git: 4d85e7386f77 - stable/14 - KTLS: Handle TLS 1.3 in ssl3_get_record.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Tue, 24 Oct 2023 19:25:58 UTC
The branch stable/14 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=4d85e7386f7756c98f3e4ae1fb0037b56903510f

commit 4d85e7386f7756c98f3e4ae1fb0037b56903510f
Author:     Daiki Ueno <dueno@redhat.com>
AuthorDate: 2021-10-10 06:54:07 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-10-24 19:02:46 +0000

    KTLS: Handle TLS 1.3 in ssl3_get_record.
    
    - Don't unpad records, check the outer record type, or extract the
      inner record type from TLS 1.3 records handled by the kernel.  KTLS
      performs all of these steps and returns the inner record type in the
      TLS header.
    
    - When checking the length of a received TLS 1.3 record don't allow
      for the extra byte for the nested record type when KTLS is used.
    
    - Pass a pointer to the record type in the TLS header to the
      SSL3_RT_INNER_CONTENT_TYPE message callback.  For KTLS, the old
      pointer pointed to the last byte of payload rather than the record
      type.  For the non-KTLS case, the TLS header has been updated with
      the inner type before this callback is invoked.
    
    Obtained from:  OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624)
    
    (cherry picked from commit c085ca5245797ae17fc69353bbdf7584acb2feaa)
---
 crypto/openssl/ssl/record/ssl3_record.c | 46 ++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 15 deletions(-)

diff --git a/crypto/openssl/ssl/record/ssl3_record.c b/crypto/openssl/ssl/record/ssl3_record.c
index 57915e1bd6e0..d6c0cf346723 100644
--- a/crypto/openssl/ssl/record/ssl3_record.c
+++ b/crypto/openssl/ssl/record/ssl3_record.c
@@ -366,7 +366,9 @@ int ssl3_get_record(SSL *s)
                     }
                 }
 
-                if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
+                if (SSL_IS_TLS13(s)
+                        && s->enc_read_ctx != NULL
+                        && !using_ktls) {
                     if (thisrr->type != SSL3_RT_APPLICATION_DATA
                             && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
                                 || !SSL_IS_FIRST_HANDSHAKE(s))
@@ -396,7 +398,13 @@ int ssl3_get_record(SSL *s)
         }
 
         if (SSL_IS_TLS13(s)) {
-            if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
+            size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
+
+            /* KTLS strips the inner record type. */
+            if (using_ktls)
+                len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+            if (thisrr->length > len) {
                 SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
                          SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
                 return -1;
@@ -689,21 +697,29 @@ int ssl3_get_record(SSL *s)
         if (SSL_IS_TLS13(s)
                 && s->enc_read_ctx != NULL
                 && thisrr->type != SSL3_RT_ALERT) {
-            size_t end;
+            /*
+             * The following logic are irrelevant in KTLS: the kernel provides
+             * unprotected record and thus record type represent the actual
+             * content type, and padding is already removed and thisrr->type and
+             * thisrr->length should have the correct values.
+             */
+            if (!using_ktls) {
+                size_t end;
 
-            if (thisrr->length == 0
-                    || thisrr->type != SSL3_RT_APPLICATION_DATA) {
-                SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
-                goto end;
-            }
+                if (thisrr->length == 0
+                        || thisrr->type != SSL3_RT_APPLICATION_DATA) {
+                    SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
+                    goto end;
+                }
 
-            /* Strip trailing padding */
-            for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
-                 end--)
-                continue;
+                /* Strip trailing padding */
+                for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
+                     end--)
+                    continue;
 
-            thisrr->length = end;
-            thisrr->type = thisrr->data[end];
+                thisrr->length = end;
+                thisrr->type = thisrr->data[end];
+            }
             if (thisrr->type != SSL3_RT_APPLICATION_DATA
                     && thisrr->type != SSL3_RT_ALERT
                     && thisrr->type != SSL3_RT_HANDSHAKE) {
@@ -712,7 +728,7 @@ int ssl3_get_record(SSL *s)
             }
             if (s->msg_callback)
                 s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
-                                &thisrr->data[end], 1, s, s->msg_callback_arg);
+                                &thisrr->type, 1, s, s->msg_callback_arg);
         }
 
         /*