Fix the types used in token counts.
The number of tokens is inconsistent throughout the API. max_batchsize
is a uint16_t. max_issuance is a size_t. out_tokens_issued is a
uint8_t*. The serialization only supports up to uint16_t.
Standardize on size_t. The natural size for a count of elements is
size_t. Protocol limitations can be handled within the implementation.
Additionally, it is best not to use small types for counters in public
APIs in C/C++ because the language has implicit truncating conversions.
(Whereas code points or other enum-like values are fine because the
caller won't managed to get a 32-bit cipher suite.)
Update-Note: Fix callers of TRUST_TOKEN_ISSUER_issue to use size_t
instead of uint8_t. The max_batchsize changes should go through without
changes to the caller.
Change-Id: I9be5dd8f61abdbe5a1dbe70b8dc72d06114b1022
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41044
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/crypto/trust_token/trust_token.c b/crypto/trust_token/trust_token.c
index 08040f5..6f5756a 100644
--- a/crypto/trust_token/trust_token.c
+++ b/crypto/trust_token/trust_token.c
@@ -73,14 +73,20 @@
OPENSSL_free(token);
}
-TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(uint16_t max_batchsize) {
+TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(size_t max_batchsize) {
+ if (max_batchsize > 0xffff) {
+ // The protocol supports only two-byte token counts.
+ OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
+ return NULL;
+ }
+
TRUST_TOKEN_CLIENT *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_CLIENT));
if (ret == NULL) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_CLIENT));
- ret->max_batchsize = max_batchsize;
+ ret->max_batchsize = (uint16_t)max_batchsize;
ret->pretokens = sk_PMBTOKEN_PRETOKEN_new_null();
if (ret->pretokens == NULL) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
@@ -363,14 +369,20 @@
return 1;
}
-TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(uint16_t max_batchsize) {
+TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(size_t max_batchsize) {
+ if (max_batchsize > 0xffff) {
+ // The protocol supports only two-byte token counts.
+ OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);
+ return NULL;
+ }
+
TRUST_TOKEN_ISSUER *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_ISSUER));
if (ret == NULL) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_ISSUER));
- ret->max_batchsize = max_batchsize;
+ ret->max_batchsize = (uint16_t)max_batchsize;
return ret;
}
@@ -449,7 +461,7 @@
}
int TRUST_TOKEN_ISSUER_issue(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out,
- size_t *out_len, uint8_t *out_tokens_issued,
+ size_t *out_len, size_t *out_tokens_issued,
const uint8_t *request, size_t request_len,
uint32_t public_metadata, uint8_t private_metadata,
size_t max_issuance) {
diff --git a/crypto/trust_token/trust_token_test.cc b/crypto/trust_token/trust_token_test.cc
index ce832db..2da8b08 100644
--- a/crypto/trust_token/trust_token_test.cc
+++ b/crypto/trust_token/trust_token_test.cc
@@ -110,7 +110,7 @@
size_t msg_len, resp_len;
size_t key_index;
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(
TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg, &msg_len, 1));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
@@ -152,7 +152,7 @@
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
msg_len = 10;
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_FALSE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/KeyID(0), /*private_metadata=*/0,
@@ -168,7 +168,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/KeyID(0), /*private_metadata=*/0,
@@ -190,7 +190,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &request,
&request_len, 10));
bssl::UniquePtr<uint8_t> free_request(request);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(issuer.get(), &response, &response_len,
&tokens_issued, request, request_len,
/*public_metadata=*/KeyID(0),
@@ -214,7 +214,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/KeyID(0), /*private_metadata=*/0,
@@ -255,7 +255,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/KeyID(0), /*private_metadata=*/0,
@@ -349,7 +349,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/42, /*private_metadata=*/0, /*max_issuance=*/10));
@@ -372,7 +372,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
std::get<0>(GetParam()), std::get<1>(GetParam()), /*max_issuance=*/1));
@@ -446,7 +446,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
std::get<0>(GetParam()), std::get<1>(GetParam()), /*max_issuance=*/1));
@@ -469,7 +469,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
std::get<0>(GetParam()), std::get<1>(GetParam()), /*max_issuance=*/1));
@@ -524,7 +524,7 @@
ASSERT_TRUE(TRUST_TOKEN_CLIENT_begin_issuance(client.get(), &issue_msg,
&msg_len, 10));
bssl::UniquePtr<uint8_t> free_issue_msg(issue_msg);
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
std::get<0>(GetParam()), std::get<1>(GetParam()), /*max_issuance=*/1));
@@ -602,7 +602,7 @@
// Corrupt private key scalar.
