|
@@ -83,6 +83,39 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
|
|
|
return ret;
|
|
|
}
|
|
|
|
|
|
+#ifndef OPENSSL_NO_KTLS
|
|
|
+ /*
|
|
|
+ * Count the number of records that were not processed yet from record boundary.
|
|
|
+ *
|
|
|
+ * This function assumes that there are only fully formed records read in the
|
|
|
+ * record layer. If read_ahead is enabled, then this might be false and this
|
|
|
+ * function will fail.
|
|
|
+ */
|
|
|
+static int count_unprocessed_records(SSL *s)
|
|
|
+{
|
|
|
+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
|
|
|
+ PACKET pkt, subpkt;
|
|
|
+ int count = 0;
|
|
|
+
|
|
|
+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ while (PACKET_remaining(&pkt) > 0) {
|
|
|
+ /* Skip record type and version */
|
|
|
+ if (!PACKET_forward(&pkt, 3))
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ /* Read until next record */
|
|
|
+ if (PACKET_get_length_prefixed_2(&pkt, &subpkt))
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ count += 1;
|
|
|
+ }
|
|
|
+
|
|
|
+ return count;
|
|
|
+}
|
|
|
+#endif
|
|
|
+
|
|
|
int tls1_change_cipher_state(SSL *s, int which)
|
|
|
{
|
|
|
unsigned char *p, *mac_secret;
|
|
@@ -101,8 +134,10 @@ int tls1_change_cipher_state(SSL *s, int which)
|
|
|
int reuse_dd = 0;
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
struct tls12_crypto_info_aes_gcm_128 crypto_info;
|
|
|
- BIO *wbio;
|
|
|
+ BIO *bio;
|
|
|
unsigned char geniv[12];
|
|
|
+ int count_unprocessed;
|
|
|
+ int bit;
|
|
|
#endif
|
|
|
|
|
|
c = s->s3->tmp.new_sym_enc;
|
|
@@ -326,8 +361,8 @@ int tls1_change_cipher_state(SSL *s, int which)
|
|
|
if (s->compress)
|
|
|
goto skip_ktls;
|
|
|
|
|
|
- if ((which & SSL3_CC_READ) ||
|
|
|
- ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
|
|
|
+ if (((which & SSL3_CC_READ) && (s->mode & SSL_MODE_NO_KTLS_RX))
|
|
|
+ || ((which & SSL3_CC_WRITE) && (s->mode & SSL_MODE_NO_KTLS_TX)))
|
|
|
goto skip_ktls;
|
|
|
|
|
|
/* ktls supports only the maximum fragment size */
|
|
@@ -344,19 +379,26 @@ int tls1_change_cipher_state(SSL *s, int which)
|
|
|
if (s->version != TLS1_2_VERSION)
|
|
|
goto skip_ktls;
|
|
|
|
|
|
- wbio = s->wbio;
|
|
|
- if (!ossl_assert(wbio != NULL)) {
|
|
|
+ if (which & SSL3_CC_WRITE)
|
|
|
+ bio = s->wbio;
|
|
|
+ else
|
|
|
+ bio = s->rbio;
|
|
|
+
|
|
|
+ if (!ossl_assert(bio != NULL)) {
|
|
|
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
|
|
ERR_R_INTERNAL_ERROR);
|
|
|
goto err;
|
|
|
}
|
|
|
|
|
|
/* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
|
|
|
- if (BIO_flush(wbio) <= 0)
|
|
|
- goto skip_ktls;
|
|
|
+ if (which & SSL3_CC_WRITE) {
|
|
|
+ if (BIO_flush(bio) <= 0)
|
|
|
+ goto skip_ktls;
|
|
|
+ }
|
|
|
|
|
|
/* ktls doesn't support renegotiation */
|
|
|
- if (BIO_get_ktls_send(s->wbio)) {
|
|
|
+ if ((BIO_get_ktls_send(s->wbio) && (which & SSL3_CC_WRITE)) ||
|
|
|
+ (BIO_get_ktls_recv(s->rbio) && (which & SSL3_CC_READ))) {
|
|
|
SSLfatal(s, SSL_AD_NO_RENEGOTIATION, SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
|
|
ERR_R_INTERNAL_ERROR);
|
|
|
goto err;
|
|
@@ -373,12 +415,33 @@ int tls1_change_cipher_state(SSL *s, int which)
|
|
|
TLS_CIPHER_AES_GCM_128_IV_SIZE);
|
|
|
memcpy(crypto_info.salt, geniv, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
|
|
|
memcpy(crypto_info.key, key, EVP_CIPHER_key_length(c));
|
|
|
- memcpy(crypto_info.rec_seq, &s->rlayer.write_sequence,
|
|
|
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
|
|
|
+ if (which & SSL3_CC_WRITE)
|
|
|
+ memcpy(crypto_info.rec_seq, &s->rlayer.write_sequence,
|
|
|
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
|
|
|
+ else
|
|
|
+ memcpy(crypto_info.rec_seq, &s->rlayer.read_sequence,
|
|
|
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
|
|
|
+
|
|
|
+ if (which & SSL3_CC_READ) {
|
|
|
+ count_unprocessed = count_unprocessed_records(s);
|
|
|
+ if (count_unprocessed < 0)
|
|
|
+ goto skip_ktls;
|
|
|
+
|
|
|
+ /* increment the crypto_info record sequence */
|
|
|
+ while (count_unprocessed) {
|
|
|
+ for (bit = 7; bit >= 0; bit--) { /* increment */
|
|
|
+ ++crypto_info.rec_seq[bit];
|
|
|
+ if (crypto_info.rec_seq[bit] != 0)
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ count_unprocessed--;
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
/* ktls works with user provided buffers directly */
|
|
|
- if (BIO_set_ktls(wbio, &crypto_info, which & SSL3_CC_WRITE)) {
|
|
|
- ssl3_release_write_buffer(s);
|
|
|
+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
|
|
|
+ if (which & SSL3_CC_WRITE)
|
|
|
+ ssl3_release_write_buffer(s);
|
|
|
SSL_set_options(s, SSL_OP_NO_RENEGOTIATION);
|
|
|
}
|
|
|
|