From 91f65728bbd7d52ae6b75050d31e197591769d78 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Thu, 5 Mar 2015 11:54:11 -0500 Subject: [PATCH] Add "struct iovec" variants to ssl IO (configurable, disabled by default) Patch: ssl_iov.diff --- Configure | 1 + ssl/Makefile | 4 +- ssl/d1_pkt.c | 91 ++++++++++++++++-------------- ssl/s23_lib.c | 50 +++++++++++++++-- ssl/s3_lib.c | 81 +++++++++++++++++++++++++++ ssl/s3_pkt.c | 165 ++++++++++++++++++++++++++++++++++-------------------- ssl/ssl.h | 48 ++++++++++++++++ ssl/ssl_bucket.c | 99 ++++++++++++++++++++++++++++++++ ssl/ssl_lib.c | 33 +++++++++++ ssl/ssl_locl.h | 49 +++++++++++++++- 10 files changed, 509 insertions(+), 112 deletions(-) create mode 100644 ssl/ssl_bucket.c diff --git a/Configure b/Configure index 5dbfa6c..fa9dab7 100755 --- a/Configure +++ b/Configure @@ -278,6 +278,7 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental "deprecated" => "default", "ec_nistp_64_gcc_128" => "default", "gmp" => "default", + "iovec" => "default", "jpake" => "experimental", "md2" => "default", "rc5" => "default", diff --git a/ssl/Makefile b/ssl/Makefile index 087f796..56509cd 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -28,7 +28,7 @@ LIBSRC= \ d1_both.c d1_srtp.c \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ - ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \ + ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c ssl_bucket.c \ bio_ssl.c ssl_err.c kssl.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c LIBOBJ= \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \ @@ -38,7 +38,7 @@ LIBOBJ= \ d1_both.o d1_srtp.o\ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ ssl_ciph.o ssl_stat.o ssl_rsa.o \ - ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \ + ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o ssl_bucket.o \ bio_ssl.o ssl_err.o kssl.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o SRC= $(LIBSRC) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index d66ecf5..71800cc 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -181,8 +181,8 @@ static int satsub64be(const unsigned char *v1, const unsigned char *v2) return brw + (ret & 0xFF); } -static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek); +static int have_handshake_fragment(SSL *s, int type, ssl_bucket *buckets, + int count, int peek); static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, @@ -715,7 +715,7 @@ int dtls1_get_record(SSL *s) * Application data protocol * none of our business */ -int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) +int dtls1_readv_bytes(SSL *s, int type, ssl_bucket *buckets, int count, int peek) { int al, i, j, ret; unsigned int n; @@ -736,7 +736,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) /* * check whether there's a handshake message (client hello?) waiting */ - if ((ret = have_handshake_fragment(s, type, buf, len, peek))) + if ((ret = have_handshake_fragment(s, type, buckets, count, peek))) return ret; /* @@ -855,6 +855,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or * SSL3_RT_HANDSHAKE */ + size_t len = ssl_bucket_len(buckets, count); /* * make sure that we are not getting application data when we are * doing a handshake for the first time @@ -874,7 +875,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) else n = (unsigned int)len; - memcpy(buf, &(rr->data[rr->off]), n); + ssl_bucket_cpy_in(buckets, count, &(rr->data[rr->off]), n); if (!peek) { rr->length -= n; rr->off += n; @@ -1339,6 +1340,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (-1); } +int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) +{ + ssl_bucket bucket = { (void*)buf, len }; + return dtls1_readv_bytes(s, type, &bucket, 1, peek); +} + int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) { int i; @@ -1380,28 +1387,25 @@ int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) * is started. */ static int -have_handshake_fragment(SSL *s, int type, unsigned