mirror of
https://github.com/openssl/openssl.git
synced 2025-01-18 13:44:20 +08:00
Remove some final references to the SSL object in the record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
This commit is contained in:
Matt Caswell
parent
6366bdd9be
commit
8124ab56d4
@ -562,6 +562,8 @@ extern "C" {
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE "mode"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD "read_ahead"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM "use_etm"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC "stream_mac"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE "tlstree"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN "max_frag_len"
|
||||
#define OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA "max_early_data"
|
||||
|
||||
|
||||
@ -15,67 +15,6 @@
|
||||
#include "recmethod_local.h"
|
||||
#include "internal/ktls.h"
|
||||
|
||||
#ifndef OPENSSL_NO_KTLS_RX
|
||||
/*
|
||||
* Count the number of records that were not processed yet from record boundary.
|
||||
*
|
||||
* This function assumes that there are only fully formed records read in the
|
||||
* record layer. If read_ahead is enabled, then this might be false and this
|
||||
* function will fail.
|
||||
*/
|
||||
static int count_unprocessed_records(SSL_CONNECTION *s)
|
||||
{
|
||||
SSL3_BUFFER *rbuf = s->rrlmethod->get0_rbuf(s->rrl);
|
||||
PACKET pkt, subpkt;
|
||||
int count = 0;
|
||||
|
||||
if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
|
||||
return -1;
|
||||
|
||||
while (PACKET_remaining(&pkt) > 0) {
|
||||
/* Skip record type and version */
|
||||
if (!PACKET_forward(&pkt, 3))
|
||||
return -1;
|
||||
|
||||
/* Read until next record */
|
||||
if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
|
||||
return -1;
|
||||
|
||||
count += 1;
|
||||
}
|
||||
|
||||
return count;
|
||||
}
|
||||
|
||||
/*
|
||||
* The kernel cannot offload receive if a partial TLS record has been read.
|
||||
* Check the read buffer for unprocessed records. If the buffer contains a
|
||||
* partial record, fail and return 0. Otherwise, update the sequence
|
||||
* number at *rec_seq for the count of unprocessed records and return 1.
|
||||
*/
|
||||
static int check_rx_read_ahead(SSL_CONNECTION *s, unsigned char *rec_seq)
|
||||
{
|
||||
int bit, count_unprocessed;
|
||||
|
||||
count_unprocessed = count_unprocessed_records(s);
|
||||
if (count_unprocessed < 0)
|
||||
return 0;
|
||||
|
||||
/* increment the crypto_info record sequence */
|
||||
while (count_unprocessed) {
|
||||
for (bit = 7; bit >= 0; bit--) { /* increment */
|
||||
++rec_seq[bit];
|
||||
if (rec_seq[bit] != 0)
|
||||
break;
|
||||
}
|
||||
count_unprocessed--;
|
||||
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__)
|
||||
# include "crypto/cryptodev.h"
|
||||
|
||||
@ -168,57 +107,48 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl,
|
||||
}
|
||||
|
||||
/* Function to configure kernel TLS structure */
|
||||
int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
void *rl_sequence, ktls_crypto_info_t *crypto_info,
|
||||
int is_tx, unsigned char *iv, size_t ivlen,
|
||||
int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c,
|
||||
EVP_MD *md, void *rl_sequence,
|
||||
ktls_crypto_info_t *crypto_info, int is_tx,
|
||||
unsigned char *iv, size_t ivlen,
|
||||
unsigned char *key, size_t keylen,
|
||||
unsigned char *mac_key, size_t mac_secret_size)
|
||||
{
|
||||
memset(crypto_info, 0, sizeof(*crypto_info));
|
||||
switch (s->s3.tmp.new_cipher->algorithm_enc) {
|
||||
case SSL_AES128GCM:
|
||||
case SSL_AES256GCM:
|
||||
if (EVP_CIPHER_is_a(c, "AES-128-GCM")
|
||||
|| EVP_CIPHER_is_a(c, "AES-256-GCM")) {
|
||||
crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16;
|
||||
crypto_info->iv_len = ivlen;
|
||||
break;
|
||||
} else
|
||||
# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
|
||||
case SSL_CHACHA20POLY1305:
|
||||
if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) {
|
||||
crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
|
||||
crypto_info->iv_len = ivlen;
|
||||
break;
|
||||
} else
|
||||
# endif
|
||||
case SSL_AES128:
|
||||
case SSL_AES256:
|
||||
switch (s->s3.tmp.new_cipher->algorithm_mac) {
|
||||
case SSL_SHA1:
|
||||
if (EVP_CIPHER_is_a(c, "AES-128-CBC") || EVP_CIPHER_is_a(c, "AES-256-CBC")) {
|
||||
if (EVP_MD_is_a(md, "SHA1"))
|
||||
crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC;
|
||||
break;
|
||||
case SSL_SHA256:
|
||||
else if (EVP_MD_is_a(md, "SHA2-256")) {
|
||||
crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC;
|
||||
break;
|
||||
case SSL_SHA384:
|
||||
else if (EVP_MD_is_a(md, "SHA2-384"))
|
||||
crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC;
|
||||
break;
|
||||
default:
|
||||
else
|
||||
return 0;
|
||||
}
|
||||
crypto_info->cipher_algorithm = CRYPTO_AES_CBC;
|
||||
crypto_info->iv_len = ivlen;
|
||||
crypto_info->auth_key = mac_key;
|
||||
crypto_info->auth_key_len = mac_secret_size;
|
||||
break;
|
||||
default:
|
||||
} else {
|
||||
return 0;
|
||||
}
|
||||
crypto_info->cipher_key = key;
|
||||
crypto_info->cipher_key_len = keylen;
|
||||
crypto_info->iv = iv;
|
||||
crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff;
|
||||
crypto_info->tls_vminor = (s->version & 0x000000ff);
|
||||
crypto_info->tls_vmajor = (version >> 8) & 0x000000ff;
|
||||
crypto_info->tls_vminor = (version & 0x000000ff);
|
||||
# ifdef TCP_RXTLS_ENABLE
|
||||
memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
|
||||
if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq))
|
||||
return 0;
|
||||
# else
|
||||
if (!is_tx)
|
||||
return 0;
|
||||
@ -315,15 +245,15 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl,
|
||||
}
|
||||
|
||||
/* Function to configure kernel TLS structure */
|
||||
int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
void *rl_sequence, ktls_crypto_info_t *crypto_info,
|
||||
int is_tx, unsigned char *iv, size_t ivlen,
|
||||
int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c,
|
||||
const EVP_MD *md, void *rl_sequence,
|
||||
ktls_crypto_info_t *crypto_info, int is_tx,
|
||||
unsigned char *iv, size_t ivlen,
|
||||
unsigned char *key, size_t keylen,
|
||||
unsigned char *mac_key, size_t mac_secret_size)
|
||||
{
|
||||
unsigned char geniv[EVP_GCM_TLS_EXPLICIT_IV_LEN];
|
||||
unsigned char *eiv = NULL;
|
||||
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
|
||||
|
||||
# ifdef OPENSSL_NO_KTLS_RX
|
||||
if (!is_tx)
|
||||
@ -336,11 +266,11 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
|| !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN
|
||||
== EVP_CCM_TLS_EXPLICIT_IV_LEN))
|
||||
return 0;
|
||||
if (s->version == TLS1_2_VERSION) {
|
||||
if (version == TLS1_2_VERSION) {
|
||||
if (!ossl_assert(ivlen == EVP_GCM_TLS_FIXED_IV_LEN))
|
||||
return 0;
|
||||
if (is_tx) {
|
||||
if (RAND_bytes_ex(sctx->libctx, geniv,
|
||||
if (RAND_bytes_ex(libctx, geniv,
|
||||
EVP_GCM_TLS_EXPLICIT_IV_LEN, 0) <= 0)
|
||||
return 0;
|
||||
} else {
|
||||
@ -364,15 +294,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
|| !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN))
|
||||
return 0;
|
||||
crypto_info->gcm128.info.cipher_type = TLS_CIPHER_AES_GCM_128;
|
||||
crypto_info->gcm128.info.version = s->version;
|
||||
crypto_info->gcm128.info.version = version;
|
||||
crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128);
|
||||
memcpy(crypto_info->gcm128.iv, eiv, TLS_CIPHER_AES_GCM_128_IV_SIZE);
|
||||
memcpy(crypto_info->gcm128.salt, iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
|
||||
memcpy(crypto_info->gcm128.key, key, keylen);
|
||||
memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
|
||||
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
|
||||
if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq))
|
||||
return 0;
|
||||
return 1;
|
||||
# endif
|
||||
# ifdef OPENSSL_KTLS_AES_GCM_256
|
||||
@ -381,15 +309,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
|| !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN))
|
||||
return 0;
|
||||
crypto_info->gcm256.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
||||
crypto_info->gcm256.info.version = s->version;
|
||||
crypto_info->gcm256.info.version = version;
|
||||
crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256);
|
||||
memcpy(crypto_info->gcm256.iv, eiv, TLS_CIPHER_AES_GCM_256_IV_SIZE);
|
||||
memcpy(crypto_info->gcm256.salt, iv, TLS_CIPHER_AES_GCM_256_SALT_SIZE);
|
||||
memcpy(crypto_info->gcm256.key, key, keylen);
|
||||
memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
|
||||
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
|
||||
if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
# endif
|
||||
@ -399,15 +325,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
|| !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE == EVP_CCM_TLS_EXPLICIT_IV_LEN))
|
||||
return 0;
|
||||
crypto_info->ccm128.info.cipher_type = TLS_CIPHER_AES_CCM_128;
|
||||
crypto_info->ccm128.info.version = s->version;
|
||||
crypto_info->ccm128.info.version = version;
|
||||
crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128);
|
||||
memcpy(crypto_info->ccm128.iv, eiv, TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||
memcpy(crypto_info->ccm128.salt, iv, TLS_CIPHER_AES_CCM_128_SALT_SIZE);
|
||||
memcpy(crypto_info->ccm128.key, key, keylen);
|
||||
memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
|
||||
TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
|
||||
if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq))
|
||||
return 0;
|
||||
return 1;
|
||||
# endif
|
||||
# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
|
||||
@ -415,16 +339,12 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
if (!ossl_assert(ivlen == TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE))
|
||||
return 0;
|
||||
crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
|
||||
crypto_info->chacha20poly1305.info.version = s->version;
|
||||
crypto_info->chacha20poly1305.info.version = version;
|
||||
crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305);
|
||||
memcpy(crypto_info->chacha20poly1305.iv, iv, ivlen);
|
||||
memcpy(crypto_info->chacha20poly1305.key, key, keylen);
|
||||
memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
|
||||
TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
|
||||
if (!is_tx
|
||||
&& !check_rx_read_ahead(s,
|
||||
crypto_info->chacha20poly1305.rec_seq))
|
||||
return 0;
|
||||
return 1;
|
||||
# endif
|
||||
default:
|
||||
@ -445,9 +365,7 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
ktls_crypto_info_t crypto_info;
|
||||
|
||||
@ -487,7 +405,8 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
return OSSL_RECORD_RETURN_NON_FATAL_ERR;
|
||||
}
|
||||
|
||||
if (!ktls_configure_crypto(s, ciph, rl->sequence, &crypto_info,
|
||||
if (!ktls_configure_crypto(rl->libctx, rl->version, ciph, md, rl->sequence,
|
||||
&crypto_info,
|
||||
rl->direction == OSSL_RECORD_DIRECTION_WRITE,
|
||||
iv, ivlen, key, keylen, mackey, mackeylen))
|
||||
return OSSL_RECORD_RETURN_NON_FATAL_ERR;
|
||||
@ -528,8 +447,7 @@ static int ktls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
|
||||
}
|
||||
|
||||
static int ktls_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
@ -544,11 +462,10 @@ static int ktls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
SSL_CONNECTION *s)
|
||||
static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
{
|
||||
if (rl->version == TLS1_3_VERSION)
|
||||
return tls13_common_post_process_record(rl, rec, s);
|
||||
return tls13_common_post_process_record(rl, rec);
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -575,9 +492,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
|
||||
const OSSL_PARAM *settings, const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns, void *cbarg,
|
||||
OSSL_RECORD_LAYER **retrl,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
OSSL_RECORD_LAYER **retrl)
|
||||
{
|
||||
int ret;
|
||||
|
||||
@ -585,7 +500,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
key, keylen, iv, ivlen, mackey, mackeylen,
|
||||
ciph, taglen, mactype, md, comp, prev,
|
||||
transport, next, local, peer, settings,
|
||||
options, fns, cbarg, retrl, s);
|
||||
options, fns, cbarg, retrl);
|
||||
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS)
|
||||
return ret;
|
||||
@ -594,7 +509,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
|
||||
ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
|
||||
ivlen, mackey, mackeylen, ciph,
|
||||
taglen, mactype, md, comp, s);
|
||||
taglen, mactype, md, comp);
|
||||
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS) {
|
||||
OPENSSL_free(*retrl);
|
||||
@ -628,6 +543,7 @@ const OSSL_RECORD_METHOD ossl_ktls_record_method = {
|
||||
tls_set_protocol_version,
|
||||
tls_set_plain_alerts,
|
||||
tls_set_first_handshake,
|
||||
tls_set_max_pipelines,
|
||||
|
||||
/*
|
||||
* TODO(RECLAYER): Remove these. These function pointers are temporary hacks
|
||||
|
||||
@ -30,9 +30,7 @@ struct record_functions_st
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s);
|
||||
const SSL_COMP *comp);
|
||||
|
||||
int (*read_n)(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
|
||||
int clearold, size_t *readbytes);
|
||||
@ -43,11 +41,10 @@ struct record_functions_st
|
||||
* 1: Success or MtE decryption failed (MAC will be randomised)
|
||||
*/
|
||||
int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
int sending, SSL_MAC_BUF *macs, size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
|
||||
int sending, SSL_MAC_BUF *macs, size_t macsize);
|
||||
/* Returns 1 for success or 0 for error */
|
||||
int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl);
|
||||
int sending);
|
||||
|
||||
/* Return 1 for success or 0 for error */
|
||||
int (*set_protocol_version)(OSSL_RECORD_LAYER *rl, int version);
|
||||
@ -56,8 +53,7 @@ struct record_functions_st
|
||||
int (*validate_record_header)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
|
||||
|
||||
/* Return 1 for success or 0 for error */
|
||||
int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
|
||||
int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
|
||||
};
|
||||
|
||||
struct ossl_record_layer_st
|
||||
@ -156,6 +152,10 @@ struct ossl_record_layer_st
|
||||
/* TLSv1.0/TLSv1.1/TLSv1.2 */
|
||||
int use_etm;
|
||||
|
||||
/* Flags for GOST ciphers */
|
||||
int stream_mac;
|
||||
int tlstree;
|
||||
|
||||
/* TLSv1.3 fields */
|
||||
/* static IV */
|
||||
unsigned char iv[EVP_MAX_IV_LENGTH];
|
||||
@ -175,6 +175,8 @@ struct ossl_record_layer_st
|
||||
OSSL_FUNC_rlayer_msg_callback_fn *msg_callback;
|
||||
OSSL_FUNC_rlayer_security_fn *security;
|
||||
|
||||
size_t max_pipelines;
|
||||
|
||||
/* Function pointers for version specific functions */
|
||||
struct record_functions_st *funcs;
|
||||
};
|
||||
@ -217,9 +219,8 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend,
|
||||
|
||||
int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
|
||||
int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *re);
|
||||
int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s);
|
||||
int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
SSL_CONNECTION *s);
|
||||
int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
|
||||
int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec);
|
||||
|
||||
int
|
||||
tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
