[Backport 3.6] Defragment incoming TLS handshake messages (reuse badmac_seen) #9981
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gilles-peskine-arm
added
component-tls
needs-ci
rojer
reviewed
Feb 13, 2025
6 tasks
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Co-authored-by: minosgalanakis <[email protected]> Signed-off-by: Deomid Ryabkov <[email protected]>
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Except the first Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
The first fragment of a fragmented handshake message always starts at the beginning of the buffer so there's no need to store it. Signed-off-by: Deomid rojer Ryabkov <[email protected]>
No behavior change. Signed-off-by: Gilles Peskine <[email protected]>
Prepare to unify two fields of the `mbedtls_ssl_context` structure: `badmac_seen` (always present but only used in DTLS) and `in_hsfraglen` (always present but only used in non-DTLS TLS). Signed-off-by: Gilles Peskine <[email protected]>
In the `mbedtls_ssl_context` structure, change the type of `in_hsfraglen` from `size_t` to `unsigned`. This is in preparation for merging `in_hsfraglen` into `badmac_seen_or_in_hsfraglen`, which has the type `unsigned` and cannot change since we do not want to change the ABI. Signed-off-by: Gilles Peskine <[email protected]>
In the `mbedtls_ssl_context` structure, merge the field `in_hsfraglen` into `badmac_seen_or_in_hsfraglen`. This restores the ABI of `libmbedtls` as it was in Mbed TLS 3.6.0 through 3.6.2. The field `badmac_seen_or_in_hsfraglen` (formerly `badmac_seen`) was only used for DTLS (despite being present in non-DTLS builds), and the field `in_hsfraglen` was only used in non-DTLS TLS. Therefore the two values can be stored in the same field. Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
changed the base branch from
mbedtls-3.6
to
features/tls-defragmentation/3.6
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
force-pushed
the
tls_hs_defrag_in-3.6-badmac_seen
branch
from
da8f72e to
cb72cd2
Compare
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added
needs-review
Contributor
|
Thanks for raising this backport PR and the elegant sollution. Looks good overall, but it would be good to update the programs, using |
Signed-off-by: Gilles Peskine <[email protected]>
6 tasks
Contributor
|
@gilles-peskine-arm According to Can you explain why? |
mpg
reviewed
Feb 19, 2025
Contributor
mpg
left a comment
mpg
left a comment
There was a problem hiding this comment.
LGTM except for the 3 missing commits.
As usual, thanks for the nice commit structure of the ABI-fixing refactoring, always appreciated as a reviewer.
tation. h/t @waleed-elmelegy-arm Mbed-TLS@909e716 Signed-off-by: Waleed Elmelegy <[email protected]> Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
Signed-off-by: Waleed Elmelegy <[email protected]> Signed-off-by: Deomid rojer Ryabkov <[email protected]>
gilles-peskine-arm
removed
the
needs-reviewer
Contributor
Author
|
My bad, I had started from #9949 then removed the tests and hadn't noticed the non-ssl-opt commits in the middle of the ssl-opt commits. I've cherry-picked the extra commits now. |
mpg
added
approved
Contributor
|
For the record, I've double-checked the report from the API/ABI compat checked, only two issues are found, both of which are about the renamed field:
|
github-merge-queue
bot
removed this pull request from the merge queue due to no response for status checks
mpg
merged commit cca140b
into
Mbed-TLS:features/tls-defragmentation/3.6
4 of 6 checks passed
6 tasks
Contributor
|
Hi! This patch seems to drop a publicly exposed ABI symbol ( |
Contributor
|
Hi! The symbol being removed was only declared in |
Contributor
|
Got it. Thanks for the fast reply :)
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the 3.6 backport of #9872, with extra commits to preserve ABI compatibility in 3.6.
A simpler alternative to #9949, which wasn't possible when #9949 was made. Originally we needed room for a message size and a pointer in the SSL context. Now, after an improvement to the original PR, we only need room for a message size, and that's easier to find.
PR checklist