Google Git
Sign in
boringssl / boringssl / bc42402f316a5056c226a6555870b175b755b496^! / .
commitbc42402f316a5056c226a6555870b175b755b496[log] [tgz]
authorDavid Benjamin <davidben@google.com>Sun Jul 21 12:05:20 2019 -0400
committerAdam Langley <agl@google.com>Tue Jul 23 20:18:33 2019 +0000
tree1bdc678820bf7ed03a9a40016f4b79c75d7e4be6
parent94b2871bc5877b6e40890e670cdf9ca43b0c6d83 [diff]
Trim some more per-connection memory.

EVP_MAX_MD_SIZE is sized for the largest hash function supported, SHA-512, but
TLS never uses anything larger than SHA-384, which is plenty large enough. This
shaves 16 * 3 = 48 bytes of per-connection overhead plus an addition 16 * 7 =
112 bytes of per-handshake overhead. (Per-handshake structures are discarded
when the handshake completes, so this matters less.)

Change-Id: Iabe15d25fc9182ffcdde876facbe4d80c8143197
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36790
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index 81242ca..5a787b8 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -465,6 +465,9 @@
 #define SSL_HANDSHAKE_MAC_SHA256 0x2
 #define SSL_HANDSHAKE_MAC_SHA384 0x4
 
+// SSL_MAX_MD_SIZE is size of the largest hash function used in TLS, SHA-384.
+#define SSL_MAX_MD_SIZE 48
+
 // An SSLCipherPreferenceList contains a list of SSL_CIPHERs with equal-
 // preference groups. For TLS clients, the groups are moot because the server
 // picks the cipher and groups cannot be expressed on the wire. However, for
@@ -1452,13 +1455,13 @@
   uint16_t max_version = 0;
 
   size_t hash_len = 0;
-  uint8_t secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t early_traffic_secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t client_handshake_secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t server_handshake_secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE] = {0};
-  uint8_t server_traffic_secret_0[EVP_MAX_MD_SIZE] = {0};
-  uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0};
+  uint8_t secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t early_traffic_secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t client_handshake_secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t server_handshake_secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t client_traffic_secret_0[SSL_MAX_MD_SIZE] = {0};
+  uint8_t server_traffic_secret_0[SSL_MAX_MD_SIZE] = {0};
+  uint8_t expected_client_finished[SSL_MAX_MD_SIZE] = {0};
 
   union {
     // sent is a bitset where the bits correspond to elements of kExtensions
@@ -2293,9 +2296,9 @@
   // one.
   UniquePtr<SSL_HANDSHAKE> hs;
 
-  uint8_t write_traffic_secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t read_traffic_secret[EVP_MAX_MD_SIZE] = {0};
-  uint8_t exporter_secret[EVP_MAX_MD_SIZE] = {0};
+  uint8_t write_traffic_secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t read_traffic_secret[SSL_MAX_MD_SIZE] = {0};
+  uint8_t exporter_secret[SSL_MAX_MD_SIZE] = {0};
   uint8_t write_traffic_secret_len = 0;
   uint8_t read_traffic_secret_len = 0;
   uint8_t exporter_secret_len = 0;

diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index f457c2f..b6a402f 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc

@@ -38,6 +38,7 @@
     return false;
   }
 
+  assert(hs->transcript.DigestLen() <= SSL_MAX_MD_SIZE);
   hs->hash_len = hs->transcript.DigestLen();
 
   // Initialize the secret to the zero key.