Since none of these will ever set read_hash and thus never hit the MAC code and also will never hit the constant-time CBC business, I believe the 0 / -1 distinction and constant-time worries aren't meaningful. (Hopefully once the refactoring in #1438 happens, it'll be less confusing.)

Er, I guess that bug is talking about lots of different things. By "the refactoring in #1438" I mean folding tls1_mac into tls1_enc, so that you always do encrypt + MAC checks as a unit, rather than the one to tidy up tls1_cbc_remove_padding's return value.

Perhaps not, although the return code values need to be consistent between tls1_enc and tls13_enc because this gets called by this line in ssl3_get_record() which has no awareness of TLSv1.3:

    enc_err = s->method->ssl3_enc->enc(s, rr, num_recs, 0);
    /*-
     * enc_err is:
     *    0: (in non-constant time) if the record is publically invalid.
     *    1: if the padding is valid
     *    -1: if the padding is invalid
     */
    if (enc_err == 0) {
        al = SSL_AD_DECRYPTION_FAILED;
        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
        goto f_err;
    }

I guess the difference is that 0 means a failure occurred before we even attempted to decrypt because it is clearly wrong before we even start, a -1 means some failure occurred after decryption was attempted. 0 gets you decryption_failed, while -1 gets you bad_record_mac. I'm not sure whether we care about that difference or not.

Glancing at tls1_enc, I think this wants to be -1?

(The only zero return in tls1_enc is when tls1_cbc_remove_padding returns 0. This matches ssl3_get_record which sets SSL_R_BLOCK_CIPHER_PAD_IS_WRONG on zero return.)

The thinking here is that this goes into the category of "publicly invalid" (which is defined as a 0 return). We have received an encrypted record that is shorter than the tag length.

You get a double-free after this, if you don't add here a *key = NULL;

Fixed. Thanks.

Please add a comment that OPENSSL_malloc returns NULL if size is zero (since that's not guaranteed by regular malloc).

Done

squash to a single comment line.

Done

move up to the decl? it's what we usually do. or if not, then remove the blank line before the if.

Done

"can't" --> "doesn't"

Done

that looks longer than 509 chars and will therefore break on some platforms. and you need a comment saying how this data was generated or where it came from.

They came from: https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-01.txt

I added a comment for that. The 509 chars thing is problematic...I might need to make a few changes to get around that. I'll give it some thought.

Maybe look at what I did in #1775 about gluing things together.

I know you don't like it, but "if ((a=..)==NULL" is the construct we use throughout the rest of the code.

No we don't!!!! There are examples of that, sure. But there are plenty of examples where we don't. It is definitely not our standard, and it isn't in our style guide. There are occasions where it makes sense, but those are rare and this isn't one of them.

interestingly, you're right that it's not style:

; g grep 'if.*==.*NULL' > /tmp/x
; wc /tmp/x
  3056  20404 156963 /tmp/x
; grep '=.*==' /tmp/x | wc
    939    8288   64894

If you're going to keep this multi-line comment, then the blank lines between the memcpy and the EVP_CIPHER setup should be removed. Comments should go only for a single "paragraph" of code ... Or split into three comments.

I split it into three.

remove this blank line, it's part of the same paragraph as above.

I think you mean the one between tls13_enc() and test_record(), rather than this one...at least that makes more sense to me in terms of paragraphs of code - so I removed that one.

remove this blank line too.

Done

move this blank line to just before the err label :)

Done