Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ktls: improve messaging around freed handshakes #4346

Merged
merged 3 commits into from
Jan 9, 2024
Merged

ktls: improve messaging around freed handshakes #4346

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e09fc23
ktls: improve messaging around freed handshakes
lrstewart Jan 8, 2024
6e4a2b9
Move check, add comment
lrstewart Jan 9, 2024
b704884
Merge branch 'main' into ktls_fix
lrstewart Jan 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions api/unstable/ktls.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,8 @@
* Enables sending using kTLS on a given connection.
*
* See above for the limitations on when kTLS can be enabled. Additionally,
* s2n_connection_ktls_enable_send must be called after the handshake completes.
* s2n_connection_ktls_enable_send must be called after the handshake completes
* but before the handshake is freed with s2n_connection_free_handshake.
* It may be called after some application data is sent and received without kTLS,
* but there must be no pending application data that requires flushing. If these
* requirements are not met, enabling kTLS will fail with an error.
Expand Down Expand Up @@ -74,7 +75,8 @@ S2N_API int s2n_connection_ktls_enable_send(struct s2n_connection *conn);
* Enables receiving using kTLS on a given connection.
*
* See above for the limitations on when kTLS can be enabled. Additionally,
* s2n_connection_ktls_enable_recv must be called after the handshake completes.
* s2n_connection_ktls_enable_recv must be called after the handshake completes
* but before the handshake is freed with s2n_connection_free_handshake.
* It may be called after some application data is sent and received without kTLS,
* but there must be no buffered application data that requires draining. If these
* requirements are not met, enabling kTLS will fail with an error.
Expand Down
6 changes: 6 additions & 0 deletions tls/s2n_ktls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,12 @@ static S2N_RESULT s2n_ktls_validate(struct s2n_connection *conn, s2n_ktls_mode k
/* kTLS enable should only be called once the handshake has completed. */
RESULT_ENSURE(is_handshake_complete(conn), S2N_ERR_HANDSHAKE_NOT_COMPLETE);

/* kTLS uses the prf_space to recalculate the keys, but the prf_space may be
* freed by s2n_connection_free_handshake to reduce the connection size.
* Explicitly check for prf_space here to avoid a confusing S2N_ERR_NULL later.
*/
RESULT_ENSURE(conn->prf_space, S2N_ERR_INVALID_STATE);

/* For now, only allow TlS1.3 if explicitly enabled.
*
* TLS1.3 is potentially more dangerous to enable than TLS1.2, since the kernel
Expand Down
Loading