VersionTLS13 {
- paddingLen := hc.config.Bugs.RecordPadding
- if hc.config.Bugs.OmitRecordContents {
- b.resize(recordHeaderLen + paddingLen)
- } else {
- b.resize(len(b.data) + 1 + paddingLen)
- b.data[len(b.data)-paddingLen-1] = byte(typ)
- }
- for i := 0; i < paddingLen; i++ {
- b.data[len(b.data)-paddingLen+i] = 0
- }
- }
-
switch c := hc.cipher.(type) {
case cipher.Stream:
c.XORKeyStream(payload, payload)
@@ -606,11 +592,8 @@
additionalData[11] = byte(payloadLen >> 8)
additionalData[12] = byte(payloadLen)
} else {
- additionalData = make([]byte, 5)
- copy(additionalData, b.data[:3])
- n := len(b.data) - recordHeaderLen
- additionalData[3] = byte(n >> 8)
- additionalData[4] = byte(n)
+ additionalData = make([]byte, recordHeaderLen)
+ copy(additionalData, b.data)
}
c.Seal(payload[:0], nonce, payload, additionalData)
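Review bot: In the TLS 1.3 branch the additional data is now copied verbatim from `b.data`, so the AEAD authenticates the correct length only if the caller has already written the final post-encryption length into the header, and nothing here says so. I would add a comment above the `make`, e.g. `// The caller must have written the final record header, including the ciphertext length; it is used unmodified as the additional data.` The pre-1.3 branch just above still derives its length from `payloadLen`, so the two branches now follow different contracts, which is worth stating as well. The enclosing encrypt function starts and ends outside this hunk, so any other path that reaches this branch would need checking against the same requirement.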
@@ -1186,6 +1169,28 @@
return c.doWriteRecord(typ, data)
}
+func (c *Conn) addTLS13Padding(b *block, recordHeaderLen, recordLen int, typ recordType) int {
+ if c.out.version < VersionTLS13 || c.out.cipher == nil {
+ return recordLen
+ }
+ paddingLen := c.config.Bugs.RecordPadding
+ if c.config.Bugs.OmitRecordContents {
+ recordLen = paddingLen
+ b.resize(recordHeaderLen + paddingLen)
+ } else {
+ recordLen += 1 + paddingLen
+ b.resize(len(b.data) + 1 + paddingLen)
+ b.data[len(b.data)-paddingLen-1] = byte(typ)
+ }
+ for i := 0; i < paddingLen; i++ {
+ b.data[len(b.data)-paddingLen+i] = 0
+ }
+ if c, ok := c.out.cipher.(*tlsAead); ok {
+ recordLen += c.Overhead()
+ }
+ return recordLen
+}
+
func (c *Conn) doWriteRecord(typ recordType, data []byte) (n int, err error) {
recordHeaderLen := c.out.recordHeaderLen()
b := c.out.newBlock()
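Review bot: In `addTLS13Padding`, `if c, ok := c.out.cipher.(*tlsAead); ok` shadows the `*Conn` receiver with the AEAD, which is easy to misread in a method that also reads `c.config` and `c.out`; `if aead, ok := c.out.cipher.(*tlsAead); ok {` with `recordLen += aead.Overhead()` would be clearer. The helper also has no doc comment, and its name undersells the return value, which is the length to place in the record header including AEAD overhead rather than just the padded plaintext length. A comment such as `// addTLS13Padding appends the TLS 1.3 inner content type and padding to b and returns the record length for the header, including AEAD overhead. It is a no-op before TLS 1.3 or without a cipher.` would cover it. doWriteRecord begins at the end of this hunk and continues outside it.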
@@ -1205,6 +1210,7 @@
m = 6
}
}
+ plaintextLen := m
explicitIVLen := 0
explicitIVIsSeq := false
first = false
@@ -1228,7 +1234,7 @@
explicitIVIsSeq = true
}
}
- b.resize(recordHeaderLen + explicitIVLen + m)
+ b.resize(recordHeaderLen + explicitIVLen + plaintextLen)
b.data[0] = byte(typ)
if c.vers >= VersionTLS13 && c.out.cipher != nil {
b.data[0] = byte(recordTypeApplicationData)
@@ -1255,10 +1261,13 @@
if c.vers == 0 && c.config.Bugs.SendInitialRecordVersion != 0 {
vers = c.config.Bugs.SendInitialRecordVersion
}
+ copy(b.data[recordHeaderLen+explicitIVLen:], data)
+ // Add TLS 1.3 padding.
+ recordLen := c.addTLS13Padding(b, recordHeaderLen, plaintextLen, typ)
b.data[1] = byte(vers >> 8)
b.data[2] = byte(vers)
- b.data[3] = byte(m >> 8)
- b.data[4] = byte(m)
+ b.data[3] = byte(recordLen >> 8)
+ b.data[4] = byte(recordLen)
if explicitIVLen > 0 {
explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
if explicitIVIsSeq {
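Review bot: The `copy` of `data` now has to run before `addTLS13Padding`, because the helper writes the inner content type directly after the payload and, under `OmitRecordContents`, truncates `b` and zeroes over it; the comment `// Add TLS 1.3 padding.` does not convey that ordering or that the call also produces the header length. I would reword it to something like `// Payload must be in place first: this appends the TLS 1.3 inner type and padding, and returns the final header length.` Separately, the helper gates on `c.out.version` while the record-type override a few lines above uses `c.vers`; if those two can ever differ, the outer type and the inner type/padding would disagree, so using one source for both checks seems safer. doWriteRecord's body extends beyond this hunk on both sides.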
@@ -1269,14 +1278,13 @@
}
}
}
- copy(b.data[recordHeaderLen+explicitIVLen:], data)
c.out.encrypt(b, explicitIVLen, typ)
_, err = c.conn.Write(b.data)
if err != nil {
break
}
- n += m
- data = data[m:]
+ n += plaintextLen
+ data = data[plaintextLen:]
}
c.out.freeBlock(b)