char *buf, - int len, int peek) +have_handshake_fragment(SSL *s, int type, ssl_bucket *buckets, int count, + int peek) { - if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) + if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) { /* (partially) satisfy request from storage */ - { - unsigned char *src = s->d1->handshake_fragment; - unsigned char *dst = buf; - unsigned int k, n; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - s->d1->handshake_fragment_len--; - n++; - } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->d1->handshake_fragment_len; k++) - s->d1->handshake_fragment[k] = *src++; + size_t n = ssl_bucket_cpy_in(buckets, count, + s->d1->handshake_fragment, + s->d1->handshake_fragment_len); + if (peek) + return n; + + if (n < s->d1->handshake_fragment_len) { + s->d1->handshake_fragment_len -= n; + memmove(s->d1->handshake_fragment, + s->d1->handshake_fragment+n, + s->d1->handshake_fragment_len); + } else + s->d1->handshake_fragment_len = 0; return n; } @@ -1422,8 +1426,8 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) return i; } -int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) +int do_dtls1_writev(SSL *s, int type, const ssl_bucket *buckets, + int count, int create_empty_fragment) { unsigned char *p, *pseq; int i, mac_size, clear = 0; @@ -1432,6 +1436,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, SSL3_RECORD *wr; SSL3_BUFFER *wb; SSL_SESSION *sess; + size_t len = ssl_bucket_len(buckets,count); /* * first check if there is a SSL3_BUFFER still being written out. This @@ -1439,7 +1444,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, */ if (s->s3->wbuf.left != 0) { OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ - return (ssl3_write_pending(s, type, buf, len)); + return (ssl3_writev_pending(s,type,buckets,count,len,0)); } /* If we have an alert to send, lets send it */ @@ -1510,8 +1515,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* lets setup the record stuff. */ wr->data = p + eivlen; /* make room for IV in case of CBC */ - wr->length = (int)len; - wr->input = (unsigned char *)buf; /* * we now 'read' from wr->input, wr->length bytes into wr->data @@ -1519,12 +1522,12 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* first we compress */ if (s->compress != NULL) { - if (!ssl3_do_compress(s)) { + if (!ssl3_do_vcompress(s, buckets, count, 0, len)) { SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); goto err; } } else { - memcpy(wr->data, wr->input, wr->length); + wr->length = ssl_bucket_cpy_out(wr->data, buckets, count, 0, len); wr->input = wr->data; } @@ -1594,21 +1597,19 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, wb->left = prefix_len + wr->length; wb->offset = 0; - /* - * memorize arguments so that ssl3_write_pending can detect bad write - * retries later - */ - s->s3->wpend_tot = len; - s->s3->wpend_buf = buf; - s->s3->wpend_type = type; - s->s3->wpend_ret = len; - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); + return ssl3_writev_pending(s, type, buckets, count, len, 1); err: return -1; } +int do_dtls1_write(SSL *s, int type, const unsigned char *buf, + unsigned int len, int create_empty_fragment) +{ + ssl_bucket bucket = { (void*)buf, len }; + return do_dtls1_writev(s, type, &bucket, 1, create_empty_fragment); +} + static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) { int cmp; @@ -1739,3 +1740,11 @@ void dtls1_reset_seq_numbers(SSL *s, int rw) memset(seq, 0x00, seq_bytes); } + +int dtls1_writev_bytes(SSL *s, int type, const ssl_bucket *buckets, + int count) +{ + OPENSSL_assert(ssl_bucket_len(buckets,count) <= SSL3_RT_MAX_PLAIN_LENGTH); + s->rwstate = SSL_NOTHING; + return do_dtls1_writev(s, type, buckets,count, 0); +} diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c index 0c79941..b9ca7a0 100644 --- a/ssl/s23_lib.c +++ b/ssl/s23_lib.c @@ -104,26 +104,33 @@ int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) return (3); } -int ssl23_read(SSL *s, void *buf, int len) +static int ssl23_read_preflight(SSL *s) { - int n; - clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { - n = s->handshake_func(s); + int n = s->handshake_func(s); if (n < 0) return (n); if (n == 0) { SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE); return (-1); } - return (SSL_read(s, buf, len)); + return (1); } else { ssl_undefined_function(s); return (-1); } } +int ssl23_read(SSL *s, void *buf, int len) +{ + int n = ssl23_read_preflight(s); + if (n > 0) + return (SSL_read(s, buf, len)); + else + return (n); +} + int ssl23_peek(SSL *s, void *buf, int len) { int n; @@ -163,3 +170,36 @@ int ssl23_write(SSL *s, const void *buf, int len) return (-1); } } + +#ifndef OPENSSL_NO_IOVEC + +int ssl23_readv(SSL *s, ssl_bucket *buckets, int count) +{ + int n = ssl23_read_preflight(s); + if (n > 0) + return (SSL_readv(s, buckets, count)); + else + return (n); +} + +int ssl23_writev(SSL *s, const ssl_bucket *buckets, int count) +{ + int n; + + clear_sys_error(); + if (SSL_in_init(s) && (!s->in_handshake)) { + n=s->handshake_func(s); + if (n < 0) + return(n); + if (n == 0) { + SSLerr(SSL_F_SSL23_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE); + return(-1); + } + return (SSL_writev(s,buckets,count)); + } else { + ssl_undefined_function(s); + return(-1); + } +} + +#endif /* !OPENSSL_NO_IOVEC */ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 51a3656..bfb71fd 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4672,3 +4672,84 @@ void ssl_task_rsa_decrypt(SSL *s, SSL_rsa_decrypt_ctx *ctx) else SSL_signal_event(s, SSL_EVENT_KEY_EXCH_DECRYPT_DONE, ctx->dest_len); } + +#ifndef OPENSSL_NO_IOVEC + +static int ssl3_readv_internal(SSL *s, ssl_bucket *buckets, int count, int peek) +{ + int ret; + + clear_sys_error(); + if (s->s3->renegotiate) + ssl3_renegotiate_check(s); + s->s3->in_read_app_data = 1; + ret = s->method->ssl_readv_bytes(s, SSL3_RT_APPLICATION_DATA, + buckets, count, peek); + if ((ret == -1) && (s->s3->in_read_app_data == 2)) { + /* ssl3_read_bytes decided to call s->handshake_func, which + * called ssl3_read_bytes to read handshake data. + * However, ssl3_read_bytes actually found application data + * and thinks that application data makes sense here; so disable + * handshake processing and try to read application data again. */ + s->in_handshake++; + ret = s->method->ssl_readv_bytes(s, SSL3_RT_APPLICATION_DATA, + buckets, count, peek); + s->in_handshake--; + } + else + s->s3->in_read_app_data = 0; + + return (ret); +} + +int ssl3_readv(SSL *s, ssl_bucket *buckets, int count) +{ + return (ssl3_readv_internal(s, buckets, count, 0)); +} + +int ssl3_writev(SSL *s, const ssl_bucket *buckets, int count) +{ + int ret, n; + + clear_sys_error(); + if (s->s3->renegotiate) + ssl3_renegotiate_check(s); + + /* This is an experimental flag that sends the + * last handshake message in the same packet as the first + * use data - used to see if it helps the TCP protocol during + * session-id reuse */ + /* The second test is because the buffer may have been removed */ + if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { + /* First time through, we write into the buffer */ + if (s->s3->delay_buf_pop_ret == 0) { + ret = ssl3_writev_bytes(s, SSL3_RT_APPLICATION_DATA, + buckets, count); + if (ret <= 0) + return (ret); + + s->s3->delay_buf_pop_ret = ret; + } + + s->rwstate = SSL_WRITING; + n = BIO_flush(s->wbio); + if (n <= 0) + return (n); + s->rwstate = SSL_NOTHING; + + /* We have flushed the buffer, so remove it */ + ssl_free_wbio_buffer(s); + s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; + + ret = s->s3->delay_buf_pop_ret; + s->s3->delay_buf_pop_ret = 0; + } else { + ret = s->method->ssl_writev_bytes(s, SSL3_RT_APPLICATION_DATA, + buckets, count); + if (ret <= 0) + return (ret); + } + return (ret); +} + +#endif /* !OPENSSL_NO_IOVEC */ diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 11b1c55..cd16dda 