Differential D33007

ktls: Support for TLS 1.3 receive offload.
ClosedPublic
Actions

Authored by jhb on Nov 16 2021, 12:37 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Mon, Apr 22, 2:47 AM

	Unknown Object (File)
	Thu, Apr 18, 9:06 AM

	Unknown Object (File)
	Thu, Apr 18, 6:41 AM

	Unknown Object (File)
	Wed, Apr 17, 10:45 PM

	Unknown Object (File)
	Mar 12 2024, 8:43 PM

	Unknown Object (File)
	Mar 7 2024, 2:12 AM

	Unknown Object (File)
	Mar 7 2024, 2:12 AM

	Unknown Object (File)
	Mar 7 2024, 2:08 AM

View All 54 Files

Subscribers

Details

Reviewers

markj
gallatin
• hselasky

Commits

rG1462dc95f796: ktls: Support for TLS 1.3 receive offload.
rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload.

Summary

Sponsored by: Netflix

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 42803
Build 39691: arc lint + arc unit

Event Timeline

jhb created this revision.Nov 16 2021, 12:37 AM

Herald added subscribers: jmg, imp. · View Herald TranscriptNov 16 2021, 12:37 AM

jhb requested review of this revision.Nov 16 2021, 12:37 AM

Harbormaster completed remote builds in B42803: Diff 98559.Nov 16 2021, 12:37 AM

jhb added a parent revision: D33006: ktls: Split encrypt vs decrypt OCF counters..Nov 16 2021, 12:37 AM

I've tested this with the tests here as well as with an OpenSSL patched with the patches from https://github.com/openssl/openssl/pull/16798.

sys/opencrypto/ktls_ocf.c
668	For NIC TLS RX support we may end up making this bit of code a helper routine that can be shared with the NIC TLS RX path.

jhb added a subscriber: • hselasky.Nov 16 2021, 12:41 AM

• hselasky added inline comments.Nov 16 2021, 8:02 AM

sys/kern/uipc_ktls.c
1991	Could the record_type be extracted outside this function? We will need this for the hardware decrypted traffic.
sys/opencrypto/ktls_ocf.c
668	Sounds like a good idea, to factor this bit out. Then you don't really need two separate decryption functions.

zlei added a subscriber: zlei.Nov 16 2021, 9:41 AM

jhb added inline comments.Nov 16 2021, 5:55 PM

sys/opencrypto/ktls_ocf.c
668	You would still need separate decryption functions as some of the other details are different such as the AAD. I think splitting out this routine is probably something sensible to do in a future commit in a series adding 1.3 NIC TLS RX, but I might move it back to sys/kern/uipc_ktls.c. I had started with doing it in uipc_ktls.c but found it simpler to do it here instead.

• hselasky added inline comments.Nov 17 2021, 1:52 PM

sys/opencrypto/ktls_ocf.c
668	Should we have another callback function into OCF, which handle already decrypted traffic, to get the trailer length and header type fields correct?

Move routine to parse TLS 1.3 trailer to uipc_ktls.c.

Harbormaster completed remote builds in B43068: Diff 99260.Nov 30 2021, 8:22 PM

jhb marked an inline comment as done.Dec 3 2021, 7:46 PM

jhb added inline comments.

sys/kern/uipc_ktls.c
1991	I think this version should work for you for NIC TLS as you can fall through to the code below with the decrypted record.

jhb marked an inline comment as done.Dec 9 2021, 12:33 AM

Looks good. I'll rebase my patches.

This revision is now accepted and ready to land.Dec 13 2021, 2:22 PM

Closed by commit rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload. (authored by jhb). · Explain WhyDec 14 2021, 7:01 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload..

jhb added a commit: rG1462dc95f796: ktls: Support for TLS 1.3 receive offload..Apr 29 2022, 11:12 PM

Revision Contents
Changeset List

Path

Size

sys/

kern/

21 lines

opencrypto/

117 lines

sys/

2 lines

tests/

sys/

kern/

129 lines

Diff 98559

sys/kern/uipc_ktls.c

Loading...

sys/opencrypto/ktls_ocf.c

Loading...

sys/sys/ktls.h

Loading...

tests/sys/kern/ktls_test.c

Loading...