From: Matt Caswell Date: Thu, 15 Sep 2022 15:03:02 +0000 (+0100) Subject: Enable the ability to query the COMP_METHOD being used in the record layer X-Git-Tag: openssl-3.2.0-alpha1~1962 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e76110b7214a4fb39dc1397cbc4771538d06f39;p=thirdparty%2Fopenssl.git Enable the ability to query the COMP_METHOD being used in the record layer We also convert to passing COMP_METHOD rather than SSL_COMP to the record layer. The former is a public type while the latter is internal only - and the only thing we need from SSL_COMP is the method. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/19217)
---
diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c
index bf8244ce31d..7dcf984aed7 100644
--- a/ssl/record/methods/dtls_meth.c
+++ b/ssl/record/methods/dtls_meth.c
@@ -628,7 +628,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 size_t ivlen, unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype,
- const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg,
@@ -712,5 +712,6 @@ const OSSL_RECORD_METHOD ossl_dtls_record_method = {
 tls_set_max_pipelines,
 dtls_set_in_init,
 tls_get_state,
- tls_set_options
+ tls_set_options,
+ tls_get_compression
 };
diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c
index 95f34d176f9..f5295106504 100644
--- a/ssl/record/methods/ktls_meth.c
+++ b/ssl/record/methods/ktls_meth.c
@@ -375,7 +375,7 @@ static int ktls_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ COMP_METHOD *comp)
 {
 ktls_crypto_info_t crypto_info;
@@ -499,7 +499,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 size_t ivlen, unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype,
- const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg,
@@ -520,10 +520,11 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 /*
 * TODO(RECLAYER): We're not ready to set the crypto state for the write
- * record layer. Fix this once we are
+ * record layer in TLSv1.3. Fix this once we are
 */
- if (direction == OSSL_RECORD_DIRECTION_WRITE)
+ if (direction == OSSL_RECORD_DIRECTION_WRITE && vers == TLS1_3_VERSION)
 return 1;
+
 ret = (*retrl)->funcs->set_crypto_state(*retrl, level, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md, comp);
@@ -563,5 +564,6 @@ const OSSL_RECORD_METHOD ossl_ktls_record_method = {
 tls_set_max_pipelines,
 NULL,
 tls_get_state,
- tls_set_options
+ tls_set_options,
+ tls_get_compression
 };
diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h
index d4907d3a185..c6f936b7040 100644
--- a/ssl/record/methods/recmethod_local.h
+++ b/ssl/record/methods/recmethod_local.h
@@ -36,7 +36,7 @@ struct record_functions_st
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp);
+ COMP_METHOD *comp);
 /*
 * Returns:
@@ -295,7 +295,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype,
- const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options,
@@ -327,6 +327,7 @@ void tls_set_max_pipelines(OSSL_RECORD_LAYER *rl, size_t max_pipelines);
 void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr, const char **longstr);
 int tls_set_options(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options);
+const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl);
 int tls_setup_read_buffer(OSSL_RECORD_LAYER *rl);
 int tls_setup_write_buffer(OSSL_RECORD_LAYER *rl, size_t numwpipes, size_t firstlen, size_t nextlen);
diff --git a/ssl/record/methods/ssl3_meth.c b/ssl/record/methods/ssl3_meth.c
index 1bbef253456..6ff67df7d77 100644
--- a/ssl/record/methods/ssl3_meth.c
+++ b/ssl/record/methods/ssl3_meth.c
@@ -21,7 +21,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ COMP_METHOD *comp)
 {
 EVP_CIPHER_CTX *ciph_ctx;
@@ -43,7 +43,7 @@ static int ssl3_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 }
 #ifndef OPENSSL_NO_COMP
 if (comp != NULL) {
- rl->compctx = COMP_CTX_new(comp->method);
+ rl->compctx = COMP_CTX_new(comp);
 if (rl->compctx == NULL) {
 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
 return OSSL_RECORD_RETURN_FATAL;
diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c
index 5195fbd9634..2227badb989 100644
--- a/ssl/record/methods/tls13_meth.c
+++ b/ssl/record/methods/tls13_meth.c
@@ -21,7 +21,7 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ COMP_METHOD *comp)
 {
 EVP_CIPHER_CTX *ciph_ctx;
 int mode;
diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c
index 5dc17bc0c3a..a2612e89862 100644
--- a/ssl/record/methods/tls1_meth.c
+++ b/ssl/record/methods/tls1_meth.c
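Review bot: The `tls_get_compression` prototype added to recmethod_local.h has no comment, and neither does the `get_compression` member added to `struct ossl_record_method_st` in recordmethod.h nor the definition in tls_common.c, although the neighbouring `set_options` member in recordmethod.h carries a descriptive comment. Since `SSL_get_current_compression()` and `SSL_get_current_expansion()` now depend on this entry point, its contract should be written down once; I would put `/* Returns the COMP_METHOD in use on this record layer, or NULL when no compression context has been set up (always NULL in an OPENSSL_NO_COMP build). */` above the member in recordmethod.h and refer to it from the prototype here. Both NULL cases follow from the tls_common.c body, which tests `rl->compctx == NULL` and returns NULL outright in the `#else` arm of `#ifndef OPENSSL_NO_COMP`.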
@@ -22,7 +22,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ COMP_METHOD *comp)
 {
 EVP_CIPHER_CTX *ciph_ctx;
 EVP_PKEY *mac_key;
@@ -45,7 +45,7 @@ static int tls1_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 }
 #ifndef OPENSSL_NO_COMP
 if (comp != NULL) {
- rl->compctx = COMP_CTX_new(comp->method);
+ rl->compctx = COMP_CTX_new(comp);
 if (rl->compctx == NULL) {
 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_LIBRARY_ERROR);
 return OSSL_RECORD_RETURN_FATAL;
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 0dac60a3d56..ef5f8e5e8fe 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 #include "internal/e_os.h"
 #include "internal/packet.h"
 #include "../../ssl_local.h"
@@ -1197,7 +1198,7 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype,
- const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options,
@@ -1327,7 +1328,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 size_t ivlen, unsigned char *mackey, size_t mackeylen, const EVP_CIPHER *ciph, size_t taglen, int mactype,
- const EVP_MD *md, const SSL_COMP *comp, BIO *prev,
+ const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
 BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg,
@@ -2140,6 +2141,15 @@ void tls_get_state(OSSL_RECORD_LAYER *rl, const char **shortstr,
 *longstr = lng;
 }
+const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl)
+{
+#ifndef OPENSSL_NO_COMP
+ return (rl->compctx == NULL) ? NULL : COMP_CTX_get_method(rl->compctx);
+#else
+ return NULL;
+#endif
+}
+
 const OSSL_RECORD_METHOD ossl_tls_record_method = {
 tls_new_record_layer,
 tls_free,
@@ -2162,5 +2172,6 @@ const OSSL_RECORD_METHOD ossl_tls_record_method = {
 tls_set_max_pipelines,
 NULL,
 tls_get_state,
- tls_set_options
+ tls_set_options,
+ tls_get_compression
 };
diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c
index e2ca41adf8b..141354b4357 100644
--- a/ssl/record/methods/tlsany_meth.c
+++ b/ssl/record/methods/tlsany_meth.c
@@ -20,7 +20,7 @@ static int tls_any_set_crypto_state(OSSL_RECORD_LAYER *rl, int level,
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ COMP_METHOD *comp)
 {
 if (level != OSSL_RECORD_PROTECTION_LEVEL_NONE) {
 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0318b07a9fb..de4e0a4f3f3 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1136,6 +1136,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
 unsigned int maxfrag = SSL3_RT_MAX_PLAIN_LENGTH;
 int use_early_data = 0;
 uint32_t max_early_data;
+ COMP_METHOD *compm = (comp == NULL) ? NULL : comp->method;
 meth = ssl_select_next_record_layer(s, level);
@@ -1282,7 +1283,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
 s->server, direction, level, epoch, key, keylen, iv, ivlen, mackey, mackeylen, ciph, taglen, mactype, md,
- comp, prev, thisbio, next, NULL, NULL,
+ compm, prev, thisbio, next, NULL, NULL,
 settings, options, rlayer_dispatch_tmp, s, &newrl);
 BIO_free(prev);
diff --git a/ssl/record/recordmethod.h b/ssl/record/recordmethod.h
index 43c1cee578b..6c84737a7cd 100644
--- a/ssl/record/recordmethod.h
+++ b/ssl/record/recordmethod.h
@@ -134,7 +134,7 @@ struct ossl_record_method_st {
 size_t taglen, int mactype, const EVP_MD *md,
- const SSL_COMP *comp,
+ COMP_METHOD *comp,
 BIO *prev, BIO *transport, BIO *next,
@@ -300,6 +300,8 @@ struct ossl_record_method_st {
 * new_record_layer call.
 */
 int (*set_options)(OSSL_RECORD_LAYER *rl, const OSSL_PARAM *options);
+
+ const COMP_METHOD *(*get_compression)(OSSL_RECORD_LAYER *rl);
 };
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 18a6a4865da..3facb703e7d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4786,7 +4786,11 @@ const COMP_METHOD *SSL_get_current_compression(const SSL *s)
 if (sc == NULL)
 return NULL;
- return sc->compress ? COMP_CTX_get_method(sc->compress) : NULL;
+ /* TODO(RECLAYER): Remove me once SSLv3/DTLS moved to write record layer */
+ if (SSL_CONNECTION_IS_DTLS(sc) || sc->version == SSL3_VERSION)
+ return sc->compress ? COMP_CTX_get_method(sc->compress) : NULL;
+
+ return sc->rlayer.wrlmethod->get_compression(sc->rlayer.wrl);
 #else
 return NULL;
 #endif
@@ -4800,7 +4804,7 @@ const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
 if (sc == NULL)
 return NULL;
- return sc->expand ? COMP_CTX_get_method(sc->expand) : NULL;
+ return sc->rlayer.rrlmethod->get_compression(sc->rlayer.rrl);
 #else
 return NULL;
 #endif
diff --git a/test/sslapitest.c b/test/sslapitest.c
index f7aca5cde4d..aa1d045d884 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
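Review bot: The `comp` argument of `new_record_layer` in recordmethod.h is declared as a plain `COMP_METHOD *` while the other algorithm handles in the same parameter list (`const EVP_CIPHER *ciph`, `const EVP_MD *md`) are const-qualified, and the same non-const form is repeated in the `set_crypto_state` signatures of ssl3_meth.c, tls1_meth.c, tls13_meth.c, ktls_meth.c and tlsany_meth.c. Presumably this is forced by `COMP_CTX_new()`, which the ssl3_meth.c and tls1_meth.c hunks now pass `comp` straight into; if so, a short comment next to the parameter, `/* not const: COMP_CTX_new() takes a non-const COMP_METHOD */`, would stop a later cleanup from re-adding the qualifier and breaking those calls. If `COMP_CTX_new()` does accept a const pointer, the parameter should be const-qualified instead. `struct ossl_record_method_st` begins before this hunk.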
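Review bot: `SSL_get_current_compression()` and `SSL_get_current_expansion()` now call through `sc->rlayer.wrlmethod` and `sc->rlayer.rrlmethod` without checking that a record layer has been installed, whereas the replaced code degraded to NULL whenever `sc->compress` or `sc->expand` was unset. If either public function can be reached on a connection whose record layers have not yet been set up — I cannot tell from this hunk whether `ssl_set_new_record_layer()` is guaranteed to have run by then — the call becomes a NULL function-pointer dereference reachable from application code. A guard that preserves the old "no compression" answer costs one line per function, e.g. `if (sc->rlayer.wrlmethod == NULL || sc->rlayer.wrl == NULL) return NULL;` (and the `rrlmethod`/`rrl` pair in the expansion accessor). The asymmetry is also worth a comment: the write side keeps the `sc->compress` path for SSLv3/DTLS but the read side has no such special case, presumably because the read record layer is already converted for every protocol.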
@@ -1073,9 +1073,15 @@ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
 goto end;
 cbuf[0] = count++;
- memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ /* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
+ if (SSL_CONNECTION_IS_TLS13(serversc)) {
+ memcpy(crec_wseq_before, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ } else {
+ memcpy(crec_wseq_before, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+ memcpy(srec_wseq_before, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+ }
 memcpy(crec_rseq_before, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
- memcpy(srec_wseq_before, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
 memcpy(srec_rseq_before, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
 if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf)))
@@ -1096,9 +1102,15 @@ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
 }
 }
- memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ /* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
+ if (SSL_CONNECTION_IS_TLS13(serversc)) {
+ memcpy(crec_wseq_after, &clientsc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
+ } else {
+ memcpy(crec_wseq_after, &clientsc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+ memcpy(srec_wseq_after, &serversc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
+ }
 memcpy(crec_rseq_after, &clientsc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
- memcpy(srec_wseq_after, &serversc->rlayer.write_sequence, SEQ_NUM_SIZE);
 memcpy(srec_rseq_after, &serversc->rlayer.rrl->sequence, SEQ_NUM_SIZE);
 /* verify the payload */
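Review bot: The same eight-line switch on `SSL_CONNECTION_IS_TLS13(serversc)` is pasted twice in `ping_pong_query` (before the write and after it), so the TODO asking for its removal will have to be honoured in two places. A small static helper that copies one connection's write sequence number keeps the TLSv1.3 special case in one spot, and the four call sites then read like the unchanged `rrl->sequence` lines beside them. The helper also makes the version check per connection instead of reading the client's sequence based on the server's version, which is equivalent today only because both ends negotiate the same version. `ping_pong_query` starts before the first hunk and continues after the second.
```c
/* TODO(RECLAYER): Remove me once TLSv1.3 write side converted */
static void copy_write_seq(SSL_CONNECTION *sc, void *dst)
{
    if (SSL_CONNECTION_IS_TLS13(sc))
        memcpy(dst, &sc->rlayer.write_sequence, SEQ_NUM_SIZE);
    else
        memcpy(dst, &sc->rlayer.wrl->sequence, SEQ_NUM_SIZE);
}

/* … unchanged: ping_pong_query up to cbuf[0] = count++; … */
    copy_write_seq(clientsc, crec_wseq_before);
    copy_write_seq(serversc, srec_wseq_before);
    /* … unchanged: read-side copies, SSL_write/SSL_read exchange … */
    copy_write_seq(clientsc, crec_wseq_after);
    copy_write_seq(serversc, srec_wseq_after);
```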