Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
1 年多 前同步成功

通知 10
Star 18
Fork 1
T
Third Party Openssl
提交 c7c42022 编写于 作者: M Matt Caswell
浏览文件
操作

Convert TLS record construction to use WPACKET 

Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 3171bad6
显示空白变更内容
内联 并排
Showing with 122 addition and 43 deletion
ssl/record/rec_layer_s3.c
浏览文件 @ c7c42022
...@@ -633,15 +633,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -633,15 +633,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
size_t *pipelens, size_t numpipes, size_t *pipelens, size_t numpipes,
int create_empty_fragment, size_t *written) int create_empty_fragment, size_t *written)
{ {
unsigned char *outbuf[SSL_MAX_PIPELINES], *plen[SSL_MAX_PIPELINES]; WPACKET pkt[SSL_MAX_PIPELINES];
SSL3_RECORD wr[SSL_MAX_PIPELINES]; SSL3_RECORD wr[SSL_MAX_PIPELINES];
unsigned char *recordstart;
int i, mac_size, clear = 0; int i, mac_size, clear = 0;
size_t prefix_len = 0; size_t prefix_len = 0;
int eivlen; int eivlen;
size_t align = 0; size_t align = 0;
SSL3_BUFFER *wb; SSL3_BUFFER *wb;
SSL_SESSION *sess; SSL_SESSION *sess;
size_t totlen = 0; size_t totlen = 0, len, wpinited = 0;
size_t j; size_t j;
for (j = 0; j < numpipes; j++) for (j = 0; j < numpipes; j++)
...@@ -726,12 +727,24 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -726,12 +727,24 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH; align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH;
align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
#endif #endif
outbuf[0] = SSL3_BUFFER_get_buf(wb) + align;
SSL3_BUFFER_set_offset(wb, align); SSL3_BUFFER_set_offset(wb, align);
if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb),
SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(&pkt[0], align, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
wpinited = 1;
} else if (prefix_len) { } else if (prefix_len) {
wb = &s->rlayer.wbuf[0]; wb = &s->rlayer.wbuf[0];
outbuf[0] = SSL3_BUFFER_get_buf(wb) + SSL3_BUFFER_get_offset(wb) if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb),
+ prefix_len; SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb)
+ prefix_len, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
wpinited = 1;
} else { } else {
for (j = 0; j < numpipes; j++) { for (j = 0; j < numpipes; j++) {
wb = &s->rlayer.wbuf[j]; wb = &s->rlayer.wbuf[j];
...@@ -739,8 +752,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -739,8 +752,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH; align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
#endif #endif
outbuf[j] = SSL3_BUFFER_get_buf(wb) + align;
SSL3_BUFFER_set_offset(wb, align); SSL3_BUFFER_set_offset(wb, align);
if (!WPACKET_init_static_len(&pkt[j], SSL3_BUFFER_get_buf(wb),
SSL3_BUFFER_get_len(wb), 0)
|| !WPACKET_allocate_bytes(&pkt[j], align, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
wpinited++;
} }
} }
...@@ -752,42 +771,52 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -752,42 +771,52 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
if (eivlen <= 1) if (eivlen <= 1)
eivlen = 0; eivlen = 0;
} } else if (mode == EVP_CIPH_GCM_MODE) {
/* Need explicit part of IV for GCM mode */ /* Need explicit part of IV for GCM mode */
else if (mode == EVP_CIPH_GCM_MODE)
eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
else if (mode == EVP_CIPH_CCM_MODE) } else if (mode == EVP_CIPH_CCM_MODE) {
eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN; eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
else } else {
eivlen = 0; eivlen = 0;
} else }
} else {
eivlen = 0; eivlen = 0;
}
totlen = 0; totlen = 0;
/* Clear our SSL3_RECORD structures */ /* Clear our SSL3_RECORD structures */
memset(wr, 0, sizeof wr); memset(wr, 0, sizeof wr);
for (j = 0; j < numpipes; j++) { for (j = 0; j < numpipes; j++) {
/* write the header */ unsigned int version = s->version;
*(outbuf[j]++) = type & 0xff; unsigned char *compressdata;
SSL3_RECORD_set_type(&wr[j], type); size_t maxcomplen;
*(outbuf[j]++) = (s->version >> 8); SSL3_RECORD_set_type(&wr[j], type);
/* /*
* Some servers hang if initial client hello is larger than 256 bytes * Some servers hang if initial client hello is larger than 256 bytes
* and record version number > TLS 1.0 * and record version number > TLS 1.0
*/ */
if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO
&& !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION) && !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION)
*(outbuf[j]++) = 0x1; version = TLS1_VERSION;
else
*(outbuf[j]++) = s->version & 0xff;
/* field where we are to write out packet length */ maxcomplen = pipelens[j] + (ssl_allow_compression(s)
plen[j] = outbuf[j]; ? SSL3_RT_MAX_COMPRESSED_OVERHEAD : 0);
outbuf[j] += 2; /* write the header */
if (!WPACKET_put_bytes_u8(&pkt[j], type)
|| !WPACKET_put_bytes_u16(&pkt[j], version)
|| !WPACKET_start_sub_packet_u16(&pkt[j])
|| (eivlen > 0
&& !WPACKET_allocate_bytes(&pkt[j], eivlen, NULL))
|| (maxcomplen > 0
&& !WPACKET_reserve_bytes(&pkt[j], maxcomplen,
&compressdata))) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
/* lets setup the record stuff. */ /* lets setup the record stuff. */
