summaryrefslogtreecommitdiff
path: root/security/openssl35/files/extra-patch-ktls
diff options
context:
space:
mode:
Diffstat (limited to 'security/openssl35/files/extra-patch-ktls')
-rw-r--r--security/openssl35/files/extra-patch-ktls540
1 files changed, 540 insertions, 0 deletions
diff --git a/security/openssl35/files/extra-patch-ktls b/security/openssl35/files/extra-patch-ktls
new file mode 100644
index 000000000000..8a46c272d95c
--- /dev/null
+++ b/security/openssl35/files/extra-patch-ktls
@@ -0,0 +1,540 @@
+diff --git include/internal/ktls.h include/internal/ktls.h
+index 95492fd065..3c82cae26b 100644
+--- include/internal/ktls.h
++++ include/internal/ktls.h
+@@ -40,6 +40,11 @@
+ # define OPENSSL_KTLS_AES_GCM_128
+ # define OPENSSL_KTLS_AES_GCM_256
+ # define OPENSSL_KTLS_TLS13
++# ifdef TLS_CHACHA20_IV_LEN
++# ifndef OPENSSL_NO_CHACHA
++# define OPENSSL_KTLS_CHACHA20_POLY1305
++# endif
++# endif
+
+ typedef struct tls_enable ktls_crypto_info_t;
+
+diff --git ssl/ktls.c ssl/ktls.c
+index 79d980959e..e343d382cc 100644
+--- ssl/ktls.c
++++ ssl/ktls.c
+@@ -10,6 +10,67 @@
+ #include "ssl_local.h"
+ #include "internal/ktls.h"
+
++#ifndef OPENSSL_NO_KTLS_RX
++ /*
++ * Count the number of records that were not processed yet from record boundary.
++ *
++ * This function assumes that there are only fully formed records read in the
++ * record layer. If read_ahead is enabled, then this might be false and this
++ * function will fail.
++ */
++static int count_unprocessed_records(SSL *s)
++{
++ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
++ PACKET pkt, subpkt;
++ int count = 0;
++
++ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
++ return -1;
++
++ while (PACKET_remaining(&pkt) > 0) {
++ /* Skip record type and version */
++ if (!PACKET_forward(&pkt, 3))
++ return -1;
++
++ /* Read until next record */
++ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
++ return -1;
++
++ count += 1;
++ }
++
++ return count;
++}
++
++/*
++ * The kernel cannot offload receive if a partial TLS record has been read.
++ * Check the read buffer for unprocessed records. If the buffer contains a
++ * partial record, fail and return 0. Otherwise, update the sequence
++ * number at *rec_seq for the count of unprocessed records and return 1.
++ */
++static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq)
++{
++ int bit, count_unprocessed;
++
++ count_unprocessed = count_unprocessed_records(s);
++ if (count_unprocessed < 0)
++ return 0;
++
++ /* increment the crypto_info record sequence */
++ while (count_unprocessed) {
++ for (bit = 7; bit >= 0; bit--) { /* increment */
++ ++rec_seq[bit];
++ if (rec_seq[bit] != 0)
++ break;
++ }
++ count_unprocessed--;
++
++ }
++
++ return 1;
++}
++#endif
++
+ #if defined(__FreeBSD__)
+ # include "crypto/cryptodev.h"
+
+@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
+ case SSL_AES128GCM:
+ case SSL_AES256GCM:
+ return 1;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ return 1;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ if (s->ext.use_etm)
+@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
+ }
+
+ /* Function to configure kernel TLS structure */
+-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ void *rl_sequence, ktls_crypto_info_t *crypto_info,
+- unsigned char **rec_seq, unsigned char *iv,
++ int is_tx, unsigned char *iv,
+ unsigned char *key, unsigned char *mac_key,
+ size_t mac_secret_size)
+ {
+@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ else
+ crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
+ break;
++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
++ case SSL_CHACHA20POLY1305:
++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
++ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd);
++ break;
++# endif
+ case SSL_AES128:
+ case SSL_AES256:
+ switch (s->s3.tmp.new_cipher->algorithm_mac) {
+@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ crypto_info->tls_vminor = (s->version & 0x000000ff);
+ # ifdef TCP_RXTLS_ENABLE
+ memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
+- if (rec_seq != NULL)
+- *rec_seq = crypto_info->rec_seq;
++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq))
++ return 0;
+ # else
+- if (rec_seq != NULL)
+- *rec_seq = NULL;
++ if (!is_tx)
++ return 0;
+ # endif
+ return 1;
+ };
+@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
+ }
+
+ /* Function to configure kernel TLS structure */
