diff options
-rw-r--r-- | CHANGES.md | 4 | ||||
-rw-r--r-- | ssl/tls13_enc.c | 32 | ||||
-rw-r--r-- | test/sslapitest.c | 2 |
3 files changed, 26 insertions, 12 deletions
diff --git a/CHANGES.md b/CHANGES.md index d82d857782..6ef8e7c5c8 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,10 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] + * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload. + + *Daiki Ueno, John Baldwin and Dmitry Podgorny* + * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where supported and enabled. diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 32ce92f572..e497eabca0 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) const EVP_CIPHER *cipher = NULL; #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) ktls_crypto_info_t crypto_info; + void *rl_sequence; BIO *bio; #endif @@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) s->statem.enc_write_state = ENC_WRITE_STATE_VALID; #ifndef OPENSSL_NO_KTLS # if defined(OPENSSL_KTLS_TLS13) - if (!(which & SSL3_CC_WRITE) - || !(which & SSL3_CC_APPLICATION) + if (!(which & SSL3_CC_APPLICATION) || (s->options & SSL_OP_ENABLE_KTLS) == 0) goto skip_ktls; @@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) goto skip_ktls; - bio = s->wbio; + if (which & SSL3_CC_WRITE) + bio = s->wbio; + else + bio = s->rbio; if (!ossl_assert(bio != NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -713,19 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) } /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ - if (BIO_flush(bio) <= 0) - goto skip_ktls; + if (which & SSL3_CC_WRITE) { + if (BIO_flush(bio) <= 0) + goto skip_ktls; + } /* configure kernel crypto structure */ - if (!ktls_configure_crypto(s, cipher, ciph_ctx, - RECORD_LAYER_get_write_sequence(&s->rlayer), - &crypto_info, which & SSL3_CC_WRITE, iv, key, - NULL, 0)) + if (which & SSL3_CC_WRITE) + rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + + if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, + which & SSL3_CC_WRITE, iv, key, NULL, 0)) goto skip_ktls; /* ktls works with user provided buffers directly */ - if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) - ssl3_release_write_buffer(s); + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) + ssl3_release_write_buffer(s); + } skip_ktls: # endif #endif diff --git a/test/sslapitest.c b/test/sslapitest.c index c7d52817e5..b95d6201ed 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1242,7 +1242,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, #if defined(OPENSSL_NO_KTLS_RX) rx_supported = 0; #else - rx_supported = (tls_version != TLS1_3_VERSION); + rx_supported = 1; #endif if (!cis_ktls || !rx_supported) { if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) |