Enable the ability to query the COMP_METHOD being used in the record layer
authorMatt Caswell <matt@openssl.org>
Thu, 15 Sep 2022 15:03:02 +0000 (16:03 +0100)
committerMatt Caswell <matt@openssl.org>
Wed, 5 Oct 2022 14:21:37 +0000 (15:21 +0100)
We also convert to passing a COMP_METHOD rather than an SSL_COMP to the record
layer. The former is a public type while the latter is internal only, and
the only thing we need from SSL_COMP is the method.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)

12 files changed:
ssl/record/methods/dtls_meth.c
ssl/record/methods/ktls_meth.c
ssl/record/methods/recmethod_local.h
ssl/record/methods/ssl3_meth.c
ssl/record/methods/tls13_meth.c
ssl/record/methods/tls1_meth.c
ssl/record/methods/tls_common.c
ssl/record/methods/tlsany_meth.c
ssl/record/rec_layer_s3.c
ssl/record/recordmethod.h
ssl/ssl_lib.c
test/sslapitest.c

index bf8244ce31d949a7336eb94652f395ea264fc36c..7dcf984aed7855666974d9245b2493fa86ce2df3 100644 (file)
@@ -628,7 +628,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                       size_t ivlen, unsigned char *mackey, size_t mackeylen,
                       const EVP_CIPHER *ciph, size_t taglen,
                       int mactype,
-                      const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+                      const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                       BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
                       const OSSL_DISPATCH *fns, void *cbarg,
@@ -712,5 +712,6 @@ const OSSL_RECORD_METHOD ossl_dtls_record_method = {
     tls_set_max_pipelines,
     dtls_set_in_init,
     tls_get_state,
-    tls_set_options
+    tls_set_options,
+    tls_get_compression
 };
index 95f34d176f98580de593e26e96b21ab02f4e81de..f5295106504448d244c09bf202dc23438d4fab92 100644 (file)
@@ -375,7 +375,7 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                  size_t taglen,
                                  int mactype,
                                  const EVP_MD *md,
-                                 const SSL_COMP *comp)
+                                 COMP_METHOD *comp)
 {
     ktls_crypto_info_t crypto_info;
 
@@ -499,7 +499,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                       size_t ivlen, unsigned char *mackey, size_t mackeylen,
                       const EVP_CIPHER *ciph, size_t taglen,
                       int mactype,
-                      const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+                      const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                       BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
                       const OSSL_DISPATCH *fns, void *cbarg,
@@ -520,10 +520,11 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 
     /*
      * TODO(RECLAYER): We're not ready to set the crypto state for the write
-     * record layer. Fix this once we are
+     * record layer in TLSv1.3. Fix this once we are
      */
-    if (direction == OSSL_RECORD_DIRECTION_WRITE)
+    if (direction == OSSL_RECORD_DIRECTION_WRITE && vers == TLS1_3_VERSION)
         return 1;
+
     ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv,
                                             ivlen, mackey, mackeylen, ciph,
                                             taglen, mactype, md, comp);
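Review bot: The relaxed early return at `if (direction == OSSL_RECORD_DIRECTION_WRITE && vers == TLS1_3_VERSION)` now passes the write-side crypto state of every pre-TLSv1.3 connection to ktls_set_crypto_state, a kernel-offload behaviour change that the commit message (which only talks about COMP_METHOD) does not mention; it deserves a sentence there or a comment here. Kernel TLS has no compression support, so if ktls_set_crypto_state (its body is outside this hunk) does not already reject a non-NULL `comp`, a negotiated compression method would be silently dropped by the offload; guarding the call with something like `if (comp != NULL) return <error>;` — the visible code uses `OSSL_RECORD_RETURN_FATAL`, but a non-fatal return, if the method defines one, would let the caller fall back to the software record layer — would prevent that. ktls_new_record_layer continues past the end of the hunk.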
@@ -563,5 +564,6 @@ const OSSL_RECORD_METHOD ossl_ktls_record_method = {
     tls_set_max_pipelines,
     NULL,
     tls_get_state,
-    tls_set_options
+    tls_set_options,
+    tls_get_compression
 };
index d4907d3a1857c4836db5e283f77d345d3148b453..c6f936b7040b62253ae5c847db798290593b135b 100644 (file)
@@ -36,7 +36,7 @@ struct record_functions_st
                             size_t taglen,
                             int mactype,
                             const EVP_MD *md,
-                            const SSL_COMP *comp);
+                            COMP_METHOD *comp);
 
     /*
      * Returns:
@@ -295,7 +295,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                          unsigned char *mackey, size_t mackeylen,
                          const EVP_CIPHER *ciph, size_t taglen,
                          int mactype,
-                         const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+                         const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                          BIO *transport, BIO *next,
                          BIO_ADDR *local, BIO_ADDR *peer,
                          const OSSL_PARAM *settings, const OSSL_PARAM *options,
@@ -327,6 +327,7 @@ void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines);
 void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
                    const char **longstr);
 int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options);
+const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl);
 int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl);
 int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes,
                            size_t firstlen, size_t nextlen);
index 1bbef2534564cdd02d262183eb54be2d616eb0d7..6ff67df7d770cb98ee6bba52c24e6b3aa11dae27 100644 (file)
@@ -21,7 +21,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                  size_t taglen,
                                  int mactype,
                                  const EVP_MD *md,
-                                 const SSL_COMP *comp)
+                                 COMP_METHOD *comp)
 {
     EVP_CIPHER_CTX *ciph_ctx;
 
@@ -43,7 +43,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
     }
 #ifndef OPENSSL_NO_COMP
     if (comp != NULL) {
-        rl->compctx = COMP_CTX_new(comp->method);
+        rl->compctx = COMP_CTX_new(comp);
         if (rl->compctx == NULL) {
             ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
             return OSSL_RECORD_RETURN_FATAL;
index 5195fbd96345970a766c0d26d92e2b58de33f787..2227badb989350f5de518648c2eec03545e8de07 100644 (file)
@@ -21,7 +21,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                   size_t taglen,
                                   int mactype,
                                   const EVP_MD *md,
-                                  const SSL_COMP *comp)
+                                  COMP_METHOD *comp)
 {
     EVP_CIPHER_CTX *ciph_ctx;
     int mode;
index 5dc17bc0c3a59e016c34a11c9bc0e5a054cab01d..a2612e8986245e546062470e0d494d79b874020e 100644 (file)
@@ -22,7 +22,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                  size_t taglen,
                                  int mactype,
                                  const EVP_MD *md,
-                                 const SSL_COMP *comp)
+                                 COMP_METHOD *comp)
 {
     EVP_CIPHER_CTX *ciph_ctx;
     EVP_PKEY *mac_key;
@@ -45,7 +45,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
     }
 #ifndef OPENSSL_NO_COMP
     if (comp != NULL) {
-        rl->compctx = COMP_CTX_new(comp->method);
+        rl->compctx = COMP_CTX_new(comp);
         if (rl->compctx == NULL) {
             ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
             return OSSL_RECORD_RETURN_FATAL;
index 0dac60a3d563619643a88108db24eb00c5e58727..ef5f8e5e8fe48953d5290938dfd1776450590969 100644 (file)
@@ -12,6 +12,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/core_names.h>
+#include <openssl/comp.h>
 #include "internal/e_os.h"
 #include "internal/packet.h"
 #include "../../ssl_local.h"
@@ -1197,7 +1198,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                          unsigned char *mackey, size_t mackeylen,
                          const EVP_CIPHER *ciph, size_t taglen,
                          int mactype,
-                         const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+                         const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                          BIO *transport, BIO *next, BIO_ADDR *local,
                          BIO_ADDR *peer, const OSSL_PARAM *settings,
                          const OSSL_PARAM *options,
@@ -1327,7 +1328,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                      size_t ivlen, unsigned char *mackey, size_t mackeylen,
                      const EVP_CIPHER *ciph, size_t taglen,
                      int mactype,
-                     const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+                     const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                      BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                      const OSSL_PARAM *settings, const OSSL_PARAM *options,
                      const OSSL_DISPATCH *fns, void *cbarg,
@@ -2140,6 +2141,15 @@ void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
         *longstr = lng;
 }
 
+const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
+{
+#ifndef OPENSSL_NO_COMP
+    return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
+#else
+    return NULL;
+#endif
+}
+
 const OSSL_RECORD_METHOD ossl_tls_record_method = {
     tls_new_record_layer,
     tls_free,
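Review bot: tls_get_compression at `const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)` is added without a comment, and since it becomes the back end of the public SSL_get_current_compression()/SSL_get_current_expansion() calls its contract should be spelled out. I would add above it: `/* Returns the COMP_METHOD of rl's active compression context, or NULL when no compression context has been set up or the library is built with OPENSSL_NO_COMP. The pointer is owned by the context; callers must not free it. */` The ownership sentence is my reading of COMP_CTX_get_method returning the method held by rl->compctx — confirm it against the COMP API before landing the comment. Note also that rl is dereferenced without a NULL check, which is fine only if every caller guarantees a non-NULL layer; the ssl_lib.c callers in this commit pass sc->rlayer.wrl/rrl unconditionally, so that invariant is worth stating.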
@@ -2162,5 +2172,6 @@ const OSSL_RECORD_METHOD ossl_tls_record_method = {
     tls_set_max_pipelines,
     NULL,
     tls_get_state,
-    tls_set_options
+    tls_set_options,
+    tls_get_compression
 };
index e2ca41adf8bd9fc3cdc42e3bfd2a92c98394c041..141354b4357a3656cf393130b36cbce9d698249e 100644 (file)
@@ -20,7 +20,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
                                     size_t taglen,
                                     int mactype,
                                     const EVP_MD *md,
-                                    const SSL_COMP *comp)
+                                    COMP_METHOD *comp)
 {
     if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
index 0318b07a9fb63dd3fdd37234cfecb5fef9ab2066..de4e0a4f3f3c1607ccba28485a618eb85b838d26 100644 (file)
@@ -1136,6 +1136,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
     unsigned int maxfrag = SSL3_RT_MAX_PLAIN_LENGTH;
     int use_early_data = 0;
     uint32_t max_early_data;
+    COMP_METHOD *compm = (comp == NULL) ? NULL : comp->method;
 
     meth = ssl_select_next_record_layer(s, level);
 
@@ -1282,7 +1283,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
                                        s->server, direction, level, epoch,
                                        key, keylen, iv, ivlen, mackey,
                                        mackeylen, ciph, taglen, mactype, md,
-                                       comp, prev, thisbio, next, NULL, NULL,
+                                       compm, prev, thisbio, next, NULL, NULL,
                                        settings, options, rlayer_dispatch_tmp,
                                        s, &newrl);
         BIO_free(prev);
index 43c1cee578bd312c6e7234fe7d7ab4d69cc2b070..6c84737a7cddaf5a8ad146356ec673dbe5e420bd 100644 (file)
@@ -134,7 +134,7 @@ struct ossl_record_method_st {
                             size_t taglen,
                             int mactype,
                             const EVP_MD *md,
-                            const SSL_COMP *comp,
+                            COMP_METHOD *comp,
                             BIO *prev,
                             BIO *transport,
                             BIO *next,
@@ -300,6 +300,8 @@ struct ossl_record_method_st {
      * new_record_layer call.
      */
     int (*set_options)(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options);
+
+    const COMP_METHOD *(*get_compression)(OSSL_RECORD_LAYER *rl);
 };
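Review bot: The new `get_compression` member of ossl_record_method_st is added without the descriptive comment its neighbour set_options carries (the tail of that comment is visible at the top of the hunk), and nothing says whether an implementation may leave it NULL. Since ssl_lib.c in this same commit calls `sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl)` unconditionally, while other slots such as set_in_init are filled with NULL by the tls and ktls methods, the comment should make the requirement explicit. I would write: `/* Returns the COMP_METHOD in use by this record layer, or NULL if no compression is active. Must not be NULL: it is called unconditionally by SSL_get_current_compression() and SSL_get_current_expansion(). */`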
 
 
index 18a6a4865da5cfbf36087333b91d8a9313ac4c47..3facb703e7deccb1f9ea451898d9c39e68571b7d 100644 (file)
@@ -4786,7 +4786,11 @@ const COMP_METHOD *SSL_get_current_compression(const SSL *s)
     if (sc == NULL)
         return NULL;
 
-    return sc->compress ? COMP_CTX_get_method(sc->compress) : NULL;
+    /* TODO(RECLAYER): Remove me once SSLv3/DTLS moved to write record layer */
+    if (SSL_CONNECTION_IS_DTLS(sc) || sc->version == SSL3_VERSION)
+        return sc->compress ? COMP_CTX_get_method(sc->compress) : NULL;
+
+    return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);
 #else
     return NULL;
 #endif
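Review bot: The new `return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);` drops the NULL guard that the old `sc->compress ?` expression provided, so it is only as safe as the assumption that wrl and wrlmethod are non-NULL whenever this accessor can be reached; if the write record layer can be absent on any path (I cannot confirm the invariant from this hunk), a `if (sc->rlayer.wrl == NULL) return NULL;` guard is warranted. The TLSv1.3 case also deserves a comment: the ktls and test changes in this same commit say the TLSv1.3 write side is not yet converted, so for TLSv1.3 this queries a write layer whose crypto state was never set and returns NULL — the right answer only because TLSv1.3 never negotiates compression. The DTLS/SSLv3 fallback here has no counterpart in SSL_get_current_expansion below; that is consistent with only the write side being unconverted, but the TODO should say so, e.g. `/* TODO(RECLAYER): Remove me once SSLv3/DTLS moved to write record layer; the read side below is already converted */`, so a reader does not take the asymmetry for a bug.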
@@ -4800,7 +4804,7 @@ const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
     if (sc == NULL)
         return NULL;
 
-    return sc->expand ? COMP_CTX_get_method(sc->expand) : NULL;
+    return sc->rlayer.rrlmethod->get_compression(sc->rlayer.rrl);
 #else
     return NULL;
 #endif
index f7aca5cde4de7de73d9591d1b248541440b4a613..aa1d045d8847dc95f9e0079b1150e4129400594e 100644 (file)
@@ -1073,9 +1073,15 @@ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
         goto end;
 
     cbuf[0] = count++;
-    memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+    /* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
+    if (SSL_CONNECTION_IS_TLS13(serversc)) {
+        memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+        memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
+    } else {
+        memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+        memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+    }
     memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
-    memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
     memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
 
     if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
@@ -1096,9 +1102,15 @@ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
         }
     }
 
-    memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+    /* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
+    if (SSL_CONNECTION_IS_TLS13(serversc)) {
+        memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+        memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
+    } else {
+        memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+        memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+    }
     memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
-    memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
     memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
 
     /* verify the payload */
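Review bot: The eight-line TLSv1.3/non-TLSv1.3 branch that reads the write sequence numbers is now duplicated verbatim before and after the SSL_write/SSL_read exchange (this hunk and the one above), and both copies use `SSL_CONNECTION_IS_TLS13(serversc)` to decide which field of clientsc to read — correct only because both ends negotiated the same version, and easy to get wrong when the TODO is eventually removed. A small helper keyed on the connection actually being read keeps the temporary logic in one place and makes the later removal a one-function change. ping_pong_query continues outside the hunk, and I am assuming the *_wseq_* buffers are plain unsigned char arrays of SEQ_NUM_SIZE bytes, as the memcpy calls suggest.
```c
/* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
static void get_write_sequence(SSL_CONNECTION *sc, unsigned char *seq)
{
    if (SSL_CONNECTION_IS_TLS13(sc))
        memcpy(seq, &sc->rlayer.write_sequence, SEQ_NUM_SIZE);
    else
        memcpy(seq, &sc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
}

/* … unchanged: ping_pong_query up to the post-exchange snapshot … */
    get_write_sequence(clientsc, crec_wseq_after);
    get_write_sequence(serversc, srec_wseq_after);
    memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
```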