Page MenuHomeFreeBSD
Differential D29177

ktls: Fix non-inplace TLS 1.3 encryption.
ClosedPublic
Actions

Authored by jhb on Mar 10 2021, 12:33 AM.
Tags
None
Referenced Files
F102108356: D29177.diff
Thu, Nov 7, 5:22 PM
Unknown Object (File)
Tue, Nov 5, 4:23 AM
Unknown Object (File)
Thu, Oct 17, 4:53 AM
Unknown Object (File)
Wed, Oct 16, 10:26 AM
Unknown Object (File)
Mon, Oct 14, 3:40 PM
Unknown Object (File)
Sun, Oct 13, 5:56 AM
Unknown Object (File)
Sat, Oct 12, 10:01 AM
Unknown Object (File)
Fri, Oct 11, 2:31 AM
View All 66 Files
Subscribers
imp

Details

Reviewers
gallatin
markj
jmg
Commits
rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption.
Summary

Copy the iovec for the trailer from the proper place. This is the same
fix for CBC encryption from ff6a7e4ba6bf.

Reported by: gallatin
Fixes: 49f6925ca

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Mar 10 2021, 12:33 AM
Herald added a reviewer: jmg. · View Herald TranscriptMar 10 2021, 12:33 AM
Herald added a subscriber: imp. · View Herald Transcript
jhb requested review of this revision.Mar 10 2021, 12:33 AM
Harbormaster completed remote builds in B37724: Diff 85447.Mar 10 2021, 12:33 AM
jhb added a comment.Mar 10 2021, 12:37 AM

Sample commands to test TLS 1.3 on a client against an nginx server:

# AES-GCM with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2
# CHACHA20 with TLS 1.2
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher CHACHA20

# AES-GCM with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3
# CHACHA20 with TLS 1.3
openssl s_time -connect <host>:443 -www "/bigfile" -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256

For AES-CBC you need a noetm.conf file:

openssl_conf = openssl_init

[openssl_init]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect]

Options = -EncryptThenMac

and then you can test that this way:

env OPENSSL_CONF=noetm.cnf openssl s_time -connect <host>:443 -www "/bigfile" -tls1_2 -cipher AES256-SHA

Other ciphers you can use for AES-CBC are AES-SHA, AES-SHA256, and AES256-SHA256.

In my case "bigfile" is a 1GB file of junk in /usr/local/www/nginx.

markj accepted this revision.Mar 10 2021, 12:38 AM
This revision is now accepted and ready to land.Mar 10 2021, 12:38 AM
gallatin accepted this revision.Mar 10 2021, 1:53 AM
Closed by commit rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption. (authored by jhb). · Explain WhyMar 10 2021, 7:09 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rG3fa034210c75: ktls: Fix non-inplace TLS 1.3 encryption..

Revision Contents
Changeset List

PathSize
sys/
opencrypto/
2 lines

Diff 85503

View Options

sys/opencrypto/ktls_ocf.c

Loading...