Page MenuHomeFreeBSD
Differential D32381

ktls: Ensure FIFO encryption order for TLS 1.0.
ClosedPublic
Actions

Authored by jhb on Oct 8 2021, 10:42 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 7 2024, 4:31 PM
Unknown Object (File)
Jan 12 2024, 8:45 AM
Unknown Object (File)
Dec 20 2023, 8:24 AM
Unknown Object (File)
Dec 15 2023, 3:12 PM
Unknown Object (File)
Sep 27 2023, 12:08 PM
Unknown Object (File)
Sep 2 2023, 8:09 PM
Unknown Object (File)
Aug 14 2023, 1:43 AM
Unknown Object (File)
Jul 3 2023, 8:43 AM
View All 15 Files
Subscribers
imp

Details

Reviewers
gallatin
markj
Commits
rGba6b771d1732: ktls: Ensure FIFO encryption order for TLS 1.0.
rG9f03d2c00167: ktls: Ensure FIFO encryption order for TLS 1.0.
Summary

TLS 1.0 records are encrypted as one continuous CBC chain where the
last block of the previous record is used as the IV for the next
record. As a result, TLS 1.0 records cannot be encrypted out of order
but must be encrypted as a FIFO.

If the later pages of a sendfile(2) request complete before the first
pages, then TLS records can be encrypted out of order. For TLS 1.1
and later this is fine, but this can break for TLS 1.0.

To cope, add a queue in each TLS session to hold TLS records that
contain valid unencrypted data but are waiting for an earlier TLS
record to be encrypted first.

  • In ktls_enqueue(), check if a TLS record being queued is the next record expected for a TLS 1.0 session. If not, it is placed in sorted order in the pending_records queue in the TLS session.

    If it is the next expected record, queue it for SW encryption like normal. In addition, check if this new record (really a potential batch of records) was holding up any previously queued records in the pending_records queue. Any of those records that are now in order are also placed on the queue for SW encryption.
  • In ktls_destroy(), free any TLS records on the pending_records queue. These mbufs are marked M_NOTREADY so were not freed when the socket buffer was purged in sbdestroy(). Instead, they must be freed explicitly.

Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Oct 8 2021, 10:42 PM
Herald added a subscriber: imp. · View Herald TranscriptOct 8 2021, 10:42 PM
jhb requested review of this revision.Oct 8 2021, 10:42 PM
Harbormaster completed remote builds in B42038: Diff 96512.Oct 8 2021, 10:42 PM
jhb added a comment.Oct 8 2021, 10:56 PM

Testing this was a bit challenging. I have a test client that uses msync(MS_INVALIDATE) to flush out every over MB of a file before it sendfile()'s it. However, even with that I ended up adding a hack into sendfile_iodone() to use a callout to defer ktls_enqueue with a random delay. This did allow me to provoke some misordering and I have some KTR traces that show it working, but most of the time I only managed to get two batches of records misordered relative to each other. I did get 2 batches deferred once while waiting for the missing record:

  5223 ktls_enqueue: unpending TLS seq 67856
  5222 ktls_enqueue: unpending TLS seq 67827
  5219 ktls_enqueue: queueing TLS seq 67856 at the end
  5218 ktls_enqueue: queueing TLS seq 67827 at the end
  1148 ktls_enqueue: unpending TLS seq 6095
  1145 ktls_enqueue: queueing TLS seq 6095 at the end
  1099 ktls_enqueue: unpending TLS seq 5380
  1096 ktls_enqueue: queueing TLS seq 5380 at the end
  1080 ktls_enqueue: unpending TLS seq 5117
  1077 ktls_enqueue: queueing TLS seq 5117 at the end
  1001 ktls_enqueue: unpending TLS seq 4053
   998 ktls_enqueue: queueing TLS seq 4053 at the end
   884 ktls_enqueue: unpending TLS seq 2692
   881 ktls_enqueue: queueing TLS seq 2692 at the end
...
jhb added inline comments.Oct 8 2021, 11:02 PM
sys/kern/uipc_ktls.c
1501

I have not tested that this cleans up ok in case of an encryption error or I/O error.

2117

I have considered changing m_epg_enc_cnt to be a count of TLS records instead of a count of pages. We could compute the needed page count in the loop in ktls_encrypt. However, optimizing for TLS 1.0 probably isn't very worthwhile.

gallatin added inline comments.Oct 11 2021, 1:07 PM
sys/kern/uipc_ktls.c
2182

Do you really want to return here? I think there can be cases where what you've inserted puts the pending records in order and gives you something to process.. Also, if you return here, is there a backstop to ensure processing of the pending records if this was the batch to be enqueued?

Eg, what's wrong with putting the tls->next_seqno += and STAILQ_INSERT_TAIL() into an else, and then attempting processing of the pending records?

jhb added inline comments.Oct 11 2021, 8:45 PM
sys/kern/uipc_ktls.c
2182

No, tls->next_seqno is the next record I need to process. At any given time, all of the TLS records in tls->pending_records must have sequence numbers > tls->next_seqno. To be in this case, m->m_epg_seqno must also be > than tls->next_seqno. The loop below is what releases pending records once the missing record shows up.

If the record is the missing record, then we don't go into this if and instead queue the missing record and then look to see if that frees up more records. However, we can only make forward progress when a record that is tls->next_seqno shows up.

Note that this design effectively has tls->pending_records as a queue in front of the encryption work queue. It doesn't wait for the missing record to be decrypted, it just ensures that the records are placed into the encryption work queue in FIFO order.

gallatin accepted this revision.Oct 12 2021, 9:08 PM
gallatin added inline comments.
sys/kern/uipc_ktls.c
2182

Makes sense, thanks!

This revision is now accepted and ready to land.Oct 12 2021, 9:08 PM
markj accepted this revision.Oct 13 2021, 2:25 PM
markj added inline comments.
sys/kern/uipc_ktls.c
1513

These three lines can be replaced with m = m_free(m);.

2182

I think a brief comment along these lines would be worthwhile to have here.

jhb marked 4 inline comments as done.Oct 13 2021, 7:22 PM
Closed by commit rG9f03d2c00167: ktls: Ensure FIFO encryption order for TLS 1.0. (authored by jhb). · Explain WhyOct 13 2021, 8:26 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rG9f03d2c00167: ktls: Ensure FIFO encryption order for TLS 1.0..
jhb added a commit: rGba6b771d1732: ktls: Ensure FIFO encryption order for TLS 1.0..Nov 23 2021, 11:13 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
113 lines
sys/
5 lines

Diff 96841

View Options

sys/kern/uipc_ktls.c

Loading...
View Options

sys/sys/ktls.h

Loading...