Page MenuHomeFreeBSD

Add support to the KTLS OCF module for AES-CBC MTE ciphersuites.
ClosedPublic

Authored by jhb on Oct 9 2020, 11:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 10, 7:19 PM
Unknown Object (File)
Tue, Dec 24, 7:34 PM
Unknown Object (File)
Nov 5 2024, 6:49 PM
Unknown Object (File)
Oct 23 2024, 7:09 AM
Unknown Object (File)
Oct 21 2024, 1:09 AM
Unknown Object (File)
Oct 4 2024, 12:52 PM
Unknown Object (File)
Oct 3 2024, 12:22 PM
Unknown Object (File)
Oct 1 2024, 7:47 PM
Subscribers

Details

Summary

This is a simplistic approach which uses encrypts each TLS record in
two separate passes, one to generate the MAC, and a second to encrypt.
This supports TLS 1.0 connections with implicit IVs as well as TLS
1.1+ with explicit IVs.

Test Plan
  • tested with openssl s_time as the client against an openssl s_server

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Oct 9 2020, 11:57 PM
jhb created this revision.

Awesome. Thank you!

sys/opencrypto/ktls_ocf.c
578 ↗(On Diff #78072)

This looks outside the scope of this review, but I"m fine with it, and we need it.

This revision is now accepted and ready to land.Oct 10 2020, 12:53 AM
sys/opencrypto/ktls_ocf.c
578 ↗(On Diff #78072)

It just renders weird in the web UI. This code is already present, but in the current source it is after the switch on the algorithm. I just had to move it into the GCM-specific case since the version checks are ciphersuite-specific.