Fixing iv_length for TLS 1.3.

In TLS 1.3, the iv_length is equal to the explicit AEAD nonce length, and is required to be at least 8 bytes. Change-Id: Ib258f227d0a02c5abfc7b65adb4e4a689feffe33 Reviewed-on: https://boringssl-review.googlesource.com/8304 Reviewed-by: David Benjamin <davidben@google.com>
2016-06-16 06:38:04 -04:00 · 2016-06-16 06:38:04 -04:00 · 7975056ac1
commit 7975056ac1
parent 3675dddab9
2 changed files with 30 additions and 13 deletions
--- a/ssl/ssl_aead_ctx.c
+++ b/ssl/ssl_aead_ctx.c
@ -100,8 +100,10 @@ SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
      aead_ctx->variable_nonce_len = 8;
      aead_ctx->variable_nonce_included_in_record = 0;
      aead_ctx->omit_ad = 1;
+      assert(fixed_iv_len >= aead_ctx->variable_nonce_len);
    }
  } else {
+    assert(version < TLS1_3_VERSION);
    aead_ctx->variable_nonce_included_in_record = 1;
    aead_ctx->random_variable_nonce = 1;
    aead_ctx->omit_length_in_ad = 1;
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@ -826,24 +826,24 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
    case SSL_AES128GCM:
      *out_aead = EVP_aead_aes_128_gcm();
      *out_fixed_iv_len = 4;
-      return 1;
+      break;

    case SSL_AES256GCM:
      *out_aead = EVP_aead_aes_256_gcm();
      *out_fixed_iv_len = 4;
-      return 1;
+      break;

 #if !defined(BORINGSSL_ANDROID_SYSTEM)
    case SSL_CHACHA20POLY1305_OLD:
      *out_aead = EVP_aead_chacha20_poly1305_old();
      *out_fixed_iv_len = 0;
-      return 1;
+      break;
 #endif

    case SSL_CHACHA20POLY1305:
      *out_aead = EVP_aead_chacha20_poly1305();
      *out_fixed_iv_len = 12;
-      return 1;
+      break;

    case SSL_RC4:
      switch (cipher->algorithm_mac) {
@ -854,7 +854,7 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_rc4_md5_tls();
          }
          *out_mac_secret_len = MD5_DIGEST_LENGTH;
-          return 1;
+          break;
        case SSL_SHA1:
          if (version == SSL3_VERSION) {
            *out_aead = EVP_aead_rc4_sha1_ssl3();
@ -862,10 +862,11 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_rc4_sha1_tls();
          }
          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
        default:
          return 0;
      }
+      break;

    case SSL_AES128:
      switch (cipher->algorithm_mac) {
@ -880,14 +881,15 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
          }
          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
        case SSL_SHA256:
          *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
          *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-          return 1;
+          break;
        default:
          return 0;
      }
+      break;

    case SSL_AES256:
      switch (cipher->algorithm_mac) {
@ -902,18 +904,19 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
          }
          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
        case SSL_SHA256:
          *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
          *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-          return 1;
+          break;
        case SSL_SHA384:
          *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
          *out_mac_secret_len = SHA384_DIGEST_LENGTH;
-          return 1;
+          break;
        default:
          return 0;
      }
+      break;

    case SSL_3DES:
      switch (cipher->algorithm_mac) {
@ -928,10 +931,11 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
          }
          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
        default:
          return 0;
      }
+      break;

    case SSL_eNULL:
      switch (cipher->algorithm_mac) {
@ -942,14 +946,25 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
            *out_aead = EVP_aead_null_sha1_tls();
          }
          *out_mac_secret_len = SHA_DIGEST_LENGTH;
-          return 1;
+          break;
        default:
          return 0;
      }
+      break;

    default:
      return 0;
  }
+
+  /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
+   * above computes the TLS 1.2 construction.
+   *
+   * TODO(davidben,svaldez): Avoid computing the wrong value and fixing it. */
+  if (version >= TLS1_3_VERSION) {
+    *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
+    assert(*out_fixed_iv_len >= 8);
+  }
+  return 1;
 }

 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {