]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 663ae8f) | patch
KTLS: Add a new recrypt operation to the software backend.
authorJohn Baldwin <jhb@FreeBSD.org>
Fri, 22 Apr 2022 22:52:50 +0000 (15:52 -0700)
committerJohn Baldwin <jhb@FreeBSD.org>
Fri, 22 Apr 2022 22:52:50 +0000 (15:52 -0700)
commita8280123e4c681f505917fdf126ea9091addab62
tree2d2fffea0bb4ffbe7799cbaca0c08ab24b6e34detree | snapshot
parent663ae8f7f949b4d4fc0c91d8e9b2a01f56e40dc5commit | diff
KTLS: Add a new recrypt operation to the software backend.

When using NIC TLS RX, packets that are dropped and retransmitted are
not decrypted by the NIC but are passed along as-is.  As a result, a
received TLS record might contain a mix of encrypted and decrypted
data.  If this occurs, the already-decrypted data needs to be
re-encrypted so that the resulting record can then be decrypted
normally.

Add support for this for sessions using AES-GCM with TLS 1.2 or TLS
1.3.  For the recrypt operation, allocate a temporary buffer and
encrypt the the payload portion of the TLS record with AES-CTR with an
initial IV constructed from the AES-GCM nonce.  Then fixup the
original mbuf chain by copying the results from the temporary buffer
back into the original mbufs for any mbufs containing decrypted data.

Once it has been recrypted, the mbuf chain can then be decrypted via
the normal software decryption path.

Co-authored by: Hans Petter Selasky <hselasky@FreeBSD.org>
Reviewed by: hselasky
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D35012
sys/opencrypto/ktls.h diff | blob | history
sys/opencrypto/ktls_ocf.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.