From: Tomas Mraz Date: Wed, 28 Jun 2023 14:34:14 +0000 (+0200) Subject: Cleanse also the send stream data with SSL_OP_CLEANSE_PLAINTEXT X-Git-Tag: openssl-3.2.0-alpha1~540 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ba2edb7143472e306cbb4cbee9bae3094bc01ef;p=thirdparty%2Fopenssl.git Cleanse also the send stream data with SSL_OP_CLEANSE_PLAINTEXT QUIC differs from TLS in this regard because it buffers the data to be sent. TLS just encrypts the data to send in place. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21311) --- diff --git a/include/internal/quic_stream.h b/include/internal/quic_stream.h index 4bd88d5b110..ad76488e8ba 100644 --- a/include/internal/quic_stream.h +++ b/include/internal/quic_stream.h @@ -295,6 +295,11 @@ void ossl_quic_sstream_adjust_iov(size_t len, OSSL_QTX_IOVEC *iov, size_t num_iov); +/* + * Sets flag to cleanse the buffered data when it is acked. + */ +void ossl_quic_sstream_set_cleanse(QUIC_SSTREAM *qss, int cleanse); + /* * QUIC Receive Stream Manager * =========================== diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c index dc16d69a8d5..1aa14175e7f 100644 --- a/ssl/quic/quic_channel.c +++ b/ssl/quic/quic_channel.c @@ -2694,16 +2694,18 @@ static int ch_init_new_stream(QUIC_CHANNEL *ch, QUIC_STREAM *qs, int server_init = ossl_quic_stream_is_server_init(qs); int local_init = (ch->is_server == server_init); int is_uni = !ossl_quic_stream_is_bidi(qs); + int cleanse = (ch->tls->ctx->options & SSL_OP_CLEANSE_PLAINTEXT) != 0; - if (can_send && (qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL) - goto err; + if (can_send) { + if ((qs->sstream = ossl_quic_sstream_new(INIT_APP_BUF_LEN)) == NULL) + goto err; + ossl_quic_sstream_set_cleanse(qs->sstream, cleanse); + } if (can_recv) { if ((qs->rstream = ossl_quic_rstream_new(NULL, NULL, 0)) == NULL) goto err; - ossl_quic_rstream_set_cleanse(qs->rstream, - (ch->tls->ctx->options - & SSL_OP_CLEANSE_PLAINTEXT) != 0); + ossl_quic_rstream_set_cleanse(qs->rstream, cleanse); } /* TXFC */ diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 3454b35ef73..bbd995d5174 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -2802,15 +2802,19 @@ const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u) int ossl_quic_set_ssl_op(SSL *ssl, uint64_t op) { QCTX ctx; + int cleanse; if (!expect_quic_with_stream_lock(ssl, /*remote_init=*/-1, &ctx)) return 0; - if (ctx.xso->stream == NULL || ctx.xso->stream->rstream == NULL) + if (ctx.xso->stream == NULL) goto out; - ossl_quic_rstream_set_cleanse(ctx.xso->stream->rstream, - (op & SSL_OP_CLEANSE_PLAINTEXT) != 0); + cleanse = (op & SSL_OP_CLEANSE_PLAINTEXT) != 0; + if (ctx.xso->stream->rstream != NULL) + ossl_quic_rstream_set_cleanse(ctx.xso->stream->rstream, cleanse); + if (ctx.xso->stream->sstream != NULL) + ossl_quic_sstream_set_cleanse(ctx.xso->stream->sstream, cleanse); out: quic_unlock(ctx.qc); diff --git a/ssl/quic/quic_sstream.c b/ssl/quic/quic_sstream.c index 5ead14038a0..a4bf7b025d5 100644 --- a/ssl/quic/quic_sstream.c +++ b/ssl/quic/quic_sstream.c @@ -52,6 +52,7 @@ struct quic_sstream_st { unsigned int have_final_size : 1; unsigned int sent_final_size : 1; unsigned int acked_final_size : 1; + unsigned int cleanse : 1; }; static void qss_cull(QUIC_SSTREAM *qss); @@ -349,7 +350,8 @@ static void qss_cull(QUIC_SSTREAM *qss) * can only cull contiguous areas at the start of the ring buffer anyway. */ if (h != NULL) - ring_buf_cpop_range(&qss->ring_buf, h->range.start, h->range.end, 0); + ring_buf_cpop_range(&qss->ring_buf, h->range.start, h->range.end, + qss->cleanse); } int ossl_quic_sstream_set_buffer_size(QUIC_SSTREAM *qss, size_t num_bytes) @@ -410,3 +412,8 @@ void ossl_quic_sstream_adjust_iov(size_t len, running += iovlen; } } + +void ossl_quic_sstream_set_cleanse(QUIC_SSTREAM *qss, int cleanse) +{ + qss->cleanse = cleanse; +}