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -132,8 +132,9 @@ # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 #endif -static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment); +static int do_ssl3_write(SSL *s, int type, const ssl_bucket *buckets, + int count, int offset, int len, + int create_empty_fragment); static int ssl3_get_record(SSL *s); int ssl3_read_n(SSL *s, int n, int max, int extend) @@ -630,26 +631,48 @@ int ssl3_do_compress(SSL *ssl) return (1); } +int ssl3_do_vcompress(SSL *ssl, const ssl_bucket *buckets, int count, size_t offset, size_t len) +{ +#ifndef OPENSSL_NO_COMP + int nlen = 0, i; + SSL3_RECORD *wr = &(ssl->s3->wrec); + for (i = 0; i < count && len > 0; ++i) { + size_t blen = buckets[i].iov_len; + if (offset >= blen) { + offset -= blen; + continue; + } + int n = COMP_compress_block(ssl->compress, wr->data+nlen, + SSL3_RT_MAX_COMPRESSED_LENGTH, + buckets[i].iov_base+offset, + (int)blen-offset); + if (n < 0) + return (0); + offset = 0; + nlen += n; + len -= n; + } + wr->length = nlen; + wr->input = wr->data; +#endif + return (1); +} + /* * Call this to write data in records of type 'type' It will return <= 0 if * not all data has been sent or non-blocking IO. */ -int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) +int ssl3_writev_bytes(SSL *s, int type, const ssl_bucket *buckets, + int count) { - const unsigned char *buf = buf_; int tot; - unsigned int n, nw; + unsigned int n, nw, len; #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK unsigned int max_send_fragment; #endif SSL3_BUFFER *wb = &(s->s3->wbuf); int i; - unsigned int u_len = (unsigned int)len; - - if (len < 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_NEGATIVE_LENGTH); - return -1; - } + unsigned int u_len; s->rwstate = SSL_NOTHING; OPENSSL_assert(s->s3->wnum <= INT_MAX); @@ -670,11 +693,12 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * ensure that if we end up with a smaller value of data to write out * than the the original len from a write which didn't complete for * non-blocking I/O and also somehow ended up avoiding the check for - * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be + * this in ssl3_writev_pending/SSL_R_BAD_WRITE_RETRY as it must never be * possible to end up with (len-tot) as a large number that will then * promptly send beyond the end of the users buffer ... so we trap and * report the error in a way the user will notice */ + u_len = len = ssl_bucket_len(buckets, count); if (len < tot) { SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); return (-1); @@ -685,7 +709,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * will happen with non blocking IO */ if (wb->left != 0) { - i = ssl3_write_pending(s, type, &buf[tot], s->s3->wpend_tot); + i = ssl3_writev_pending(s, type, buckets, count, s->s3->wpend_tot, 0); if (i <= 0) { /* XXX should we ssl3_release_write_buffer if i<0? */ s->s3->wnum = tot; @@ -707,6 +731,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) EVP_CIPHER_flags(s->enc_write_ctx->cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; + unsigned char *ptr; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; int packlen; @@ -755,6 +780,9 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) else nw = max_send_fragment * (mb_param.interleave = 4); + /* get pointer into a bucket, and update number to write */ + ptr = ssl_bucket_get_pointer(buckets, count, tot, &nw); + memcpy(aad, s->s3->write_sequence, 8); aad[8] = type; aad[9] = (unsigned char)(s->version >> 8); @@ -776,7 +804,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } mb_param.out = wb->buf; - mb_param.inp = &buf[tot]; + mb_param.inp = ptr; mb_param.len = nw; if (EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, @@ -794,11 +822,12 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) wb->left = packlen; s->s3->wpend_tot = nw; - s->s3->wpend_buf = &buf[tot]; + memcpy(s->s3->wpend_bucket, buckets, sizeof(ssl_bucket)*count); + s->s3->wpend_bucket_count = count; s->s3->wpend_type = type; s->s3->wpend_ret = nw; - i = ssl3_write_pending(s, type, &buf[tot], nw); + i = ssl3_writev_pending(s, type, buckets, count, nw, 0); if (i <= 0) { if (i < 0) { OPENSSL_free(wb->buf); @@ -831,7 +860,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) else nw = n; - i = do_ssl3_write(s, type, &(buf[tot]), nw, 0); + i = do_ssl3_write(s, type, buckets, count, tot, nw, 0); if (i <= 0) { /* XXX should we ssl3_release_write_buffer if i<0? */ s->s3->wnum = tot; @@ -859,8 +888,15 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } } -static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) +int ssl3_write_bytes(SSL *s, int type, const void *buf, int len) +{ + const ssl_bucket bucket = { (void*)buf, len }; + return (ssl3_writev_bytes(s, type, &bucket, 1)); +} + +static int do_ssl3_write(SSL *s, int type, const ssl_bucket *buckets, + int count, int offset, int len, + int create_empty_fragment) { unsigned char *p, *plen; int i, mac_size, clear = 0; @@ -876,7 +912,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * will happen with non blocking IO */ if (wb->left != 0) - return (ssl3_write_pending(s, type, buf, len)); + return (ssl3_writev_pending(s, type, buckets, count, len, 0)); /* If we have an alert to send, lets send it */ if (s->s3->alert_dispatch) { @@ -923,7 +959,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * 'prefix_len' bytes are sent out later together with the actual * payload) */ - prefix_len = do_ssl3_write(s, type, buf, 0, 1); + prefix_len = do_ssl3_write(s, type, buckets, count, offset, 0, 1); if (prefix_len <= 0) goto err; @@ -999,8 +1035,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* lets setup the record stuff. */ wr->data = p + eivlen; - wr->length = (int)len; - wr->input = (unsigned char *)buf; /* * we now 'read' from wr->input, wr->length bytes into wr->data @@ -1008,12 +1042,13 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* first we compress */ if (s->compress != NULL) { - if (!ssl3_do_compress(s)) { + if (!ssl3_do_vcompress(s, buckets, count, offset, len)) { SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE); goto err; } } else { - memcpy(wr->data, wr->input, wr->length); + wr->length = ssl_bucket_cpy_out(wr->data, buckets, count, + offset, len); wr->input = wr->data; } @@ -1073,33 +1108,34 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* now let's set up wb */ wb->left = prefix_len + wr->length; - /* - * memorize arguments so that ssl3_write_pending can detect bad write - * retries later - */ - s->s3->wpend_tot = len; - s->s3->wpend_buf = buf; - s->s3->wpend_type = type; - s->s3->wpend_ret = len; - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); + return ssl3_writev_pending(s, type, buckets, count, len, 1); err: return -1; } /* if s->s3->wbuf.left != 0, we need to call this */ -int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, - unsigned int len) +int ssl3_writev_pending(SSL *s, int type, const ssl_bucket *buckets, + int count, unsigned int len, int reset) { int i; SSL3_BUFFER *wb = &(s->s3->wbuf); /* XXXX */ - if ((s->s3->wpend_tot > (int)len) - || ((s->s3->wpend_buf != buf) && - !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) - || (s->s3->wpend_type != type)) { + if (reset) { + /* memorize arguments so that ssl3_writev_pending can detect bad write retries later */ + s->s3->wpend_tot = len; + OPENSSL_assert(count <= SSL_BUCKET_MAX); + memcpy(s->s3->wpend_bucket, buckets, sizeof(ssl_bucket)*count); + s->s3->wpend_bucket_count = count; + s->s3->wpend_type = type; + s->s3->wpend_ret = len; + } else if ((s->s3->wpend_tot > (int)len) + || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) + && !ssl_bucket_same(s->s3->wpend_bucket, + s->s3->wpend_bucket_count, + buckets, count)) + || (s->s3->wpend_type != type)) { SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); return (-1); } @@ -1163,7 +1199,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) +int ssl3_readv_bytes(SSL *s, int type, ssl_bucket *buckets, + int count, int peek) { int al, i, j, ret; unsigned int n; @@ -1182,25 +1219,21 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0)) + if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0)) { /* (partially) satisfy request from storage */ - { - unsigned char *src = s->s3->handshake_fragment; - unsigned char *dst = buf; - unsigned int k; - - /* peek == 0 */ - n = 0; - while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { - *dst++ = *src++; - len--; - s->s3->handshake_fragment_len--; - n++; + int copied = ssl_bucket_cpy_in(buckets, count, + s->s3->handshake_fragment, + s->s3->handshake_fragment_len); + if (copied > 0 && copied < s->s3->handshake_fragment_len) { + s->s3->handshake_fragment_len -= copied; + memmove(s->s3->handshake_fragment, + s->s3->handshake_fragment + copied, + s->s3->handshake_fragment_len); + } else { + s->s3->handshake_fragment_len = 0; } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->s3->handshake_fragment_len; k++) - s->s3->handshake_fragment[k] = *src++; - return n; + + return (copied); } /* @@ -1257,6 +1290,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or * SSL3_RT_HANDSHAKE */ + size_t len; /* * make sure that we are not getting application data when we are * doing a handshake for the first time @@ -1268,6 +1302,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) goto f_err; } + len = ssl_bucket_len(buckets, count); if (len <= 0) return (len); @@ -1276,7 +1311,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) else n = (unsigned int)len; - memcpy(buf, &(rr->data[rr->off]), n); + ssl_bucket_cpy_in(buckets, count, &(rr->data[rr->off]), n); if (!peek) { rr->length -= n; rr->off += n; @@ -1632,6 +1667,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return (-1); } +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) +{ + ssl_bucket bucket = { buf, len }; + return (ssl3_readv_bytes(s, type, &bucket, 1, peek)); +} + int ssl3_do_change_cipher_spec(SSL *s) { int i; @@ -1712,9 +1753,11 @@ int ssl3_dispatch_alert(SSL *s) { int i, j; void (*cb) (const SSL *ssl, int type, int val) = NULL; + ssl_bucket bucket; s->s3->alert_dispatch = 0; - i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); + ssl_bucket_set(&bucket, &s->s3->send_alert[0], 2); + i = do_ssl3_write(s, SSL3_RT_ALERT, &bucket, 1, 0, 2, 0); if (i <= 0) { s->s3->alert_dispatch = 1; } else { diff --git a/ssl/ssl.h b/ssl/ssl.h index 5c4a91a..4207adf 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -371,6 +371,12 @@ typedef int (*tls_session_secret_cb_fn) (SSL *s, void *secret, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); +# ifndef OPENSSL_NO_IOVEC +typedef struct iovec ssl_bucket; +# else /* !OPENSSL_NO_IOVEC */ +typedef struct ssl_bucket_st ssl_bucket; +# endif /* OPENSSL_NO_IOVEC */ + # ifndef OPENSSL_NO_TLSEXT /* Typedefs for handling custom extensions */ @@ -959,6 +965,44 @@ int SSL_extension_supported(unsigned int ext_type); } #endif +# ifndef OPENSSL_NO_IOVEC + +# ifndef WIN32 +# include +# else +# ifndef HAVE_STRUCT_IOVEC +struct iovec { + void *iov_base; /* Pointer to data. */ + size_t iov_len; /* Length of data. */ +}; +# define HAVE_STRUCT_IOVEC +# endif /* HAVE_STRUCT_IOVEC */ +# endif /* !WIN32 */ + +# define SSL_BUCKET_MAX 32 + +# else /* !OPENSSL_NO_IOVEC */ + +struct ssl_bucket_st { + void *iov_base; + size_t iov_len; +}; + +# define SSL_BUCKET_MAX 1 + +# endif /* OPENSSL_NO_IOVEC */ + +size_t ssl_bucket_len(const ssl_bucket *buckets, int count); +int ssl_bucket_same(const ssl_bucket *buckets1, int count1, + const ssl_bucket *buckets2, int count2); +void ssl_bucket_set(ssl_bucket *bucket, void *buf, size_t len); +size_t ssl_bucket_cpy_out(void *buf, const ssl_bucket *bucket, + int count, int offset, int len); +size_t ssl_bucket_cpy_in(const ssl_bucket *buckets, int count, + void *buf, int len); +unsigned char *ssl_bucket_get_pointer(const