runner: Slightly simplify sequence number management
No need to store outSeq on the halfConn, removed unused parameter.
Change-Id: I3f352acee0526be93531ce67fbb4c4634733771c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71407
Reviewed-by: Nick Harper <nharper@chromium.org>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 3287b01..4a31a3c 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -137,8 +137,6 @@
c.out.config = c.config
c.in.conn = c
c.out.conn = c
-
- c.out.updateOutSeq()
}
// Access to net.Conn methods.
@@ -188,7 +186,6 @@
recordNumberEncrypter recordNumberEncrypter
mac macFunction
seq [8]byte // 64-bit sequence number
- outSeq [8]byte // Mapped sequence number
nextCipher any // next encryption state
nextMac macFunction // next MAC algorithm
@@ -289,7 +286,7 @@
}
// incSeq increments the sequence number.
-func (hc *halfConn) incSeq(isOutgoing bool) {
+func (hc *halfConn) incSeq() {
limit := 0
increment := uint64(1)
if hc.isDTLS {
@@ -308,8 +305,6 @@
if increment != 0 {
panic("TLS: sequence number wraparound")
}
-
- hc.updateOutSeq()
}
// incNextSeq increments the starting sequence number for the next epoch.
@@ -345,8 +340,6 @@
hc.seq[i] = 0
}
}
-
- hc.updateOutSeq()
}
func (hc *halfConn) setEpoch(epoch uint16) {
@@ -359,21 +352,20 @@
for i := range hc.nextSeq {
hc.nextSeq[i] = 0
}
- hc.updateOutSeq()
}
-func (hc *halfConn) updateOutSeq() {
- if hc.config.Bugs.SequenceNumberMapping != nil {
- seqU64 := binary.BigEndian.Uint64(hc.seq[:])
- seqU64 = hc.config.Bugs.SequenceNumberMapping(seqU64)
- binary.BigEndian.PutUint64(hc.outSeq[:], seqU64)
-
- // The DTLS epoch cannot be changed.
- copy(hc.outSeq[:2], hc.seq[:2])
- return
+func (hc *halfConn) sequenceNumberForOutput() []byte {
+ if !hc.isDTLS || hc.config.Bugs.SequenceNumberMapping == nil {
+ return hc.seq[:]
}
- copy(hc.outSeq[:], hc.seq[:])
+ var seq [8]byte
+ seqU64 := binary.BigEndian.Uint64(hc.seq[:])
+ seqU64 = hc.config.Bugs.SequenceNumberMapping(seqU64)
+ binary.BigEndian.PutUint64(seq[:], seqU64)
+ // The DTLS epoch cannot be changed.
+ copy(seq[:2], hc.seq[:2])
+ return seq[:]
}
func (hc *halfConn) explicitIVLen() int {
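Review bot: sequenceNumberForOutput hands back two differently owned slices: the unmapped branch returns `hc.seq[:]`, which aliases the live counter, while the mapped branch returns a private copy. The DTLS write path in dtls.go takes `seq` before calling encrypt, and encrypt finishes with `hc.incSeq()`, so after that call the caller's `seq` holds the next record's number in one case and the number just written in the other. Nothing visible reads it afterwards, but any later use would see a different value depending on whether a mapping is configured. Copying first makes both branches behave the same: start the function with `seq := hc.seq` and return `seq[:]` from both paths. The function also has no doc comment; something like `// sequenceNumberForOutput returns a copy of the sequence number to put on the wire for the next outgoing record, after applying Bugs.SequenceNumberMapping in DTLS.` would state the contract.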
@@ -560,7 +552,7 @@
return false, 0, nil, alertBadRecordMAC
}
}
- hc.incSeq(false)
+ hc.incSeq()
return true, contentType, payload, 0
}
@@ -636,7 +628,7 @@
// (which must be in the last two bytes of the header) should be computed for
// the unencrypted, unpadded payload. It will be updated, potentially in-place,
// with the final length.
-func (hc *halfConn) encrypt(record, payload []byte, typ recordType, headerLen int, headerHasLength bool) ([]byte, error) {
+func (hc *halfConn) encrypt(record, payload []byte, typ recordType, headerLen int, headerHasLength bool, seq []byte) ([]byte, error) {
prefixLen := len(record)
header := record[prefixLen-headerLen:]
explicitIVLen := hc.explicitIVLen()
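Review bot: The doc comment above encrypt says nothing about the new `seq` argument, which the later hunks feed into the MAC, the AEAD nonce and the (D)TLS 1.2 additional data. Since `seq[2:]` is sliced and `copy(additionalData, seq)` fills the first eight bytes of the additional data, the expected length belongs in the contract, e.g. `// seq is the 8-byte sequence number (epoch in the first two bytes for DTLS) to authenticate the record under; it may differ from hc.seq when a sequence number mapping is in effect.` The same gap applies to appendDTLS13RecordHeader in dtls.go, whose comment still mentions only b and recordLen while the body indexes `seq[1]`, `seq[6]` and `seq[7]`. encrypt's body continues outside this hunk.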
@@ -662,7 +654,7 @@
}
if hc.mac != nil {
- record = append(record, hc.computeMAC(hc.outSeq[:], header, payload)...)
+ record = append(record, hc.computeMAC(seq, header, payload)...)
}
explicitIV := record[prefixLen : prefixLen+explicitIVLen]
@@ -674,13 +666,13 @@
}
c.XORKeyStream(record[prefixLen:], record[prefixLen:])
case *tlsAead:
- nonce := hc.outSeq[:]
+ nonce := seq
if hc.isDTLS && hc.version >= VersionTLS13 && !hc.conn.useDTLSPlaintextHeader() {
// Unlike DTLS 1.2, DTLS 1.3's nonce construction does not use
// the epoch number. We store the epoch and nonce numbers
// together, so make a copy without the epoch.
nonce = make([]byte, 8)
- copy(nonce[2:], hc.outSeq[2:])
+ copy(nonce[2:], seq[2:])
}
// Save the explicit IV, if not empty.
@@ -695,7 +687,7 @@
if hc.version < VersionTLS13 {
// (D)TLS 1.2's AD is seq_num || type || version || plaintext length
additionalData = make([]byte, 13)
- copy(additionalData, hc.outSeq[:])
+ copy(additionalData, seq)
copy(additionalData[8:], header[:3])
additionalData[11] = byte(len(payload) >> 8)
additionalData[12] = byte(len(payload))
@@ -736,7 +728,7 @@
record[prefixLen-2] = byte(n >> 8)
record[prefixLen-1] = byte(n)
}
- hc.incSeq(true)
+ hc.incSeq()
return record, nil
}
@@ -1292,7 +1284,7 @@
record[3] = byte(m >> 8) // encrypt will update this
record[4] = byte(m)
- record, err = c.out.encrypt(record, data[:m], typ, tlsRecordHeaderLen, true /* header has length */)
+ record, err = c.out.encrypt(record, data[:m], typ, tlsRecordHeaderLen, true /* header has length */, c.out.seq[:])
if err != nil {
return
}
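Review bot: The TLS write path passes `c.out.seq[:]` straight to encrypt, so `Bugs.SequenceNumberMapping` no longer has any effect on TLS records; the removed updateOutSeq applied the mapping whenever it was set, with no isDTLS check. If that is intended, the commit message and the field's documentation should say the mapping is DTLS-only, because a TLS test that sets it would presumably now run without ever sending the altered sequence number. Calling `c.out.sequenceNumberForOutput()` here instead would keep a single place that decides which number goes into the MAC and nonce. The enclosing function starts and ends outside the hunk.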
@@ -1470,7 +1462,7 @@
return errors.New("tls: sequence mismatch")
}
copy(c.in.seq[2:], seq)
- c.in.incSeq(false)
+ c.in.incSeq()
} else {
if bytes.Compare(seq, c.in.nextSeq[:]) < 0 {
return errors.New("tls: sequence mismatch")
diff --git a/ssl/test/runner/dtls.go b/ssl/test/runner/dtls.go
index 201b6b8..5eef430 100644
--- a/ssl/test/runner/dtls.go
+++ b/ssl/test/runner/dtls.go
@@ -411,7 +411,7 @@
// appendDTLS13RecordHeader appends to b the record header for a record of length
// recordLen.
-func (c *Conn) appendDTLS13RecordHeader(b []byte, recordLen int) []byte {
+func (c *Conn) appendDTLS13RecordHeader(b, seq []byte, recordLen int) []byte {
// Set the top 3 bits on the type byte to indicate the DTLS 1.3 record
// header format.
typ := byte(0x20)
@@ -428,12 +428,12 @@
typ |= 0x04
}
// Set the epoch bits
- typ |= c.out.outSeq[1] & 0x3
+ typ |= seq[1] & 0x3
b = append(b, typ)
if c.config.DTLSUseShortSeqNums {
- b = append(b, c.out.outSeq[7])
+ b = append(b, seq[7])
} else {
- b = append(b, c.out.outSeq[6], c.out.outSeq[7])
+ b = append(b, seq[6], seq[7])
}
if !c.config.DTLSRecordHeaderOmitLength {
b = append(b, byte(recordLen>>8), byte(recordLen))
@@ -467,21 +467,22 @@
useDTLS13RecordHeader := c.out.version >= VersionTLS13 && c.out.cipher != nil && !c.useDTLSPlaintextHeader()
headerHasLength := true
record := make([]byte, 0, dtlsMaxRecordHeaderLen+len(data)+c.out.maxEncryptOverhead(len(data)))
+ seq := c.out.sequenceNumberForOutput()
if useDTLS13RecordHeader {
- record = c.appendDTLS13RecordHeader(record, len(data))
+ record = c.appendDTLS13RecordHeader(record, seq, len(data))
headerHasLength = !c.config.DTLSRecordHeaderOmitLength
} else {
record = append(record, byte(typ))
record = append(record, byte(vers>>8))
record = append(record, byte(vers))
// DTLS records include an explicit sequence number.
- record = append(record, c.out.outSeq[:]...)
+ record = append(record, seq...)
record = append(record, byte(len(data)>>8))
record = append(record, byte(len(data)))
}
recordHeaderLen := len(record)
- record, err = c.out.encrypt(record, data, typ, recordHeaderLen, headerHasLength)
+ record, err = c.out.encrypt(record, data, typ, recordHeaderLen, headerHasLength, seq)
if err != nil {
return
}