+-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ void *rl_sequence, ktls_crypto_info_t *crypto_info,
+- unsigned char **rec_seq, unsigned char *iv,
++ int is_tx, unsigned char *iv,
+ unsigned char *key, unsigned char *mac_key,
+ size_t mac_secret_size)
+ {
+ unsigned char geniv[12];
+ unsigned char *iiv = iv;
+
++# ifdef OPENSSL_NO_KTLS_RX
++ if (!is_tx)
++ return 0;
++# endif
++
+ if (s->version == TLS1_2_VERSION &&
+ EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) {
+ if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv,
+@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
+ memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+- if (rec_seq != NULL)
+- *rec_seq = crypto_info->gcm128.rec_seq;
++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq))
++ return 0;
+ return 1;
+ # endif
+ # ifdef OPENSSL_KTLS_AES_GCM_256
+@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
+ memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+- if (rec_seq != NULL)
+- *rec_seq = crypto_info->gcm256.rec_seq;
++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq))
++ return 0;
+ return 1;
+ # endif
+ # ifdef OPENSSL_KTLS_AES_CCM_128
+@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
+ memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+- if (rec_seq != NULL)
+- *rec_seq = crypto_info->ccm128.rec_seq;
++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq))
++ return 0;
+ return 1;
+ # endif
+ # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ EVP_CIPHER_get_key_length(c));
+ memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+- if (rec_seq != NULL)
+- *rec_seq = crypto_info->chacha20poly1305.rec_seq;
++ if (!is_tx
++ && !check_rx_read_ahead(s,
++ crypto_info->chacha20poly1305.rec_seq))
++ return 0;
+ return 1;
+ # endif
+ default:
+diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
+index d8ef018741..63caac080f 100644
+--- ssl/record/ssl3_record.c
++++ ssl/record/ssl3_record.c
+@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s)
+ int imac_size;
+ size_t num_recs = 0, max_recs, j;
+ PACKET pkt, sslv2pkt;
+- int is_ktls_left;
++ int using_ktls;
+ SSL_MAC_BUF *macbufs = NULL;
+ int ret = -1;
+
+ rr = RECORD_LAYER_get_rrec(&s->rlayer);
+ rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
+- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
+ max_recs = s->max_pipelines;
+ if (max_recs == 0)
+ max_recs = 1;
+ sess = s->session;
+
++ /*
++ * KTLS reads full records. If there is any data left,
++ * then it is from before enabling ktls.
++ */
++ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
++
+ do {
+ thisrr = &rr[num_recs];
+
+@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s)
+ }
+ }
+
+- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
++ if (SSL_IS_TLS13(s)
++ && s->enc_read_ctx != NULL
++ && !using_ktls) {
+ if (thisrr->type != SSL3_RT_APPLICATION_DATA
+ && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
+ || !SSL_IS_FIRST_HANDSHAKE(s))
+@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s)
+ }
+
+ if (SSL_IS_TLS13(s)) {
+- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
++ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
++
++ /* KTLS strips the inner record type. */
++ if (using_ktls)
++ len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
++
++ if (thisrr->length > len) {
+ SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
+ SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+ return -1;
+@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s)
+ #endif
+
+ /* KTLS may use all of the buffer */
+- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
++ if (using_ktls)
+ len = SSL3_BUFFER_get_left(rbuf);
+
+ if (thisrr->length > len) {
+@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s)
+ return 1;
+ }
+
+- /*
+- * KTLS reads full records. If there is any data left,
+- * then it is from before enabling ktls
+- */
+- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
++ if (using_ktls)
+ goto skip_decryption;
+
+ if (s->read_hash != NULL) {
+@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s)
+ if (SSL_IS_TLS13(s)
+ && s->enc_read_ctx != NULL
+ && thisrr->type != SSL3_RT_ALERT) {
+- size_t end;
++ /*
++ * The following logic are irrelevant in KTLS: the kernel provides
++ * unprotected record and thus record type represent the actual
++ * content type, and padding is already removed and thisrr->type and
++ * thisrr->length should have the correct values.
