[openssl] master update
tmraz at fedoraproject.org
tmraz at fedoraproject.org
Mon Mar 16 09:42:31 UTC 2020
The branch master has been updated
via 074a6e86e695d9f2dadf9b4ffe405c2eed24fbdc (commit)
via b1f79e7ce54afc28bfb5dfcfdd379782ed501b0a (commit)
from fda127beb2b3c029741573b0dd931295b3446fd2 (commit)
- Log -----------------------------------------------------------------
commit 074a6e86e695d9f2dadf9b4ffe405c2eed24fbdc
Author: John Baldwin <jhb at FreeBSD.org>
Date: Wed Nov 20 13:40:12 2019 -0800
Use a flag in SSL3_BUFFER to track when an application buffer is reused.
With KTLS, writes to an SSL connection store the application buffer
pointer directly in the 'buf' member instead of allocating a separate
buffer to hold the encrypted data. As a result,
ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers.
Previously, ssl3_release_write_buffer() checked for KTLS being enabled
on the write BIO to determine if a buffer should be freed. However, a
buffer can outlive a BIO. For example, 'openssl s_time' creates new
write BIOs when reusing sessions. Since the new BIO did not have KTLS
enabled at the start of a connection, ssl3_release_write_buffer()
would incorrectly try to free the 'buf' pointer from the previous KTLS
connection. To fix, track the state of 'buf' explicitly in
SSL3_BUFFER to determine if the 'buf' should be freed or simply
cleared.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)
commit b1f79e7ce54afc28bfb5dfcfdd379782ed501b0a
Author: John Baldwin <jhb at FreeBSD.org>
Date: Tue Nov 19 14:12:56 2019 -0800
Support KTLS on connections using BIO_TYPE_CONNECT.
This requires duplicating the KTLS changes from bss_sock.c in
bss_conn.c. One difference from BIO_TYPE_SOCKET is that the call to
ktls_enable is performed after the socket is created in BIO_socket
rather than BIO_new_connect.
Some applications such as 'openssl s_time' use connect BIOs instead of
socket BIOs. Note that the new connections created for accept BIOs
use BIO_TYPE_SOCKET via BIO_new_socket, so bss_acpt.c does not require
changes.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)
-----------------------------------------------------------------------
Summary of changes:
crypto/bio/b_sock2.c | 12 +++++++++++
crypto/bio/bss_conn.c | 54 +++++++++++++++++++++++++++++++++++++++++++++--
ssl/record/rec_layer_s3.c | 1 +
ssl/record/record.h | 2 ++
ssl/record/record_local.h | 2 ++
ssl/record/ssl3_buffer.c | 4 +++-
6 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c
index 942825a8e0..df13d58c71 100644
--- a/crypto/bio/b_sock2.c
+++ b/crypto/bio/b_sock2.c
@@ -12,6 +12,7 @@
#include <errno.h>
#include "bio_local.h"
+#include "internal/ktls.h"
#include <openssl/err.h>
@@ -51,6 +52,17 @@ int BIO_socket(int domain, int socktype, int protocol, int options)
BIOerr(BIO_F_BIO_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET);
return INVALID_SOCKET;
}
+# ifndef OPENSSL_NO_KTLS
+ {
+ /*
+ * The new socket is created successfully regardless of ktls_enable.
+ * ktls_enable doesn't change any functionality of the socket, except
+ * changing the setsockopt to enable the processing of ktls_start.
+ * Thus, it is not a problem to call it for non-TLS sockets.
