diff options
| author | Matt Caswell <matt@openssl.org> | 2022-05-25 17:30:33 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2022-08-18 16:38:13 +0100 |
| commit | 8124ab56d4e8985151c5a0c4dca6af128fa89f2c (patch) | |
| tree | e9029ff83a87bd64746a1d1b02284ad57b7728a6 /ssl | |
| parent | 6366bdd9be281984d675865ed5467bcf523640c5 (diff) | |
Remove some final references to the SSL object in the record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/record/methods/ktls_meth.c | 158 | ||||
| -rw-r--r-- | ssl/record/methods/recmethod_local.h | 31 | ||||
| -rw-r--r-- | ssl/record/methods/ssl3_meth.c | 9 | ||||
| -rw-r--r-- | ssl/record/methods/tls13_meth.c | 12 | ||||
| -rw-r--r-- | ssl/record/methods/tls1_meth.c | 43 | ||||
| -rw-r--r-- | ssl/record/methods/tls_common.c | 61 | ||||
| -rw-r--r-- | ssl/record/methods/tlsany_meth.c | 7 | ||||
| -rw-r--r-- | ssl/record/rec_layer_s3.c | 37 | ||||
| -rw-r--r-- | ssl/record/recordmethod.h | 13 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 6 | ||||
| -rw-r--r-- | ssl/ssl_local.h | 11 | ||||
| -rw-r--r-- | ssl/t1_enc.c | 6 | ||||
| -rw-r--r-- | ssl/tls13_enc.c | 6 |
13 files changed, 168 insertions, 232 deletions
diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index e83cda603b..465795e578 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -15,67 +15,6 @@ #include "recmethod_local.h" #include "internal/ktls.h" -#ifndef OPENSSL_NO_KTLS_RX - /* - * Count the number of records that were not processed yet from record boundary. - * - * This function assumes that there are only fully formed records read in the - * record layer. If read_ahead is enabled, then this might be false and this - * function will fail. - */ -static int count_unprocessed_records(SSL_CONNECTION *s) -{ - SSL3_BUFFER *rbuf = s->rrlmethod->get0_rbuf(s->rrl); - PACKET pkt, subpkt; - int count = 0; - - if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) - return -1; - - while (PACKET_remaining(&pkt) > 0) { - /* Skip record type and version */ - if (!PACKET_forward(&pkt, 3)) - return -1; - - /* Read until next record */ - if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) - return -1; - - count += 1; - } - - return count; -} - -/* - * The kernel cannot offload receive if a partial TLS record has been read. - * Check the read buffer for unprocessed records. If the buffer contains a - * partial record, fail and return 0. Otherwise, update the sequence - * number at *rec_seq for the count of unprocessed records and return 1. - */ -static int check_rx_read_ahead(SSL_CONNECTION *s, unsigned char *rec_seq) -{ - int bit, count_unprocessed; - - count_unprocessed = count_unprocessed_records(s); - if (count_unprocessed < 0) - return 0; - - /* increment the crypto_info record sequence */ - while (count_unprocessed) { - for (bit = 7; bit >= 0; bit--) { /* increment */ - ++rec_seq[bit]; - if (rec_seq[bit] != 0) - break; - } - count_unprocessed--; - - } - - return 1; -} -#endif - #if defined(__FreeBSD__) # include "crypto/cryptodev.h" @@ -168,57 +107,48 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, - void *rl_sequence, ktls_crypto_info_t *crypto_info, - int is_tx, unsigned char *iv, size_t ivlen, +int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c, + EVP_MD *md, void *rl_sequence, + ktls_crypto_info_t *crypto_info, int is_tx, + unsigned char *iv, size_t ivlen, unsigned char *key, size_t keylen, unsigned char *mac_key, size_t mac_secret_size) { memset(crypto_info, 0, sizeof(*crypto_info)); - switch (s->s3.tmp.new_cipher->algorithm_enc) { - case SSL_AES128GCM: - case SSL_AES256GCM: + if (EVP_CIPHER_is_a(c, "AES-128-GCM") + || EVP_CIPHER_is_a(c, "AES-256-GCM")) { crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16; crypto_info->iv_len = ivlen; - break; + } else # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 - case SSL_CHACHA20POLY1305: + if (EVP_CIPHER_is_a(c, "CHACHA20-POLY1305")) { crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; crypto_info->iv_len = ivlen; - break; + } else # endif - case SSL_AES128: - case