Add support for setting a custom TLS Record Layer
authorMatt Caswell <matt@openssl.org>
Thu, 10 Nov 2022 16:05:16 +0000 (16:05 +0000)
committerMatt Caswell <matt@openssl.org>
Tue, 24 Jan 2023 17:16:29 +0000 (17:16 +0000)
This is just an internal API for now. Something like this will be made
public API at some point - but it is likely to be based on the provider
interface rather than a direct setting of a METHOD like we do for now.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19748)

include/internal/recordmethod.h
ssl/record/methods/dtls_meth.c
ssl/record/methods/ktls_meth.c
ssl/record/methods/tls_common.c
ssl/record/rec_layer_s3.c
ssl/record/record.h
ssl/ssl_local.h
test/tls13encryptiontest.c

index aef2f1919226df9c7c9e30c85c887f7cb26c9c86..d6d432413a75ed6041be6a7571e73d2fda239843 100644 (file)
@@ -144,6 +144,7 @@ struct ossl_record_method_st {
                             const OSSL_PARAM *options,
                             const OSSL_DISPATCH *fns,
                             void *cbarg,
+                            void *rlarg,
                             OSSL_RECORD_LAYER **ret);
     int (*free)(OSSL_RECORD_LAYER *rl);
 
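Review bot: The new `rlarg` parameter of `new_record_layer` carries no comment saying who supplies it, whether libssl interprets it, or who owns it, so an implementer cannot tell it apart from the adjacent `cbarg`. A one-line comment on the parameter would settle that, e.g. `void *rlarg,  /* opaque value set via ossl_ssl_set_custom_record_layer(); passed through untouched, caller retains ownership */` — hedged, since the struct's header comment (if any) and the rest of `struct ossl_record_method_st` are outside this hunk. If the header comment enumerates the parameters, `rlarg` should be added there as well.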
index 10a898abb464fa9656f3eb64c3df9d351e1ddfe3..55e49188cd1e1dd94fe3a08007f3913d26a58149 100644 (file)
@@ -631,7 +631,7 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                       const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                       BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
-                      const OSSL_DISPATCH *fns, void *cbarg,
+                      const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
                       OSSL_RECORD_LAYER **retrl)
 {
     int ret;
index acd94e180abc376f4b811c409cace8e47089770e..21f7c41b4483ad630725e1597b257b3885ed110e 100644 (file)
@@ -409,7 +409,7 @@ ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                       const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                       BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                       const OSSL_PARAM *settings, const OSSL_PARAM *options,
-                      const OSSL_DISPATCH *fns, void *cbarg,
+                      const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
                       OSSL_RECORD_LAYER **retrl)
 {
     int ret;
index 0eddfa7c2f93651f3625259e379184ed2399d29f..9fca10c50e7872ca9331f82ce7514e461dae5ef2 100644 (file)
@@ -1331,7 +1331,7 @@ tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                      const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
                      BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
                      const OSSL_PARAM *settings, const OSSL_PARAM *options,
-                     const OSSL_DISPATCH *fns, void *cbarg,
+                     const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
                      OSSL_RECORD_LAYER **retrl)
 {
     int ret;
index b4435bf0201b3458ad23760ad3a1ac9d90ff52af..7fa22bb02b31ed63825bb937f7dafd9fb1265bda 100644 (file)
@@ -1086,10 +1086,20 @@ static const OSSL_DISPATCH rlayer_dispatch[] = {
     { 0, NULL }
 };
 
+void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s,
+                                      const OSSL_RECORD_METHOD *meth,
+                                      void *rlarg)
+{
+    s->rlayer.custom_rlmethod = meth;
+    s->rlayer.rlarg = rlarg;
+}
+
 static const OSSL_RECORD_METHOD *ssl_select_next_record_layer(SSL_CONNECTION *s,
                                                               int direction,
                                                               int level)
 {
+    if (s->rlayer.custom_rlmethod != NULL)
+        return s->rlayer.custom_rlmethod;
 
     if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE) {
         if (SSL_CONNECTION_IS_DTLS(s))
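Review bot: The early return added to `ssl_select_next_record_layer` ignores both `direction` and `level`, so a single custom method serves the read and write sides and every protection level including `OSSL_RECORD_PROTECTION_LEVEL_NONE`, and `ossl_ssl_set_custom_record_layer` stores `meth` without any check, with `NULL` silently restoring the default selection; none of this is stated near the code. Suggest a comment on the setter such as `/* NULL meth restores default selection; a non-NULL meth is used for both directions and all protection levels from the next record layer (re)creation onward */` — the "next (re)creation" part is inferred, since the setter does not itself tear down an existing layer. The second hunk (`s, s->rlayer.rlarg, &newrl`) passes `rlarg` to whichever method was selected, built-in ones included, which is worth a short comment there too so nobody assumes it is custom-only. The stray blank line after `return s->rlayer.custom_rlmethod;` can be dropped, and `ssl_select_next_record_layer` continues outside the hunk.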
@@ -1324,7 +1334,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
                                        mackeylen, ciph, taglen, mactype, md,
                                        compm, prev, thisbio, next, NULL, NULL,
                                        settings, options, rlayer_dispatch_tmp,
-                                       s, &newrl);
+                                       s, s->rlayer.rlarg, &newrl);
         BIO_free(prev);
         switch (rlret) {
         case OSSL_RECORD_RETURN_FATAL:
index 419e322f51062c6f00ae4a8c1c402993fef1210b..e2fdd05f0c95e829279647323e4adbf4ce52b51d 100644 (file)
@@ -74,6 +74,10 @@ typedef struct record_layer_st {
     /* The parent SSL_CONNECTION structure */
     SSL_CONNECTION *s;
 
+    /* Custom record layer: always selected if set */
+    const OSSL_RECORD_METHOD *custom_rlmethod;
+    /* Record layer specific argument */
+    void *rlarg;
     /* Method to use for the read record layer*/
     const OSSL_RECORD_METHOD *rrlmethod;
     /* Method to use for the write record layer*/
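Review bot: The new `rlarg` field runs straight into the existing `/* Method to use for the read record layer*/` comment with no separating blank line, unlike the `SSL_CONNECTION *s;` group above it, so the two new fields read as part of the rrlmethod/wrlmethod group. Adding a blank line after `void *rlarg;` restores the grouping. The comment on `custom_rlmethod` could also say it overrides selection for both directions and all protection levels, which is what `ssl_select_next_record_layer` now does; the enclosing `struct record_layer_st` begins and ends outside the hunk.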
index 72aab22be81525fad4163ed5d993da09f19618ba..25fa38137e2c798f014208ab5f672f5613ec250a 100644 (file)
@@ -2984,4 +2984,8 @@ static ossl_unused ossl_inline void ssl_tsan_counter(const SSL_CTX *ctx,
 int ossl_comp_has_alg(int a);
 size_t ossl_calculate_comp_expansion(int alg, size_t length);
 
+void ossl_ssl_set_custom_record_layer(SSL_CONNECTION *s,
+                                      const OSSL_RECORD_METHOD *meth,
+                                      void *rlarg);
+
 #endif
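Review bot: The prototype for `ossl_ssl_set_custom_record_layer` is added without any documentation, although its semantics are not obvious from the signature: `meth` replaces the TLS/DTLS/KTLS selection for both directions and all protection levels, `NULL` clears the override, and `rlarg` is handed to the method's `new_record_layer` as an opaque value. Suggest a comment above the declaration stating those three points and that libssl neither interprets nor frees `meth` or `rlarg` (as far as this commit shows — no change to the free path is visible). Noting that the function is internal-only, as the commit message says, would also help readers of the header.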
index b25dae88f03827ef08732a4fdc4f6f3941288d54..1529e1b1ba4c542adf322d3832e5bc1322c3910f 100644 (file)
@@ -338,7 +338,7 @@ static int test_tls13_encryption(void)
                           OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
                           iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
                           EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
-                          NULL, NULL, NULL, NULL, NULL, NULL, &wrl)))
+                          NULL, NULL, NULL, NULL, NULL, NULL, NULL, &wrl)))
             goto err;
         memcpy(wrl->sequence, seqbuf, sizeof(seqbuf));
 
@@ -360,7 +360,7 @@ static int test_tls13_encryption(void)
                           OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
                           iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
                           EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
-                          NULL, NULL, NULL, NULL, NULL, NULL, &rrl)))
+                          NULL, NULL, NULL, NULL, NULL, NULL, NULL, &rrl)))
             goto err;
         memcpy(rrl->sequence, seqbuf, sizeof(seqbuf));