mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
Convert SSLv3 handling to use provider side CBC/MAC removal
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
This commit is contained in:
parent
63ee6ec177
commit
b558817823
@ -897,6 +897,34 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
|
||||
/* otherwise, rec->length >= bs */
|
||||
}
|
||||
|
||||
if (EVP_CIPHER_provider(enc) != NULL) {
|
||||
int outlen;
|
||||
|
||||
if (!EVP_CipherUpdate(ds, rec->data, &outlen, rec->input,
|
||||
(unsigned int)l))
|
||||
return 0;
|
||||
rec->length = outlen;
|
||||
|
||||
if (!sending && mac != NULL) {
|
||||
/* Now get a pointer to the MAC */
|
||||
OSSL_PARAM params[2], *p = params;
|
||||
|
||||
/* Get the MAC */
|
||||
mac->alloced = 0;
|
||||
|
||||
*p++ = OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_TLS_MAC,
|
||||
(void **)&mac->mac,
|
||||
macsize);
|
||||
*p = OSSL_PARAM_construct_end();
|
||||
|
||||
if (!EVP_CIPHER_CTX_get_params(ds, params)) {
|
||||
/* Shouldn't normally happen */
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
/* TODO(size_t): Convert this call */
|
||||
if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
|
||||
/* Shouldn't happen */
|
||||
@ -914,6 +942,7 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
|
||||
macsize,
|
||||
s->ctx->libctx);
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -241,6 +241,12 @@ int ssl3_change_cipher_state(SSL *s, int which)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (EVP_CIPHER_provider(c) != NULL
|
||||
&& !tls_provider_set_tls_params(s, dd, c, m)) {
|
||||
/* SSLfatal already called */
|
||||
goto err;
|
||||
}
|
||||
|
||||
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
|
||||
return 1;
|
||||
err:
|
||||
|
@ -2804,6 +2804,9 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
|
||||
int ssl_evp_md_up_ref(const EVP_MD *md);
|
||||
void ssl_evp_md_free(const EVP_MD *md);
|
||||
|
||||
int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
|
||||
const EVP_CIPHER *ciph,
|
||||
const EVP_MD *md);
|
||||
|
||||
# else /* OPENSSL_UNIT_TEST */
|
||||
|
||||
|
73
ssl/t1_enc.c
73
ssl/t1_enc.c
@ -136,6 +136,45 @@ static int count_unprocessed_records(SSL *s)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
||||
int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
|
||||
const EVP_CIPHER *ciph,
|
||||
const EVP_MD *md)
|
||||
{
|
||||
/*
|
||||
* Provided cipher, the TLS padding/MAC removal is performed provider
|
||||
* side so we need to tell the ctx about our TLS version and mac size
|
||||
*/
|
||||
OSSL_PARAM params[3], *pprm = params;
|
||||
size_t macsize = 0;
|
||||
int imacsize = -1;
|
||||
|
||||
if ((EVP_CIPHER_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
|
||||
/*
|
||||
* We look at s->ext.use_etm instead of SSL_READ_ETM() or
|
||||
* SSL_WRITE_ETM() because this test applies to both reading
|
||||
* and writing.
|
||||
*/
|
||||
&& !s->ext.use_etm)
|
||||
imacsize = EVP_MD_size(md);
|
||||
if (imacsize >= 0)
|
||||
macsize = (size_t)imacsize;
|
||||
|
||||
*pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
|
||||
&s->version);
|
||||
*pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
|
||||
&macsize);
|
||||
*pprm = OSSL_PARAM_construct_end();
|
||||
|
||||
if (!EVP_CIPHER_CTX_set_params(ctx, params)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tls1_change_cipher_state(SSL *s, int which)
|
||||
{
|
||||
unsigned char *p, *mac_secret;
|
||||
@ -396,38 +435,12 @@ int tls1_change_cipher_state(SSL *s, int which)
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
if (EVP_CIPHER_provider(c) != NULL) {
|
||||
/*
|
||||
* Provided cipher, the TLS padding/MAC removal is performed provider
|
||||
* side so we need to tell the ctx about our TLS version and mac size
|
||||
*/
|
||||
OSSL_PARAM params[3], *pprm = params;
|
||||
size_t macsize = 0;
|
||||
int imacsize = -1;
|
||||
|
||||
if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0
|
||||
/*
|
||||
* We look at s->ext.use_etm instead of SSL_READ_ETM() or
|
||||
* SSL_WRITE_ETM() because this test applies to both reading
|
||||
* and writing.
|
||||
*/
|
||||
&& !s->ext.use_etm)
|
||||
imacsize = EVP_MD_size(m);
|
||||
if (imacsize >= 0)
|
||||
macsize = (size_t)imacsize;
|
||||
|
||||
*pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION,
|
||||
&s->version);
|
||||
*pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE,
|
||||
&macsize);
|
||||
*pprm = OSSL_PARAM_construct_end();
|
||||
|
||||
if (!EVP_CIPHER_CTX_set_params(dd, params)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
||||
ERR_R_INTERNAL_ERROR);
|
||||
if (EVP_CIPHER_provider(c) != NULL
|
||||
&& !tls_provider_set_tls_params(s, dd, c, m)) {
|
||||
/* SSLfatal already called */
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_KTLS
|
||||
if (s->compress)
|
||||
goto skip_ktls;
|
||||
|
Loading…
Reference in New Issue
Block a user