SSL_AES256: - switch (s->s3.tmp.new_cipher->algorithm_mac) { - case SSL_SHA1: + if (EVP_CIPHER_is_a(c, "AES-128-CBC") || EVP_CIPHER_is_a(c, "AES-256-CBC")) { + if (EVP_MD_is_a(md, "SHA1")) crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC; - break; - case SSL_SHA256: + else if (EVP_MD_is_a(md, "SHA2-256")) { crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC; - break; - case SSL_SHA384: + else if (EVP_MD_is_a(md, "SHA2-384")) crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC; - break; - default: + else return 0; - } crypto_info->cipher_algorithm = CRYPTO_AES_CBC; crypto_info->iv_len = ivlen; crypto_info->auth_key = mac_key; crypto_info->auth_key_len = mac_secret_size; - break; - default: + } else { return 0; } crypto_info->cipher_key = key; crypto_info->cipher_key_len = keylen; crypto_info->iv = iv; - crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff; - crypto_info->tls_vminor = (s->version & 0x000000ff); + crypto_info->tls_vmajor = (version >> 8) & 0x000000ff; + crypto_info->tls_vminor = (version & 0x000000ff); # ifdef TCP_RXTLS_ENABLE memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) - return 0; # else if (!is_tx) return 0; @@ -315,15 +245,15 @@ static int ktls_int_check_supported_cipher(OSSL_RECORD_LAYER *rl, } /* Function to configure kernel TLS structure */ -int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, - void *rl_sequence, ktls_crypto_info_t *crypto_info, - int is_tx, unsigned char *iv, size_t ivlen, +int ktls_configure_crypto(OSSL_LIB_CTX *libctx, int version, const EVP_CIPHER *c, + const EVP_MD *md, void *rl_sequence, + ktls_crypto_info_t *crypto_info, int is_tx, + unsigned char *iv, size_t ivlen, unsigned char *key, size_t keylen, unsigned char *mac_key, size_t mac_secret_size) { unsigned char geniv[EVP_GCM_TLS_EXPLICIT_IV_LEN]; unsigned char *eiv = NULL; - SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); # ifdef OPENSSL_NO_KTLS_RX if (!is_tx) @@ -336,11 +266,11 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(EVP_GCM_TLS_EXPLICIT_IV_LEN == EVP_CCM_TLS_EXPLICIT_IV_LEN)) return 0; - if (s->version == TLS1_2_VERSION) { + if (version == TLS1_2_VERSION) { if (!ossl_assert(ivlen == EVP_GCM_TLS_FIXED_IV_LEN)) return 0; if (is_tx) { - if (RAND_bytes_ex(sctx->libctx, geniv, + if (RAND_bytes_ex(libctx, geniv, EVP_GCM_TLS_EXPLICIT_IV_LEN, 0) <= 0) return 0; } else { @@ -364,15 +294,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_GCM_128_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->gcm128.info.cipher_type = TLS_CIPHER_AES_GCM_128; - crypto_info->gcm128.info.version = s->version; + crypto_info->gcm128.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128); memcpy(crypto_info->gcm128.iv, eiv, TLS_CIPHER_AES_GCM_128_IV_SIZE); memcpy(crypto_info->gcm128.salt, iv, TLS_CIPHER_AES_GCM_128_SALT_SIZE); memcpy(crypto_info->gcm128.key, key, keylen); memcpy(crypto_info->gcm128.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) - return 0; return 1; # endif # ifdef OPENSSL_KTLS_AES_GCM_256 @@ -381,15 +309,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_GCM_256_IV_SIZE == EVP_GCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->gcm256.info.cipher_type = TLS_CIPHER_AES_GCM_256; - crypto_info->gcm256.info.version = s->version; + crypto_info->gcm256.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256); memcpy(crypto_info->gcm256.iv, eiv, TLS_CIPHER_AES_GCM_256_IV_SIZE); memcpy(crypto_info->gcm256.salt, iv, TLS_CIPHER_AES_GCM_256_SALT_SIZE); memcpy(crypto_info->gcm256.key, key, keylen); memcpy(crypto_info->gcm256.rec_seq, rl_sequence, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) - return 0; return 1; # endif @@ -399,15 +325,13 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, || !ossl_assert(TLS_CIPHER_AES_CCM_128_IV_SIZE == EVP_CCM_TLS_EXPLICIT_IV_LEN)) return 0; crypto_info->ccm128.info.cipher_type = TLS_CIPHER_AES_CCM_128; - crypto_info->ccm128.info.version = s->version; + crypto_info->ccm128.