++ */
++ if (!using_ktls) {
++ size_t end;
+
+- if (thisrr->length == 0
+- || thisrr->type != SSL3_RT_APPLICATION_DATA) {
+- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
+- goto end;
++ if (thisrr->length == 0
++ || thisrr->type != SSL3_RT_APPLICATION_DATA) {
++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
++ goto end;
++ }
++
++ /* Strip trailing padding */
++ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
++ end--)
++ continue;
++
++ thisrr->length = end;
++ thisrr->type = thisrr->data[end];
+ }
+-
+- /* Strip trailing padding */
+- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
+- end--)
+- continue;
+-
+- thisrr->length = end;
+- thisrr->type = thisrr->data[end];
+ if (thisrr->type != SSL3_RT_APPLICATION_DATA
+ && thisrr->type != SSL3_RT_ALERT
+ && thisrr->type != SSL3_RT_HANDSHAKE) {
+@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s)
+ }
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
+- &thisrr->data[end], 1, s, s->msg_callback_arg);
++ &thisrr->type, 1, s, s->msg_callback_arg);
+ }
+
+ /*
+@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s)
+ * Therefore we have to rely on KTLS to check the plaintext length
+ * limit in the kernel.
+ */
+- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
+- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
++ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
+ SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
+ goto end;
+ }
+diff --git ssl/ssl_local.h ssl/ssl_local.h
+index 5471e900b8..79ced2f468 100644
+--- ssl/ssl_local.h
++++ ssl/ssl_local.h
+@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
+ /* ktls.c */
+ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
+ const EVP_CIPHER_CTX *dd);
+-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+ void *rl_sequence, ktls_crypto_info_t *crypto_info,
+- unsigned char **rec_seq, unsigned char *iv,
++ int is_tx, unsigned char *iv,
+ unsigned char *key, unsigned char *mac_key,
+ size_t mac_secret_size);
+ # endif
+diff --git ssl/t1_enc.c ssl/t1_enc.c
+index 237a19cd93..900ba14fbd 100644
+--- ssl/t1_enc.c
++++ ssl/t1_enc.c
+@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
+ return ret;
+ }
+
+-#ifndef OPENSSL_NO_KTLS
+- /*
+- * Count the number of records that were not processed yet from record boundary.
+- *
+- * This function assumes that there are only fully formed records read in the
+- * record layer. If read_ahead is enabled, then this might be false and this
+- * function will fail.
