
ktls: Support for TLS 1.3 receive offload.
ClosedPublic

Authored by jhb on Nov 16 2021, 12:37 AM.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

jhb requested review of this revision. Nov 16 2021, 12:37 AM

I've tested this with the tests here as well as with an OpenSSL patched with the patches from https://github.com/openssl/openssl/pull/16798.

sys/opencrypto/ktls_ocf.c
667

For NIC TLS RX support we may end up making this bit of code a helper routine that can be shared with the NIC TLS RX path.

sys/kern/uipc_ktls.c
2030

Could the record_type be extracted outside this function? We will need this for the hardware decrypted traffic.

sys/opencrypto/ktls_ocf.c
667

Sounds like a good idea, to factor this bit out. Then you don't really need two separate decryption functions.

sys/opencrypto/ktls_ocf.c
667

You would still need separate decryption functions as some of the other details are different such as the AAD. I think splitting out this routine is probably something sensible to do in a future commit in a series adding 1.3 NIC TLS RX, but I might move it back to sys/kern/uipc_ktls.c. I had started with doing it in uipc_ktls.c but found it simpler to do it here instead.

sys/opencrypto/ktls_ocf.c
667

Should we have another callback function into OCF, which handles already decrypted traffic, to get the trailer length and header type fields correct?

  • Move routine to parse TLS 1.3 trailer to uipc_ktls.c.
jhb marked an inline comment as done. Dec 3 2021, 7:46 PM
jhb added inline comments.
sys/kern/uipc_ktls.c
2030

I think this version should work for you for NIC TLS as you can fall through to the code below with the decrypted record.
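As an added illustration of the TLS 1.3 trailer parsing this thread keeps returning to (after decryption, the real record type sits at the end of the record, followed only by zero padding, so it has to be recovered before the record can be delivered to the socket), here is a stand-alone C example. It is not FreeBSD's ktls code: tls13_parse_trailer and the sample records are constructed for this example, and the layout it parses is the TLSInnerPlaintext structure from RFC 8446, section 5.2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record-layer content types (RFC 8446, section 5.1). */
#define TLS_RLTYPE_ALERT     21
#define TLS_RLTYPE_HANDSHAKE 22
#define TLS_RLTYPE_APP       23

/* Largest legal TLSInnerPlaintext: 2^14 bytes of content plus the type byte. */
#define TLS13_MAX_INNER_LEN  (16384 + 1)

/*
 * tls13_parse_trailer (hypothetical helper, not FreeBSD's): given the
 * decrypted body of a TLS 1.3 record (RFC 8446, section 5.2)
 *
 *   struct {
 *       opaque content[TLSPlaintext.length];
 *       ContentType type;
 *       uint8 zeros[length_of_padding];
 *   } TLSInnerPlaintext;
 *
 * strip the zero padding, store the real content type in *type and
 * return the payload length, or -1 if the record is malformed.
 */
static int
tls13_parse_trailer(const uint8_t *buf, size_t len, uint8_t *type)
{
	size_t i = len;

	/* An oversized inner plaintext is a record_overflow alert in RFC 8446. */
	if (len > TLS13_MAX_INNER_LEN)
		return (-1);

	/* Scan backwards over the padding; the first non-zero byte is the type. */
	while (i > 0 && buf[i - 1] == 0)
		i--;

	/* Padding only, no type byte: RFC 8446 requires unexpected_message. */
	if (i == 0)
		return (-1);

	/* The recovered byte must be a content type the record layer knows. */
	*type = buf[i - 1];
	if (*type != TLS_RLTYPE_ALERT && *type != TLS_RLTYPE_HANDSHAKE &&
	    *type != TLS_RLTYPE_APP)
		return (-1);

	/* The payload is everything before the type byte. */
	return ((int)(i - 1));
}

/* Constructed sample record bodies (already decrypted), not captured traffic. */
static const uint8_t sample_app[] = {
	'h', 'e', 'l', 'l', 'o', TLS_RLTYPE_APP, 0, 0, 0 };   /* 5 bytes, 3 pad */
static const uint8_t sample_hs[] = {
	0x04, 0x00, 0x00, 0x01, 0xaa, TLS_RLTYPE_HANDSHAKE }; /* 5 bytes, no pad */
static const uint8_t sample_padonly[] = { 0, 0, 0, 0 };      /* malformed */
static const uint8_t sample_badtype[] = { 1, 2, 99, 0 };     /* unknown type */

/* Small wrappers so each sample's result is a named value. */
int sample_app_len(void)  { uint8_t t; return tls13_parse_trailer(sample_app, sizeof(sample_app), &t); }
int sample_app_type(void) { uint8_t t = 0; tls13_parse_trailer(sample_app, sizeof(sample_app), &t); return t; }
int sample_hs_len(void)   { uint8_t t; return tls13_parse_trailer(sample_hs, sizeof(sample_hs), &t); }
int sample_hs_type(void)  { uint8_t t = 0; tls13_parse_trailer(sample_hs, sizeof(sample_hs), &t); return t; }
int sample_padonly_len(void) { uint8_t t; return tls13_parse_trailer(sample_padonly, sizeof(sample_padonly), &t); }
int sample_badtype_len(void) { uint8_t t; return tls13_parse_trailer(sample_badtype, sizeof(sample_badtype), &t); }

int
main(void)
{
	printf("app: len %d type %d\n", sample_app_len(), sample_app_type());
	printf("handshake: len %d type %d\n", sample_hs_len(), sample_hs_type());
	printf("padding only: %d, unknown type: %d\n",
	    sample_padonly_len(), sample_badtype_len());
	return (0);
}
```

The two failure paths matter for a receive-side implementation: a record that is nothing but padding, or whose recovered type byte is not a known content type, must be rejected rather than delivered, and the same check applies whether the decryption was done in software or by a NIC that hands back the already decrypted record.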

jhb marked an inline comment as done. Dec 9 2021, 12:33 AM

Looks good. I'll rebase my patches.

This revision is now accepted and ready to land. Dec 13 2021, 2:22 PM
This revision was automatically updated to reflect the committed changes.