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128); memcpy(crypto_info->ccm128.iv, eiv, TLS_CIPHER_AES_CCM_128_IV_SIZE); memcpy(crypto_info->ccm128.salt, iv, TLS_CIPHER_AES_CCM_128_SALT_SIZE); memcpy(crypto_info->ccm128.key, key, keylen); memcpy(crypto_info->ccm128.rec_seq, rl_sequence, TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); - if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) - return 0; return 1; # endif # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 @@ -415,16 +339,12 @@ int ktls_configure_crypto(SSL_CONNECTION *s, const EVP_CIPHER *c, if (!ossl_assert(ivlen == TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE)) return 0; crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; - crypto_info->chacha20poly1305.info.version = s->version; + crypto_info->chacha20poly1305.info.version = version; crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); memcpy(crypto_info->chacha20poly1305.iv, iv, ivlen); memcpy(crypto_info->chacha20poly1305.key, key, keylen); memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); - if (!is_tx - && !check_rx_read_ahead(s, - crypto_info->chacha20poly1305.rec_seq)) - return 0; return 1; # endif default: @@ -445,9 +365,7 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { ktls_crypto_info_t crypto_info; @@ -487,7 +405,8 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, return OSSL_RECORD_RETURN_NON_FATAL_ERR; } - if (!ktls_configure_crypto(s, ciph, rl->sequence, &crypto_info, + if (!ktls_configure_crypto(rl->libctx, rl->version, ciph, md, rl->sequence, + &crypto_info, rl->direction == OSSL_RECORD_DIRECTION_WRITE, iv, ivlen, key, keylen, mackey, mackeylen)) return OSSL_RECORD_RETURN_NON_FATAL_ERR; @@ -528,8 +447,7 @@ static int ktls_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, } static int ktls_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { return 1; } @@ -544,11 +462,10 @@ static int ktls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) return 1; } -static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rl->version == TLS1_3_VERSION) - return tls13_common_post_process_record(rl, rec, s); + return tls13_common_post_process_record(rl, rec); return 1; } @@ -575,9 +492,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + OSSL_RECORD_LAYER **retrl) { int ret; @@ -585,7 +500,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp, prev, transport, next, local, peer, settings, - options, fns, cbarg, retrl, s); + options, fns, cbarg, retrl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -594,7 +509,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, - taglen, mactype, md, comp, s); + taglen, mactype, md, comp); if (ret != OSSL_RECORD_RETURN_SUCCESS) { OPENSSL_free(*retrl); @@ -628,6 +543,7 @@ const OSSL_RECORD_METHOD ossl_ktls_record_method = { tls_set_protocol_version, tls_set_plain_alerts, tls_set_first_handshake, + tls_set_max_pipelines, /* * TODO(RECLAYER): Remove these. These function pointers are temporary hacks diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h index 2c677205a8..1aa7f9b3eb 100644 --- a/ssl/record/methods/recmethod_local.h +++ b/ssl/record/methods/recmethod_local.h @@ -30,9 +30,7 @@ struct record_functions_st /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s); + const SSL_COMP *comp); int (*read_n)(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, int clearold, size_t *readbytes); @@ -43,11 +41,10 @@ struct record_functions_st * 1: Success or MtE decryption failed (MAC will be randomised) */ int (*cipher)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *macs, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + int sending, SSL_MAC_BUF *macs, size_t macsize); /* Returns 1 for success or 0 for error */ int (*mac)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, /* TODO(RECLAYER): Remove me */SSL_CONNECTION *ssl); + int sending); /* Return 1 for success or 0 for error */ int (*set_protocol_version)(OSSL_RECORD_LAYER *rl, int version); @@ -56,8 +53,7 @@ struct record_functions_st int (*validate_record_header)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); /* Return 1 for success or 0 for