+- */
+-# ifndef OPENSSL_NO_KTLS_RX
+-static int count_unprocessed_records(SSL *s)
+-{
+- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
+- PACKET pkt, subpkt;
+- int count = 0;
+-
+- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
+- return -1;
+-
+- while (PACKET_remaining(&pkt) > 0) {
+- /* Skip record type and version */
+- if (!PACKET_forward(&pkt, 3))
+- return -1;
+-
+- /* Read until next record */
+- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
+- return -1;
+-
+- count += 1;
+- }
+-
+- return count;
+-}
+-# endif
+-#endif
+-
+-
+ int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
+ const EVP_CIPHER *ciph,
+ const EVP_MD *md)
+@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which)
+ int reuse_dd = 0;
+ #ifndef OPENSSL_NO_KTLS
+ ktls_crypto_info_t crypto_info;
+- unsigned char *rec_seq;
+ void *rl_sequence;
+-# ifndef OPENSSL_NO_KTLS_RX
+- int count_unprocessed;
+- int bit;
+-# endif
+ BIO *bio;
+ #endif
+
+@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which)
+ else
+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
+
+- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq,
+- iv, key, ms, *mac_secret_size))
++ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info,
++ which & SSL3_CC_WRITE, iv, key, ms,
++ *mac_secret_size))
+ goto skip_ktls;
+
+- if (which & SSL3_CC_READ) {
+-# ifndef OPENSSL_NO_KTLS_RX
+- count_unprocessed = count_unprocessed_records(s);
+- if (count_unprocessed < 0)
+- goto skip_ktls;
+-
+- /* increment the crypto_info record sequence */
+- while (count_unprocessed) {
+- for (bit = 7; bit >= 0; bit--) { /* increment */
+- ++rec_seq[bit];
+- if (rec_seq[bit] != 0)
+- break;
+- }
+- count_unprocessed--;
+- }
+-# else
+- goto skip_ktls;
+-# endif
+- }
+-
+ /* ktls works with user provided buffers directly */
+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
+ if (which & SSL3_CC_WRITE)
+diff --git ssl/tls13_enc.c ssl/tls13_enc.c
+index 12388922e3..eaab0e2a74 100644
+--- ssl/tls13_enc.c
++++ ssl/tls13_enc.c
+@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which)
+ const EVP_CIPHER *cipher = NULL;
+ #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13)
+ ktls_crypto_info_t crypto_info;
++ void *rl_sequence;
+ BIO *bio;
+ #endif
+
+@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which)
+ s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
+ #ifndef OPENSSL_NO_KTLS
+ # if defined(OPENSSL_KTLS_TLS13)
+- if (!(which & SSL3_CC_WRITE)
+- || !(which & SSL3_CC_APPLICATION)
++ if (!(which & SSL3_CC_APPLICATION)
+ || (s->options & SSL_OP_ENABLE_KTLS) == 0)
+ goto skip_ktls;
+
+@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which)
+ if (!ktls_check_supported_cipher(s, cipher, ciph_ctx))
+ goto skip_ktls;
+
+- bio = s->wbio;
++ if (which & SSL3_CC_WRITE)
++ bio = s->wbio;
++ else
++ bio = s->rbio;
+
+ if (!ossl_assert(bio != NULL)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which)
+ }
+
+ /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
+- if (BIO_flush(bio) <= 0)
+- goto skip_ktls;
++ if (which & SSL3_CC_WRITE) {
++ if (BIO_flush(bio) <= 0)
++ goto skip_ktls;
++ }
+
+ /* configure kernel crypto structure */
+- if (!ktls_configure_crypto(s, cipher, ciph_ctx,
+- RECORD_LAYER_get_write_sequence(&s->rlayer),
+- &crypto_info, NULL, iv, key, NULL, 0))
++ if (which & SSL3_CC_WRITE)
++ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer);
++ else
++ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
++
++ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info,
++ which & SSL3_CC_WRITE, iv, key, NULL, 0))
+ goto skip_ktls;
+
+ /* ktls works with user provided buffers directly */
+- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE))
+- ssl3_release_write_buffer(s);
++ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
++ if (which & SSL3_CC_WRITE)
++ ssl3_release_write_buffer(s);
++ }
+ skip_ktls:
+ # endif
+ #endif
+diff --git test/sslapitest.c test/sslapitest.c
+index 2911d6e94b..faf2eec2bc 100644
+--- test/sslapitest.c
++++ test/sslapitest.c
+@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
+ #if defined(OPENSSL_NO_KTLS_RX)
+ rx_supported = 0;
+ #else
+- rx_supported = (tls_version != TLS1_3_VERSION);
++ rx_supported = 1;
+ #endif
+ if (!cis_ktls || !rx_supported) {
+ if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-04 10:56:05 +0000