From 7975056ac1ca5917dff1943415864f12dc913657 Mon Sep 17 00:00:00 2001
From: Steven Valdez
Date: Thu, 16 Jun 2016 06:38:04 -0400
Subject: [PATCH] Fixing iv_length for TLS 1.3.

In TLS 1.3, the iv_length is equal to the explicit AEAD nonce length, and is required to be at least 8 bytes.

Change-Id: Ib258f227d0a02c5abfc7b65adb4e4a689feffe33
Reviewed-on: https://boringssl-review.googlesource.com/8304
Reviewed-by: David Benjamin
---
 ssl/ssl_aead_ctx.c |  2 ++
 ssl/ssl_cipher.c   | 41 ++++++++++++++++++++++++++++-------------
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/ssl/ssl_aead_ctx.c b/ssl/ssl_aead_ctx.c
index 88daddd9..e5bfe86a 100644
--- a/ssl/ssl_aead_ctx.c
+++ b/ssl/ssl_aead_ctx.c
@@ -100,8 +100,10 @@ SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction,
       aead_ctx->variable_nonce_len = 8;
       aead_ctx->variable_nonce_included_in_record = 0;
       aead_ctx->omit_ad = 1;
+      assert(fixed_iv_len >= aead_ctx->variable_nonce_len);
     }
   } else {
+    assert(version < TLS1_3_VERSION);
     aead_ctx->variable_nonce_included_in_record = 1;
     aead_ctx->random_variable_nonce = 1;
     aead_ctx->omit_length_in_ad = 1;
diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index e78374b9..1aad8c48 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -826,24 +826,24 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
     case SSL_AES128GCM:
       *out_aead = EVP_aead_aes_128_gcm();
       *out_fixed_iv_len = 4;
-      return 1;
+      break;
     case SSL_AES256GCM:
       *out_aead = EVP_aead_aes_256_gcm();
       *out_fixed_iv_len = 4;
-      return 1;
+      break;
 #if !defined(BORINGSSL_ANDROID_SYSTEM)
     case SSL_CHACHA20POLY1305_OLD:
       *out_aead = EVP_aead_chacha20_poly1305_old();
       *out_fixed_iv_len = 0;
-      return 1;
+      break;
 #endif
     case SSL_CHACHA20POLY1305:
       *out_aead = EVP_aead_chacha20_poly1305();
       *out_fixed_iv_len = 12;
-      return 1;
+      break;
     case SSL_RC4:
       switch (cipher->algorithm_mac) {
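Review bot: The new `assert(fixed_iv_len >= aead_ctx->variable_nonce_len)` enforces the TLS 1.3 invariant only in debug builds; under NDEBUG a caller passing a fixed IV shorter than the 8-byte variable nonce would continue into the nonce construction, which lives outside this hunk. Since `SSL_AEAD_CTX_new` already has failure paths, a runtime check that rejects the context, e.g. `if (fixed_iv_len < aead_ctx->variable_nonce_len) { /* release aead_ctx and return NULL */ }`, would keep the guarantee in release builds as well. The same applies to `assert(version < TLS1_3_VERSION)` in the else branch, which documents rather than enforces that the 1.2-style explicit-nonce path is never selected for 1.3. Whether `<assert.h>` is already included by this file is not visible in the hunk. The enclosing function begins before the hunk.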
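Review bot: With `return 1` replaced by `break` in each case of `switch (cipher->algorithm_enc)`, correctness now depends on every outer case ending in `break;` after its inner `switch (cipher->algorithm_mac)`; a case that forgot it would fall into the next outer case, re-enter that case's inner switch and silently overwrite `*out_aead`, which `return 1` previously could not do. This applies equally to the hunks that follow, where the `break;` lines after the inner switches are added. A comment at the head of the switch, `/* Every case must end in break rather than return so the TLS 1.3 IV fix-up at the end of the function runs. */`, would make the constraint visible to the next person adding a cipher. The enclosing function `ssl_cipher_get_evp_aead` begins before the hunk.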
@@ -854,7 +854,7 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_rc4_md5_tls();
         }
         *out_mac_secret_len = MD5_DIGEST_LENGTH;
-        return 1;
+        break;
       case SSL_SHA1:
         if (version == SSL3_VERSION) {
           *out_aead = EVP_aead_rc4_sha1_ssl3();
@@ -862,10 +862,11 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_rc4_sha1_tls();
         }
         *out_mac_secret_len = SHA_DIGEST_LENGTH;
-        return 1;
+        break;
       default:
         return 0;
       }
+      break;
     case SSL_AES128:
       switch (cipher->algorithm_mac) {
@@ -880,14 +881,15 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
         }
         *out_mac_secret_len = SHA_DIGEST_LENGTH;
-        return 1;
+        break;
       case SSL_SHA256:
         *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
         *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-        return 1;
+        break;
       default:
         return 0;
       }
+      break;
     case SSL_AES256:
       switch (cipher->algorithm_mac) {
@@ -902,18 +904,19 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
         }
         *out_mac_secret_len = SHA_DIGEST_LENGTH;
-        return 1;
+        break;
       case SSL_SHA256:
         *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
         *out_mac_secret_len = SHA256_DIGEST_LENGTH;
-        return 1;
+        break;
       case SSL_SHA384:
         *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
         *out_mac_secret_len = SHA384_DIGEST_LENGTH;
-        return 1;
+        break;
       default:
         return 0;
       }
+      break;
     case SSL_3DES:
       switch (cipher->algorithm_mac) {
@@ -928,10 +931,11 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
         }
         *out_mac_secret_len = SHA_DIGEST_LENGTH;
-        return 1;
+        break;
       default:
         return 0;
       }
+      break;
     case SSL_eNULL:
       switch (cipher->algorithm_mac) {
@@ -942,14 +946,25 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
           *out_aead = EVP_aead_null_sha1_tls();
         }
         *out_mac_secret_len = SHA_DIGEST_LENGTH;
-        return 1;
+        break;
       default:
         return 0;
       }
+      break;
     default:
       return 0;
   }
+
+  /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
+   * above computes the TLS 1.2 construction.
+   *
+   * TODO(davidben,svaldez): Avoid computing the wrong value and fixing it. */
+  if (version >= TLS1_3_VERSION) {
+    *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
+    assert(*out_fixed_iv_len >= 8);
+  }
+
+  return 1;
 }
 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
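Review bot: The TLS 1.3 fix-up runs for every suite that reaches the end of the switch, including the RC4, CBC and null suites that set `*out_mac_secret_len`, whose legacy wrappers have no TLS 1.3 nonce semantics; for those, `EVP_AEAD_nonce_length(*out_aead)` is an unrelated number and `assert(*out_fixed_iv_len >= 8)` is the only guard, which disappears under NDEBUG. Presumably suite selection elsewhere never pairs a non-AEAD suite with `TLS1_3_VERSION`, but this function does not enforce it; rejecting such combinations here, e.g. `if (version >= TLS1_3_VERSION && cipher->algorithm_mac != SSL_AEAD) { return 0; }` (assuming the AEAD suites carry `SSL_AEAD` in `algorithm_mac`, as the rest of this file's cipher table does), would make the contract explicit. For the same reason the minimum-length invariant that `SSL_AEAD_CTX_new` relies on would be safer as a runtime failure, `if (*out_fixed_iv_len < 8) { return 0; }`, rather than an assert. The function's opening and its initialisation of the out-parameters are outside the hunk.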