Commit Graph

114 Commits

Author SHA1 Message Date
Matt Caswell da1c088f59 Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-07 09:59:15 +01:00
Tomas Mraz eb1eaa9af4 Always use uint8_t for TLS record type
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:04:00 +01:00
Tomas Mraz 1cc8c53b0f Avoid issues with endianness when type is used in SSL_trace()
The TLS record type is a single byte value so we can
use uint8_t for it. This allows passing its address
directly to SSL_trace() instead of converting it to
a single byte type first.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21823)
2023-08-25 12:03:46 +01:00
Matt Caswell 0577dbad07 Fix a memory leak in tls_new_record_layer
If setting the crypto state has failed then memory might have been
partially allocated to fields within the partially constructed record
layer. We need to call tls_int_free() to properly free it.

Found by the reproducible error patch in openssl#21668

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21753)
2023-08-17 21:35:53 +02:00
Matt Caswell 73bac6e280 Ensure that the SSL_rstate_string*() API works as they used to
We initialise the record layer rstate variable to ensure the
SSL_rstate_string*() APIs return values that are consistent with
previous versions.

Fixes #20808

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20827)
2023-04-27 17:03:33 +01:00
Matt Caswell 7a4e109ebe Allow partially releasing a record for TLS
This enables the cleansing of plaintext to occur in the record layer and
avoids the need to cast away const above the record layer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20404)
2023-04-12 11:02:01 +10:00
Matt Caswell 2eb91b0ec3 Make the data field for get_record() const
Improves consistency with the QUIC rstream implementation - and improves
the abstraction between the TLS implementation and the abstract record
layer. We should not expect that the TLS implementation should be able to
change the underlying buffer. Future record layers may not expect that.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20404)
2023-04-12 11:02:01 +10:00
Matt Caswell 79abf0dff9 Remove spurious error queue entries on early data
Early data decryption is expected to fail sometimes. If it does we should
not leave spurious error entries on the queue.

Fixes #20377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20401)
2023-03-06 08:35:17 +11:00
Philippe Antoine 1dbfd7fe24 fuzz: fix coverity warnings
introduced by 2b9e2afc38

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20253)
2023-02-20 10:04:30 -05:00
Tomas Mraz 25624c9087 Rationalize FIPS sources
Avoid including QUIC related stuff in the FIPS sources.
Also avoid including libssl headers in ssl3_cbc.c.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19658)
2023-02-08 16:20:55 +01:00
Philippe Antoine 2b9e2afc38 fuzz: make post handshake reachable
So that CVE-2021-3449 can be found through fuzzing

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/20128)
2023-02-08 16:13:17 +01:00
Matt Caswell 3f9175c7a4 Extend the new_record_layer function
Add the ability to pass the main secret and length, as well as the
digest used for the KDF.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell bea8d70498 Add support for setting a custom TLS Record Layer
This is just an internal API for now. Something like this will be made
public API at some point - but it is likely to be based on the provider
interface rather that a direct setting of a METHOD like we do for now.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell e5103dfc12 Remove an unneeded OSSL_RECORD_METHOD function
The reset() function was never called so it can be removed.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)
2023-01-24 17:16:29 +00:00
Matt Caswell 626618a09d Ensure our buffer allocation allows for the Explicit IV
Some ciphers/protocol versions have an explicit IV. We need to make sure we
have sufficient room for it in the underlying buffer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20085)
2023-01-24 11:20:43 +11:00
Matt Caswell 22094d11a7 Rename SSL3_RECORD to TLS_RL_RECORD
The SSL3 prefix no longer seems appropriate. We choose TLS_RL_RECORD instead
of TLS_RECORD because that type already exists elsewhere.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)
2022-11-14 07:51:26 +00:00
Matt Caswell e9189cc4af Rename SSL3_BUFFER to TLS_BUFFER
The SSL3 prefix no longer seems appropriate.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)
2022-11-14 07:51:25 +00:00
Matt Caswell 23c57f001d Move declarations out of record.h and record_local.h
We move many of the declarations in record.h and record_local.h into
locations inside ssl/record/methods instead. Also many declarations were
no longer required and could be removed completely.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19586)
2022-11-14 07:51:17 +00:00
Matt Caswell ecacbc5e3c Use the same encryption growth macro consistently
We had two different macros for calculating the potential growth due to
encryption. The macro we use for allocating the underlying buffer should be
the same one that we use for reserving bytes for encryption growth.