scalars[corrupted_key]->bytes[0] ^= 42;
- uint8_t tokens_issued;
+ size_t tokens_issued;
ASSERT_TRUE(TRUST_TOKEN_ISSUER_issue(
issuer.get(), &issue_resp, &resp_len, &tokens_issued, issue_msg, msg_len,
/*public_metadata=*/7, std::get<0>(GetParam()), /*max_issuance=*/1));
diff --git a/include/openssl/trust_token.h b/include/openssl/trust_token.h
index 8bd1eda..008857e 100644
--- a/include/openssl/trust_token.h
+++ b/include/openssl/trust_token.h
@@ -83,9 +83,10 @@
// TRUST_TOKEN_CLIENT_new returns a newly-allocated |TRUST_TOKEN_CLIENT|
// configured to use a max batchsize of |max_batchsize| or NULL on error.
-// Issuance requests must be made in batches smaller than |max_batchsize|.
-OPENSSL_EXPORT TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(
- uint16_t max_batchsize);
+// Issuance requests must be made in batches smaller than |max_batchsize|. This
+// function will return an error if |max_batchsize| is too large for Trust
+// Tokens.
+OPENSSL_EXPORT TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(size_t max_batchsize);
// TRUST_TOKEN_CLIENT_free releases memory associated with |ctx|.
OPENSSL_EXPORT void TRUST_TOKEN_CLIENT_free(TRUST_TOKEN_CLIENT *ctx);
@@ -162,9 +163,10 @@
// TRUST_TOKEN_ISSUER_new returns a newly-allocated |TRUST_TOKEN_ISSUER|
// configured to use a max batchsize of |max_batchsize| or NULL on error.
-// Issuance requests must be made in batches smaller than |max_batchsize|.
-OPENSSL_EXPORT TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(
- uint16_t max_batchsize);
+// Issuance requests must be made in batches smaller than |max_batchsize|. This
+// function will return an error if |max_batchsize| is too large for Trust
+// Tokens.
+OPENSSL_EXPORT TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(size_t max_batchsize);
// TRUST_TOKEN_ISSUER_free releases memory associated with |ctx|.
OPENSSL_EXPORT void TRUST_TOKEN_ISSUER_free(TRUST_TOKEN_ISSUER *ctx);
@@ -202,7 +204,7 @@
// error.
OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_issue(
const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, size_t *out_len,
- uint8_t *out_tokens_issued, const uint8_t *request, size_t request_len,
+ size_t *out_tokens_issued, const uint8_t *request, size_t request_len,
uint32_t public_metadata, uint8_t private_metadata, size_t max_issuance);
// TRUST_TOKEN_ISSUER_redeem ingests a |request| for token redemption and
diff --git a/tool/speed.cc b/tool/speed.cc
index c91c25b..b1f530d 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -1109,8 +1109,7 @@
if (!TimeFunction(&results, [&]() -> bool {
uint8_t *issue_resp = NULL;
- size_t resp_len;
- uint8_t tokens_issued;
+ size_t resp_len, tokens_issued;
int ok = TRUST_TOKEN_ISSUER_issue(issuer.get(), &issue_resp, &resp_len,
&tokens_issued, issue_msg, msg_len,
/*public_metadata=*/0,
@@ -1125,8 +1124,7 @@
results.Print(name + " issue");
uint8_t *issue_resp = NULL;
- size_t resp_len;
- uint8_t tokens_issued;
+ size_t resp_len, tokens_issued;
if (!TRUST_TOKEN_ISSUER_issue(issuer.get(), &issue_resp, &resp_len,
&tokens_issued, issue_msg, msg_len,
/*public_metadata=*/0, /*private_metadata=*/0,
