From 84ce747b1cddc1b92eabf258431664b71d73df28 Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Tue, 3 Oct 2023 09:39:47 +0200
Subject: Adds initial dtls 1.3 structs and definitions

Reviewed-by: Neil Horman
Reviewed-by: Matt Caswell
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/22259)
---
 include/openssl/prov_ssl.h | 1 +
 include/openssl/ssl.h.in | 1 +
 ssl/d1_lib.c | 15 +++++++++++++++
 ssl/methods.c | 18 ++++++++++++++++++
 ssl/record/methods/recmethod_local.h | 1 +
 ssl/record/methods/tls13_meth.c | 21 +++++++++++++++++++++
 ssl/ssl_local.h | 11 ++++++++++-
 7 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/include/openssl/prov_ssl.h b/include/openssl/prov_ssl.h
index 76d01e1eb8..9f3e8197e3 100644
--- a/include/openssl/prov_ssl.h
+++ b/include/openssl/prov_ssl.h
@@ -27,6 +27,7 @@ extern "C" {
 # define TLS1_3_VERSION 0x0304
 # define DTLS1_VERSION 0xFEFF
 # define DTLS1_2_VERSION 0xFEFD
+# define DTLS1_3_VERSION 0xFEFC
 # define DTLS1_BAD_VER 0x0100
 
 /* QUIC uses a 4 byte unsigned version number */
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 988e637dda..9c56b27e12 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -406,6 +406,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
 # define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29)
 # define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26)
 # define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27)
+# define SSL_OP_NO_DTLSv1_3 SSL_OP_BIT(29)
 /* Disallow all renegotiation */
 # define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30)
 /*
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 1ac0975d0a..f36d5a3d5f 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
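Review bot: `SSL_OP_NO_DTLSv1_3` is assigned `SSL_OP_BIT(29)`, the same bit as `SSL_OP_NO_TLSv1_3` three lines above it, and nothing on the new line tells a reader whether that is intentional. The two existing DTLS options in the hunk sit on bits 26 and 27, which I believe are also the `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_2` bits, so the aliasing looks like established practice rather than a copy-paste slip, but the new line is the one a future reader will stare at. A one-line comment above the DTLS block would settle it, e.g. `/* The SSL_OP_NO_DTLSv1* options deliberately share bits with their SSL_OP_NO_TLSv1* counterparts */`. It is also worth spelling out the consequence somewhere in the documentation: clearing TLSv1.3 on a context via this bit clears DTLSv1.3 as well, and vice versa, which matters to anyone auditing an application's version pinning.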
@@ -51,6 +51,21 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
 dtls1_handshake_write
 };
 
+const SSL3_ENC_METHOD DTLSv1_3_enc_data = {
+ tls13_setup_key_block,
+ tls13_generate_master_secret,
+ tls13_change_cipher_state,
+ tls13_final_finish_mac,
+ TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
+ TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
+ tls13_alert_code,
+ tls13_export_keying_material,
+ SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF,
+ dtls1_set_handshake_header,
+ dtls1_close_construct_packet,
+ dtls1_handshake_write
+};
+
 OSSL_TIME dtls1_default_timeout(void)
 {
 /*
diff --git a/ssl/methods.c b/ssl/methods.c
index 525f59e912..836d859ec7 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -125,6 +125,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
 ossl_statem_accept,
 ossl_statem_connect, DTLSv1_2_enc_data)
 #endif
+#ifndef OPENSSL_NO_DTLS1_3_METHOD
+IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3,
+ dtlsv1_3_method,
+ ossl_statem_accept,
+ ossl_statem_connect, DTLSv1_3_enc_data)
+#endif
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
 DTLS_method,
 ossl_statem_accept,
@@ -145,6 +151,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
 ossl_statem_accept,
 ssl_undefined_function, DTLSv1_2_enc_data)
 #endif
+#ifndef OPENSSL_NO_DTLS1_3_METHOD
+IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3,
+ dtlsv1_3_server_method,
+ ossl_statem_accept,
+ ssl_undefined_function, DTLSv1_3_enc_data)
+#endif
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
 DTLS_server_method,
 ossl_statem_accept,
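Review bot: `DTLSv1_3_enc_data` takes its three handshake-layer callbacks (`dtls1_set_handshake_header`, `dtls1_close_construct_packet`, `dtls1_handshake_write`) unchanged from the `DTLSv1_2_enc_data` table directly above it, and the `dtls_1_3_funcs` table added in ssl/record/methods/tls13_meth.c likewise pairs `tls13_cipher` and `tls13_post_process_record` with the DTLS 1.2 record framing functions `dtls_prepare_record_header`, `dtls_get_more_records` and `dtls_post_encryption_processing`. DTLS 1.3 (RFC 9147) changes both layers, with a unified record header that carries encrypted sequence numbers and a handshake that adds ACK messages, so as far as these names show, neither table yet produces RFC 9147 wire format, and if `tls13_cipher` still derives its AAD from a TLS-style record header the authenticated header will not even match the DTLS header on the wire. That is fine for a scaffolding commit, but both are `const` tables that other code will now reference, so each deserves a comment saying so; I would add above each definition `/* DTLSv1.3 scaffolding: handshake and record framing still use the DTLSv1.2 functions and are not RFC 9147 compliant yet */`. The same caveat applies to the two methods.c hunks on this line, which make the tables selectable via `dtlsv1_3_method()` and friends.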
@@ -169,6 +181,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
 ssl_undefined_function,
 ossl_statem_connect, DTLSv1_2_enc_data)
 #endif
+#ifndef OPENSSL_NO_DTLS1_3_METHOD
+IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3,
+ dtlsv1_3_client_method,
+ ssl_undefined_function,
+ ossl_statem_connect, DTLSv1_3_enc_data)
+#endif
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
 DTLS_client_method,
 ssl_undefined_function,
diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h
index 1267f81385..74939ea174 100644
--- a/ssl/record/methods/recmethod_local.h
+++ b/ssl/record/methods/recmethod_local.h
@@ -382,6 +382,7 @@ extern const struct record_functions_st tls_1_funcs;
 extern const struct record_functions_st tls_1_3_funcs;
 extern const struct record_functions_st tls_any_funcs;
 extern const struct record_functions_st dtls_1_funcs;
+extern const struct record_functions_st dtls_1_3_funcs;
 extern const struct record_functions_st dtls_any_funcs;
 
 void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason,
diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c
index fff81d3d08..b38bfefae9 100644
--- a/ssl/record/methods/tls13_meth.c
+++ b/ssl/record/methods/tls13_meth.c
@@ -323,3 +323,24 @@ const struct record_functions_st tls_1_3_funcs = {
 tls_post_encryption_processing_default,
 NULL
 };
+
+const struct record_functions_st dtls_1_3_funcs = {
+ tls13_set_crypto_state,
+ tls13_cipher,
+ NULL,
+ tls_default_set_protocol_version,
+ tls_default_read_n,
+ dtls_get_more_records,
+ NULL,
+ tls13_post_process_record,
+ NULL,
+ tls_write_records_default,
+ tls_allocate_write_buffers_default,
+ tls_initialise_write_packets_default,
+ tls13_get_record_type,
+ dtls_prepare_record_header,
+ tls13_add_record_padding,
+ tls_prepare_for_encryption_default,
+ dtls_post_encryption_processing,
+ NULL
+};
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index cae0c1202b..b4a10b7bfa 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -258,13 +258,18 @@
 # define SSL_CONNECTION_IS_DTLS(s) \
 (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
 
+/* Check if we are using DTLSv1.3 */
+# define SSL_CONNECTION_IS_DTLS13(s) (SSL_CONNECTION_IS_DTLS(s) \
+ && DTLS_VERSION_GE(SSL_CONNECTION_GET_SSL(s)->method->version, DTLS1_3_VERSION) \
+ && SSL_CONNECTION_GET_SSL(s)->method->version != DTLS_ANY_VERSION)
+
 /* Check if we are using TLSv1.3 */
 # define SSL_CONNECTION_IS_TLS13(s) (!SSL_CONNECTION_IS_DTLS(s) \
 && SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \
 && SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION)
 
 # define SSL_CONNECTION_TREAT_AS_TLS13(s) \
- (SSL_CONNECTION_IS_TLS13(s) \
+ ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) \
 || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \
 || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \
 || (s)->early_data_state == SSL_EARLY_DATA_WRITING \
@@ -2261,6 +2266,9 @@ __owur const SSL_METHOD *dtls_bad_ver_client_method(void);
 __owur const SSL_METHOD *dtlsv1_2_method(void);
 __owur const SSL_METHOD *dtlsv1_2_server_method(void);
 __owur const SSL_METHOD *dtlsv1_2_client_method(void);
+__owur const SSL_METHOD *dtlsv1_3_method(void);
+__owur const SSL_METHOD *dtlsv1_3_server_method(void);
+__owur const SSL_METHOD *dtlsv1_3_client_method(void);
 
 extern const SSL3_ENC_METHOD TLSv1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
@@ -2269,6 +2277,7 @@ extern const SSL3_ENC_METHOD TLSv1_3_enc_data;
 extern const SSL3_ENC_METHOD SSLv3_enc_data;
 extern const SSL3_ENC_METHOD DTLSv1_enc_data;
 extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
+extern const SSL3_ENC_METHOD DTLSv1_3_enc_data;
 
 /*
 * Flags for SSL methods
-- 
cgit v1.2.3
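Review bot: Folding `SSL_CONNECTION_IS_DTLS13(s)` into `SSL_CONNECTION_TREAT_AS_TLS13` switches every TLS 1.3-gated path in the library onto the new DTLS method while, per the ssl/d1_lib.c and ssl/record/methods/tls13_meth.c hunks of this patch, that method's handshake and record framing are still the DTLS 1.2 functions, and the new comment on `SSL_CONNECTION_IS_DTLS13` gives no hint that the support is incomplete. As far as this patch shows, the new method constructors are declared only here in ssl_local.h and the `DTLS_ANY_VERSION` method is untouched, so the path should not be reachable through the public API yet, but this macro is what the reviewers of the follow-up commits will read first. I would widen the comment to `/* Check if we are using DTLSv1.3 (work in progress: not yet RFC 9147 compliant) */`. The `!= DTLS_ANY_VERSION` guard correctly mirrors `SSL_CONNECTION_IS_TLS13`, and using `DTLS_VERSION_GE` rather than a raw `>=` is right given that DTLS version numbers descend (0xFEFF, 0xFEFD, 0xFEFC in the prov_ssl.h hunk).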