Also if we are adding the MAC independently of the cipher algorithm then
the encryption growth will not include that MAC so we should remove it
from the amount of bytes that we reserve for that growth. Otherwise we
might exceed our buffer size and the WPACKET_reserve operation will
fail.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19622)
2022-11-07 17:12:01 +00:00
Matt Caswell b05fbac1fc Fix dtls_get_max_record_overhead()
We fix dtls_get_max_record_overhead() to give a better value for the max
record overhead. We can't realistically handle the compression case so we
just ignore that.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19516)
2022-11-07 10:59:20 +00:00
Matt Caswell 830eae60a6 Fix the ceiling on how much encryption growth we can have
Stitched ciphersuites can grow by more during encryption than the code
allowed for. We fix the calculation and add an assert to check we go it
right.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19516)
2022-11-07 10:59:20 +00:00
Matt Caswell 8ccde3fc78 Fix read pipelining
During read pipelining we must ensure that the buffer is sufficiently large
to read enough data to fill our pipelines. We also remove some code that
moved data to the start of the packet if we can. This was unnecessary
because of later code which would end up moving it anyway. The earlier move
was also incorrect in the case that |clearold| was 0. This would cause the
read pipelining code to fail with sufficiently large records.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19456)
2022-11-02 11:11:40 +01:00
Matt Caswell b718f6fcc4 Add a test for TLS pipelining
TLS pipelining provides the ability for libssl to read or write multiple
records in parallel. It requires special ciphers to do this, and there are
currently no built-in ciphers that provide this capability. However, the
dasync engine does have such a cipher, so we add a test for this capability
using that engine.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19456)
2022-11-02 11:11:40 +01:00
Matt Caswell fba0206da7 Remove some unused OSSL_RECORD_METHOD functions
Remove two function pointers from the OSSL_RECORD_METHOD. Those functions
were no-ops and were never called.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19472)
2022-10-27 10:52:52 +01:00
Matt Caswell 7eb39ecb29 Make SSL_alloc_buffers() and SSL_free_buffers() work again
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19472)
2022-10-27 10:52:52 +01:00
Matt Caswell 50bed93a76 Fix test_tls13_encryption()
This test was disabled during the record write record layer refactor.
We can now enable it again.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19470)
2022-10-25 11:42:11 +01:00
Matt Caswell b92fc4ae18 Remove some redundant code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell e158ada6a7 Remove the old buffer management code
We no longer use the old buffer management code now that it has all been
moved to the new record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell 3abc0d3e85 Remove supurious set of the record type
We already set the record type on the SSL3_RECORD structure. We don't
need to do it again (inconsistently).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell bed07b1875 Consolidate sequence counter incrementing code
The sequence counter was incremented in numerous different ways in
numerous different locations. We introduce a single function to do this
inside the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell 4f428e86d8 Ensure the record layer is responsible for calculating record overheads
Don't calculate the potential record layer expansion outside of the
record layer. We move some code that was doing that into the record
layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell b9e37f8f57 Convert dtls_write_records to use standard record layer functions
We have standard functions for most of the work that dtls_write_records
does - so we convert it to use those functions instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
2022-10-20 14:39:33 +01:00
Matt Caswell f78c51995e Fix a return value in tls_default_read_n
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell ace3819506 Introduce a step to prepare the BIO before writing
This removes some KTLS specific code from tls_retry_write_records().

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 5bc226ab32 Remove ktls specific code from tls_setup_write_buffers
The KTLS code no longer calls this function so this is not necessary.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 2a354d5463 Add a post encryption processing step
For example in this we add the MAC if we are doing encrypt-then-mac.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 757ef3bab0 Add a prepare for encryption step
This applies any mac that might be necessary, ensures that we have
enough space in the WPACKET to perform the encryption and sets up the
SSL3_RECORD ready for that encryption.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 2582de2590 Move record padding out of tls_common.c
Only tls13_meth.c needs to handle adding record padding. All other
*_meth.c files can ignore it.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell b6f7519bc4 Don't check whether we are using KTLS before calling the cipher function
The KTLS cipher function is a no-op so it doesn't matter if we call it.
We shouldn't special case KTLS in tls_common.c

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell aca70ca81c Defer record header preparation to the protocol methods
We introduce a new function to prepare the record header. KTLS has its own
version since this is done by the kernel.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 7ca61d63e9 Abstract out the record type processing
Remove TLSv1.3 specific processing of the record type out of tls_common.c
and into tls13_meth.c

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 91fe8ff02a Defer write buffer and WPACKET allocation/initialisation to protocol code
We move some protocol specific code for write buffer and WPACKET allocation
and initialisation out of tls_common.c and into the protocol specific files.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 435d88d708 Use the configured max_send_fragment value in the write record layer
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 4bf610bdce Remove enc_write_state
This field was used to track whether a cipher ctx was valid for writing
or not, and also whether we should write out plaintext alerts. With the new
record layer design we no longer need to track whether a cipher ctx is valid
since the whole record layer will be aborted if it is not. Also we have a
different mechanism for tracking whether we should write out plaintext
alerts. Therefore this field is removed from the SSL object.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 2f6e24eb5b Remove some unneeded usage of the SSL_CONNECTION object
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell bfda3aeec5 Remove most of the DTLS special casing from the write record code
Most of this was unnecessary anyway since DTLS isn't using these codepaths.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell 2c50d7fb06 Convert the TLSv1.3 crypto code to the new write record layer
We also clean up some of the KTLS code while we are doing it now that all
users of KTLS have been moved to the new write record layer.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19343)
2022-10-12 15:53:31 +01:00
Matt Caswell a8572674f1 Move the SSLv3 crypto code into the new record layer
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)
2022-10-05 15:21:37 +01:00
Matt Caswell 1e76110b72 Enable the ability to query the COMP_METHOD being used in the record layer
We also convert to passing COMP_METHOD rather than SSL_COMP to the record
layer. The former is a public type while the latter is internal only - and
the only thing we need from SSL_COMP is the method.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)
2022-10-05 15:21:37 +01:00
Matt Caswell 9251c3c4c7 Convert the TLSv1.0/1.1/1.2 crypto code to use the new write record layer
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19217)
2022-10-05 15:21:37 +01:00