ssl_bucket *buckets, int count, + int offset, unsigned int *nw); + # include # include # include /* This is mostly sslv3 with a few tweaks */ @@ -1607,6 +1651,10 @@ int SSL_connect(SSL *ssl); int SSL_read(SSL *ssl, void *buf, int num); int SSL_peek(SSL *ssl, void *buf, int num); int SSL_write(SSL *ssl, const void *buf, int num); +# ifndef OPENSSL_NO_IOVEC +int SSL_readv(SSL *ssl, ssl_bucket *buckets, int count); +int SSL_writev(SSL *ssl, const ssl_bucket *buckets, int count); +#endif /* !OPENSSL_NO_IOVEC */ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)(void)); long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); diff --git a/ssl/ssl_bucket.c b/ssl/ssl_bucket.c new file mode 100644 index 0000000..5882ba2 --- /dev/null +++ b/ssl/ssl_bucket.c @@ -0,0 +1,99 @@ +/* + * ssl_bucket.c + * + * Created by Stefan Eissing on 08.07.14. + * Copyright (c) 2014 Akamai and greenbytes. All rights reserved. + */ + +#include + +#include "ssl_locl.h" + +size_t ssl_bucket_len(const ssl_bucket *buckets, int count) +{ + size_t len = 0, i; + for(i=0; i < count; ++i) + len += buckets[i].iov_len; + return len; +} + +int ssl_bucket_same(const ssl_bucket *buckets1, int count1, const ssl_bucket *buckets2, int count2) +{ + return ((count1 == count2) && + (memcmp(buckets1, buckets2, count2*sizeof(ssl_bucket)) == 0)); +} + +void ssl_bucket_set(ssl_bucket *bucket, void *buf, size_t len) +{ + bucket->iov_base = buf; + bucket->iov_len = len; +} + +size_t ssl_bucket_cpy_out(void *buf, const ssl_bucket *buckets, int count, int offset, int len) +{ + int j, i = 0; + size_t copied = 0; + + if (count == 1) { + len = (len <= buckets[0].iov_len)? len : buckets[0].iov_len; + memcpy(buf, buckets[0].iov_base+offset, len); + return (len); + } + + while (i < count && offset > buckets[i].iov_len) { + offset -= buckets[i].iov_len; + ++i; + } + + while (i < count && len > 0) { + j = buckets[i].iov_len - offset; + if (j > len) + j = len; + memcpy(buf, buckets[i].iov_base+offset, j); + buf += j; + copied += j; + len -= j; + offset = 0; + ++i; + } + return (copied); +} + +size_t ssl_bucket_cpy_in(const ssl_bucket *buckets, int count, void *buf, int len) +{ + size_t copied = 0, i; + + if (count == 1) { + len = (len <= buckets[0].iov_len)? len : buckets[0].iov_len; + memcpy(buckets[0].iov_base, buf, len); + return (len); + } + + for(i=0; i < count && len > 0; ++i) { + int j = buckets[i].iov_len; + if (len < j) + j = len; + memcpy(buckets[i].iov_base, buf, j); + buf += j; + copied += j; + len -= j; + } + return (copied); +} + +unsigned char *ssl_bucket_get_pointer(const ssl_bucket *buckets, int count, + int offset, unsigned int *nw) +{ + int i = 0; + while (i < count && offset > buckets[i].iov_len) { + offset -= buckets[i].iov_len; + ++i; + } + + if (i == count) + return NULL; + if (*nw > (buckets[i].iov_len - offset)) + *nw = buckets[i].iov_len - offset; + return &(buckets[i].iov_base[offset]); + +} diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 41d0a7f..9f40fbb 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1017,6 +1017,39 @@ int SSL_write(SSL *s, const void *buf, int num) return (s->method->ssl_write(s, buf, num)); } +#ifndef OPENSSL_NO_IOVEC + +int SSL_readv(SSL *s, ssl_bucket *buckets, int count) +{ + if (s->handshake_func == 0) { + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + return -1; + } + + if ((s->shutdown & SSL_RECEIVED_SHUTDOWN)) { + s->rwstate=SSL_NOTHING; + return(0); + } + return (s->method->ssl_readv(s, buckets, count)); +} + +int SSL_writev(SSL *s, const ssl_bucket *buckets, int count) +{ + if (s->handshake_func == 0) { + SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); + return -1; + } + + if ((s->shutdown & SSL_SENT_SHUTDOWN)) { + s->rwstate=SSL_NOTHING; + SSLerr(SSL_F_SSL_WRITE,SSL_R_PROTOCOL_IS_SHUTDOWN); + return(-1); + } + return (s->method->ssl_writev(s, buckets, count)); +} + +#endif /* !OPENSSL_NO_IOVEC */ + int SSL_shutdown(SSL *s) { /* diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index d0ab177..8d5de53 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -559,6 +559,14 @@ struct ssl_method_st { int (*ssl_read_bytes) (SSL *s, int type, unsigned char *buf, int len, int peek); int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, int len); +# ifndef OPENSSL_NO_IOVEC + int (*ssl_readv)(SSL *s, ssl_bucket *buckets, int count); + int (*ssl_writev)(SSL *s, const ssl_bucket *buckets, int count); + int (*ssl_readv_bytes)(SSL *s, int type, ssl_bucket *buckets, + int count, int peek); + int (*ssl_writev_bytes)(SSL *s, int type, const ssl_bucket *buckets, + int count); +# endif /* !OPENSSL_NO_IOVEC */ int (*ssl_dispatch_alert) (SSL *s); long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg); long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg); @@ -1354,7 +1362,8 @@ typedef struct ssl3_state_st { int wpend_tot; /* number bytes written */ int wpend_type; int wpend_ret; /* number of bytes submitted */ - const unsigned char *wpend_buf; + ssl_bucket wpend_bucket[SSL_BUCKET_MAX]; + size_t wpend_bucket_count; /* used during startup, digest all incoming/outgoing packets */ BIO *handshake_buffer; /* @@ -1939,6 +1948,34 @@ extern const SSL3_ENC_METHOD SSLv3_enc_data; extern const SSL3_ENC_METHOD DTLSv1_enc_data; extern const SSL3_ENC_METHOD DTLSv1_2_enc_data; +#ifndef OPENSSL_NO_IOVEC + +int ssl23_readv(SSL *s, ssl_bucket *buckets, int count); +int ssl3_readv(SSL *s, ssl_bucket *buckets, int count); + +int ssl23_writev(SSL *s, const ssl_bucket *buckets, int count); +int ssl3_writev(SSL *s, const ssl_bucket *buckets, int count); + +int ssl3_readv_bytes(SSL *s, int type, ssl_bucket *buckets, int count, int peek); +int ssl3_writev_bytes(SSL *s, int type, const ssl_bucket *buckets, int count); + +int dtls1_readv_bytes(SSL *s, int type, ssl_bucket *buckets, int count, int peek); +int dtls1_writev_bytes(SSL *s, int type, const ssl_bucket *buckets, int count); + +#define OPENSSL_SSL23_IOVEC_FNS ssl23_readv, ssl23_writev, ssl3_readv_bytes, ssl3_writev_bytes, +#define OPENSSL_SSL3_IOVEC_FNS ssl3_readv, ssl3_writev, ssl3_readv_bytes, ssl3_writev_bytes, +#define OPENSSL_DTLS1_IOVEC_FNS ssl3_readv, ssl3_writev, dtls1_readv_bytes, dtls1_writev_bytes, + +#else /* !OPENSSL_NO_IOVEC */ + +#define OPENSSL_SSL2_IOVEC_FNS +#define OPENSSL_SSL23_IOVEC_FNS +#define OPENSSL_SSL3_IOVEC_FNS +#define OPENSSL_DTLS1_IOVEC_FNS + +#endif /* OPENSSL_NO_IOVEC */ + + # define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth, enc_data) \ const SSL_METHOD *func_name(void) \ @@ -1959,6 +1996,7 @@ const SSL_METHOD *func_name(void) \ ssl3_get_message, \ ssl3_read_bytes, \ ssl3_write_bytes, \ + OPENSSL_SSL3_IOVEC_FNS \ ssl3_dispatch_alert, \ ssl3_ctrl, \ ssl3_ctx_ctrl, \ @@ -1997,6 +2035,7 @@ const SSL_METHOD *func_name(void) \ ssl3_get_message, \ ssl3_read_bytes, \ ssl3_write_bytes, \ + OPENSSL_SSL3_IOVEC_FNS \ ssl3_dispatch_alert, \ ssl3_ctrl, \ ssl3_ctx_ctrl, \ @@ -2035,6 +2074,7 @@ const SSL_METHOD *func_name(void) \ ssl3_get_message, \ ssl3_read_bytes, \ ssl3_write_bytes, \ + OPENSSL_SSL23_IOVEC_FNS \ ssl3_dispatch_alert, \ ssl3_ctrl, \ ssl3_ctx_ctrl, \ @@ -2074,6 +2114,7 @@ const SSL_METHOD *func_name(void) \ dtls1_get_message, \ dtls1_read_bytes, \ dtls1_write_app_data_bytes, \ + OPENSSL_DTLS1_IOVEC_FNS \ dtls1_dispatch_alert, \ dtls1_ctrl, \ ssl3_ctx_ctrl, \ @@ -2258,8 +2299,10 @@ int ssl3_read_n(SSL *s, int n, int max, int extend); int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_do_compress(SSL *ssl); int ssl3_do_uncompress(SSL *ssl); -int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, - unsigned int len); +int ssl3_do_vcompress(SSL *ssl, const ssl_bucket *buckets, int count, + size_t offset, size_t len); +int ssl3_writev_pending(SSL *s, int type, const ssl_bucket *buckets, int count, + unsigned int len, int reset); unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt, unsigned long len, -- 1.7.9.5