Page MenuHomeFreeBSD

ktls: Support for TLS 1.3 receive offload.
ClosedPublic

Authored by jhb on Nov 16 2021, 12:37 AM.
Tags
None
Referenced Files
F102998230: D33007.diff
Tue, Nov 19, 3:49 PM
Unknown Object (File)
Fri, Nov 15, 8:18 PM
Unknown Object (File)
Fri, Nov 15, 12:21 AM
Unknown Object (File)
Thu, Nov 7, 4:47 PM
Unknown Object (File)
Wed, Nov 6, 9:19 AM
Unknown Object (File)
Tue, Nov 5, 1:44 PM
Unknown Object (File)
Tue, Nov 5, 12:02 AM
Unknown Object (File)
Sun, Oct 27, 12:41 PM

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.Nov 16 2021, 12:37 AM

I've tested this with the tests here as well as with an OpenSSL patched with the patches from https://github.com/openssl/openssl/pull/16798.

sys/opencrypto/ktls_ocf.c
667

For NIC TLS RX support we may end up making this bit of code a helper routine that can be shared with the NIC TLS RX path.

sys/kern/uipc_ktls.c
2030

Could the record_type be extracted outside this function? We will need this for the hardware decrypted traffic.

sys/opencrypto/ktls_ocf.c
667

Sounds like a good idea, to factor this bit out. Then you don't really need two separate decryption functions.

sys/opencrypto/ktls_ocf.c
667

You would still need separate decryption functions as some of the other details are different such as the AAD. I think splitting out this routine is probably something sensible to do in a future commit in a series adding 1.3 NIC TLS RX, but I might move it back to sys/kern/uipc_ktls.c. I had started with doing it in uipc_ktls.c but found it simpler to do it here instead.

sys/opencrypto/ktls_ocf.c
667

Should we have another callback function into OCF, which handle already decrypted traffic, to get the trailer length and header type fields correct?

  • Move routine to parse TLS 1.3 trailer to uipc_ktls.c.
jhb marked an inline comment as done.Dec 3 2021, 7:46 PM
jhb added inline comments.
sys/kern/uipc_ktls.c
2030

I think this version should work for you for NIC TLS as you can fall through to the code below with the decrypted record.

jhb marked an inline comment as done.Dec 9 2021, 12:33 AM

Looks good. I'll rebase my patches.

This revision is now accepted and ready to land.Dec 13 2021, 2:22 PM
This revision was automatically updated to reflect the committed changes.