git: a8333d4c62cb - stable/13 - OpenSSL: KTLS: Add using_ktls helper variable in ssl3_get_record().
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 14 May 2022 00:10:00 UTC
The branch stable/13 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=a8333d4c62cbf69f7510208749703a0d9370b138
commit a8333d4c62cbf69f7510208749703a0d9370b138
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-05-04 20:08:17 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-05-13 23:51:20 +0000
OpenSSL: KTLS: Add using_ktls helper variable in ssl3_get_record().
When KTLS receive is enabled, pending data may still be present due to
read ahead. This data must still be processed the same as records
received without KTLS. To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.
Approved by: jkim
Obtained from: OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34974
(cherry picked from commit 4f1f9c550227667efaad65e7f2a0034355d94dc8)
---
crypto/openssl/ssl/record/ssl3_record.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/crypto/openssl/ssl/record/ssl3_record.c b/crypto/openssl/ssl/record/ssl3_record.c
index 4fd22019ee7b..5fa481de9dbe 100644
--- a/crypto/openssl/ssl/record/ssl3_record.c
+++ b/crypto/openssl/ssl/record/ssl3_record.c
@@ -186,16 +186,21 @@ int ssl3_get_record(SSL *s)
size_t num_recs = 0, max_recs, j;
PACKET pkt, sslv2pkt;
size_t first_rec_len;
- int is_ktls_left;
+ int using_ktls;
rr = RECORD_LAYER_get_rrec(&s->rlayer);
rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
max_recs = s->max_pipelines;
if (max_recs == 0)
max_recs = 1;
sess = s->session;
+ /*
+ * KTLS reads full records. If there is any data left,
+ * then it is from before enabling ktls.
+ */
+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
+
do {
thisrr = &rr[num_recs];
@@ -413,7 +418,7 @@ int ssl3_get_record(SSL *s)
#endif
/* KTLS may use all of the buffer */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
len = SSL3_BUFFER_get_left(rbuf);
if (thisrr->length > len) {
@@ -522,11 +527,7 @@ int ssl3_get_record(SSL *s)
return 1;
}
- /*
- * KTLS reads full records. If there is any data left,
- * then it is from before enabling ktls
- */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
goto skip_decryption;
/*
@@ -787,8 +788,7 @@ int ssl3_get_record(SSL *s)
* Therefore we have to rely on KTLS to check the plaintext length
* limit in the kernel.
*/
- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
+ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD,
SSL_R_DATA_LENGTH_TOO_LONG);
return -1;