git: 65e292cdf155 - stable/14 - KTLS: Add using_ktls helper variable in ssl3_get_record().

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Tue, 24 Oct 2023 19:25:56 UTC
The branch stable/14 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=65e292cdf15539472ffe3ecf561951d08fa2a76d

commit 65e292cdf15539472ffe3ecf561951d08fa2a76d
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-03-08 00:55:18 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-10-24 19:02:36 +0000

    KTLS: Add using_ktls helper variable in ssl3_get_record().
    
    When KTLS receive is enabled, pending data may still be present due to
    read ahead.  This data must still be processed the same as records
    received without KTLS.  To ease readability (especially in
    consideration of additional checks which will be added for TLS 1.3),
    add a helper variable 'using_ktls' that is true when the KTLS receive
    path is being used to receive a record.
    
    Obtained from:  OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
    
    (cherry picked from commit 0fc28f22d5b6a75d8a0449262a05cefe1040f982)
---
 crypto/openssl/ssl/record/ssl3_record.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/crypto/openssl/ssl/record/ssl3_record.c b/crypto/openssl/ssl/record/ssl3_record.c
index 3c0b1323a459..57915e1bd6e0 100644
--- a/crypto/openssl/ssl/record/ssl3_record.c
+++ b/crypto/openssl/ssl/record/ssl3_record.c
@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s)
     int imac_size;
     size_t num_recs = 0, max_recs, j;
     PACKET pkt, sslv2pkt;
-    int is_ktls_left;
+    int using_ktls;
     SSL_MAC_BUF *macbufs = NULL;
     int ret = -1;
 
     rr = RECORD_LAYER_get_rrec(&s->rlayer);
     rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
-    is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
     max_recs = s->max_pipelines;
     if (max_recs == 0)
         max_recs = 1;
     sess = s->session;
 
+    /*
+     * KTLS reads full records. If there is any data left,
+     * then it is from before enabling ktls.
+     */
+    using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
+
     do {
         thisrr = &rr[num_recs];
 
@@ -409,7 +414,7 @@ int ssl3_get_record(SSL *s)
 #endif
 
             /* KTLS may use all of the buffer */
-            if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+            if (using_ktls)
                 len = SSL3_BUFFER_get_left(rbuf);
 
             if (thisrr->length > len) {
@@ -518,11 +523,7 @@ int ssl3_get_record(SSL *s)
         return 1;
     }
 
-    /*
-     * KTLS reads full records. If there is any data left,
-     * then it is from before enabling ktls
-     */
-    if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+    if (using_ktls)
         goto skip_decryption;
 
     if (s->read_hash != NULL) {
@@ -734,8 +735,7 @@ int ssl3_get_record(SSL *s)
          * Therefore we have to rely on KTLS to check the plaintext length
          * limit in the kernel.
          */
-        if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
-                && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
+        if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
             SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
             goto end;
         }