Fix SSL_key_update() problems#16077
Conversation
Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes openssl#13729
If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes openssl#12485
mattcaswell
added
branch: master
t8m
added
approval: done
kaduk
left a comment
kaduk
left a comment
There was a problem hiding this comment.
- Don't reset the packet pointer in ssl3_setup_read_buffer
Sometimes this function gets called when the buffers have already been
set up. If there is already a partial packet in the read buffer then the
packet pointer will be set to an incorrect value. The packet pointer already
gets reset to the correct value when we first read a packet anyway, so we
don't also need to do it in ssl3_setup_read_buffer.
The main initialization of s->rlayer.packet in ssl3_read_n() seems to only occur in the !extend case; in the extend case we seem to memmove from the current packet value before updating it. I guess it would be a programming error to call the "extend" case without a preceding "non-extend" case, so maybe that's good enough.
(Also, the comment at the top of the body of ssl3_read_n() refers to s->packet and s->packet_length, which seems out of date with respect to the RECORD_LAYER abstraction.)
| return 0; | ||
| } | ||
|
|
||
| if (RECORD_LAYER_write_pending(&s->rlayer)) { |
There was a problem hiding this comment.
Hmm, should the check in SSL_new_session_ticket() use RECORD_LAYER_write_pending() instead of peeking into s->rlayer.wbuf[0].left?
There was a problem hiding this comment.
Yes. It probably should (different PR though)
|
openssl/ssl/record/ssl3_record.c Lines 430 to 446 in 11f18ef |
|
Hmmmm. Strangely I just saw the message "First-time contributors need a maintainer to approve running workflows" for this PR, and I had to approve the run despite all commits in it being authored by me. I could have sworn I'd made a few commits to this repo before now... |
Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in openssl#16077.
|
I've created #16086 to address the problems identified in the various comments (plus a few other instances I found). I also fixed |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
|
I think this should go to 1.1.1 as well (the cherry-pick is clean). |
... but |
Yeah, as I said in the introduction to this PR:
|
t8m
added
approval: ready to merge
Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16077)
If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Tomas Mraz <[email protected]> (Merged from #16077)
|
Merged to master. Thanks. |
|
I've now noticed that I've accidentally forgot to add @kaduk to reviewed-by. I am sorry for that. |
Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from #16086)
Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in openssl#16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from openssl#16086) (cherry picked from commit ca00152)
Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit ca00152) Reviewed-by: Paul Dale <[email protected]> (Merged from #16105)
This contains 2 fixes affecting SSL_key_update():
Sometimes this function gets called when the buffers have already been
set up. If there is already a partial packet in the read buffer then the
packet pointer will be set to an incorrect value. The packet pointer already
gets reset to the correct value when we first read a packet anyway, so we
don't also need to do it in ssl3_setup_read_buffer.
If an application is halfway through writing application data it should
not be allowed to attempt an SSL_key_update() operation. Instead the
SSL_write() operation should be completed.
The former issue can result in a "bad record mac" problem if a partial record read occurs around the same time as a key update.
Fixes #13729
Fixes #12485
PR #16021 will provide tests for these scenarios.
This should also be applied to 1.1.1, but I will wait until this is approved to create a PR there since it requires some minor adjustment there.