TLS AEAD ciphers: more bytes for key_block than needed #13035
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maximmasiutin
changed the title
|
Could you please amend the commit message to be more descriptive and put the Fixes line in the commit message body not on the first line? Use git commit --amend and then git push --force to do that. |
maximmasiutin
force-pushed
the
master
branch
from
cb4cc47
to
ee9f28b
Compare
|
Unfortunately the formatting is less than perfect. There are missing line separators. For example the |
|
Also the message body does not need to include the history of the changes and it usually is not written in first person, but it also does not hurt so that is up to you. |
maximmasiutin
changed the title
Fixes openssl#12007 The key_block length was not written to trace, thus it was not obvious that extra key_bytes were generated for TLS AEAD. The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers to figure out how many bytes from the key_block were needed for the IV. The correct way was to take cipher mode (GCM, CCM, etc) into consideration rather than simply callin the general function EVP_CIPHER_iv_length. The new function tls_iv_length_within_key_block takes this into consideration. Besides that, the order of addendums was counter-intuitive MAC length was second, but it have to be first to correspond the order given in the RFC.
maximmasiutin
force-pushed
the
master
branch
from
ee9f28b
to
585008c
Compare
|
@t8m I have updated both the pull request description at the github and also the git commit description. It is now multiline. Can you please confirm that it is now OK? |
t8m
approved these changes
Sep 30, 2020
mattcaswell
approved these changes
Sep 30, 2020
mattcaswell
added
the
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
openssl-machine
pushed a commit
that referenced
this pull request
Oct 2, 2020
Fixes #12007 The key_block length was not written to trace, thus it was not obvious that extra key_bytes were generated for TLS AEAD. The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers to figure out how many bytes from the key_block were needed for the IV. The correct way was to take cipher mode (GCM, CCM, etc) into consideration rather than simply callin the general function EVP_CIPHER_iv_length. The new function tls_iv_length_within_key_block takes this into consideration. Besides that, the order of addendums was counter-intuitive MAC length was second, but it have to be first to correspond the order given in the RFC. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #13035)
|
Merged to master. Thank you for the PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TLS AEAD ciphers: more bytes for key_block than needed.
This pull request fixes the issue "More bytes are generated for key_block than needed for AEAD ciphers". In doing the fix, I have reused existing code that was already calculating IV length within the key block. See the discussion at #12007 for more details. It was the idea of @jwalch to use the existing code. I have taken existing code using the so-called "extract function" refactoring pattern. After that, @richsalz has proposed to optimize the code that by removing "k", and just replacing the assignments with return statements, then removing the "else".
This pull request is basically about the two things:
(1) Enables tracing of the key block length to show the bug by adding 'BIO_printf(trc_out, "key block length: %ld\n", num);'
(2) Fixes the bug by creating a function 'tls_iv_length_within_key_block' from existing code and calling it from that old place and from a second (new) place where IV length was taking regardless its context within the key_block.
I have also changed the order of addendums to correspond to one given in the RFC. The old order was somewhat counter-intuitive.
Old:
New:
Here is the order in the RFC:
So, MAC_key comes first, then come cipher key and then the IV. That's why I put "mac_secret_size" first.
@mattcaswell - please review.
Fixes #12007