Add a prepare for encryption step
This applies any MAC that might be necessary, ensures that there is
enough space in the WPACKET to perform the encryption and sets up the
SSL3_RECORD ready for that encryption.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #19343)
mattcaswell committed Oct 12, 2022
1 parent 2582de2 commit 757ef3b
Showing 7 changed files with 97 additions and 44 deletions.
12 changes: 11 additions & 1 deletion ssl/record/methods/ktls_meth.c
Expand Up @@ -492,6 +492,15 @@ static int ktls_prepare_record_header(OSSL_RECORD_LAYER *rl,
return 1;
}

static int ktls_prepare_for_encryption(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
SSL3_RECORD *thiswr)
{
/* No encryption, so nothing to do */
return 1;
}

static struct record_functions_st ossl_ktls_funcs = {
ktls_set_crypto_state,
ktls_cipher,
Expand All @@ -507,7 +516,8 @@ static struct record_functions_st ossl_ktls_funcs = {
ktls_initialise_write_packets,
NULL,
ktls_prepare_record_header,
NULL
NULL,
ktls_prepare_for_encryption
};

const OSSL_RECORD_METHOD ossl_ktls_record_method = {
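Review bot: The comment in ktls_prepare_for_encryption, `/* No encryption, so nothing to do */`, is misleading for this record method: a kTLS record is still encrypted, just by the kernel after the plaintext is handed over, which is why the MAC and reserve-for-growth steps performed by tls_prepare_for_encryption_default are skipped here. Suggest `/* Encryption (and any MAC) is performed by the kernel, so there is nothing to prepare in user space */`. The unused mac_size, thispkt and thiswr parameters are fine for a function-table slot, but a one-line remark that thiswr is deliberately left untouched would save the next reader from wondering whether data/length were forgotten.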
14 changes: 14 additions & 0 deletions ssl/record/methods/recmethod_local.h
Expand Up @@ -110,6 +110,16 @@ struct record_functions_st
OSSL_RECORD_TEMPLATE *thistempl,
WPACKET *thispkt,
SSL3_RECORD *thiswr);

/*
* This applies any mac that might be necessary, ensures that we have enough
* space in the WPACKET to perform the encryption and sets up the
* SSL3_RECORD ready for that encryption.
*/
int (*prepare_for_encryption)(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
SSL3_RECORD *thiswr);
};

struct ossl_record_layer_st
Expand Down Expand Up @@ -407,6 +417,10 @@ int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templ,
unsigned int rectype,
unsigned char **recdata);
int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
SSL3_RECORD *thiswr);
int tls_write_records_default(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl);
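Review bot: The new prepare_for_encryption member's comment says what the hook does but not its failure contract, which the caller in tls_write_records_default relies on (it does `goto err` with only `/* RLAYERfatal() already called */` and raises no alert of its own). Add to the comment: `Returns 1 on success. On failure returns 0 having already called RLAYERfatal(); callers must not raise a second alert.` Stating the precondition too, that prepare_record_header has already run and thiswr's input/length describe the plaintext, would make the hook implementable from the header alone.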
3 changes: 2 additions & 1 deletion ssl/record/methods/ssl3_meth.c
Expand Up @@ -316,5 +316,6 @@ struct record_functions_st ssl_3_0_funcs = {
tls1_initialise_write_packets,
NULL,
tls_prepare_record_header_default,
NULL
NULL,
tls_prepare_for_encryption_default
};
3 changes: 2 additions & 1 deletion ssl/record/methods/tls13_meth.c
Expand Up @@ -324,5 +324,6 @@ struct record_functions_st tls_1_3_funcs = {
tls_initialise_write_packets_default,
tls13_get_record_type,
tls_prepare_record_header_default,
tls13_add_record_padding
tls13_add_record_padding,
tls_prepare_for_encryption_default
};
4 changes: 3 additions & 1 deletion ssl/record/methods/tls1_meth.c
Expand Up @@ -657,7 +657,8 @@ struct record_functions_st tls_1_funcs = {
tls1_initialise_write_packets,
NULL,
tls_prepare_record_header_default,
NULL
NULL,
tls_prepare_for_encryption_default
};

struct record_functions_st dtls_1_funcs = {
Expand All @@ -674,5 +675,6 @@ struct record_functions_st dtls_1_funcs = {
NULL,
NULL,
NULL,
NULL,
NULL
};
92 changes: 53 additions & 39 deletions ssl/record/methods/tls_common.c
Expand Up @@ -1562,6 +1562,56 @@ int tls_prepare_record_header_default(OSSL_RECORD_LAYER *rl,
return 1;
}

int tls_prepare_for_encryption_default(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
SSL3_RECORD *thiswr)
{
size_t len;
unsigned char *recordstart;

/*
* we should still have the output to thiswr->data and the input from
* wr->input. Length should be thiswr->length. thiswr->data still points
* in the wb->buf
*/

if (!rl->use_etm && mac_size != 0) {
unsigned char *mac;

if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
|| !rl->funcs->mac(rl, thiswr, mac, 1)) {
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
}
}

/*
* Reserve some bytes for any growth that may occur during encryption.
* This will be at most one cipher block or the tag length if using
* AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
*/
if (!WPACKET_reserve_bytes(thispkt,
SSL_RT_MAX_CIPHER_BLOCK_SIZE,
NULL)
/*
* We also need next the amount of bytes written to this
* sub-packet
*/
|| !WPACKET_get_length(thispkt, &len)) {
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
}

/* Get a pointer to the start of this record excluding header */
recordstart = WPACKET_get_curr(thispkt) - len;
SSL3_RECORD_set_data(thiswr, recordstart);
SSL3_RECORD_reset_input(thiswr);
SSL3_RECORD_set_length(thiswr, len);

return 1;
}

int tls_write_records_default(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl)
Expand Down Expand Up @@ -1665,45 +1715,9 @@ int tls_write_records_default(OSSL_RECORD_LAYER *rl,
goto err;
}

/*
* we should still have the output to thiswr->data and the input from
* wr->input. Length should be thiswr->length. thiswr->data still points
* in the wb->buf
*/

if (!using_ktls && !rl->use_etm && mac_size != 0) {
unsigned char *mac;

if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
|| !rl->funcs->mac(rl, thiswr, mac, 1)) {
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
}

/*
* Reserve some bytes for any growth that may occur during encryption.
* This will be at most one cipher block or the tag length if using
* AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
*/
if (!using_ktls) {
if (!WPACKET_reserve_bytes(thispkt,
SSL_RT_MAX_CIPHER_BLOCK_SIZE,
NULL)
/*
* We also need next the amount of bytes written to this
* sub-packet
*/
|| !WPACKET_get_length(thispkt, &len)) {
RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}

/* Get a pointer to the start of this record excluding header */
recordstart = WPACKET_get_curr(thispkt) - len;
SSL3_RECORD_set_data(thiswr, recordstart);
SSL3_RECORD_reset_input(thiswr);
SSL3_RECORD_set_length(thiswr, len);
if (!rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)) {
/* RLAYERfatal() already called */
goto err;
}
}

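Review bot: `rl->funcs->prepare_for_encryption(rl, mac_size, thispkt, thiswr)` at the end of the loop body is invoked without a NULL check, yet dtls_1_funcs (tls1_meth.c) and dtls_any_funcs (tlsany_meth.c) fill that slot with NULL in this same commit. Presumably the DTLS write side is not yet routed through tls_write_records_default, since its neighbouring write hooks are NULL as well, but if it ever is this becomes a NULL function-pointer call rather than a controlled failure, and a guard that merely skipped the hook would be worse, as it would let a record go out without its MAC. Either treat a NULL hook as an error, `if (rl->funcs->prepare_for_encryption == NULL) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; }`, or document in recmethod_local.h that the hook is mandatory for any method using the default write path. Separately, the comment relocated into tls_prepare_for_encryption_default still names `wr->input` and `wb->buf`, which no longer match the `thiswr`/`thispkt` it operates on. The loop enclosing this call begins outside the hunk.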
13 changes: 12 additions & 1 deletion ssl/record/methods/tlsany_meth.c
Expand Up @@ -134,6 +134,15 @@ static int tls_any_set_protocol_version(OSSL_RECORD_LAYER *rl, int vers)
return 1;
}

static int tls_any_prepare_for_encryption(OSSL_RECORD_LAYER *rl,
size_t mac_size,
WPACKET *thispkt,
SSL3_RECORD *thiswr)
{
/* No encryption, so nothing to do */
return 1;
}

struct record_functions_st tls_any_funcs = {
tls_any_set_crypto_state,
tls_any_cipher,
Expand All @@ -149,7 +158,8 @@ struct record_functions_st tls_any_funcs = {
tls_initialise_write_packets_default,
NULL,
tls_prepare_record_header_default,
NULL
NULL,
tls_any_prepare_for_encryption
};

static int dtls_any_set_protocol_version(OSSL_RECORD_LAYER *rl, int vers)
Expand All @@ -176,5 +186,6 @@ struct record_functions_st dtls_any_funcs = {
NULL,
NULL,
NULL,
NULL,
NULL
};
