git: 79669b07b08b - stable/13 - uipc_socket.c: Modify MSG_TLSAPPDATA to only do Alert Records

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Sat, 28 May 2022 03:20:58 UTC
The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=79669b07b08bca80203f35495d06783da5b799c7

commit 79669b07b08bca80203f35495d06783da5b799c7
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2022-05-14 19:56:50 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2022-05-28 03:19:48 +0000

    uipc_socket.c: Modify MSG_TLSAPPDATA to only do Alert Records
    
    Without this patch, the MSG_TLSAPPDATA flag would cause
    soreceive_generic() to return ENXIO for any non-application
    data record in a TLS receive stream.
    
    This works ok for TLS1.2, since Alert records appear to be
    the only non-application data records received.
    However, for TLS1.3, there can be post-handshake handshake
    records, such as NewSessionKey sent to the client from the
    server. These handshake records cannot be handled by the
    upcall which does an SSL_read() with length == 0.
    
    It appears that the client can simply throw away these
    NewSessionKey records, but to do so, it needs to receive
    them within the kernel.
    
    This patch modifies the semantics of MSG_TLSAPPDATA slightly,
    so that it only applies to Alert records and not Handshake
    records. It is needed to allow the krpc to work with KTLS1.3.
    
    (cherry picked from commit 373511338d954895752e957f3028a178587c8c84)
---
 sys/kern/uipc_socket.c | 8 ++++----
 sys/sys/ktls.h         | 2 ++
 sys/sys/socket.h       | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index bdd7756916d9..bbcd5dd30320 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -2065,8 +2065,8 @@ dontblock:
 		struct tls_get_record tgr;
 
 		/*
-		 * For MSG_TLSAPPDATA, check for a non-application data
-		 * record.  If found, return ENXIO without removing
+		 * For MSG_TLSAPPDATA, check for an alert record.
+		 * If found, return ENXIO without removing
 		 * it from the receive queue.  This allows a subsequent
 		 * call without MSG_TLSAPPDATA to receive it.
 		 * Note that, for TLS, there should only be a single
@@ -2077,8 +2077,8 @@ dontblock:
 			if (cmsg->cmsg_type == TLS_GET_RECORD &&
 			    cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) {
 				memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr));
-				/* This will need to change for TLS 1.3. */
-				if (tgr.tls_type != TLS_RLTYPE_APP) {
+				if (__predict_false(tgr.tls_type ==
+				    TLS_RLTYPE_ALERT)) {
 					SOCKBUF_UNLOCK(&so->so_rcv);
 					error = ENXIO;
 					goto release;
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 0e16fd5d9d1e..9fc01de5978c 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -50,6 +50,8 @@ struct tls_record_layer {
 #define	TLS_CBC_IMPLICIT_IV_LEN	16
 
 /* Type values for the record layer */
+#define	TLS_RLTYPE_ALERT	21
+#define	TLS_RLTYPE_HANDSHAKE	22
 #define	TLS_RLTYPE_APP		23
 
 /*
diff --git a/sys/sys/socket.h b/sys/sys/socket.h
index 2cb76f9c6d63..de7a874b3079 100644
--- a/sys/sys/socket.h
+++ b/sys/sys/socket.h
@@ -470,7 +470,7 @@ struct msghdr {
 #endif
 #ifdef _KERNEL
 #define	MSG_MORETOCOME	 0x00100000	/* additional data pending */
-#define	MSG_TLSAPPDATA	 0x00200000	/* only soreceive() app. data (TLS) */
+#define	MSG_TLSAPPDATA	 0x00200000	/* do not soreceive() alert rec. (TLS) */
 #endif
 
 /*