Page MenuHomeFreeBSD
Differential D33007

ktls: Support for TLS 1.3 receive offload.
ClosedPublic
Actions

Authored by jhb on Nov 16 2021, 12:37 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 7, 4:47 PM
Unknown Object (File)
Wed, Nov 6, 9:19 AM
Unknown Object (File)
Tue, Nov 5, 1:44 PM
Unknown Object (File)
Tue, Nov 5, 12:02 AM
Unknown Object (File)
Sun, Oct 27, 12:41 PM
Unknown Object (File)
Fri, Oct 25, 9:18 AM
Unknown Object (File)
Thu, Oct 24, 11:39 PM
Unknown Object (File)
Wed, Oct 23, 3:25 AM
View All Files
Subscribers
hselasky
imp
jmg
jtl
zlei

Details

Reviewers
markj
gallatin
hselasky
Commits
rG1462dc95f796: ktls: Support for TLS 1.3 receive offload.
rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload.
Summary

Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Nov 16 2021, 12:37 AM
Herald added subscribers: jmg, imp. · View Herald TranscriptNov 16 2021, 12:37 AM
jhb requested review of this revision.Nov 16 2021, 12:37 AM
Harbormaster completed remote builds in B42803: Diff 98559.Nov 16 2021, 12:37 AM
jhb added a parent revision: D33006: ktls: Split encrypt vs decrypt OCF counters..Nov 16 2021, 12:37 AM
jhb added a comment.Nov 16 2021, 12:41 AM

I've tested this with the tests here as well as with an OpenSSL patched with the patches from https://github.com/openssl/openssl/pull/16798.

sys/opencrypto/ktls_ocf.c
667

For NIC TLS RX support we may end up making this bit of code a helper routine that can be shared with the NIC TLS RX path.

jhb added a subscriber: hselasky.Nov 16 2021, 12:41 AM
hselasky added inline comments.Nov 16 2021, 8:02 AM
sys/kern/uipc_ktls.c
2030

Could the record_type be extracted outside this function? We will need this for the hardware decrypted traffic.

sys/opencrypto/ktls_ocf.c
667

Sounds like a good idea, to factor this bit out. Then you don't really need two separate decryption functions.

zlei added a subscriber: zlei.Nov 16 2021, 9:41 AM
jhb added inline comments.Nov 16 2021, 5:55 PM
sys/opencrypto/ktls_ocf.c
667

You would still need separate decryption functions as some of the other details are different such as the AAD. I think splitting out this routine is probably something sensible to do in a future commit in a series adding 1.3 NIC TLS RX, but I might move it back to sys/kern/uipc_ktls.c. I had started with doing it in uipc_ktls.c but found it simpler to do it here instead.

hselasky added inline comments.Nov 17 2021, 1:52 PM
sys/opencrypto/ktls_ocf.c
667

Should we have another callback function into OCF, which handle already decrypted traffic, to get the trailer length and header type fields correct?

jhb updated this revision to Diff 99260.Nov 30 2021, 8:22 PM
  • Move routine to parse TLS 1.3 trailer to uipc_ktls.c.
Harbormaster completed remote builds in B43068: Diff 99260.Nov 30 2021, 8:22 PM
jhb marked an inline comment as done.Dec 3 2021, 7:46 PM
jhb added inline comments.
sys/kern/uipc_ktls.c
2030

I think this version should work for you for NIC TLS as you can fall through to the code below with the decrypted record.

jhb marked an inline comment as done.Dec 9 2021, 12:33 AM
hselasky accepted this revision.Dec 13 2021, 2:22 PM

Looks good. I'll rebase my patches.

This revision is now accepted and ready to land.Dec 13 2021, 2:22 PM
Closed by commit rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload. (authored by jhb). · Explain WhyDec 14 2021, 7:01 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rG05a1d0f5d7ac: ktls: Support for TLS 1.3 receive offload..
jhb added a commit: rG1462dc95f796: ktls: Support for TLS 1.3 receive offload..Apr 29 2022, 11:12 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
72 lines
opencrypto/
77 lines
tests/
sys/
kern/
129 lines

Diff 100017

View Options

sys/kern/uipc_ktls.c

Loading...
View Options

sys/opencrypto/ktls_ocf.c

Loading...
View Options

tests/sys/kern/ktls_test.c

Loading...