From bea8d70498c9ad0e2cca3652c748d327be7b841e Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 10 Nov 2022 16:05:16 +0000 Subject: [PATCH] Add support for setting a custom TLS Record Layer This is just an internal API for now. Something like this will be made public API at some point - but it is likely to be based on the provider interface rather that a direct setting of a METHOD like we do for now. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19748) --- include/internal/recordmethod.h | 1 + ssl/record/methods/dtls_meth.c | 2 +- ssl/record/methods/ktls_meth.c | 2 +- ssl/record/methods/tls_common.c | 2 +- ssl/record/rec_layer_s3.c | 12 +++++++++++- ssl/record/record.h | 4 ++++ ssl/ssl_local.h | 4 ++++ test/tls13encryptiontest.c | 4 ++-- 8 files changed, 25 insertions(+), 6 deletions(-) diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h index aef2f19192..d6d432413a 100644 --- a/include/internal/recordmethod.h +++ b/include/internal/recordmethod.h @@ -144,6 +144,7 @@ struct ossl_record_method_st { const OSSL_PARAM *options, const OSSL_DISPATCH *fns, void *cbarg, + void *rlarg, OSSL_RECORD_LAYER **ret); int (*free)(OSSL_RECORD_LAYER *rl); diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index 10a898abb4..55e49188cd 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -631,7 +631,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c index acd94e180a..21f7c41b44 100644 --- a/ssl/record/methods/ktls_meth.c +++ b/ssl/record/methods/ktls_meth.c @@ -409,7 +409,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 0eddfa7c2f..9fca10c50e 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -1331,7 +1331,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, const EVP_MD *md, COMP_METHOD *comp, BIO *prev, BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer, const OSSL_PARAM *settings, const OSSL_PARAM *options, - const OSSL_DISPATCH *fns, void *cbarg, + const OSSL_DISPATCH *fns, void *cbarg, void *rlarg, OSSL_RECORD_LAYER **retrl) { int ret; diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b4435bf020..7fa22bb02b 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1086,10 +1086,20 @@ static const OSSL_DISPATCH rlayer_dispatch[] = { { 0, NULL } }; +void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, + const OSSL_RECORD_METHOD *meth, + void *rlarg) +{ + s->rlayer.custom_rlmethod = meth; + s->rlayer.rlarg = rlarg; +} + static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s, int direction, int level) { + if (s->rlayer.custom_rlmethod != NULL) + return s->rlayer.custom_rlmethod; if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) { if (SSL_CONNECTION_IS_DTLS(s)) @@ -1324,7 +1334,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, mackeylen, ciph, taglen, mactype, md, compm, prev, thisbio, next, NULL, NULL, settings, options, rlayer_dispatch_tmp, - s, &newrl); + s, s->rlayer.rlarg, &newrl); BIO_free(prev); switch (rlret) { case OSSL_RECORD_RETURN_FATAL: diff --git a/ssl/record/record.h b/ssl/record/record.h index 419e322f51..e2fdd05f0c 100644 --- a/ssl/record/record.h +++ b/ssl/record/record.h @@ -74,6 +74,10 @@ typedef struct record_layer_st { /* The parent SSL_CONNECTION structure */ SSL_CONNECTION *s; + /* Custom record layer: always selected if set */ + const OSSL_RECORD_METHOD *custom_rlmethod; + /* Record layer specific argument */ + void *rlarg; /* Method to use for the read record layer*/ const OSSL_RECORD_METHOD *rrlmethod; /* Method to use for the write record layer*/ diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 72aab22be8..25fa38137e 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2984,4 +2984,8 @@ static ossl_unused ossl_inline void ssl_tsan_counter(const SSL_CTX *ctx, int ossl_comp_has_alg(int a); size_t ossl_calculate_comp_expansion(int alg, size_t length); +void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s, + const OSSL_RECORD_METHOD *meth, + void *rlarg); + #endif diff --git a/test/tls13encryptiontest.c b/test/tls13encryptiontest.c index b25dae88f0..1529e1b1ba 100644 --- a/test/tls13encryptiontest.c +++ b/test/tls13encryptiontest.c @@ -338,7 +338,7 @@ static int test_tls13_encryption(void) OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(), EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, &wrl))) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, &wrl))) goto err; memcpy(wrl->sequence, seqbuf, sizeof(seqbuf)); @@ -360,7 +360,7 @@ static int test_tls13_encryption(void) OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(), EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, &rrl))) + NULL, NULL, NULL, NULL, NULL, NULL, NULL, &rrl))) goto err; memcpy(rrl->sequence, seqbuf, sizeof(seqbuf)); -- 2.34.1