mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-24 13:55:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Extend the new_record_layer function

Browse Source 
Add the ability to pass the main secret and length, as well as the
digest used for the KDF.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
This commit is contained in:
Matt Caswell 2022-11-14 14:19:53 +00:00
parent bea8d70498
commit 3f9175c7a4
14 changed files with 60 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/internal/recordmethod.h
View File

@ -124,6 +124,8 @@ struct ossl_record_method_st {
int role, int direction,
int level,
uint16_t epoch,
unsigned char *secret,
size_t secretlen,
unsigned char *key,
size_t keylen,
unsigned char *iv,
@ -135,6 +137,7 @@ struct ossl_record_method_st {
int mactype,
const EVP_MD *md,
COMP_METHOD *comp,
const EVP_MD *kdfdigest,
BIO *prev,
BIO *transport,
BIO *next,

4
ssl/d1_lib.c
View File

@ -820,9 +820,9 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
if (!ssl_set_new_record_layer(s,
DTLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_READ,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NID_undef, NULL, NULL)) {
NID_undef, NULL, NULL, NULL)) {
/* SSLfatal already called */
ret = -1;
goto end;

6
ssl/record/methods/dtls_meth.c
View File

@ -624,12 +624,14 @@ static int dtls_free(OSSL_RECORD_LAYER *rl)
static int
dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const EVP_MD *md, COMP_METHOD *comp,
const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)

6
ssl/record/methods/ktls_meth.c
View File

@ -402,12 +402,14 @@ static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
static int
ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const EVP_MD *md, COMP_METHOD *comp,
const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)

6
ssl/record/methods/tls_common.c
View File

@ -1324,12 +1324,14 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
static int
tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const EVP_MD *md, COMP_METHOD *comp,
const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)

14
ssl/record/rec_layer_s3.c
View File

@ -1155,12 +1155,13 @@ static int ssl_post_record_layer_select(SSL_CONNECTION *s, int direction)
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
int direction, int level,
unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
const SSL_COMP *comp)
const SSL_COMP *comp, const EVP_MD *kdfdigest)
{
OSSL_PARAM options[5], *opts = options;
OSSL_PARAM settings[6], *set = settings;
@ -1330,11 +1331,12 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
rlret = meth->new_record_layer(sctx->libctx, sctx->propq, version,
s->server, direction, level, epoch,
key, keylen, iv, ivlen, mackey,
mackeylen, ciph, taglen, mactype, md,
compm, prev, thisbio, next, NULL, NULL,
settings, options, rlayer_dispatch_tmp,
s, s->rlayer.rlarg, &newrl);
secret, secretlen, key, keylen, iv,
ivlen, mackey, mackeylen, ciph, taglen,
mactype, md, compm, kdfdigest, prev,
thisbio, next, NULL, NULL, settings,
options, rlayer_dispatch_tmp, s,
s->rlayer.rlarg, &newrl);
BIO_free(prev);
switch (rlret) {
case OSSL_RECORD_RETURN_FATAL:

8
ssl/record/record.h
View File

@ -173,13 +173,15 @@ void ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr);
int ossl_tls_handle_rlayer_return(SSL_CONNECTION *s, int writing, int ret,
char *file, int line);
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
int level, unsigned char *key, size_t keylen,
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
int direction, int level,
unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
const SSL_COMP *comp);
const SSL_COMP *comp, const EVP_MD *kdfdigest);
int ssl_set_record_protocol_version(SSL_CONNECTION *s, int vers);
# define OSSL_FUNC_RLAYER_SKIP_EARLY_DATA 1

4
ssl/s3_enc.c
View File

@ -146,8 +146,8 @@ int ssl3_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, SSL3_VERSION,
direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
key, key_len, iv, iv_len, mac_secret,
md_len, ciph, 0, NID_undef, md, comp)) {
NULL, 0, key, key_len, iv, iv_len, mac_secret,
md_len, ciph, 0, NID_undef, md, comp, NULL)) {
/* SSLfatal already called */
goto err;
}

9
ssl/ssl_lib.c
View File

@ -553,17 +553,18 @@ static int clear_record_layer(SSL_CONNECTION *s)
SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
: TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_READ,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NID_undef, NULL, NULL);
NID_undef, NULL, NULL, NULL);
ret &= ssl_set_new_record_layer(s,
SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
: TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NID_undef, NULL, NULL);
NID_undef, NULL, NULL, NULL);
/* SSLfatal already called in the event of failure */
return ret;
}

9
ssl/statem/statem_clnt.c
View File

@ -720,8 +720,9 @@ WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NID_undef, NULL, NULL)) {
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NULL, 0, NID_undef, NULL, NULL,
NULL)) {
/* SSLfatal already called */
return WORK_ERROR;
}
@ -1793,8 +1794,8 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NID_undef, NULL, NULL)) {
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
NULL, 0, NID_undef, NULL, NULL, NULL)) {
/* SSLfatal already called */
goto err;
}

4
ssl/t1_enc.c
View File

@ -268,9 +268,9 @@ int tls1_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, s->version, direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
key, cl, iv, (size_t)k, mac_secret,
NULL, 0, key, cl, iv, (size_t)k, mac_secret,
mac_secret_size, c, taglen, mac_type,
m, comp)) {
m, comp, NULL)) {
/* SSLfatal already called */
goto err;
}

9
ssl/tls13_enc.c
View File

@ -678,8 +678,9 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, s->version,
direction,
level, key, keylen, iv, ivlen, NULL, 0,
cipher, taglen, NID_undef, NULL, NULL)) {
level, insecret, hashlen, key, keylen, iv,
ivlen, NULL, 0, cipher, taglen, NID_undef,
NULL, NULL, md)) {
/* SSLfatal already called */
goto err;
}
@ -736,9 +737,9 @@ int tls13_update_key(SSL_CONNECTION *s, int sending)
if (!ssl_set_new_record_layer(s, s->version,
direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
key, keylen, iv, ivlen, NULL, 0,
insecret, hashlen, key, keylen, iv, ivlen, NULL, 0,
s->s3.tmp.new_sym_enc, taglen, NID_undef, NULL,
NULL)) {
NULL, md)) {
/* SSLfatal already called */
goto err;
}

14
test/tls13encryptiontest.c
View File

@ -335,10 +335,11 @@ static int test_tls13_encryption(void)
if (!TEST_true(ossl_tls_record_method.new_record_layer(
NULL, NULL, TLS1_3_VERSION, OSSL_RECORD_ROLE_SERVER,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, NULL, 0,
key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, &wrl)))
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
&wrl)))
goto err;
memcpy(wrl->sequence, seqbuf, sizeof(seqbuf));
@ -357,10 +358,11 @@ static int test_tls13_encryption(void)
if (!TEST_true(ossl_tls_record_method.new_record_layer(
NULL, NULL, TLS1_3_VERSION, OSSL_RECORD_ROLE_SERVER,
OSSL_RECORD_DIRECTION_READ,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, NULL, 0,
key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, &rrl)))
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
&rrl)))
goto err;
memcpy(rrl->sequence, seqbuf, sizeof(seqbuf));

5
test/tls13secretstest.c
View File

@ -218,12 +218,13 @@ void ssl_evp_md_free(const EVP_MD *md)
}
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
int level, unsigned char *key, size_t keylen,
int level, unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
const SSL_COMP *comp)
const SSL_COMP *comp, const EVP_MD *kdfdigest)
{
return 0;
}