error */ - int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + int (*post_process_record)(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); }; struct ossl_record_layer_st @@ -156,6 +152,10 @@ struct ossl_record_layer_st /* TLSv1.0/TLSv1.1/TLSv1.2 */ int use_etm; + /* Flags for GOST ciphers */ + int stream_mac; + int tlstree; + /* TLSv1.3 fields */ /* static IV */ unsigned char iv[EVP_MAX_IV_LENGTH]; @@ -175,6 +175,8 @@ struct ossl_record_layer_st OSSL_FUNC_rlayer_msg_callback_fn *msg_callback; OSSL_FUNC_rlayer_security_fn *security; + size_t max_pipelines; + /* Function pointers for version specific functions */ struct record_functions_st *funcs; }; @@ -217,9 +219,8 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); int tls_default_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *re); -int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s); -int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s); +int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); +int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec); int tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, @@ -234,9 +235,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s); + OSSL_RECORD_LAYER **retrl); int tls_free(OSSL_RECORD_LAYER *rl); int tls_reset(OSSL_RECORD_LAYER *rl); int tls_unprocessed_read_pending(OSSL_RECORD_LAYER *rl); @@ -253,13 +252,13 @@ int tls_get_alert_code(OSSL_RECORD_LAYER *rl); int tls_set1_bio(OSSL_RECORD_LAYER *rl, BIO *bio); int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, int *type, unsigned char **data, size_t *datalen, - uint16_t *epoch, unsigned char *seq_num, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s); + uint16_t *epoch, unsigned char *seq_num); int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle); int tls_default_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); int tls_set_protocol_version(OSSL_RECORD_LAYER *rl, int version); void tls_set_plain_alerts(OSSL_RECORD_LAYER *rl, int allow); void tls_set_first_handshake(OSSL_RECORD_LAYER *rl, int first); +void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines); SSL3_BUFFER *tls_get0_rbuf(OSSL_RECORD_LAYER *rl); unsigned char *tls_get0_packet(OSSL_RECORD_LAYER *rl); void tls_set0_packet(OSSL_RECORD_LAYER *rl, unsigned char *packet, diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c index c841bacce7..6d8fa14c16 100644 --- a/ssl/record/methods/ssl3_meth.c +++ b/ssl/record/methods/ssl3_meth.c @@ -23,9 +23,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; @@ -84,8 +82,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) */ static int ssl3_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *inrecs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; @@ -206,7 +203,7 @@ static const unsigned char ssl3_pad_2[48] = { }; static int ssl3_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, SSL_CONNECTION *ssl) + int sending) { unsigned char *mac_sec, *seq = rl->sequence; const EVP_MD_CTX *hash; diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 35270e6414..799df98237 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -22,9 +22,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; int mode; @@ -58,8 +56,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, } static int tls13_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *mac, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *mac, size_t macsize) { EVP_CIPHER_CTX *ctx; unsigned char iv[EVP_MAX_IV_LENGTH], recheader[SSL3_RT_HEADER_LENGTH]; @@ -206,8 +203,7 @@ static int tls13_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) return 1; } -static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { /* Skip this if we've received a plaintext alert */ if (rec->type != SSL3_RT_ALERT) { @@ -234,7 +230,7 @@ static int tls13_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, return 0; } - if (!tls13_common_post_process_record(rl, rec, s)) { + if (!tls13_common_post_process_record(rl, rec)) { /* RLAYERfatal already called */ return 0; } diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index 7b64793f87..bb15e4b1dd 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c @@ -24,9 +24,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, /* TODO(RECLAYER): This probably should not be an int */ int mactype, const EVP_MD *md, - const SSL_COMP *comp, - /* TODO(RECLAYER): Remove me */ - SSL_CONNECTION *s) + const SSL_COMP *comp) { EVP_CIPHER_CTX *ciph_ctx; EVP_PKEY *mac_key; @@ -141,8 +139,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, * 1: Success or Mac-then-encrypt decryption failed (MAC will be randomised) */ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, - int sending, SSL_MAC_BUF *macs, size_t macsize, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + int sending, SSL_MAC_BUF *macs, size_t macsize) { EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; @@ -151,9 +148,6 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, size_t bs, ctr, padnum, loop; unsigned char padval; const EVP_CIPHER *enc; - int tlstree_enc = sending ? (s->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) - : (s->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); - SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (n_recs == 0) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -180,7 +174,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, int ivlen; /* For TLSv1.1 and later explicit IV */ - if (RLAYER_USE_EXPLICIT_IV(s) + if (RLAYER_USE_EXPLICIT_IV(rl) && EVP_CIPHER_get_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_get_iv_length(enc); else @@ -202,7 +196,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } } } - if ((s->session == NULL) || (enc == NULL)) { + if (!ossl_assert(enc != NULL)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -231,7 +225,9 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, seq = rl->sequence; - if (SSL_CONNECTION_IS_DTLS(s)) { + if (rl->isdtls) { +#if 0 + /* TODO(RECLAYER): FIXME */ /* DTLS does not support pipelining */ unsigned char dtlsseq[8], *p = dtlsseq; @@ -239,6 +235,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p); memcpy(p, &seq[2], 6); memcpy(buf[ctr], dtlsseq, 8); +#endif } else { memcpy(buf[ctr], seq, 8); for (i = 7; i >= 0; i--) { /* increment */ @@ -318,7 +315,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } } - if (!SSL_CONNECTION_IS_DTLS(s) && tlstree_enc) { + if (!rl->isdtls && rl->tlstree) { unsigned char *seq; int decrement_seq = 0; @@ -436,7 +433,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, pad ? (size_t)pad : macsize, (EVP_CIPHER_get_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0, - sctx->libctx)) + rl->libctx)) return 0; } } @@ -445,7 +442,7 @@ static int tls1_cipher(OSSL_RECORD_LAYER *rl, SSL3_RECORD *recs, size_t n_recs, } static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, - int sending, SSL_CONNECTION *ssl) + int sending) { unsigned char *seq = rl->sequence; EVP_MD_CTX *hash; @@ -453,10 +450,6 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, int i; EVP_MD_CTX *hmac = NULL, *mac_ctx; unsigned char header[13]; - int stream_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) - : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM); - int tlstree_mac = sending ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_TLSTREE) - : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_TLSTREE); int t; int ret = 0; @@ -467,8 +460,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, return 0; md_size = t; - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) { + if (rl->stream_mac) { mac_ctx = hash; } else { hmac = EVP_MD_CTX_new(); @@ -479,12 +471,14 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, } if (!rl->isdtls - && tlstree_mac + && rl->tlstree && EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_TLSTREE, 0, seq) <= 0) { goto end; } if (rl->isdtls) { +#if 0 + /* TODO(RECLAYER): FIX ME */ unsigned char dtlsseq[8], *p = dtlsseq; s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&ssl->rlayer) : @@ -492,12 +486,13 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, memcpy(p, &seq[2], 