From 1588983ef0828df82a71db33b5ed5eeb574c94bc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:29:11 +0100 Subject: [PATCH] Introduce macros for max-{IV,block,key}-size for ciphers used in TLS See the documentation in ssl_internal.h that this commit introduces for more information. Signed-off-by: Hanno Becker --- include/mbedtls/cipher.h | 13 ++++++++++--- include/mbedtls/ssl_internal.h | 30 ++++++++++++++++++++++++++---- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 8a6c8ebdb..8827e0b79 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -227,17 +227,24 @@ enum { }; /** Maximum length of any IV, in Bytes. */ -/* This should ideally be derived automatically from list of ciphers. */ +/* This should ideally be derived automatically from list of ciphers. + * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined + * in ssl_internal.h. */ #define MBEDTLS_MAX_IV_LENGTH 16 /** Maximum block size of any cipher, in Bytes. */ -/* This should ideally be derived automatically from list of ciphers. */ +/* This should ideally be derived automatically from list of ciphers. + * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined + * in ssl_internal.h. */ #define MBEDTLS_MAX_BLOCK_LENGTH 16 /** Maximum key length, in Bytes. */ /* This should ideally be derived automatically from list of ciphers. * For now, only check whether XTS is enabled which uses 64 Byte keys, - * and use 32 Bytes as an upper bound for the maximum key length otherwise. */ + * and use 32 Bytes as an upper bound for the maximum key length otherwise. + * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined + * in ssl_internal.h, which however deliberately ignores the case of XTS + * since the latter isn't used in SSL/TLS. */ #if defined(MBEDTLS_CIPHER_MODE_XTS) #define MBEDTLS_MAX_KEY_LENGTH 64 #else diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 617bdc74f..2c30855f5 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -379,7 +379,29 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ); +/* cipher.h exports the maximum IV, key and block length from all + * all ciphers enabled in the config, regardless of whether those + * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled + * in the default configuration and uses 64 Byte keys, but it is + * not used for record protection in SSL/TLS. + * + * In order to prevent unnecessary inflation of key structures, + * we introduce SSL-specific variants of the max-{key,block,IV} + * macros here which are meant to only take those ciphers into + * account which can be negotiated in SSL/TLS. + * + * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH + * in cipher.h are rough overapproximations of the real maxima, here + * we content ourselves with defining replicating those overapproximations + * for the maximum block and IV length, and excluding XTS from the + * computation of the maximum key length. */ +#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 +#define MBEDTLS_SSL_MAX_IV_LENGTH 16 +#define MBEDTLS_SSL_MAX_KEY_LENGTH 32 + + #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + /** * \brief The data structure holding the cryptographic material (key and IV) * used for record protection in TLS 1.3. @@ -387,13 +409,13 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, struct mbedtls_ssl_key_set { /*! The key for client->server records. */ - unsigned char client_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; /*! The key for server->client records. */ - unsigned char server_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; /*! The IV for client->server records. */ - unsigned char client_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; /*! The IV for server->client records. */ - unsigned char server_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; size_t key_len; /*!< The length of client_write_key and * server_write_key, in Bytes. */