diff options
author | Matt Caswell <matt@openssl.org> | 2022-09-27 16:43:23 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-10-12 15:53:31 +0100 |
commit | 757ef3bab02e976500ffd2b1ae2229ed62f85a61 (patch) | |
tree | 71a82132d0efecf69df17420f1e073297b717ce1 /ssl/record/methods | |
parent | 2582de25902510cdb934c5ff59845fc26a7f2e28 (diff) | |
download | openssl-new-757ef3bab02e976500ffd2b1ae2229ed62f85a61.tar.gz |
Add a prepare for encryption step
This applies any mac that might be necessary, ensures that we have
enough space in the WPACKET to perform the encryption and sets up the
SSL3_RECORD ready for that encryption.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
Diffstat (limited to 'ssl/record/methods')
-rw-r--r-- | ssl/record/methods/ktls_meth.c | 12 | ||||
-rw-r--r-- | ssl/record/methods/recmethod_local.h | 14 | ||||
-rw-r--r-- | ssl/record/methods/ssl3_meth.c | 3 | ||||
-rw-r--r-- | ssl/record/methods/tls13_meth.c | 3 | ||||
-rw-r--r-- | ssl/record/methods/tls1_meth.c | 4 | ||||
-rw-r--r-- | ssl/record/methods/tls_common.c | 92 | ||||
-rw-r--r-- | ssl/record/methods/tlsany_meth.c | 13 |
7 files changed, 97 insertions, 44 deletions
diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index f73334604a..bd694a8948 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -492,6 +492,15 @@ static int ktls_prepare_record_header(OSSL_RECORD_LAYER *rl, return 1; } +static int ktls_prepare_for_encryption(OSSL_RECORD_LAYER *rl, + size_t mac_size, + WPACKET *thispkt, + SSL3_RECORD *thiswr) +{ + /* No encryption, so nothing to do */ + return 1; +} + static struct record_functions_st ossl_ktls_funcs = { ktls_set_crypto_state, ktls_cipher, @@ -507,7 +516,8 @@ static struct record_functions_st ossl_ktls_funcs = { ktls_initialise_write_packets, NULL, ktls_prepare_record_header, - NULL + NULL, + ktls_prepare_for_encryption }; const OSSL_RECORD_METHOD ossl_ktls_record_method = { diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h index 0a4c97a29d..2e30d2f133 100644 --- a/ssl/record/methods/recmethod_local.h +++ b/ssl/record/methods/recmethod_local.h @@ -110,6 +110,16 @@ struct record_functions_st OSSL_RECORD_TEMPLATE *thistempl, WPACKET *thispkt, SSL3_RECORD *thiswr); + + /* + * This applies any mac that might be necessary, ensures that we have enough + * space in the WPACKET to perform the encryption and sets up the + * SSL3_RECORD ready for that encryption. + */ + int (*prepare_for_encryption)(OSSL_RECORD_LAYER *rl, + size_t mac_size, + WPACKET *thispkt, + SSL3_RECORD *thiswr); }; struct ossl_record_layer_st @@ -407,6 +417,10 @@ int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templ, unsigned int rectype, unsigned char **recdata); +int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl, + size_t mac_size, + WPACKET *thispkt, + SSL3_RECORD *thiswr); int tls_write_records_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl); diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c index 544d4d07e0..ef9a6ae499 100644 --- a/ssl/record/methods/ssl3_meth.c +++ b/ssl/record/methods/ssl3_meth.c @@ -316,5 +316,6 @@ struct record_functions_st ssl_3_0_funcs = { tls1_initialise_write_packets, NULL, tls_prepare_record_header_default, - NULL + NULL, + tls_prepare_for_encryption_default }; diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 4b0142391b..a9d90f6577 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -324,5 +324,6 @@ struct record_functions_st tls_1_3_funcs = { tls_initialise_write_packets_default, tls13_get_record_type, tls_prepare_record_header_default, - tls13_add_record_padding + tls13_add_record_padding, + tls_prepare_for_encryption_default }; diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index b02c53d649..71138abc28 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c @@ -657,7 +657,8 @@ struct record_functions_st tls_1_funcs = { tls1_initialise_write_packets, NULL, tls_prepare_record_header_default, - NULL + NULL, + tls_prepare_for_encryption_default }; struct record_functions_st dtls_1_funcs = { @@ -674,5 +675,6 @@ struct record_functions_st dtls_1_funcs = { NULL, NULL, NULL, + NULL, NULL }; diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index e3be430336..97e2714042 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -1562,6 +1562,56 @@ int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl, return 1; } +int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl, + size_t mac_size, + WPACKET *thispkt, + SSL3_RECORD *thiswr) +{ + size_t len; + unsigned char *recordstart; + + /* + * we should still have the output to thiswr->data and the input from + * wr->input. Length should be thiswr->length. thiswr->data still points + * in the wb->buf + */ + + if (!rl->use_etm && mac_size != 0) { + unsigned char *mac; + + if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) + || !rl->funcs->mac(rl, thiswr, mac, 1)) { + RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return 0; + } + } + + /* + * Reserve some bytes for any growth that may occur during encryption. + * This will be at most one cipher block or the tag length if using + * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. + */ + if (!WPACKET_reserve_bytes(thispkt, + SSL_RT_MAX_CIPHER_BLOCK_SIZE, + NULL) + /* + * We also need next the amount of bytes written to this + * sub-packet + */ + || !WPACKET_get_length(thispkt, &len)) { + RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return 0; + } + + /* Get a pointer to the start of this record excluding header */ + recordstart = WPACKET_get_curr(thispkt) - len; + SSL3_RECORD_set_data(thiswr, recordstart); + SSL3_RECORD_reset_input(thiswr); + SSL3_RECORD_set_length(thiswr, len); + + return 1; +} + int tls_write_records_default(OSSL_RECORD_LAYER *rl, OSSL_RECORD_TEMPLATE *templates, size_t numtempl) @@ -1665,45 +1715,9 @@ int tls_write_records_default(OSSL_RECORD_LAYER *rl, goto err; } - /* - * we should still have the output to thiswr->data and the input from - * wr->input. Length should be thiswr->length. thiswr->data still points - * in the wb->buf - */ - - if (!using_ktls && !rl->use_etm && mac_size != 0) { - unsigned char *mac; - - if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) - || !rl->funcs->mac(rl, thiswr, mac, 1)) { - RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - /* - * Reserve some bytes for any growth that may occur during encryption. - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ - if (!using_ktls) { - if (!WPACKET_reserve_bytes(thispkt, - SSL_RT_MAX_CIPHER_BLOCK_SIZE, - NULL) - /* - * We also need next the amount of bytes written to this - * sub-packet - */ - || !WPACKET_get_length(thispkt, &len)) { - RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } - - /* Get a pointer to the start of this record excluding header */ - recordstart = WPACKET_get_curr(thispkt) - len; - SSL3_RECORD_set_data(thiswr, recordstart); - SSL3_RECORD_reset_input(thiswr); - SSL3_RECORD_set_length(thiswr, len); + if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) { + /* RLAYERfatal() already called */ + goto err; } } diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c index 8d4486547c..bf4fe6a31c 100644 --- a/ssl/record/methods/tlsany_meth.c +++ b/ssl/record/methods/tlsany_meth.c @@ -134,6 +134,15 @@ static int tls_any_set_protocol_version(OSSL_RECORD_LAYER *rl, int vers) return 1; } +static int tls_any_prepare_for_encryption(OSSL_RECORD_LAYER *rl, + size_t mac_size, + WPACKET *thispkt, + SSL3_RECORD *thiswr) +{ + /* No encryption, so nothing to do */ + return 1; +} + struct record_functions_st tls_any_funcs = { tls_any_set_crypto_state, tls_any_cipher, @@ -149,7 +158,8 @@ struct record_functions_st tls_any_funcs = { tls_initialise_write_packets_default, NULL, tls_prepare_record_header_default, - NULL + NULL, + tls_any_prepare_for_encryption }; static int dtls_any_set_protocol_version(OSSL_RECORD_LAYER *rl, int vers) @@ -176,5 +186,6 @@ struct record_functions_st dtls_any_funcs = { NULL, NULL, NULL, + NULL, NULL }; |