diff options
Diffstat (limited to 'sys/netinet/accf_tls.c')
-rw-r--r-- | sys/netinet/accf_tls.c | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/sys/netinet/accf_tls.c b/sys/netinet/accf_tls.c new file mode 100644 index 000000000000..9f1ed7000474 --- /dev/null +++ b/sys/netinet/accf_tls.c @@ -0,0 +1,106 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2018-2024 Netflix + * Author: Maksim Yevmenkin <maksim.yevmenkin@gmail.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +#define ACCEPT_FILTER_MOD + +#include <sys/param.h> +#include <sys/kernel.h> +#include <sys/mbuf.h> +#include <sys/module.h> +#include <sys/signalvar.h> +#include <sys/sysctl.h> +#include <sys/socketvar.h> + +static int sbfull(struct sockbuf *sb); +static uint8_t sbmget8(struct mbuf *m, int offset); +static int so_hastls(struct socket *so, void *arg, int waitflag); + +ACCEPT_FILTER_DEFINE(accf_tls, "tlsready", so_hastls, NULL, NULL, 1); + +static int +sbfull(struct sockbuf *sb) +{ + + return (sbused(sb) >= sb->sb_hiwat || sb->sb_mbcnt >= sb->sb_mbmax); +} + +static uint8_t +sbmget8(struct mbuf *m, int offset) +{ + struct mbuf *n = m->m_nextpkt; + + while (m != NULL && offset >= m->m_len) { + offset -= m->m_len; + m = m->m_next; + if (m == NULL) { + m = n; + n = m->m_nextpkt; + } + } + + return *(mtod(m, uint8_t *) + offset); +} + +static int +so_hastls(struct socket *so, void *arg, int waitflag) +{ + struct sockbuf *sb = &so->so_rcv; + int avail; + uint16_t reclen; + + if ((sb->sb_state & SBS_CANTRCVMORE) || sbfull(sb)) + return (SU_ISCONNECTED); /* can't wait any longer */ + + /* + * struct { + * ContentType type; - 1 byte, 0x16 handshake + * ProtocolVersion version; - 2 bytes (major, minor) + * uint16 length; - 2 bytes, NBO, 2^14 max + * opaque fragment[TLSPlaintext.length]; + * } TLSPlaintext; + */ + + /* Did we get at least 5 bytes */ + avail = sbavail(sb); + if (avail < 5) + return (SU_OK); /* nope */ + + /* Does this look like TLS handshake? */ + if (sbmget8(sb->sb_mb, 0) != 0x16) + return (SU_ISCONNECTED); /* nope */ + + /* Did we get a complete TLS record? */ + reclen = (uint16_t) sbmget8(sb->sb_mb, 3) << 8; + reclen |= (uint16_t) sbmget8(sb->sb_mb, 4); + + if (reclen <= 16384 && avail < (int) 5 + reclen) + return (SU_OK); /* nope */ + + return (SU_ISCONNECTED); +} |