@ -234,9 +235,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
BIO_ADDR *local, BIO_ADDR *peer,
|
||||
const OSSL_PARAM *settings, const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns, void *cbarg,
|
||||
OSSL_RECORD_LAYER **retrl,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s);
|
||||
OSSL_RECORD_LAYER **retrl);
|
||||
int tls_free(OSSL_RECORD_LAYER *rl);
|
||||
int tls_reset(OSSL_RECORD_LAYER *rl);
|
||||
int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl);
|
||||
@ -253,13 +252,13 @@ int tls_get_alert_code(OSSL_RECORD_LAYER *rl);
|
||||
int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio);
|
||||
int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
|
||||
int *type, unsigned char **data, size_t *datalen,
|
||||
uint16_t *epoch, unsigned char *seq_num,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
|
||||
uint16_t *epoch, unsigned char *seq_num);
|
||||
int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle);
|
||||
int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
|
||||
int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version);
|
||||
void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow);
|
||||
void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first);
|
||||
void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines);
|
||||
SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl);
|
||||
unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl);
|
||||
void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet,
|
||||
|
||||
@ -23,9 +23,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
EVP_CIPHER_CTX *ciph_ctx;
|
||||
|
||||
@ -84,8 +82,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
* 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
|
||||
*/
|
||||
static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs,
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize)
|
||||
{
|
||||
SSL3_RECORD *rec;
|
||||
EVP_CIPHER_CTX *ds;
|
||||
@ -206,7 +203,7 @@ static const unsigned char ssl3_pad_2[48] = {
|
||||
};
|
||||
|
||||
static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
int sending, SSL_CONNECTION *ssl)
|
||||
int sending)
|
||||
{
|
||||
unsigned char *mac_sec, *seq = rl->sequence;
|
||||
const EVP_MD_CTX *hash;
|
||||
|
||||
@ -22,9 +22,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
EVP_CIPHER_CTX *ciph_ctx;
|
||||
int mode;
|
||||
@ -58,8 +56,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
}
|
||||
|
||||
static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
int sending, SSL_MAC_BUF *mac, size_t macsize)
|
||||
{
|
||||
EVP_CIPHER_CTX *ctx;
|
||||
unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH];
|
||||
@ -206,8 +203,7 @@ static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
SSL_CONNECTION *s)
|
||||
static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
{
|
||||
/* Skip this if we've received a plaintext alert */
|
||||
if (rec->type != SSL3_RT_ALERT) {
|
||||
@ -234,7 +230,7 @@ static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!tls13_common_post_process_record(rl, rec, s)) {
|
||||
if (!tls13_common_post_process_record(rl, rec)) {
|
||||
/* RLAYERfatal already called */
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -24,9 +24,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
EVP_CIPHER_CTX *ciph_ctx;
|
||||
EVP_PKEY *mac_key;
|
||||
@ -141,8 +139,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
* 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised)
|
||||
*/
|
||||
static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
int sending, SSL_MAC_BUF *macs, size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
int sending, SSL_MAC_BUF *macs, size_t macsize)
|
||||
{
|
||||
EVP_CIPHER_CTX *ds;
|
||||
size_t reclen[SSL_MAX_PIPELINES];
|
||||
@ -151,9 +148,6 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
size_t bs, ctr, padnum, loop;
|
||||
unsigned char padval;
|
||||
const EVP_CIPHER *enc;
|
||||
int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
|
||||
: (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
|
||||
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
|
||||
|
||||
if (n_recs == 0) {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
@ -180,7 +174,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
int ivlen;
|
||||
|
||||
/* For TLSv1.1 and later explicit IV */
|
||||
if (RLAYER_USE_EXPLICIT_IV(s)
|
||||
if (RLAYER_USE_EXPLICIT_IV(rl)
|
||||
&& EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE)
|
||||
ivlen = EVP_CIPHER_get_iv_length(enc);
|
||||
else
|
||||
@ -202,7 +196,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
}
|
||||
}
|
||||
}
|
||||
if ((s->session == NULL) || (enc == NULL)) {
|
||||
if (!ossl_assert(enc != NULL)) {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
@ -231,7 +225,9 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
|
||||
seq = rl->sequence;
|
||||
|
||||
if (SSL_CONNECTION_IS_DTLS(s)) {
|
||||
if (rl->isdtls) {
|
||||
#if 0
|
||||
/* TODO(RECLAYER): FIXME */
|
||||
/* DTLS does not support pipelining */
|
||||
unsigned char dtlsseq[8], *p = dtlsseq;
|
||||
|
||||
@ -239,6 +235,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);
