Page MenuHomeFreeBSD

Make MSG_TLSAPPDATA only apply to Alert records
ClosedPublic

Authored by rmacklem on May 11 2022, 1:33 AM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 6 2024, 7:25 PM
Unknown Object (File)
Sep 23 2024, 7:52 AM
Unknown Object (File)
Sep 22 2024, 1:47 AM
Unknown Object (File)
Sep 21 2024, 8:36 AM
Unknown Object (File)
Sep 20 2024, 7:12 PM
Unknown Object (File)
Sep 18 2024, 5:51 PM
Unknown Object (File)
Sep 7 2024, 4:08 PM
Unknown Object (File)
Sep 5 2024, 11:15 AM
Subscribers

Details

Summary

Without this patch, the MSG_TLSAPPDATA flag would cause
soreceive_generic() to return ENXIO for any non-application
data record in a TLS receive stream.

This works ok for TLS1.2, since Alert records appear to be
the only non-application data records received.
However, for TLS1.3, there can be post-handshake handshake
records, such as NewSessionKey sent to the client from the
server. These handshake records cannot be handled by the
upcall which does an SSL_read() with length == 0.

It appears that the client can simply throw away these
NewSessionKey records, but to do so, it needs to receive
them within the kernel.

This patch modifies the semantics of MSG_TLSAPPDATA slightly,
so that it only applies to Alert records and not Handshake records.
It is needed to allow the krpc to work with KTLS1.3.

Test Plan

Has been tested using an NFS-over-TLS mount configured
to use TLS1.3.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable