Page MenuHomeFreeBSD
Differential D35170

Make MSG_TLSAPPDATA only apply to Alert records
ClosedPublic
Actions

Authored by rmacklem on May 11 2022, 1:33 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 19, 4:55 AM
Unknown Object (File)
Fri, Apr 19, 4:54 AM
Unknown Object (File)
Fri, Apr 19, 4:50 AM
Unknown Object (File)
Tue, Apr 16, 1:01 AM
Unknown Object (File)
Jan 31 2024, 2:22 AM
Unknown Object (File)
Jan 31 2024, 2:22 AM
Unknown Object (File)
Jan 31 2024, 2:22 AM
Unknown Object (File)
Jan 29 2024, 6:41 PM
View All 46 Files
Subscribers
imp

Details

Reviewers
jhb
gallatin
bjk
hselasky
Commits
rG373511338d95: uipc_socket.c: Modify MSG_TLSAPPDATA to only do Alert Records
Summary

Without this patch, the MSG_TLSAPPDATA flag would cause
soreceive_generic() to return ENXIO for any non-application
data record in a TLS receive stream.

This works ok for TLS1.2, since Alert records appear to be
the only non-application data records received.
However, for TLS1.3, there can be post-handshake handshake
records, such as NewSessionKey sent to the client from the
server. These handshake records cannot be handled by the
upcall which does an SSL_read() with length == 0.

It appears that the client can simply throw away these
NewSessionKey records, but to do so, it needs to receive
them within the kernel.

This patch modifies the semantics of MSG_TLSAPPDATA slightly,
so that it only applies to Alert records and not Handshake records.
It is needed to allow the krpc to work with KTLS1.3.

Test Plan

Has been tested using an NFS-over-TLS mount configured
to use TLS1.3.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Revision Contents
Changeset List

PathSize
sys/
kern/
uipc_socket.c
uipc_socket.c.sav
7 lines
sys/
ktls.h
ktls.h.sav
2 lines
socket.h
socket.h.sav
2 lines

Diff 105849

View Options

sys/kern/uipc_socket.c

Loading...
View Options

sys/sys/ktls.h

Loading...
View Options

sys/sys/socket.h

Loading...