Provide functions to determine if TLSv1.2 record protection is engaged.

Call these functions from code that needs to know if we've changed cipher
state and enabled record protection, rather than inconsistently checking
various pointers from other places in the code base. This also fixes a
minor bug where the wrong pointers are checked if we're operating with
AEAD.

ok inoguchi@ tb@

1 files changed, 19 insertions, 1 deletions

diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 7fa31707d3..affc5375a2 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.11 2021/01/19 18:51:08 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.12 2021/01/19 18:57:09 jsing Exp $ */
 /*
  * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
  *
@@ -59,6 +59,12 @@ tls12_record_protection_free(struct tls12_record_protection *rp)
 }
 
 static int
+tls12_record_protection_engaged(struct tls12_record_protection *rp)
+{
+        return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
+}
+
+static int
 tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
     size_t *out_eiv_len)
 {
@@ -195,6 +201,18 @@ tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
         return 1;
 }
 
+int
+tls12_record_layer_read_protected(struct tls12_record_layer *rl)
+{
+        return tls12_record_protection_engaged(rl->read);
+}
+
+int
+tls12_record_layer_write_protected(struct tls12_record_layer *rl)
+{
+        return tls12_record_protection_engaged(rl->write);
+}
+
 void
 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
 {