diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 82ad706eb7..a53b278c28 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -562,6 +562,8 @@ extern "C" { #define OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE "mode" #define OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD "read_ahead" #define OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM "use_etm" +#define OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC "stream_mac" +#define OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE "tlstree" #define OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN "max_frag_len" #define OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA "max_early_data" diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index e83cda603b..465795e578 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -15,67 +15,6 @@ #include "recmethod_local.h" #include "internal/ktls.h" -#ifndef OPENSSL_NO_KTLS_RX - /* - * Count the number of records that were not processed yet from record boundary. - * - * This function assumes that there are only fully formed records read in the - * record layer. If read_ahead is enabled, then this might be false and this - * function will fail. - */ -static int count_unprocessed_records(SSL_CONNECTION *s) -{ - SSL3_BUFFER *rbuf = s->rrlmethod->get0_rbuf(s->rrl); - PACKET pkt, subpkt; - int count = 0; - - if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) - return -1; - - while (PACKET_remaining(&pkt) > 0) { - /* Skip record type and version */ - if (!PACKET_forward(&pkt, 3)) - return -1; - - /* Read until next record */ - if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) - return -1; - - count += 1; - } - - return count; -} - -/* - * The kernel cannot offload receive if a partial TLS record has been read. - * Check the read buffer for unprocessed records. If the buffer contains a - * partial record, fail and return 0. Otherwise, update the sequence - * number at *rec_seq for the count of unprocessed records and return 1. - */ -static int check_rx_read_ahead(SSL_CONNECTION *s, unsigned char *rec_seq) -{ - int bit, count_unprocessed; - - count_unprocessed = count_unprocessed_records(s); - if (count_unprocessed < 0) - return 0; - - /* increment the crypto_info record sequence */ - while (count_unprocessed) { - for (bit = 7; bit >= 0; bit--) { /* increment */ - ++rec_seq[bit]; - if (rec_seq[bit] != 0) - break; - } - count_unprocessed--; - - } - - return 1; -} -#endif - #if defined(__FreeBSD__) # include "crypto/cryptodev.h" @@ -168,57 +107,48 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, - void *rl_sequence, ktls_crypto_info_t *crypto_info, - int is_tx, unsigned char *iv, size_t ivlen, +int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c, + EVP_MD *md, void *rl_sequence, + ktls_crypto_info_t *crypto_info, int is_tx, + unsigned char *iv, size_t ivlen, unsigned char *key, size_t keylen, unsigned char *mac_key, size_t mac_secret_size) { memset(crypto_info, 0, sizeof(*crypto_info)); - switch (s->s3.tmp.new_cipher->algorithm_enc) { - case SSL_AES128GCM: - case SSL_AES256GCM: + if (EVP_CIPHER_is_a(c, "AES-128-GCM") + || EVP_CIPHER_is_a(c, "AES-256-GCM")) { crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16; crypto_info->iv_len = ivlen; - break; + } else # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 - case SSL_CHACHA20POLY1305: + if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) { crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; crypto_info->iv_len = ivlen; - break; + } else # endif - case SSL_AES128: - case SSL_AES256: - switch (s->s3.tmp.new_cipher->algorithm_mac) { - case SSL_SHA1: + if (EVP_CIPHER_is_a(c, "AES-128-CBC") || EVP_CIPHER_is_a(c, "AES-256-CBC")) { + if (EVP_MD_is_a(md, "SHA1")) crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC; - break; - case SSL_SHA256: + else if (EVP_MD_is_a(md, "SHA2-256")) { crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC; - break; - case SSL_SHA384: + else if (EVP_MD_is_a(md, "SHA2-384")) crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC; - break; - default: + else return 0; - } crypto_info->cipher_algorithm = CRYPTO_AES_CBC; crypto_info->iv_len = ivlen; crypto_info->auth_key = mac_key; crypto_info->auth_key_len = mac_secret_size; - break; - default: + } else { return 0; } crypto_info->cipher_key = key; crypto_info->cipher_key_len = keylen; crypto_info->iv = iv; - crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff; - crypto_info->tls_vminor = (s->version & 0x000000ff); + crypto_info->tls_vmajor = (version >> 8) & 0x000000ff; + crypto_info->tls_vminor = (version & 0x000000ff); # ifdef TCP_RXTLS_ENABLE memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) - return 0; # else if (!is_tx) return 0; @@ -315,15 +245,15 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, - void *rl_sequence, ktls_crypto_info_t *crypto_info, - int is_tx, unsigned char *iv, size_t ivlen, +int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c, + const EVP_MD *md, void *rl_sequence, + ktls_crypto_info_t *crypto_info, int is_tx, + unsigned char *iv, size_t ivlen, unsigned char *key, size_t keylen, unsigned char *mac_key, size_t mac_secret_size) { unsigned char geniv[EVP_GCM_TLS_EXPLICIT_IV_LEN]; unsigned char *eiv = NULL; - SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); # ifdef OPENSSL_NO_KTLS_RX if (!is_tx) @@ -336,11 +266,11 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN == EVP_CCM_TLS_EXPLICIT_IV_LEN)) return 0; - if (s->version == TLS1_2_VERSION) { + if (version == TLS1_2_VERSION) { if (!ossl_assert(ivlen == EVP_GCM_TLS_FIXED_IV_LEN)) return 0; if (is_tx) { - if (RAND_bytes_ex(sctx->libctx, geniv, + if (RAND_bytes_ex(libctx, geniv, EVP_GCM_TLS_EXPLICIT_IV_LEN, 0) <= 0) return 0; } else { @@ -364,15 +294,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->gcm128.info.cipher_type = TLS_CIPHER_AES_GCM_128; - crypto_info->gcm128.info.version = s->version; + crypto_info->gcm128.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128); memcpy(crypto_info->gcm128.iv, eiv, TLS_CIPHER_AES_GCM_128_IV_SIZE); memcpy(crypto_info->gcm128.salt, iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE); memcpy(crypto_info->gcm128.key, key, keylen); memcpy(crypto_info->gcm128.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) - return 0; return 1; # endif # ifdef OPENSSL_KTLS_AES_GCM_256 @@ -381,15 +309,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->gcm256.info.cipher_type = TLS_CIPHER_AES_GCM_256; - crypto_info->gcm256.info.version = s->version; + crypto_info->gcm256.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256); memcpy(crypto_info->gcm256.iv, eiv, TLS_CIPHER_AES_GCM_256_IV_SIZE); memcpy(crypto_info->gcm256.salt, iv, TLS_CIPHER_AES_GCM_256_SALT_SIZE); memcpy(crypto_info->gcm256.key, key, keylen); memcpy(crypto_info->gcm256.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) - return 0; return 1; # endif @@ -399,15 +325,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE == EVP_CCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->ccm128.info.cipher_type = TLS_CIPHER_AES_CCM_128; - crypto_info->ccm128.info.version = s->version; + crypto_info->ccm128.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128); memcpy(crypto_info->ccm128.iv, eiv, TLS_CIPHER_AES_CCM_128_IV_SIZE); memcpy(crypto_info->ccm128.salt, iv, TLS_CIPHER_AES_CCM_128_SALT_SIZE); memcpy(crypto_info->ccm128.key, key, keylen); memcpy(crypto_info->ccm128.rec_seq, rl_sequence, TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) - return 0; return 1; # endif # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 @@ -415,16 +339,12 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, if (!ossl_assert(ivlen == TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE)) return 0; crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; - crypto_info->chacha20poly1305.info.version = s->version; + crypto_info->chacha20poly1305.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); memcpy(crypto_info->chacha20poly1305.iv, iv, ivlen); memcpy(crypto_info->chacha20poly1305.key, key, keylen); memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); - if (!is_tx - && !check_rx_read_ahead(s, - crypto_info->chacha20poly1305.rec_seq)) - return 0; return 1; # endif default: @@ -445,9 +365,7 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { ktls_crypto_info_t crypto_info; @@ -487,7 +405,8 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, return OSSL_RECORD_RETURN_NON_FATAL_ERR; } - if (!ktls_configure_crypto(s, ciph, rl->sequence, &crypto_info, + if (!ktls_configure_crypto(rl->libctx, rl->version, ciph, md, rl->sequence, + &crypto_info, rl->direction == OSSL_RECORD_DIRECTION_WRITE, iv, ivlen, key, keylen, mackey, mackeylen)) return OSSL_RECORD_RETURN_NON_FATAL_ERR; @@ -528,8 +447,7 @@ static int ktls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, } static int ktls_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { return 1; } @@ -544,11 +462,10 @@ static int ktls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) return 1; } -static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rl->version == TLS1_3_VERSION) - return tls13_common_post_process_record(rl, rec, s); + return tls13_common_post_process_record(rl, rec); return 1; } @@ -575,9 +492,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + OSSL_RECORD_LAYER **retrl) { int ret; @@ -585,7 +500,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp, prev, transport, next, local, peer, settings, - options, fns, cbarg, retrl, s); + options, fns, cbarg, retrl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -594,7 +509,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, - taglen, mactype, md, comp, s); + taglen, mactype, md, comp); if (ret != OSSL_RECORD_RETURN_SUCCESS) { OPENSSL_free(*retrl); @@ -628,6 +543,7 @@ const OSSL_RECORD_METHOD ossl_ktls_record_method = { tls_set_protocol_version, tls_set_plain_alerts, tls_set_first_handshake, + tls_set_max_pipelines, /* * TODO(RECLAYER): Remove these. These function pointers are temporary hacks diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h index 2c677205a8..1aa7f9b3eb 100644 --- a/ssl/record/methods/recmethod_local.h +++ b/ssl/record/methods/recmethod_local.h @@ -30,9 +30,7 @@ struct record_functions_st /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s); + const SSL_COMP *comp); int (*read_n)(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, int clearold, size_t *readbytes); @@ -43,11 +41,10 @@ struct record_functions_st * 1: Success or MtE decryption failed (MAC will be randomised) */ int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *macs, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + int sending, SSL_MAC_BUF *macs, size_t macsize); /* Returns 1 for success or 0 for error */ int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl); + int sending); /* Return 1 for success or 0 for error */ int (*set_protocol_version)(OSSL_RECORD_LAYER *rl, int version); @@ -56,8 +53,7 @@ struct record_functions_st int (*validate_record_header)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); /* Return 1 for success or 0 for error */ - int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); }; struct ossl_record_layer_st @@ -156,6 +152,10 @@ struct ossl_record_layer_st /* TLSv1.0/TLSv1.1/TLSv1.2 */ int use_etm; + /* Flags for GOST ciphers */ + int stream_mac; + int tlstree; + /* TLSv1.3 fields */ /* static IV */ unsigned char iv[EVP_MAX_IV_LENGTH]; @@ -175,6 +175,8 @@ struct ossl_record_layer_st OSSL_FUNC_rlayer_msg_callback_fn *msg_callback; OSSL_FUNC_rlayer_security_fn *security; + size_t max_pipelines; + /* Function pointers for version specific functions */ struct record_functions_st *funcs; }; @@ -217,9 +219,8 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *re); -int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s); -int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s); +int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); +int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); int tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, @@ -234,9 +235,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s); + OSSL_RECORD_LAYER **retrl); int tls_free(OSSL_RECORD_LAYER *rl); int tls_reset(OSSL_RECORD_LAYER *rl); int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl); @@ -253,13 +252,13 @@ int tls_get_alert_code(OSSL_RECORD_LAYER *rl); int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio); int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, int *type, unsigned char **data, size_t *datalen, - uint16_t *epoch, unsigned char *seq_num, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + uint16_t *epoch, unsigned char *seq_num); int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle); int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow); void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first); +void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines); SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl); unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl); void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet, diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c index c841bacce7..6d8fa14c16 100644 --- a/ssl/record/methods/ssl3_meth.c +++ b/ssl/record/methods/ssl3_meth.c @@ -23,9 +23,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; @@ -84,8 +82,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) */ static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; @@ -206,7 +203,7 @@ static const unsigned char ssl3_pad_2[48] = { }; static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, SSL_CONNECTION *ssl) + int sending) { unsigned char *mac_sec, *seq = rl->sequence; const EVP_MD_CTX *hash; diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 35270e6414..799df98237 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -22,9 +22,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; int mode; @@ -58,8 +56,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, } static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; @@ -206,8 +203,7 @@ static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) return 1; } -static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { /* Skip this if we've received a plaintext alert */ if (rec->type != SSL3_RT_ALERT) { @@ -234,7 +230,7 @@ static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, return 0; } - if (!tls13_common_post_process_record(rl, rec, s)) { + if (!tls13_common_post_process_record(rl, rec)) { /* RLAYERfatal already called */ return 0; } diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index 7b64793f87..bb15e4b1dd 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c @@ -24,9 +24,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; EVP_PKEY *mac_key; @@ -141,8 +139,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) */ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *macs, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *macs, size_t macsize) { EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; @@ -151,9 +148,6 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, size_t bs, ctr, padnum, loop; unsigned char padval; const EVP_CIPHER *enc; - int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) - : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); - SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (n_recs == 0) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -180,7 +174,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, int ivlen; /* For TLSv1.1 and later explicit IV */ - if (RLAYER_USE_EXPLICIT_IV(s) + if (RLAYER_USE_EXPLICIT_IV(rl) && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_get_iv_length(enc); else @@ -202,7 +196,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } } } - if ((s->session == NULL) || (enc == NULL)) { + if (!ossl_assert(enc != NULL)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -231,7 +225,9 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, seq = rl->sequence; - if (SSL_CONNECTION_IS_DTLS(s)) { + if (rl->isdtls) { +#if 0 + /* TODO(RECLAYER): FIXME */ /* DTLS does not support pipelining */ unsigned char dtlsseq[8], *p = dtlsseq; @@ -239,6 +235,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p); memcpy(p, &seq[2], 6); memcpy(buf[ctr], dtlsseq, 8); +#endif } else { memcpy(buf[ctr], seq, 8); for (i = 7; i >= 0; i--) { /* increment */ @@ -318,7 +315,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } } - if (!SSL_CONNECTION_IS_DTLS(s) && tlstree_enc) { + if (!rl->isdtls && rl->tlstree) { unsigned char *seq; int decrement_seq = 0; @@ -436,7 +433,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, pad ? (size_t)pad : macsize, (EVP_CIPHER_get_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, - sctx->libctx)) + rl->libctx)) return 0; } } @@ -445,7 +442,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, SSL_CONNECTION *ssl) + int sending) { unsigned char *seq = rl->sequence; EVP_MD_CTX *hash; @@ -453,10 +450,6 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, int i; EVP_MD_CTX *hmac = NULL, *mac_ctx; unsigned char header[13]; - int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) - : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM); - int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) - : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); int t; int ret = 0; @@ -467,8 +460,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, return 0; md_size = t; - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) { + if (rl->stream_mac) { mac_ctx = hash; } else { hmac = EVP_MD_CTX_new(); @@ -479,12 +471,14 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, } if (!rl->isdtls - && tlstree_mac + && rl->tlstree && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) { goto end; } if (rl->isdtls) { +#if 0 + /* TODO(RECLAYER): FIX ME */ unsigned char dtlsseq[8], *p = dtlsseq; s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) : @@ -492,12 +486,13 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, memcpy(p, &seq[2], 6); memcpy(header, dtlsseq, 8); +#endif } else memcpy(header, seq, 8); header[8] = rec->type; - header[9] = (unsigned char)(ssl->version >> 