6); memcpy(header, dtlsseq, 8); +#endif } else memcpy(header, seq, 8); header[8] = rec->type; - header[9] = (unsigned char)(ssl->version >> 8); - header[10] = (unsigned char)(ssl->version); + header[9] = (unsigned char)(rl->version >> 8); + header[10] = (unsigned char)(rl->version); header[11] = (unsigned char)(rec->length >> 8); header[12] = (unsigned char)(rec->length & 0xff); @@ -529,7 +524,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, unsigned char *md, BIO_dump_indent(trc_out, rec->data, rec->length, 4); } OSSL_TRACE_END(TLS); - if (!SSL_CONNECTION_IS_DTLS(ssl)) { + if (!rl->isdtls) { for (i = 7; i >= 0; i--) { ++seq[i]; if (seq[i] != 0) diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 49ca086d81..0f5aa4951c 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -425,8 +425,7 @@ static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length, * SSL3_RT_APPLICATION_DATA. The number of records returned will always be <= * |max_pipelines| */ -static int tls_get_more_records(OSSL_RECORD_LAYER *rl, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) +static int tls_get_more_records(OSSL_RECORD_LAYER *rl) { int enc_err, rret; int i; @@ -452,7 +451,8 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, } } - max_recs = s->max_pipelines; + max_recs = rl->max_pipelines; + if (max_recs == 0) max_recs = 1; @@ -681,7 +681,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; - i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s); + i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { RLAYERfatal(rl, SSL_AD_BAD_RECORD_MAC, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); @@ -707,7 +707,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, * TODO(RECLAYER): Only call rl functions once TLSv1.3/SSLv3 is moved to new * record layer code */ - enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size, s); + enc_err = rl->funcs->cipher(rl, rr, num_recs, 0, macbufs, mac_size); /*- * enc_err is: @@ -763,7 +763,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, SSL_MAC_BUF *thismb = &macbufs[j]; thisrr = &rr[j]; - i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */, s); + i = rl->funcs->mac(rl, thisrr, md, 0 /* not send */); if (i == 0 || thismb == NULL || thismb->mac == NULL || CRYPTO_memcmp(md, thismb->mac, (size_t)mac_size) != 0) enc_err = 0; @@ -792,7 +792,7 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl, for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; - if (!rl->funcs->post_process_record(rl, thisrr, s)) { + if (!rl->funcs->post_process_record(rl, thisrr)) { /* RLAYERfatal already called */ goto end; } @@ -905,7 +905,7 @@ static int tls_do_uncompress(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) } /* Shared by tlsany_meth, ssl3_meth and tls1_meth */ -int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL_CONNECTION *s) +int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rl->expand != NULL) { if (rec->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { @@ -929,8 +929,7 @@ int tls_default_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, SSL } /* Shared by tls13_meth and ktls_meth */ -int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, - SSL_CONNECTION *s) +int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec) { if (rec->type != SSL3_RT_APPLICATION_DATA && rec->type != SSL3_RT_ALERT @@ -958,8 +957,7 @@ int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec, int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, int *type, unsigned char **data, size_t *datalen, - uint16_t *epoch, unsigned char *seq_num, - /* TODO(RECLAYER): Remove me */ SSL_CONNECTION *s) + uint16_t *epoch, unsigned char *seq_num) { SSL3_RECORD *rec; @@ -977,7 +975,7 @@ int tls_read_record(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion, return OSSL_RECORD_RETURN_FATAL; } - ret = tls_get_more_records(rl, s); + ret = tls_get_more_records(rl); if (ret != OSSL_RECORD_RETURN_SUCCESS) return ret; @@ -1025,9 +1023,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, - OSSL_RECORD_LAYER **retrl, - /* TODO(RECLAY |