|
||||
memcpy(p, &seq[2], 6);
|
||||
memcpy(buf[ctr], dtlsseq, 8);
|
||||
#endif
|
||||
} else {
|
||||
memcpy(buf[ctr], seq, 8);
|
||||
for (i = 7; i >= 0; i--) { /* increment */
|
||||
@ -318,7 +315,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
}
|
||||
}
|
||||
|
||||
if (!SSL_CONNECTION_IS_DTLS(s) && tlstree_enc) {
|
||||
if (!rl->isdtls && rl->tlstree) {
|
||||
unsigned char *seq;
|
||||
int decrement_seq = 0;
|
||||
|
||||
@ -436,7 +433,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
pad ? (size_t)pad : macsize,
|
||||
(EVP_CIPHER_get_flags(enc)
|
||||
& EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
|
||||
sctx->libctx))
|
||||
rl->libctx))
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -445,7 +442,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs,
|
||||
}
|
||||
|
||||
static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
int sending, SSL_CONNECTION *ssl)
|
||||
int sending)
|
||||
{
|
||||
unsigned char *seq = rl->sequence;
|
||||
EVP_MD_CTX *hash;
|
||||
@ -453,10 +450,6 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
int i;
|
||||
EVP_MD_CTX *hmac = NULL, *mac_ctx;
|
||||
unsigned char header[13];
|
||||
int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM)
|
||||
: (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM);
|
||||
int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE)
|
||||
: (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE);
|
||||
int t;
|
||||
int ret = 0;
|
||||
|
||||
@ -467,8 +460,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
return 0;
|
||||
md_size = t;
|
||||
|
||||
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
|
||||
if (stream_mac) {
|
||||
if (rl->stream_mac) {
|
||||
mac_ctx = hash;
|
||||
} else {
|
||||
hmac = EVP_MD_CTX_new();
|
||||
@ -479,12 +471,14 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
}
|
||||
|
||||
if (!rl->isdtls
|
||||
&& tlstree_mac
|
||||
&& rl->tlstree
|
||||
&& EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) {
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (rl->isdtls) {
|
||||
#if 0
|
||||
/* TODO(RECLAYER): FIX ME */
|
||||
unsigned char dtlsseq[8], *p = dtlsseq;
|
||||
|
||||
s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) :
|
||||
@ -492,12 +486,13 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
memcpy(p, &seq[2], 6);
|
||||
|
||||
memcpy(header, dtlsseq, 8);
|
||||
#endif
|
||||
} else
|
||||
memcpy(header, seq, 8);
|
||||
|
||||
header[8] = rec->type;
|
||||
header[9] = (unsigned char)(ssl->version >> 8);
|
||||
header[10] = (unsigned char)(ssl->version);
|
||||
header[9] = (unsigned char)(rl->version >> 8);
|
||||
header[10] = (unsigned char)(rl->version);
|
||||
header[11] = (unsigned char)(rec->length >> 8);
|
||||
header[12] = (unsigned char)(rec->length & 0xff);
|
||||
|
||||
@ -529,7 +524,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md,
|
||||
BIO_dump_indent(trc_out, rec->data, rec->length, 4);
|
||||
} OSSL_TRACE_END(TLS);
|
||||
|
||||
if (!SSL_CONNECTION_IS_DTLS(ssl)) {
|
||||
if (!rl->isdtls) {
|
||||
for (i = 7; i >= 0; i--) {
|
||||
++seq[i];
|
||||
if (seq[i] != 0)
|
||||
|
||||
@ -425,8 +425,7 @@ static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
|
||||
* SSL3_RT_APPLICATION_DATA. The number of records returned will always be <=
|
||||
* |max_pipelines|
|
||||
*/
|
||||
static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
static int tls_get_more_records(OSSL_RECORD_LAYER *rl)
|
||||
{
|
||||
int enc_err, rret;
|
||||
int i;
|
||||
@ -452,7 +451,8 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
}
|
||||
}
|
||||
|
||||
max_recs = s->max_pipelines;
|
||||
max_recs = rl->max_pipelines;
|
||||
|
||||
if (max_recs == 0)
|
||||
max_recs = 1;
|
||||
|
||||
@ -681,7 +681,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
}
|
||||
thisrr->length -= mac_size;
|
||||
mac = thisrr->data + thisrr->length;
|
||||
i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
|
||||
i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
|
||||
if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) {
|
||||
RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC,
|
||||
SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
|
||||
@ -707,7 +707,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
* TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new
|
||||
* record layer code
|
||||
*/
|
||||
enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s);
|
||||
enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size);
|
||||
|
||||
/*-
|
||||
* enc_err is:
|
||||
@ -763,7 +763,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
SSL_MAC_BUF *thismb = &macbufs[j];
|
||||
thisrr = &rr[j];
|
||||
|
||||
i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s);
|
||||
i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */);
|
||||
if (i == 0 || thismb == NULL || thismb->mac == NULL
|
||||
|| CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0)
|
||||
enc_err = 0;
|
||||
@ -792,7 +792,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
|
||||
for (j = 0; j < num_recs; j++) {
|
||||
thisrr = &rr[j];
|
||||
|
||||
if (!rl->funcs->post_process_record(rl, thisrr, s)) {
