Page MenuHomeFreeBSD

add a MSG_TLSAPPDATA flag that tells sorecieve() to return ENXIO for TLS non-application data records
ClosedPublic

Authored by rmacklem on Aug 2 2020, 10:04 PM.

Details

Summary

The kernel RPC cannot process non-application data records when
using TLS. It must to an upcall to a userspace daemon that will
call SSL_read() to process them.

This patch adds a new flag called MSG_TLSAPPDATA that the kernel
RPC can use to tell sorecieve() to return ENXIO instead of a non-application
data record, when that is what is at the top of the receive queue.

The code could use any error return that is not normally returned by
soreceive(). If some other errno is preferred, that can easily be changed.

I also put the code in #ifdef KERN_TLS/#endif, although it will build without
that, so that it is recognized as only useful when KERN_TLS is enabled.

The alternative to doing this is to have the kernel RPC re-queue the
non-application data message after receiving it, but that seems more
complicated and might introduce message ordering issues when there
are multiple non-application data records one after another.

I do not know what, if any, changes will be required to support TLS1.3.

Test Plan

Has been tested using the nfs-over-tls implementation in
head/projects/nfs-over-tls. (Really RPC-over-TLS, but since
NFS is the only anticipated consumer, I called it nfs-over-tls.)

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.