Add support to the KTLS OCF module for AES-CBC MTE ciphersuites.
ClosedPublic
Actions

Authored by jhb on Oct 9 2020, 11:57 PM.

Details

Reviewers

gallatin
jmg

Commits

rS366677: Add support to the KTLS OCF module for AES-CBC MTE ciphersuites.

Summary

This is a simplistic approach which uses encrypts each TLS record in
two separate passes, one to generate the MAC, and a second to encrypt.
This supports TLS 1.0 connections with implicit IVs as well as TLS
1.1+ with explicit IVs.

Test Plan

tested with openssl s_time as the client against an openssl s_server

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb requested review of this revision.Oct 9 2020, 11:57 PM

jhb created this revision.

Harbormaster completed remote builds in B34080: Diff 78072.Oct 9 2020, 11:57 PM

jhb added a parent revision: D26729: Permit sending empty fragments for TLS 1.0..Oct 9 2020, 11:57 PM

Awesome. Thank you!

sys/opencrypto/ktls_ocf.c
578 ↗	(On Diff #78072)	This looks outside the scope of this review, but I"m fine with it, and we need it.

This revision is now accepted and ready to land.Oct 10 2020, 12:53 AM

jhb added inline comments.Oct 13 2020, 5:36 PM

sys/opencrypto/ktls_ocf.c
578 ↗	(On Diff #78072)	It just renders weird in the web UI. This code is already present, but in the current source it is after the switch on the algorithm. I just had to move it into the GCM-specific case since the version checks are ciphersuite-specific.