|
||||
if (!rl->funcs->post_process_record(rl, thisrr)) {
|
||||
/* RLAYERfatal already called */
|
||||
goto end;
|
||||
}
|
||||
@ -905,7 +905,7 @@ static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
}
|
||||
|
||||
/* Shared by tlsany_meth, ssl3_meth and tls1_meth */
|
||||
int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s)
|
||||
int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
{
|
||||
if (rl->expand != NULL) {
|
||||
if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
|
||||
@ -929,8 +929,7 @@ int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL
|
||||
}
|
||||
|
||||
/* Shared by tls13_meth and ktls_meth */
|
||||
int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
SSL_CONNECTION *s)
|
||||
int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
|
||||
{
|
||||
if (rec->type != SSL3_RT_APPLICATION_DATA
|
||||
&& rec->type != SSL3_RT_ALERT
|
||||
@ -958,8 +957,7 @@ int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec,
|
||||
|
||||
int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
|
||||
int *type, unsigned char **data, size_t *datalen,
|
||||
uint16_t *epoch, unsigned char *seq_num,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
uint16_t *epoch, unsigned char *seq_num)
|
||||
{
|
||||
SSL3_RECORD *rec;
|
||||
|
||||
@ -977,7 +975,7 @@ int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
|
||||
return OSSL_RECORD_RETURN_FATAL;
|
||||
}
|
||||
|
||||
ret = tls_get_more_records(rl, s);
|
||||
ret = tls_get_more_records(rl);
|
||||
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS)
|
||||
return ret;
|
||||
@ -1025,9 +1023,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
BIO_ADDR *peer, const OSSL_PARAM *settings,
|
||||
const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns, void *cbarg,
|
||||
OSSL_RECORD_LAYER **retrl,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
OSSL_RECORD_LAYER **retrl)
|
||||
{
|
||||
OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
|
||||
const OSSL_PARAM *p;
|
||||
@ -1072,6 +1068,16 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
|
||||
goto err;
|
||||
}
|
||||
} else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
|
||||
if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
|
||||
goto err;
|
||||
}
|
||||
} else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
|
||||
if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
|
||||
goto err;
|
||||
@ -1156,9 +1162,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
|
||||
const OSSL_PARAM *settings, const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns, void *cbarg,
|
||||
OSSL_RECORD_LAYER **retrl,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
OSSL_RECORD_LAYER **retrl)
|
||||
{
|
||||
int ret;
|
||||
|
||||
@ -1166,7 +1170,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
key, keylen, iv, ivlen, mackey, mackeylen,
|
||||
ciph, taglen, mactype, md, comp, prev,
|
||||
transport, next, local, peer, settings,
|
||||
options, fns, cbarg, retrl, s);
|
||||
options, fns, cbarg, retrl);
|
||||
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS)
|
||||
return ret;
|
||||
@ -1195,7 +1199,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
|
||||
ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
|
||||
ivlen, mackey, mackeylen, ciph,
|
||||
taglen, mactype, md, comp, s);
|
||||
taglen, mactype, md, comp);
|
||||
|
||||
err:
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS) {
|
||||
@ -1232,9 +1236,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
|
||||
const OSSL_PARAM *settings, const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns, void *cbarg,
|
||||
OSSL_RECORD_LAYER **retrl,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
OSSL_RECORD_LAYER **retrl)
|
||||
{
|
||||
int ret;
|
||||
|
||||
@ -1243,7 +1245,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
|
||||
key, keylen, iv, ivlen, mackey, mackeylen,
|
||||
ciph, taglen, mactype, md, comp, prev,
|
||||
transport, next, local, peer, settings,
|
||||
options, fns, cbarg, retrl, s);
|
||||
options, fns, cbarg, retrl);
|
||||
|
||||
if (ret != OSSL_RECORD_RETURN_SUCCESS)
|
||||
return ret;
|
||||
@ -1381,6 +1383,13 @@ void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first)
|
||||
rl->is_first_handshake = first;
|
||||
}
|
||||
|
||||
void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines)
|
||||
{
|
||||
rl->max_pipelines = max_pipelines;
|
||||
if (max_pipelines > 1)
|
||||
rl->read_ahead = 1;
|
||||
}
|
||||
|
||||
SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl)
|
||||
{
|
||||
return &rl->rbuf;
|
||||
@ -1422,6 +1431,7 @@ const OSSL_RECORD_METHOD ossl_tls_record_method = {
|
||||
tls_set_protocol_version,
|
||||
tls_set_plain_alerts,
|
||||
tls_set_first_handshake,
|
||||
tls_set_max_pipelines,
|
||||
|
||||
/*
|
||||
* TODO(RECLAYER): Remove these. These function pointers are temporary hacks
|
||||
@ -1455,6 +1465,7 @@ const OSSL_RECORD_METHOD ossl_dtls_record_method = {
|
||||
tls_set_protocol_version,
|
||||
NULL,
|
||||
tls_set_first_handshake,
|
||||
tls_set_max_pipelines,
|
||||
|
||||
/*
|
||||
