1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
/*-
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
* Copyright (c) 2018-2024 Netflix
* Author: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
#define ACCEPT_FILTER_MOD
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/signalvar.h>
#include <sys/sysctl.h>
#include <sys/socketvar.h>
static int sbfull(struct sockbuf *sb);
static uint8_t sbmget8(struct mbuf *m, int offset);
static int so_hastls(struct socket *so, void *arg, int waitflag);
ACCEPT_FILTER_DEFINE(accf_tls, "tlsready", so_hastls, NULL, NULL, 1);
static int
sbfull(struct sockbuf *sb)
{
return (sbused(sb) >= sb->sb_hiwat || sb->sb_mbcnt >= sb->sb_mbmax);
}
static uint8_t
sbmget8(struct mbuf *m, int offset)
{
struct mbuf *n = m->m_nextpkt;
while (m != NULL && offset >= m->m_len) {
offset -= m->m_len;
m = m->m_next;
if (m == NULL) {
m = n;
n = m->m_nextpkt;
}
}
return *(mtod(m, uint8_t *) + offset);
}
static int
so_hastls(struct socket *so, void *arg, int waitflag)
{
struct sockbuf *sb = &so->so_rcv;
int avail;
uint16_t reclen;
if ((sb->sb_state & SBS_CANTRCVMORE) || sbfull(sb))
return (SU_ISCONNECTED); /* can't wait any longer */
/*
* struct {
* ContentType type; - 1 byte, 0x16 handshake
* ProtocolVersion version; - 2 bytes (major, minor)
* uint16 length; - 2 bytes, NBO, 2^14 max
* opaque fragment[TLSPlaintext.length];
* } TLSPlaintext;
*/
/* Did we get at least 5 bytes */
avail = sbavail(sb);
if (avail < 5)
return (SU_OK); /* nope */
/* Does this look like TLS handshake? */
if (sbmget8(sb->sb_mb, 0) != 0x16)
return (SU_ISCONNECTED); /* nope */
/* Did we get a complete TLS record? */
reclen = (uint16_t) sbmget8(sb->sb_mb, 3) << 8;
reclen |= (uint16_t) sbmget8(sb->sb_mb, 4);
if (reclen <= 16384 && avail < (int) 5 + reclen)
return (SU_OK); /* nope */
return (SU_ISCONNECTED);
}
|