SSL3_RECORD_set_data(&wr[j], outbuf[j] + eivlen); SSL3_RECORD_set_data(&wr[j], compressdata);
SSL3_RECORD_set_length(&wr[j], pipelens[j]); SSL3_RECORD_set_length(&wr[j], pipelens[j]);
SSL3_RECORD_set_input(&wr[j], (unsigned char *)&buf[totlen]); SSL3_RECORD_set_input(&wr[j], (unsigned char *)&buf[totlen]);
totlen += pipelens[j]; totlen += pipelens[j];
...@@ -798,12 +827,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -798,12 +827,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* first we compress */ /* first we compress */
if (s->compress != NULL) { if (s->compress != NULL) {
if (!ssl3_do_compress(s, &wr[j])) { if (!ssl3_do_compress(s, &wr[j])
|| !WPACKET_allocate_bytes(&pkt[j], wr[j].length, NULL)) {
SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE); SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
goto err; goto err;
} }
} else { } else {
memcpy(wr[j].data, wr[j].input, wr[j].length); if (!WPACKET_memcpy(&pkt[j], wr[j].input, wr[j].length)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
SSL3_RECORD_reset_input(&wr[j]); SSL3_RECORD_reset_input(&wr[j]);
} }
...@@ -814,41 +847,85 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -814,41 +847,85 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
*/ */
if (!SSL_USE_ETM(s) && mac_size != 0) { if (!SSL_USE_ETM(s) && mac_size != 0) {
if (!s->method->ssl3_enc->mac(s, &wr[j], unsigned char *mac;
&(outbuf[j][wr[j].length + eivlen]),
1)) if (!WPACKET_allocate_bytes(&pkt[j], mac_size, &mac)
|| !s->method->ssl3_enc->mac(s, &wr[j], mac, 1)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
SSL3_RECORD_add_length(&wr[j], mac_size); }
} }
SSL3_RECORD_set_data(&wr[j], outbuf[j]);
SSL3_RECORD_reset_input(&wr[j]);
if (eivlen) {
/* /*
* if (RAND_pseudo_bytes(p, eivlen) <= 0) goto err; * Reserve some bytes for any growth that may occur during encryption.
* This will be at most one cipher block or the tag length if using
* AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case.
*/
if(!WPACKET_reserve_bytes(&pkt[j], SSL_RT_MAX_CIPHER_BLOCK_SIZE,
NULL)
/*
* We also need next the amount of bytes written to this
* sub-packet
*/ */
SSL3_RECORD_add_length(&wr[j], eivlen); || !WPACKET_get_length(&pkt[j], &len)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
} }
/* Get a pointer to the start of this record excluding header */
recordstart = WPACKET_get_curr(&pkt[j]) - len;
SSL3_RECORD_set_data(&wr[j], recordstart);
SSL3_RECORD_reset_input(&wr[j]);
SSL3_RECORD_set_length(&wr[j], len);
} }
if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1)
goto err; goto err;
for (j = 0; j < numpipes; j++) { for (j = 0; j < numpipes; j++) {
size_t origlen;
/* Allocate bytes for the encryption overhead */
if (!WPACKET_get_length(&pkt[j], &origlen)
/* Encryption should never shrink the data! */
|| origlen > wr[j].length
|| (wr[j].length > origlen
&& !WPACKET_allocate_bytes(&pkt[j],
wr[j].length - origlen, NULL))) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
if (SSL_USE_ETM(s) && mac_size != 0) { if (SSL_USE_ETM(s) && mac_size != 0) {
if (!s->method->ssl3_enc->mac(s, &wr[j], unsigned char *mac;
outbuf[j] + wr[j].length, 1))
if (!WPACKET_allocate_bytes(&pkt[j], mac_size, &mac)
|| !s->method->ssl3_enc->mac(s, &wr[j], mac, 1)) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
SSL3_RECORD_add_length(&wr[j], mac_size); SSL3_RECORD_add_length(&wr[j], mac_size);
} }
/* record length after mac and block padding */ if (!WPACKET_get_length(&pkt[j], &len)
s2n(SSL3_RECORD_get_length(&wr[j]), plen[j]); || !WPACKET_close(&pkt[j])) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
if (s->msg_callback) if (s->msg_callback) {
s->msg_callback(1, 0, SSL3_RT_HEADER, plen[j] - 5, 5, s, recordstart = WPACKET_get_curr(&pkt[j]) - len
- SSL3_RT_HEADER_LENGTH;
s->msg_callback(1, 0, SSL3_RT_HEADER, recordstart,
SSL3_RT_HEADER_LENGTH, s,
s->msg_callback_arg); s->msg_callback_arg);
}
if (!WPACKET_finish(&pkt[j])) {
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
/* /*
* we should now have wr->data pointing to the encrypted data, which is * we should now have wr->data pointing to the encrypted data, which is
...@@ -889,6 +966,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, ...@@ -889,6 +966,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* we now just need to write the buffer */ /* we now just need to write the buffer */
return ssl3_write_pending(s, type, buf, totlen, written); return ssl3_write_pending(s, type, buf, totlen, written);
err: err:
for (j = 0; j < wpinited; j++)
WPACKET_cleanup(&pkt[j]);
return -1; return -1;
} }
......
ssl/record/ssl3_record.c
浏览文件 @ c7c42022
...@@ -553,7 +553,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) ...@@ -553,7 +553,7 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
/* TODO(size_t): Convert this call */ /* TODO(size_t): Convert this call */
i = COMP_compress_block(ssl->compress, wr->data, i = COMP_compress_block(ssl->compress, wr->data,
SSL3_RT_MAX_COMPRESSED_LENGTH, (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
wr->input, (int)wr->length); wr->input, (int)wr->length);
if (i < 0) if (i < 0)
return (0); return (0);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册