Page MenuHomeFreeBSD
Differential D29177

ktls: Fix non-inplace TLS 1.3 encryption.
ClosedPublic
Actions

Authored by jhb on Mar 10 2021, 12:33 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 19, 4:45 PM
Unknown Object (File)
Thu, Apr 18, 7:47 AM
Unknown Object (File)
Tue, Apr 16, 5:13 AM
Unknown Object (File)
Mar 28 2024, 8:47 AM
Unknown Object (File)
Mar 27 2024, 8:27 AM
Unknown Object (File)
Dec 17 2023, 12:20 PM
Unknown Object (File)
Dec 12 2023, 6:10 AM
Unknown Object (File)
Nov 13 2023, 4:29 PM
View All 35 Files
Subscribers
imp

Details

Reviewers
gallatin
markj
jmg
Commits
rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption.
Summary

Copy the iovec for the trailer from the proper place. This is the same
fix for CBC encryption from ff6a7e4ba6bf.

Reported by: gallatin
Fixes: 49f6925ca

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Mar 10 2021, 12:33 AM
Herald added a reviewer: jmg. · View Herald TranscriptMar 10 2021, 12:33 AM
Herald added a subscriber: imp. · View Herald Transcript
jhb requested review of this revision.Mar 10 2021, 12:33 AM
Harbormaster completed remote builds in B37724: Diff 85447.Mar 10 2021, 12:33 AM
jhb added a comment.Mar 10 2021, 12:37 AM

Sample commands to test TLS 1.3 on a client against an nginx server:

# AES-GCM with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2
# CHACHA20 with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher CHACHA20

# AES-GCM with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3
# CHACHA20 with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256

For AES-CBC you need a noetm.conf file:

openssl_conf = openssl_init

[openssl_init]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]

Options = -EncryptThenMac

and then you can test that this way:

env OPENSSL_CONF=noetm.cnf openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher AES256-SHA

Other ciphers you can use for AES-CBC are AES-SHA, AES-SHA256, and AES256-SHA256.

In my case "bigfile" is a 1GB file of junk in /usr/local/www/nginx.

markj accepted this revision.Mar 10 2021, 12:38 AM
This revision is now accepted and ready to land.Mar 10 2021, 12:38 AM
gallatin accepted this revision.Mar 10 2021, 1:53 AM
Closed by commit rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption. (authored by jhb). · Explain WhyMar 10 2021, 7:09 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption..

Revision Contents
Changeset List

PathSize
sys/
opencrypto/
2 lines

Diff 85503

View Options

sys/opencrypto/ktls_ocf.c

Loading...