+ */
+ ktls_enable(sock);
+ }
+# endif
return sock;
}
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 6c554ff6e6..87009fb61d 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -11,6 +11,7 @@
#include <errno.h>
#include "bio_local.h"
+#include "internal/ktls.h"
#ifndef OPENSSL_NO_SOCK
@@ -20,6 +21,9 @@ typedef struct bio_connect_st {
char *param_hostname;
char *param_service;
int connect_mode;
+# ifndef OPENSSL_NO_KTLS
+ unsigned char record_type;
+# endif
BIO_ADDRINFO *addr_first;
const BIO_ADDRINFO *addr_iter;
@@ -308,7 +312,12 @@ static int conn_read(BIO *b, char *out, int outl)
if (out != NULL) {
clear_socket_error();
- ret = readsocket(b->num, out, outl);
+# ifndef OPENSSL_NO_KTLS
+ if (BIO_get_ktls_recv(b))
+ ret = ktls_read_record(b->num, out, outl);
+ else
+# endif
+ ret = readsocket(b->num, out, outl);
BIO_clear_retry_flags(b);
if (ret <= 0) {
if (BIO_sock_should_retry(ret))
@@ -333,7 +342,16 @@ static int conn_write(BIO *b, const char *in, int inl)
}
clear_socket_error();
- ret = writesocket(b->num, in, inl);
+# ifndef OPENSSL_NO_KTLS
+ if (BIO_should_ktls_ctrl_msg_flag(b)) {
+ ret = ktls_send_ctrl_message(b->num, data->record_type, in, inl);
+ if (ret >= 0) {
+ ret = inl;
+ BIO_clear_ktls_ctrl_msg_flag(b);
+ }
+ } else
+# endif
+ ret = writesocket(b->num, in, inl);
BIO_clear_retry_flags(b);
if (ret <= 0) {
if (BIO_sock_should_retry(ret))
@@ -349,6 +367,13 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
const char **pptr = NULL;
long ret = 1;
BIO_CONNECT *data;
+# ifndef OPENSSL_NO_KTLS
+# ifdef __FreeBSD__
+ struct tls_enable *crypto_info;
+# else
+ struct tls12_crypto_info_aes_gcm_128 *crypto_info;
+# endif
+# endif
data = (BIO_CONNECT *)b->ptr;
@@ -497,6 +522,31 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_CTRL_EOF:
ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0;
break;
+# ifndef OPENSSL_NO_KTLS
+ case BIO_CTRL_SET_KTLS:
+# ifdef __FreeBSD__
+ crypto_info = (struct tls_enable *)ptr;
+# else
+ crypto_info = (struct tls12_crypto_info_aes_gcm_128 *)ptr;
+# endif
+ ret = ktls_start(b->num, crypto_info, sizeof(*crypto_info), num);
+ if (ret)
+ BIO_set_ktls_flag(b, num);
+ break;
+ case BIO_CTRL_GET_KTLS_SEND:
+ return BIO_should_ktls_flag(b, 1);
+ case BIO_CTRL_GET_KTLS_RECV:
+ return BIO_should_ktls_flag(b, 0);
+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG:
+ BIO_set_ktls_ctrl_msg_flag(b);
+ data->record_type = num;
+ ret = 0;
+ break;
+ case BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG:
+ BIO_clear_ktls_ctrl_msg_flag(b);
+ ret = 0;
+ break;
+# endif
default:
ret = 0;
break;
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index b4675f3c8c..426da9ff15 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -771,6 +771,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
*/
SSL3_BUFFER_set_buf(&s->rlayer.wbuf[0], (unsigned char *)buf);
SSL3_BUFFER_set_offset(&s->rlayer.wbuf[0], 0);
+ SSL3_BUFFER_set_app_buffer(&s->rlayer.wbuf[0], 1);
goto wpacket_init_complete;
}
diff --git a/ssl/record/record.h b/ssl/record/record.h
index 784ab322a4..f9d1924692 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -25,6 +25,8 @@ typedef struct ssl3_buffer_st {
size_t offset;
/* how many bytes left */
size_t left;
+ /* 'buf' is from application for KTLS */
+ int app_buffer;
} SSL3_BUFFER;
#define SEQ_NUM_SIZE 8
diff --git a/ssl/record/record_local.h b/ssl/record/record_local.h
index ed421881d8..2f6a4c98a4 100644
--- a/ssl/record/record_local.h
+++ b/ssl/record/record_local.h
@@ -65,6 +65,8 @@ void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
#define SSL3_BUFFER_add_offset(b, o) ((b)->offset += (o))
#define SSL3_BUFFER_is_initialised(b) ((b)->buf != NULL)
#define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l))
+#define SSL3_BUFFER_set_app_buffer(b, l) ((b)->app_buffer = (l))
+#define SSL3_BUFFER_is_app_buffer(b) ((b)->app_buffer)
void SSL3_BUFFER_clear(SSL3_BUFFER *b);
void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n);
diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index bffe521947..ab977a5c17 100644
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -164,7 +164,9 @@ int ssl3_release_write_buffer(SSL *s)
while (pipes > 0) {
wb = &RECORD_LAYER_get_wbuf(&s->rlayer)[pipes - 1];
- if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio))
+ if (SSL3_BUFFER_is_app_buffer(wb))
+ SSL3_BUFFER_set_app_buffer(wb, 0);
+ else
OPENSSL_free(wb->buf);
wb->buf = NULL;
pipes--;
More information about the openssl-commits
mailing list