From: Matt Caswell Date: Thu, 10 Nov 2022 16:05:16 +0000 (+0000) Subject: Add support for setting a custom TLS Record Layer X-Git-Tag: openssl-3.2.0-alpha1~1394 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bea8d70498c9ad0e2cca3652c748d327be7b841e;p=thirdparty%2Fopenssl.git Add support for setting a custom TLS Record Layer This is just an internal API for now. Something like this will be made public API at some point - but it is likely to be based on the provider interface rather that a direct setting of a METHOD like we do for now. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19748) --- diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h index aef2f191922..d6d432413a7 100644 --- a/include/internal/recordmethod.h +++ b/include/internal/recordmethod.h @@ -144,6 +144,7 @@ struct ossl_record_method_st { const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, + void *rlarg, OSSL_RECORD_LAYER **ret); int (*free)(OSSL_RECORD_LAYER *rl); diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index 10a898abb46..55e49188cd1 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -631,7 +631,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index acd94e180ab..21f7c41b448 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -409,7 +409,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 0eddfa7c2f9..9fca10c50e7 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -1331,7 +1331,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b4435bf0201..7fa22bb02b3 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1086,10 +1086,20 @@ static const OSSL_DISPATCH rlayer_dispatch[] = { { 0, NULL } }; +void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, + const OSSL_RECORD_METHOD *meth, + void *rlarg) +{ + s->rlayer.custom_rlmethod = meth; + s->rlayer.rlarg = rlarg; +} + static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s, int direction, int level) { + if (s->rlayer.custom_rlmethod != NULL) + return s->rlayer.custom_rlmethod; if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) { if (SSL_CONNECTION_IS_DTLS(s)) @@ -1324,7 +1334,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, mackeylen, ciph, taglen, mactype, md, compm, prev, thisbio, next, NULL, NULL, settings, options, rlayer_dispatch_tmp, - s, &newrl); + s, s->rlayer.rlarg, &newrl); BIO_free(prev); switch (rlret) { case OSSL_RECORD_RETURN_FATAL: diff --git a/ssl/record/record.h b/ssl/record/record.h index 419e322f510..e2fdd05f0c9 100644 --- a/ssl/record/record.h +++ b/ssl/record/record.h @@ -74,6 +74,10 @@ typedef struct record_layer_st { /* The parent SSL_CONNECTION structure */ SSL_CONNECTION *s; + /* Custom record layer: always selected if set */ + const OSSL_RECORD_METHOD *custom_rlmethod; + /* Record layer specific argument */ + void *rlarg; /* Method to use for the read record layer*/ const OSSL_RECORD_METHOD *rrlmethod; /* Method to use for the write record layer*/ diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 72aab22be81..25fa38137e2 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2984,4 +2984,8 @@ static ossl_unused ossl_inline void ssl_tsan_counter(const SSL_CTX *ctx, int ossl_comp_has_alg(int a); size_t ossl_calculate_comp_expansion(int alg, size_t length); +void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, + const OSSL_RECORD_METHOD *meth, + void *rlarg); + #endif diff --git a/test/tls13encryptiontest.c b/test/tls13encryptiontest.c index b25dae88f03..1529e1b1ba4 100644 --- a/test/tls13encryptiontest.c +++ b/test/tls13encryptiontest.c @@ -338,7 +338,7 @@ static int test_tls13_encryption(void) OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(), EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, &wrl))) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, &wrl))) goto err; memcpy(wrl->sequence, seqbuf, sizeof(seqbuf)); @@ -360,7 +360,7 @@ static int test_tls13_encryption(void) OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(), EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, &rrl))) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, &rrl))) goto err; memcpy(rrl->sequence, seqbuf, sizeof(seqbuf));