D34195.id102495.diff
Index: sys/kern/uipc_ktls.c
===================================================================
--- sys/kern/uipc_ktls.c
+++ sys/kern/uipc_ktls.c
@@ -1691,19 +1691,18 @@
* All mbufs in the chain should be TLS records whose
* payload does not exceed the maximum frame length.
*
- * Empty TLS records are permitted when using CBC.
+ * Empty TLS 1.0 records are permitted when using CBC.
*/
- KASSERT(m->m_len <= maxlen &&
- (tls->params.cipher_algorithm == CRYPTO_AES_CBC ?
- m->m_len >= 0 : m->m_len > 0),
- ("ktls_frame: m %p len %d\n", m, m->m_len));
+ KASSERT(m->m_len <= maxlen && m->m_len >= 0 &&
+ (m->m_len > 0 || ktls_permit_empty_frames(tls)),
+ ("ktls_frame: m %p len %d", m, m->m_len));
/*
* TLS frames require unmapped mbufs to store session
* info.
*/
KASSERT((m->m_flags & M_EXTPG) != 0,
- ("ktls_frame: mapped mbuf %p (top = %p)\n", m, top));
+ ("ktls_frame: mapped mbuf %p (top = %p)", m, top));
tls_len = m->m_len;
@@ -1797,6 +1796,13 @@
}
}
+bool
+ktls_permit_empty_frames(struct ktls_session *tls)
+{
+ return (tls->params.cipher_algorithm == CRYPTO_AES_CBC &&
+ tls->params.tls_vminor == TLS_MINOR_VER_ZERO);
+}
+
void
ktls_check_rx(struct sockbuf *sb)
{
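Review bot: `ktls_permit_empty_frames()` only reads `tls->params`, so its parameter should be `const struct ktls_session *tls` here and in the matching prototype added in sys/sys/ktls.h; that lets callers holding a const session use it and documents that it has no side effects. The function also has no header comment, unlike the surrounding file; something like `/* Empty TLS records are only produced for TLS 1.0 with a CBC cipher; reject them for every other version/cipher combination. */` above the definition would explain why both conditions are required. `ktls_check_rx()` starts on the last lines of this hunk and its body continues outside it.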
Index: sys/kern/uipc_socket.c
===================================================================
--- sys/kern/uipc_socket.c
+++ sys/kern/uipc_socket.c
@@ -1667,6 +1667,11 @@
atomic = 1;
}
}
+
+ if (resid == 0 && !ktls_permit_empty_frames(tls)) {
+ error = EINVAL;
+ goto release;
+ }
}
#endif
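Review bot: The new `resid == 0` check carries no comment, and a reader of this path will not know why a zero-length write is an error only for some sessions; suggest `/* A zero-length write would become an empty TLS record, which is only valid for TLS 1.0/CBC; refuse it here rather than assert in ktls_frame(). */` above the `if`. The check dereferences `tls` inside `ktls_permit_empty_frames()`, so it presumably sits inside an existing `tls != NULL` block closed by the `}` that follows — worth confirming, since the enclosing function starts and ends outside the hunk. The resulting `EINVAL` for zero-byte writes on non-1.0/CBC kTLS sockets is a user-visible behaviour change and should be mentioned in the ktls(4) documentation or the commit message.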
Index: sys/sys/ktls.h
===================================================================
--- sys/sys/ktls.h
+++ sys/sys/ktls.h
@@ -213,6 +213,7 @@
void ktls_destroy(struct ktls_session *tls);
void ktls_frame(struct mbuf *m, struct ktls_session *tls, int *enqueue_cnt,
uint8_t record_type);
+bool ktls_permit_empty_frames(struct ktls_session *tls);
void ktls_seq(struct sockbuf *sb, struct mbuf *m);
void ktls_enqueue(struct mbuf *m, struct socket *so, int page_count);
void ktls_enqueue_to_free(struct mbuf *m);
Index: tests/sys/kern/ktls_test.c
===================================================================
--- tests/sys/kern/ktls_test.c
+++ tests/sys/kern/ktls_test.c
@@ -1105,9 +1105,19 @@
fd_set_blocking(sockets[0]);
fd_set_blocking(sockets[1]);
- /* A write of zero bytes should send an empty fragment. */
+ /*
+ * A write of zero bytes should send an empty fragment only for
+ * TLS 1.0, otherwise an error should be raised.
+ */
rv = write(sockets[1], NULL, 0);
- ATF_REQUIRE(rv == 0);
+ if (rv == 0) {
+ ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC);
+ ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO);
+ } else {
+ ATF_REQUIRE(rv == -1);
+ ATF_REQUIRE(errno == EINVAL);
+ return;
+ }
/*
* First read the header to determine how much additional data
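Review bot: The `else` branch accepts `EINVAL` for any session, so a regression that rejects every empty write — including TLS 1.0/CBC — would still pass this test; only the success branch pins the cipher/version. The error branch should assert the complementary condition: `ATF_REQUIRE(en->cipher_algorithm != CRYPTO_AES_CBC || en->tls_vminor != TLS_MINOR_VER_ZERO);` before the `return`. The early `return` also skips whatever cleanup follows in this function, which starts and ends outside the hunk; that is presumably fine in an ATF per-test process but worth confirming.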
@@ -1369,7 +1379,7 @@
ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
#define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \
- key_size, auth_alg) \
+ key_size, auth_alg, minor) \
ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \
ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \
{ \
@@ -1378,14 +1388,14 @@
\
ATF_REQUIRE_KTLS(); \
seqno = random(); \
- build_tls_enable(cipher_alg, key_size, auth_alg, \
- TLS_MINOR_VER_ZERO, seqno, &en); \
+ build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \
+ &en); \
test_ktls_transmit_empty_fragment(&en, seqno); \
free_tls_enable(&en); \
}
#define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \
- key_size, auth_alg) \
+ key_size, auth_alg, minor) \
ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
#define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \
@@ -1506,7 +1516,9 @@
* Test "empty fragments" which are TLS records with no payload that
* OpenSSL can send for TLS 1.0 connections.
*/
-TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
static void
test_ktls_invalid_transmit_cipher_suite(struct tls_enable *en)
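Review bot: The comment above these three invocations still describes the tests as covering empty fragments "that OpenSSL can send for TLS 1.0 connections", but the generator is now applied to the AES-GCM and ChaCha20 suites where the write is expected to fail. Suggest extending it: `* Test "empty fragments" which are TLS records with no payload that OpenSSL can send for TLS 1.0 connections. For other versions and ciphers the empty write must fail with EINVAL.` The same comment is not repeated at the `ADD_TRANSMIT_EMPTY_FRAGMENT_TEST` registrations in the last hunk, so no change is needed there.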
@@ -1768,7 +1780,9 @@
AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
- TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+ AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+ AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+ CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST);
/* Receive tests */
D34195: ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode