This port provides a kernel module containing a KTLS software
backend for AES-GCM connections using Intel's ISA-L crypto
library.
Details
- tested with KTLS
- I have left gallatin@ as the MAINTAINER, as I think he is likely to be more active with this going forward
Diff Detail
- Repository: rP FreeBSD ports repository
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
security/ktls_isa-l_crypto/files/Makefile, line 35 (On Diff #61380):
I'm not a ports expert, but does specifying the full path to yasm here come with any drawbacks?
security/ktls_isa-l_crypto/files/Makefile, line 35 (On Diff #61380):
Probably. It should maybe use LOCALBASE. I'll try to find a ports person who can review this.
It looks good to my eye, modulo my suggestion.
security/ktls_isa-l_crypto/files/Makefile, line 35 (On Diff #61380):
YASM=${PREFIX}/bin/yasm
- Use LOCALBASE for yasm.
- Make portlint mostly happy.
- Use IGNORE instead of BROKEN.
- Use PLIST_FILES instead of 1-line pkg-plist.
By convention we use the suffix -kmod for such ports.
Let me take a look at a few other things that those ports do by default (I know USES=uidfix is in most of them). I am not that familiar with them.
Please see PR 240395. After a half hour of trying to argue with phabricator (and failing), I need to move on to other tasks.
- I've taken linimon's changes from bugzilla
- I've hooked the port to the Makefile in the parent
Mark: I was not able to reproduce your build failure. If you could give me more details about where you're building the port, I can try to fix what you are seeing.
security/ktls_isa-l_crypto-kmod/Makefile, line 1 (On Diff #62663):
So, the "Created by:" line is only "about" the ports Makefile itself. Even so, we've been moving away from including it, in favor of letting people use SVN to look at the committer of the initial import. FYI.
head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c, line 166:
This actually undoes one of the changes I had made. For TLS < 1.3 you need to read the 8-byte nonce out of the TLS header supplied by the kernel instead of assuming it is the sequence number. Especially if we do the change to use a random starting value, then this will break, since the nonce on the wire will be the random value but this module would have encrypted it as if it was the sequence number, so the client will get garbage when it tries to decrypt.
head/security/ktls_isa-l_crypto-kmod/files/intelisa_kern.c, line 142:
Why is this 32 bytes, I wonder? The AES IV is always 16 bytes regardless of key size, as it is the length of one block. Furthermore, for GCM it is really always 12 bytes, with the last 4 bytes as a counter that always starts as 0x0002 and increments by 1 for each 16-byte block.
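The two review comments above (the line 166 note on reading the TLS 1.2 explicit nonce from the record rather than assuming it is the sequence number, and the line 142 note on the GCM IV being 12 bytes followed by a 32-bit block counter starting at 0x00000002) describe nonce and counter construction that is easy to get subtly wrong. The following is an added, stand-alone illustration written for this page; it is not code from the ktls_isa-l_crypto-kmod port or from ISA-L, and it does not use the module's internal types. The sample record, salt and IV are constructed values, not captured traffic, and the function names are this example's own. It shows the RFC 5288 nonce (salt || explicit nonce from the record body), the RFC 8446 nonce (static IV XOR sequence number), and the NIST SP 800-38D J0 / inc32 counter sequence, plus a check that a "nonce == seqno" assumption produces a different nonce than the peer will read from the wire.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HDR_LEN     5   /* content type (1), version (2), length (2) */
#define TLS12_SALT_LEN  4   /* implicit nonce: *_write_IV from the key block */
#define TLS12_EXPL_LEN  8   /* explicit nonce: first 8 bytes of the record body */
#define GCM_NONCE_LEN   12
#define GCM_BLOCK_LEN   16

/* Constructed sample input (not a captured record): a TLS 1.2 application-data
 * header followed by an explicit nonce that is deliberately not the record's
 * sequence number, as it would be if the sender chose a random start value. */
const uint8_t sample_record[TLS_HDR_LEN + TLS12_EXPL_LEN] = {
	0x17, 0x03, 0x03, 0x00, 0x20,
	0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x07,
};
const uint8_t sample_salt[TLS12_SALT_LEN] = { 0x01, 0x02, 0x03, 0x04 };
const uint8_t sample_tls13_iv[GCM_NONCE_LEN] =
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0a };

static uint64_t
be64_load(const uint8_t *p)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++)
		v = (v << 8) | p[i];
	return (v);
}

static void
be64_store(uint8_t *p, uint64_t v)
{
	for (int i = 7; i >= 0; i--, v >>= 8)
		p[i] = (uint8_t)v;
}

static uint32_t
be32_load(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* TLS 1.2 AES-GCM nonce (RFC 5288, section 3): implicit salt from the key
 * block, then the explicit nonce copied from the record the kernel hands us.
 * The explicit part is whatever is on the wire, not necessarily the seqno. */
void
tls12_gcm_nonce(const uint8_t salt[TLS12_SALT_LEN], const uint8_t *record,
    uint8_t nonce[GCM_NONCE_LEN])
{
	memcpy(nonce, salt, TLS12_SALT_LEN);
	memcpy(nonce + TLS12_SALT_LEN, record + TLS_HDR_LEN, TLS12_EXPL_LEN);
}

/* Returns 1 if a backend that assumed "explicit nonce == seqno" would encrypt
 * under a different nonce than the one the peer reads from the record. */
int
tls12_seqno_assumption_breaks(const uint8_t salt[TLS12_SALT_LEN],
    const uint8_t *record, uint64_t seqno)
{
	uint8_t from_header[GCM_NONCE_LEN], from_seqno[GCM_NONCE_LEN];

	tls12_gcm_nonce(salt, record, from_header);
	memcpy(from_seqno, salt, TLS12_SALT_LEN);
	be64_store(from_seqno + TLS12_SALT_LEN, seqno);
	return (memcmp(from_header, from_seqno, GCM_NONCE_LEN) != 0);
}

/* TLS 1.3 (RFC 8446, section 5.3): nothing explicit on the wire; the 12-byte
 * static IV is XORed with the left-padded 64-bit record sequence number. */
void
tls13_gcm_nonce(const uint8_t iv[GCM_NONCE_LEN], uint64_t seqno,
    uint8_t nonce[GCM_NONCE_LEN])
{
	memcpy(nonce, iv, GCM_NONCE_LEN);
	for (int i = 0; i < 8; i++)
		nonce[4 + i] ^= (uint8_t)(seqno >> (8 * (7 - i)));
}

uint64_t
tls13_nonce_low64(const uint8_t iv[GCM_NONCE_LEN], uint64_t seqno)
{
	uint8_t nonce[GCM_NONCE_LEN];

	tls13_gcm_nonce(iv, seqno, nonce);
	return (be64_load(nonce + 4));
}

/* GCM with a 96-bit IV (NIST SP 800-38D, 7.1): J0 = IV || 0x00000001. J0 is
 * used for the tag; plaintext block 0 is encrypted with inc32(J0), i.e. the
 * counter word 0x00000002, and each later block adds 1 mod 2^32 to the low
 * 32 bits only. The 12 IV bytes are never touched by the increment. */
void
gcm_j0(const uint8_t nonce[GCM_NONCE_LEN], uint8_t j0[GCM_BLOCK_LEN])
{
	memcpy(j0, nonce, GCM_NONCE_LEN);
	j0[12] = 0; j0[13] = 0; j0[14] = 0; j0[15] = 1;
}

void
gcm_inc32(uint8_t ctr[GCM_BLOCK_LEN])
{
	uint32_t c = be32_load(ctr + 12) + 1;	/* wraps mod 2^32 */
	ctr[12] = (uint8_t)(c >> 24); ctr[13] = (uint8_t)(c >> 16);
	ctr[14] = (uint8_t)(c >> 8);  ctr[15] = (uint8_t)c;
}

/* Counter word used for the block_index-th 16-byte plaintext block. */
uint32_t
gcm_block_counter(const uint8_t nonce[GCM_NONCE_LEN], size_t block_index)
{
	uint8_t ctr[GCM_BLOCK_LEN];

	gcm_j0(nonce, ctr);
	for (size_t i = 0; i <= block_index; i++)
		gcm_inc32(ctr);
	return (be32_load(ctr + 12));
}

int
main(void)
{
	uint8_t nonce[GCM_NONCE_LEN];

	tls12_gcm_nonce(sample_salt, sample_record, nonce);
	printf("TLS 1.2 nonce:");
	for (int i = 0; i < GCM_NONCE_LEN; i++)
		printf(" %02x", nonce[i]);
	printf("\nblock 0 counter word: 0x%08x\n", gcm_block_counter(nonce, 0));
	printf("seqno assumption breaks: %d\n",
	    tls12_seqno_assumption_breaks(sample_salt, sample_record, 7));
	return (0);
}
```

With the constructed record, `tls12_seqno_assumption_breaks` returns 1 for sequence number 7, which is exactly the garbage-on-decrypt case the line 166 comment describes; only when the explicit bytes happen to equal the sequence number do the two nonces coincide. Note that a backend still has to keep one nonce per record and never reuse a nonce under the same key, whichever of the two derivations applies.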