mirror of https://github.com/openssl/openssl.git
KTLS: Handle TLS 1.3 in ssl3_get_record.
- Don't unpad records, check the outer record type, or extract the inner record type from TLS 1.3 records handled by the kernel. KTLS performs all of these steps and returns the inner record type in the TLS header. - When checking the length of a received TLS 1.3 record don't allow for the extra byte for the nested record type when KTLS is used. - Pass a pointer to the record type in the TLS header to the SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old pointer pointed to the last byte of payload rather than the record type. For the non-KTLS case, the TLS header has been updated with the inner type before this callback is invoked. Co-authored-by: John Baldwin <jhb@FreeBSD.org> Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
This commit is contained in:
Daiki Ueno
Tomas Mraz
parent
031132c297
commit
a5fb960532
|
|
@ -366,7 +366,9 @@ int ssl3_get_record(SSL *s)
|
|||
}
|
||||
}
|
||||
|
||||
if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
|
||||
if (SSL_IS_TLS13(s)
|
||||
&& s->enc_read_ctx != NULL
|
||||
&& !using_ktls) {
|
||||
if (thisrr->type != SSL3_RT_APPLICATION_DATA
|
||||
&& (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
|
||||
|| !SSL_IS_FIRST_HANDSHAKE(s))
|
||||
|
|
@ -396,7 +398,13 @@ int ssl3_get_record(SSL *s)
|
|||
}
|
||||
|
||||
if (SSL_IS_TLS13(s)) {
|
||||
if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
|
||||
size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
|
||||
|
||||
/* KTLS strips the inner record type. */
|
||||
if (using_ktls)
|
||||
len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
|
||||
|
||||
if (thisrr->length > len) {
|
||||
SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
|
||||
SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
|
||||
return -1;
|
||||
|
|
@ -678,21 +686,29 @@ int ssl3_get_record(SSL *s)
|
|||
if (SSL_IS_TLS13(s)
|
||||
&& s->enc_read_ctx != NULL
|
||||
&& thisrr->type != SSL3_RT_ALERT) {
|
||||
size_t end;
|
||||
/*
|
||||
* The following logic are irrelevant in KTLS: the kernel provides
|
||||
* unprotected record and thus record type represent the actual
|
||||
* content type, and padding is already removed and thisrr->type and
|
||||
* thisrr->length should have the correct values.
|
||||
*/
|
||||
if (!using_ktls) {
|
||||
size_t end;
|
||||
|
||||
if (thisrr->length == 0
|
||||
|| thisrr->type != SSL3_RT_APPLICATION_DATA) {
|
||||
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
|
||||
goto end;
|
||||
if (thisrr->length == 0
|
||||
|| thisrr->type != SSL3_RT_APPLICATION_DATA) {
|
||||
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* Strip trailing padding */
|
||||
for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
|
||||
end--)
|
||||
continue;
|
||||
|
||||
thisrr->length = end;
|
||||
thisrr->type = thisrr->data[end];
|
||||
}
|
||||
|
||||
/* Strip trailing padding */
|
||||
for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
|
||||
end--)
|
||||
continue;
|
||||
|
||||
thisrr->length = end;
|
||||
thisrr->type = thisrr->data[end];
|
||||
if (thisrr->type != SSL3_RT_APPLICATION_DATA
|
||||
&& thisrr->type != SSL3_RT_ALERT
|
||||
&& thisrr->type != SSL3_RT_HANDSHAKE) {
|
||||
|
|
@ -701,7 +717,7 @@ int ssl3_get_record(SSL *s)
|
|||
}
|
||||
if (s->msg_callback)
|
||||
s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
|
||||
&thisrr->data[end], 1, s, s->msg_callback_arg);
|
||||
&thisrr->type, 1, s, s->msg_callback_arg);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in New Issue