8); - header[10] = (unsigned char)(ssl->version); + header[9] = (unsigned char)(rl->version >> 8); + header[10] = (unsigned char)(rl->version); header[11] = (unsigned char)(rec->length >> 8); header[12] = (unsigned char)(rec->length & 0xff); @@ -529,7 +524,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, BIO_dump_indent(trc_out, rec->data, rec->length, 4); } OSSL_TRACE_END(TLS); - if (!SSL_CONNECTION_IS_DTLS(ssl)) { + if (!rl->isdtls) { for (i = 7; i >= 0; i--) { ++seq[i]; if (seq[i] != 0) diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 49ca086d81..0f5aa4951c 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -425,8 +425,7 @@ static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length, * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <= * |max_pipelines| */ -static int tls_get_more_records(OSSL_RECORD_LAYER *rl, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) +static int tls_get_more_records(OSSL_RECORD_LAYER *rl) { int enc_err, rret; int i; @@ -452,7 +451,8 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, } } - max_recs = s->max_pipelines; + max_recs = rl->max_pipelines; + if (max_recs == 0) max_recs = 1; @@ -681,7 +681,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; - i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s); + i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); @@ -707,7 +707,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new * record layer code */ - enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s); + enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size); /*- * enc_err is: @@ -763,7 +763,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, SSL_MAC_BUF *thismb = &macbufs[j]; thisrr = &rr[j]; - i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s); + i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || thismb == NULL || thismb->mac == NULL || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0) enc_err = 0; @@ -792,7 +792,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; - if (!rl->funcs->post_process_record(rl, thisrr, s)) { + if (!rl->funcs->post_process_record(rl, thisrr)) { /* RLAYERfatal already called */ goto end; } @@ -905,7 +905,7 @@ static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) } /* Shared by tlsany_meth, ssl3_meth and tls1_meth */ -int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s) +int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rl->expand != NULL) { if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { @@ -929,8 +929,7 @@ int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL } /* Shared by tls13_meth and ktls_meth */ -int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rec->type != SSL3_RT_APPLICATION_DATA && rec->type != SSL3_RT_ALERT @@ -958,8 +957,7 @@ int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, int *type, unsigned char **data, size_t *datalen, - uint16_t *epoch, unsigned char *seq_num, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + uint16_t *epoch, unsigned char *seq_num) { SSL3_RECORD *rec; @@ -977,7 +975,7 @@ int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, return OSSL_RECORD_RETURN_FATAL; } - ret = tls_get_more_records(rl, s); + ret = tls_get_more_records(rl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -1025,9 +1023,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + OSSL_RECORD_LAYER **retrl) { OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl)); const OSSL_PARAM *p; @@ -1072,6 +1068,16 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); goto err; } + } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) { + if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) { + RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); + goto err; + } + } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) { + if (!OSSL_PARAM_get_int(p, &rl->tlstree)) { + RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER); + goto err; + } } else { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER); goto err; @@ -1156,9 +1162,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + OSSL_RECORD_LAYER **retrl) { int ret; @@ -1166,7 +1170,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp, prev, transport, next, local, peer, settings, - options, fns, cbarg, retrl, s); + options, fns, cbarg, retrl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -1195,7 +1199,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, - taglen, mactype, md, comp, s); + taglen, mactype, md, comp); err: if (ret != OSSL_RECORD_RETURN_SUCCESS) { @@ -1232,9 +1236,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + OSSL_RECORD_LAYER **retrl) { int ret; @@ -1243,7 +1245,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp, prev, transport, next, local, peer, settings, - options, fns, cbarg, retrl, s); + options, fns, cbarg, retrl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -1381,6 +1383,13 @@ void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first) rl->is_first_handshake = first; } +void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines) +{ + rl->max_pipelines = max_pipelines; + if (max_pipelines > 1) + rl->read_ahead = 1; +} + SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl) { return &rl->rbuf; @@ -1422,6 +1431,7 @@ const OSSL_RECORD_METHOD ossl_tls_record_method = { tls_set_protocol_version, tls_set_plain_alerts, tls_set_first_handshake, + tls_set_max_pipelines, /* * TODO(RECLAYER): Remove these. These function pointers are temporary hacks @@ -1455,6 +1465,7 @@ const OSSL_RECORD_METHOD ossl_dtls_record_method = { tls_set_protocol_version, NULL, tls_set_first_handshake, + tls_set_max_pipelines, /* * TODO(RECLAYER): Remove these. These function pointers are temporary hacks diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c index 12443261ea..c0df9759e8 100644 --- a/ssl/record/methods/tlsany_meth.c +++ b/ssl/record/methods/tlsany_meth.c @@ -21,9 +21,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); @@ -37,8 +35,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, static int tls_any_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, int sending, SSL_MAC_BUF *macs, - size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + size_t macsize) { return 1; } diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b49bf30de1..70e198be8b 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1278,7 +1278,7 @@ int ssl3_read_bytes(SSL *ssl, int type, int *recvd_type, unsigned char *buf, s->rrlmethod->read_record(s->rrl, &rr->rechandle, &rr->version, &rr->type, &rr->data, &rr->length, - NULL, NULL, s)); + NULL, NULL)); if (ret <= 0) { /* SSLfatal() already called if appropriate */ return ret; @@ -1813,6 +1813,10 @@ static int ssl_post_record_layer_select(SSL_CONNECTION *s) #endif if (SSL_IS_FIRST_HANDSHAKE(s) && s->rrlmethod->set_first_handshake != NULL) s->rrlmethod->set_first_handshake(s->rrl, 1); + + if (s->max_pipelines != 0 && s->rrlmethod->set_max_pipelines != NULL) + s->rrlmethod->set_max_pipelines(s->rrl, s->max_pipelines); + return 1; } @@ -1826,11 +1830,11 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, const SSL_COMP *comp) { OSSL_PARAM options[4], *opts = options; - OSSL_PARAM settings[4], *set = settings; + OSSL_PARAM settings[6], *set = settings; const OSSL_RECORD_METHOD *origmeth = s->rrlmethod; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); const OSSL_RECORD_METHOD *meth; - int use_etm; + int use_etm, stream_mac = 0, tlstree = 0; unsigned int maxfrag = SSL3_RT_MAX_PLAIN_LENGTH; int use_early_data = 0; uint32_t max_early_data; @@ -1855,20 +1859,39 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, &s->options); *opts++ = OSSL_PARAM_construct_uint32(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE, &s->mode); - *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_MODE, + *opts++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD, &s->rlayer.read_ahead); *opts = OSSL_PARAM_construct_end(); /* Parameters that *must* be supported by a record layer if passed */ - if (direction == OSSL_RECORD_DIRECTION_READ) + if (direction == OSSL_RECORD_DIRECTION_READ) { use_etm = SSL_READ_ETM(s) ? 1 : 0; - else + if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM) != 0) + stream_mac = 1; + + if ((s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE) != 0) + tlstree = 1; + } else { use_etm = SSL_WRITE_ETM(s) ? 1 : 0; + if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) != 0) + stream_mac = 1; + + if ((s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) != 0) + tlstree = 1; + } if (use_etm) *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM, &use_etm); + if (stream_mac) + *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC, + &stream_mac); + + if (tlstree) + *set++ = OSSL_PARAM_construct_int(OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE, + &tlstree); + if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) maxfrag = GET_MAX_FRAGMENT_LENGTH(s->session); @@ -1917,7 +1940,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, mactype, md, comp, prev, s->rbio, s->rrlnext, NULL, NULL, settings, options, rlayer_dispatch, s, - &s->rrl, s); + &s->rrl); BIO_free(prev); switch (rlret) { case OSSL_RECORD_RETURN_FATAL: diff --git a/ssl/record/recordmethod.h b/ssl/record/recordmethod.h index 2d7812fa00..f1c372b982 100644 --- a/ssl/record/recordmethod.h +++ b/ssl/record/recordmethod.h @@ -167,9 +167,7 @@ struct ossl_record_method_st { const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **ret, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s); + OSSL_RECORD_LAYER **ret); int (*free)(OSSL_RECORD_LAYER *rl); int (*reset)(OSSL_RECORD_LAYER *rl); /* Is this needed? */ @@ -267,8 +265,7 @@ struct ossl_record_method_st { */ int (*read_record)(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, int *type, unsigned char **data, size_t *datalen, - uint16_t *epoch, unsigned char *seq_num, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + uint16_t *epoch, unsigned char *seq_num); /* * Release a buffer associated with a record previously read with * read_record. Records are guaranteed to be released in the order that they @@ -305,6 +302,12 @@ struct ossl_record_method_st { */ void (*set_first_handshake)(OSSL_RECORD_LAYER *rl, int first); + /* + * Set the maximum number of pipelines that the record layer should process. + * The default is 1. + */ + void (*set_max_pipelines)(OSSL_RECORD_LAYER *rl, size_t max_pipelines); + /* * TODO(RECLAYER): Remove these. These function pointers are temporary hacks * during the record layer refactoring. They need to be removed before the diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 402ae157b5..f20b10606f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -812,8 +812,6 @@ SSL *ossl_ssl_connection_new(SSL_CTX *ctx) s->max_send_fragment = ctx->max_send_fragment; s->split_send_fragment = ctx->split_send_fragment; s->max_pipelines = ctx->max_pipelines; - if (s->max_pipelines > 1) - RECORD_LAYER_set_read_ahead(&s->rlayer, 1); if (ctx->default_read_buf_len > 0) SSL_set_default_read_buffer_len(ssl, ctx->default_read_buf_len); @@ -2779,8 +2777,8 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) if (larg < 1 || larg > SSL_MAX_PIPELINES) return 0; sc->max_pipelines = larg; - if (larg > 1) - RECORD_LAYER_set_read_ahead(&sc->rlayer, 1); + if (sc->rrlmethod->set_max_pipelines != NULL) + sc->rrlmethod->set_max_pipelines(sc->rrl, (size_t)larg); return 1; case SSL_CTRL_GET_RI_SUPPORT: return sc->s3.send_connection_binding; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 16cb7d64db..b544c39c70 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2862,11 +2862,12 @@ __owur int ssl_log_secret(SSL_CONNECTION *s, const char *label, /* ktls.c */ int ktls_check_supported_cipher(const SSL_CONNECTION *s, const EVP_CIPHER *c, const EVP_MD *md, size_t taglen); -int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, void *rl_sequence, - ktls_crypto_info_t *crypto_info, int is_tx, - unsigned char *iv, size_t ivlen, unsigned char *key, - size_t keylen, unsigned char *mac_key, - size_t mac_secret_size); +int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, + const EVP_CIPHER *c, const EVP_MD *md, + void *rl_sequence, ktls_crypto_info_t *crypto_info, + int is_tx, unsigned char *iv, size_t ivlen, + unsigned char *key, size_t keylen, + unsigned char *mac_key, size_t mac_secret_size); # endif __owur int srp_generate_server_master_secret(SSL_CONNECTION *s); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 7083cd8151..ab8acd71f8 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -456,9 +456,9 @@ int tls1_change_cipher_state(SSL_CONNECTION *s, int which) else rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); - if (!ktls_configure_crypto(s, c, rl_sequence, &crypto_info, - which & SSL3_CC_WRITE, iv, (size_t)k, key, cl, - mac_secret, mac_secret_size)) + if (!ktls_configure_crypto(sctx->libctx, s->version, c, m, rl_sequence, + &crypto_info, which & SSL3_CC_WRITE, iv, + (size_t)k, key, cl, mac_secret, mac_secret_size)) goto skip_ktls; /* ktls works with user provided buffers directly */ diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 01461894fe..7e609a4ba2 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -768,9 +768,9 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which) else rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); - if (!ktls_configure_crypto(s, cipher, rl_sequence, &crypto_info, - which & SSL3_CC_WRITE, iv, ivlen, key, keylen, - NULL, 0)) + if (!ktls_configure_crypto(sctx->libctx, s->version, cipher, NULL, + rl_sequence, &crypto_info, which & SSL3_CC_WRITE, + iv, ivlen, key, keylen, NULL, 0)) goto skip_ktls; /* ktls works with user provided buffers directly */