TLS Terminator component

The TLS Terminator component supplied as part of KasperskyOS Community Edition ensures secure data transmission over the network between the client and the server using the Transport Layer Security (TLS) protocol.

The TLS Terminator component is built into the network interaction between the client and the network VFS backend. When a client uses network functions from the libc library, calls of these functions are redirected to the TLS Terminator component. The TLS Terminator component implements wrapper functions for standard calls of the network VFS backend. These wrappers ensure that TLS connections are established, outbound data is encrypted before it is sent to the network VFS backend, and inbound data is decrypted before being returned to the client. This implementation of the component ensures data protection during transmission over the network without the need to modify the client code.

How the TLS Terminator component works

How the TLS Terminator component works

API of the libc library supported by the TLS Terminator component

accept()

send()

bind()*

getprotobyname()*

close()

sendto()

fcntl()*

getprotobynumber()*

connect()

sendvec()

freeaddrinfo()*

getsockname()*

getsockopt()

setsockopt()

freeifaddrs()*

ioctl()*

poll()

shutdown()

getaddrinfo()*

listen()*

read()

socket()

gethostbyname()*

pipe()*

readv()

write()

getifaddrs()*

socketpair()*

recv()

writev()

getnameinfo()*

subscribe()*

recvfrom()

 

getnetbyname()*

sysctl()*

recvvec()

 

getpeername()*

 

Functions marked with * in the table have standard POSIX behavior. The behavior of the rest of the functions is modified by the TLS Terminator component as indicated in the table below.

Modification of the behavior of libc functions by the TLS Terminator component

libc function

POSIX behavior of the function

Behavior of the function when using TLS Terminator

accept()

Accepts a connection request from the pending connection queue and creates a new socket handle for interaction
  1. Accepts a connection request from the pending connection queue.
  2. Performs a TLS handshake with the client.
  3. Creates a new socket handle for interaction over a TLS connection.

close()

Closes the socket
  1. Terminates the TLS connection.
  2. Closes the socket.

connect()

Initiates a connection on the socket
  1. Establishes a TCP connection with the server.
  2. Performs a TLS handshake with the server.
  3. Returns a secure socket handle.

getsockopt()

Gets socket options
  1. Gets socket options.
  2. Supports parameters specific for TLS Terminator, which are presented in the table below.

read(), readv(), recv(), recvfrom(), recvvec()

Receives data from the server
  1. Receives encrypted data from the server.
  2. Decrypts them via the TLS context.
  3. Returns the decrypted data to the client.

send(), sendto(), sendvec()

Sends data to the server
  1. Encrypts client data via the TLS context.
  2. Sends encrypted data to the server over a TCP connection.

setsockopt()

Sets the parameters of a socket.
  1. Sets the parameters of a socket.
  2. Supports parameters specific for TLS Terminator, which are presented in the table below.

shutdown()

Terminates data transfer over the socket
  1. Terminates the TLS connection.
  2. Closes the TCP socket.

socket()

Creates a socket for network communication
  1. Creates a socket.
  2. Prepares a TLS context for subsequent use.

poll()

Tracks the state of file handles.
  1. Monitors the state of TLS sockets.
  2. Tracks the state of the TLS handshake and readiness for encryption/decryption.

write(), writev()

Sends data to the server
  1. Encrypts outbound data using the TLS context.
  2. Sends encrypted data to the server.

The IPPROTO_TLS value, which is not available in POSIX, has been implemented for the level parameter for the getsockopt() and setsockopt() functions. This value is defined in the /opt/KasperskyOS-Community-Edition-<platform>-<version>/sysroot-*-kos/include/netinet/in.h file from KasperskyOS Community Edition. Syntax of functions:

int setsockopt(int socket, int level, int option_name, const void *option_value, socklen_t option_len);

int getsockopt(int socket, int level, int option_name, void *restrict option_value, socklen_t *restrict option_len);

The level parameter specifies the level at which the option_name socket parameter name is defined. If the level parameter is equal to IPPROTO_TLS when calling the getsockopt() and setsockopt() functions, the TLS Terminator component processes the option_name socket parameter names that are available for this level from the table below.

Socket parameter names and their corresponding function behavior

Socket parameter name

Behavior of the setsockopt() function

Behavior of the getsockopt() function

TLS_REMOTE_HOSTNAME

Sets the name of the server to which the TLS connection is being established. This name will be used in the Server Name Indication (SNI) extension when performing the TLS handshake.

Gets the name of the server to which the TLS connection is being established.

TLS_OCSP_STAPLING_CHECK

Enables an OCSP Stapling check (confirmation that the certificate is valid) for the specified client socket.

This parameter is not processed.

TLS_SESSION_ID

This parameter is not processed.

Gets the ID of the TLS session.

TLS_VERIFY_RESULT

This parameter is not processed.

Returns the server certificate validation result as a combination of error flags.

If the default functionality of the TLS Terminator component is insufficient, it can be extended by using a plug-in mechanism. For more details, refer to Extending TLS Terminator functionality.

Contents of the TLS Terminator component

The component consists of the following files:

Page top