* TODO(RECLAYER): Remove these. These function pointers are temporary hacks
|
||||
|
||||
@ -21,9 +21,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
/* TODO(RECLAYER): This probably should not be an int */
|
||||
int mactype,
|
||||
const EVP_MD *md,
|
||||
const SSL_COMP *comp,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s)
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||||
@ -37,8 +35,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
|
||||
|
||||
static int tls_any_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs,
|
||||
size_t n_recs, int sending, SSL_MAC_BUF *macs,
|
||||
size_t macsize,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s)
|
||||
size_t macsize)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1278,7 +1278,7 @@ int ssl3_read_bytes(SSL *ssl, int type, int *recvd_type, unsigned char *buf,
|
||||
s->rrlmethod->read_record(s->rrl, &rr->rechandle,
|
||||
&rr->version, &rr->type,
|
||||
&rr->data, &rr->length,
|
||||
NULL, NULL, s));
|
||||
NULL, NULL));
|
||||
if (ret <= 0) {
|
||||
/* SSLfatal() already called if appropriate */
|
||||
return ret;
|
||||
@ -1813,6 +1813,10 @@ static int ssl_post_record_layer_select(SSL_CONNECTION *s)
|
||||
#endif
|
||||
if (SSL_IS_FIRST_HANDSHAKE(s) && s->rrlmethod->set_first_handshake != NULL)
|
||||
s->rrlmethod->set_first_handshake(s->rrl, 1);
|
||||
|
||||
if (s->max_pipelines != 0 && s->rrlmethod->set_max_pipelines != NULL)
|
||||
s->rrlmethod->set_max_pipelines(s->rrl, s->max_pipelines);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -1826,11 +1830,11 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
|
||||
const SSL_COMP *comp)
|
||||
{
|
||||
OSSL_PARAM options[4], *opts = options;
|
||||
OSSL_PARAM settings[4], *set = settings;
|
||||
OSSL_PARAM settings[6], *set = settings;
|
||||
const OSSL_RECORD_METHOD *origmeth = s->rrlmethod;
|
||||
SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
|
||||
const OSSL_RECORD_METHOD *meth;
|
||||
int use_etm;
|
||||
int use_etm, stream_mac = 0, tlstree = 0;
|
||||
unsigned int maxfrag = SSL3_RT_MAX_PLAIN_LENGTH;
|
||||
int use_early_data = 0;
|
||||
uint32_t max_early_data;
|
||||
@ -1855,20 +1859,39 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
|
||||
&s->options);
|
||||
*opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
|
||||
&s->mode);
|
||||
*opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE,
|
||||
*opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD,
|
||||
&s->rlayer.read_ahead);
|
||||
*opts = OSSL_PARAM_construct_end();
|
||||
|
||||
/* Parameters that *must* be supported by a record layer if passed */
|
||||
if (direction == OSSL_RECORD_DIRECTION_READ)
|
||||
if (direction == OSSL_RECORD_DIRECTION_READ) {
|
||||
use_etm = SSL_READ_ETM(s) ? 1 : 0;
|
||||
else
|
||||
if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM) != 0)
|
||||
stream_mac = 1;
|
||||
|
||||
if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE) != 0)
|
||||
tlstree = 1;
|
||||
} else {
|
||||
use_etm = SSL_WRITE_ETM(s) ? 1 : 0;
|
||||
if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) != 0)
|
||||
stream_mac = 1;
|
||||
|
||||
if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) != 0)
|
||||
tlstree = 1;
|
||||
}
|
||||
|
||||
if (use_etm)
|
||||
*set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM,
|
||||
&use_etm);
|
||||
|
||||
if (stream_mac)
|
||||
*set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC,
|
||||
&stream_mac);
|
||||
|
||||
if (tlstree)
|
||||
*set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE,
|
||||
&tlstree);
|
||||
|
||||
if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
|
||||
maxfrag = GET_MAX_FRAGMENT_LENGTH(s->session);
|
||||
|
||||
@ -1917,7 +1940,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
|
||||
mactype, md, comp, prev, s->rbio,
|
||||
s->rrlnext, NULL, NULL, settings,
|
||||
options, rlayer_dispatch, s,
|
||||
&s->rrl, s);
|
||||
&s->rrl);
|
||||
BIO_free(prev);
|
||||
switch (rlret) {
|
||||
case OSSL_RECORD_RETURN_FATAL:
|
||||
|
||||
@ -167,9 +167,7 @@ struct ossl_record_method_st {
|
||||
const OSSL_PARAM *options,
|
||||
const OSSL_DISPATCH *fns,
|
||||
void *cbarg,
|
||||
OSSL_RECORD_LAYER **ret,
|
||||
/* TODO(RECLAYER): Remove me */
|
||||
SSL_CONNECTION *s);
|
||||
OSSL_RECORD_LAYER **ret);
|
||||
int (*free)(OSSL_RECORD_LAYER *rl);
|
||||
|
||||
int (*reset)(OSSL_RECORD_LAYER *rl); /* Is this needed? */
|
||||
@ -267,8 +265,7 @@ struct ossl_record_method_st {
|
||||
*/
|
||||
int (*read_record)(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
|
||||
int *type, unsigned char **data, size_t *datalen,
|
||||
uint16_t *epoch, unsigned char *seq_num,
|
||||
/* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s);
|
||||
uint16_t *epoch, unsigned char *seq_num);
|
||||
/*
|
||||
* Release a buffer associated with a record previously read with
|
||||
* read_record. Records are guaranteed to be released in the order that they
|
||||
@ -305,6 +302,12 @@ struct ossl_record_method_st {
|
||||
*/
|
||||
void (*set_first_handshake)(OSSL_RECORD_LAYER *rl, int first);
|
||||
|
||||
/*
|
||||
* Set the maximum number of pipelines that the record layer should process.
