svn commit: r364409 - in head/sys: kern sys
Rick Macklem
rmacklem at FreeBSD.org
Wed Aug 19 23:42:34 UTC 2020
Author: rmacklem
Date: Wed Aug 19 23:42:33 2020
New Revision: 364409
URL: https://svnweb.freebsd.org/changeset/base/364409
Log:
Add the MSG_TLSAPPDATA flag to indicate "return ENXIO" for non-application TLS
data records.
The kernel RPC cannot process non-application data records when
using TLS. It must do an upcall to a userspace daemon that will
call SSL_read() to process them.
This patch adds a new flag called MSG_TLSAPPDATA that the kernel
RPC can use to tell soreceive() to return ENXIO instead of a non-application
data record, when that is what is at the top of the receive queue.
I put the code in #ifdef KERN_TLS/#endif, although it will build without
that, so that it is recognized as only useful when KERN_TLS is enabled.
The alternative to doing this is to have the kernel RPC re-queue the
non-application data message after receiving it, but that seems more
complicated and might introduce message ordering issues when there
are multiple non-application data records one after another.
I do not know what, if any, changes will be required to support TLS1.3.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D25923
Modified:
head/sys/kern/uipc_socket.c
head/sys/sys/socket.h
Modified: head/sys/kern/uipc_socket.c
==============================================================================
--- head/sys/kern/uipc_socket.c Wed Aug 19 20:41:22 2020 (r364408)
+++ head/sys/kern/uipc_socket.c Wed Aug 19 23:42:33 2020 (r364409)
@@ -2056,6 +2056,32 @@ dontblock:
if (m != NULL && m->m_type == MT_CONTROL) {
struct mbuf *cm = NULL, *cmn;
struct mbuf **cme = &cm;
+#ifdef KERN_TLS
+ struct cmsghdr *cmsg;
+ struct tls_get_record tgr;
+
+ /*
+ * For MSG_TLSAPPDATA, check for a non-application data
+ * record. If found, return ENXIO without removing
+ * it from the receive queue. This allows a subsequent
+ * call without MSG_TLSAPPDATA to receive it.
+ * Note that, for TLS, there should only be a single
+ * control mbuf with the TLS_GET_RECORD message in it.
+ */
+ if (flags & MSG_TLSAPPDATA) {
+ cmsg = mtod(m, struct cmsghdr *);
+ if (cmsg->cmsg_type == TLS_GET_RECORD &&
+ cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) {
+ memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr));
+ /* This will need to change for TLS 1.3. */
+ if (tgr.tls_type != TLS_RLTYPE_APP) {
+ SOCKBUF_UNLOCK(&so->so_rcv);
+ error = ENXIO;
+ goto release;
+ }
+ }
+ }
+#endif
do {
if (flags & MSG_PEEK) {
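Review bot: The new MSG_TLSAPPDATA check reads `cmsg_type` and `cmsg_len` through `mtod(m, struct cmsghdr *)` and then sizes the `memcpy` from `cmsg_len`, without anything in the hunk confirming that `m->m_len` actually covers a full `struct cmsghdr` plus the record. The control mbuf at this point is produced by the kernel's own TLS receive path, so this is a robustness guard rather than a trust-boundary issue, but it is cheap to make the copy independent of that assumption: `if (m->m_len >= CMSG_LEN(sizeof(tgr)) && cmsg->cmsg_type == TLS_GET_RECORD && cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) {`. The comment also documents that only one TLS control mbuf is expected while the code inspects only the first one; if that invariant is load-bearing it is worth asserting rather than stating in prose. The enclosing function starts and ends outside the hunk, so the `release:` label's lock expectations cannot be confirmed from here; the `SOCKBUF_UNLOCK` before `goto release` presumably follows the other error paths in this function.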
Modified: head/sys/sys/socket.h
==============================================================================
--- head/sys/sys/socket.h Wed Aug 19 20:41:22 2020 (r364408)
+++ head/sys/sys/socket.h Wed Aug 19 23:42:33 2020 (r364409)
@@ -468,6 +468,7 @@ struct msghdr {
#endif
#ifdef _KERNEL
#define MSG_MORETOCOME 0x00100000 /* additional data pending */
+#define MSG_TLSAPPDATA 0x00200000 /* only soreceive() app. data (TLS) */
#endif
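Review bot: The flag's only public documentation is the trailing comment on the `#define`, and it does not say what a caller observes when a non-application record is at the head of the queue, which is the flag's whole contract; the explanation lives in a comment inside uipc_socket.c that readers of socket.h will not see. A slightly fuller comment on this line would close that gap: `#define MSG_TLSAPPDATA 0x00200000 /* TLS: soreceive() returns ENXIO, leaving a non-app data record queued */`. Since this is a kernel-only flag (inside `#ifdef _KERNEL`), it may also be worth stating that userland never sees it and that the record is left in place for a subsequent receive.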
/*