diff options
author | John Baldwin <jhb@FreeBSD.org> | 2019-11-20 13:40:12 -0800 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-03-16 10:41:51 +0100 |
commit | 074a6e86e695d9f2dadf9b4ffe405c2eed24fbdc (patch) | |
tree | 02ae0db68efd6c5ed133fe6acb833f8e2159d7e0 /ssl | |
parent | b1f79e7ce54afc28bfb5dfcfdd379782ed501b0a (diff) |
Use a flag in SSL3_BUFFER to track when an application buffer is reused.
With KTLS, writes to an SSL connection store the application buffer
pointer directly in the 'buf' member instead of allocating a separate
buffer to hold the encrypted data. As a result,
ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers.
Previously, ssl3_release_write_buffer() checked for KTLS being enabled
on the write BIO to determine if a buffer should be freed. However, a
buffer can outlive a BIO. For example, 'openssl s_time' creates new
write BIOs when reusing sessions. Since the new BIO did not have KTLS
enabled at the start of a connection, ssl3_release_write_buffer()
would incorrectly try to free the 'buf' pointer from the previous KTLS
connection. To fix, track the state of 'buf' explicitly in
SSL3_BUFFER to determine if the 'buf' should be freed or simply
cleared.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/rec_layer_s3.c | 1 | ||||
-rw-r--r-- | ssl/record/record.h | 2 | ||||
-rw-r--r-- | ssl/record/record_local.h | 2 | ||||
-rw-r--r-- | ssl/record/ssl3_buffer.c | 4 |
4 files changed, 8 insertions, 1 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b4675f3c8c..426da9ff15 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -771,6 +771,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, */ SSL3_BUFFER_set_buf(&s->rlayer.wbuf[0], (unsigned char *)buf); SSL3_BUFFER_set_offset(&s->rlayer.wbuf[0], 0); + SSL3_BUFFER_set_app_buffer(&s->rlayer.wbuf[0], 1); goto wpacket_init_complete; } diff --git a/ssl/record/record.h b/ssl/record/record.h index 784ab322a4..f9d1924692 100644 --- a/ssl/record/record.h +++ b/ssl/record/record.h @@ -25,6 +25,8 @@ typedef struct ssl3_buffer_st { size_t offset; /* how many bytes left */ size_t left; + /* 'buf' is from application for KTLS */ + int app_buffer; } SSL3_BUFFER; #define SEQ_NUM_SIZE 8 diff --git a/ssl/record/record_local.h b/ssl/record/record_local.h index ed421881d8..2f6a4c98a4 100644 --- a/ssl/record/record_local.h +++ b/ssl/record/record_local.h @@ -65,6 +65,8 @@ void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); #define SSL3_BUFFER_add_offset(b, o) ((b)->offset += (o)) #define SSL3_BUFFER_is_initialised(b) ((b)->buf != NULL) #define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l)) +#define SSL3_BUFFER_set_app_buffer(b, l) ((b)->app_buffer = (l)) +#define SSL3_BUFFER_is_app_buffer(b) ((b)->app_buffer) void SSL3_BUFFER_clear(SSL3_BUFFER *b); void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n); diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index bffe521947..ab977a5c17 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -164,7 +164,9 @@ int ssl3_release_write_buffer(SSL *s) while (pipes > 0) { wb = &RECORD_LAYER_get_wbuf(&s->rlayer)[pipes - 1]; - if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio)) + if (SSL3_BUFFER_is_app_buffer(wb)) + SSL3_BUFFER_set_app_buffer(wb, 0); + else OPENSSL_free(wb->buf); wb->buf = NULL; pipes--; |