|
||||
* The default is 1.
|
||||
*/
|
||||
void (*set_max_pipelines)(OSSL_RECORD_LAYER *rl, size_t max_pipelines);
|
||||
|
||||
/*
|
||||
* TODO(RECLAYER): Remove these. These function pointers are temporary hacks
|
||||
* during the record layer refactoring. They need to be removed before the
|
||||
|
||||
@ -812,8 +812,6 @@ SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
|
||||
s->max_send_fragment = ctx->max_send_fragment;
|
||||
s->split_send_fragment = ctx->split_send_fragment;
|
||||
s->max_pipelines = ctx->max_pipelines;
|
||||
if (s->max_pipelines > 1)
|
||||
RECORD_LAYER_set_read_ahead(&s->rlayer, 1);
|
||||
if (ctx->default_read_buf_len > 0)
|
||||
SSL_set_default_read_buffer_len(ssl, ctx->default_read_buf_len);
|
||||
|
||||
@ -2779,8 +2777,8 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
if (larg < 1 || larg > SSL_MAX_PIPELINES)
|
||||
return 0;
|
||||
sc->max_pipelines = larg;
|
||||
if (larg > 1)
|
||||
RECORD_LAYER_set_read_ahead(&sc->rlayer, 1);
|
||||
if (sc->rrlmethod->set_max_pipelines != NULL)
|
||||
sc->rrlmethod->set_max_pipelines(sc->rrl, (size_t)larg);
|
||||
return 1;
|
||||
case SSL_CTRL_GET_RI_SUPPORT:
|
||||
return sc->s3.send_connection_binding;
|
||||
|
||||
@ -2862,11 +2862,12 @@ __owur int ssl_log_secret(SSL_CONNECTION *s, const char *label,
|
||||
/* ktls.c */
|
||||
int ktls_check_supported_cipher(const SSL_CONNECTION *s, const EVP_CIPHER *c,
|
||||
const EVP_MD *md, size_t taglen);
|
||||
int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, void *rl_sequence,
|
||||
ktls_crypto_info_t *crypto_info, int is_tx,
|
||||
unsigned char *iv, size_t ivlen, unsigned char *key,
|
||||
size_t keylen, unsigned char *mac_key,
|
||||
size_t mac_secret_size);
|
||||
int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version,
|
||||
const EVP_CIPHER *c, const EVP_MD *md,
|
||||
void *rl_sequence, ktls_crypto_info_t *crypto_info,
|
||||
int is_tx, unsigned char *iv, size_t ivlen,
|
||||
unsigned char *key, size_t keylen,
|
||||
unsigned char *mac_key, size_t mac_secret_size);
|
||||
# endif
|
||||
|
||||
__owur int srp_generate_server_master_secret(SSL_CONNECTION *s);
|
||||
|
||||
@ -456,9 +456,9 @@ int tls1_change_cipher_state(SSL_CONNECTION *s, int which)
|
||||
else
|
||||
rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
|
||||
|
||||
if (!ktls_configure_crypto(s, c, rl_sequence, &crypto_info,
|
||||
which & SSL3_CC_WRITE, iv, (size_t)k, key, cl,
|
||||
mac_secret, mac_secret_size))
|
||||
if (!ktls_configure_crypto(sctx->libctx, s->version, c, m, rl_sequence,
|
||||
&crypto_info, which & SSL3_CC_WRITE, iv,
|
||||
(size_t)k, key, cl, mac_secret, mac_secret_size))
|
||||
goto skip_ktls;
|
||||
|
||||
/* ktls works with user provided buffers directly */
|
||||
|
||||
@ -768,9 +768,9 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
|
||||
else
|
||||
rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
|
||||
|
||||
if (!ktls_configure_crypto(s, cipher, rl_sequence, &crypto_info,
|
||||
which & SSL3_CC_WRITE, iv, ivlen, key, keylen,
|
||||
NULL, 0))
|
||||
if (!ktls_configure_crypto(sctx->libctx, s->version, cipher, NULL,
|
||||
rl_sequence, &crypto_info, which & SSL3_CC_WRITE,
|
||||
iv, ivlen, key, keylen, NULL, 0))
|
||||
goto skip_ktls;
|
||||
|
||||
/* ktls works with user provided buffers directly */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user