This is a simplistic approach which uses encrypts each TLS record in
two separate passes, one to generate the MAC, and a second to encrypt.
This supports TLS 1.0 connections with implicit IVs as well as TLS
1.1+ with explicit IVs.
Details
Details
- tested with openssl s_time as the client against an openssl s_server
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
Awesome. Thank you!
sys/opencrypto/ktls_ocf.c | ||
---|---|---|
578 ↗ | (On Diff #78072) | This looks outside the scope of this review, but I"m fine with it, and we need it. |
sys/opencrypto/ktls_ocf.c | ||
---|---|---|
578 ↗ | (On Diff #78072) | It just renders weird in the web UI. This code is already present, but in the current source it is after the switch on the algorithm. I just had to move it into the GCM-specific case since the version checks are ciphersuite-specific. |