This removes a guard condition that prevents KTLS being enabled for
receiving in TLS 1.3. Use the correct sequence number and BIO for
receive vs transmit offload.
Approved by: jkim
Obtained from: OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34976
- Don't unpad records, check the outer record type, or extract the
inner record type from TLS 1.3 records handled by the kernel. KTLS
performs all of these steps and returns the inner record type in the
TLS header.
- When checking the length of a received TLS 1.3 record don't allow
for the extra byte for the nested record type when KTLS is used.
- Pass a pointer to the record type in the TLS header to the
SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old
pointer pointed to the last byte of payload rather than the record
type. For the non-KTLS case, the TLS header has been updated with
the inner type before this callback is invoked.
Approved by: jkim
Obtained from: OpenSSL commit a5fb9605329fb939abb536c1604d44a511741624
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34975
When KTLS receive is enabled, pending data may still be present due to
read ahead. This data must still be processed the same as records
received without KTLS. To ease readability (especially in
consideration of additional checks which will be added for TLS 1.3),
add a helper variable 'using_ktls' that is true when the KTLS receive
path is being used to receive a record.
Approved by: jkim
Obtained from: OpenSSL commit 031132c297e54cbc20404a0bf8de6ed863196399
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34974
KTLS implementations currently assume that the start of the in-kernel
socket buffer is aligned with the start of a TLS record for the
receive side. The socket option to enable KTLS specifies the TLS
sequence number of this initial record.
When read ahead is enabled, data can be pending in the SSL read buffer
after negotiating session keys. This pending data must be examined to
ensurs that the kernel's socket buffer does not contain a partial TLS
record as well as to determine the correct sequence number of the
first TLS record to be processed by the kernel.
In preparation for enabling receive kernel offload for TLS 1.3, move
the existing logic to handle read ahead from t1_enc.c into ktls.c and
invoke it from ktls_configure_crypto().
Approved by: jkim
Obtained from: OpenSSL commit 85773128d0e80cd8dcc772a6931d385b8cf4acd1
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34973
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.
Approved by: jkim
Obtained from: OpenSSL commit 8fff986d52606e1a33f9404504535e2e2aee3e8b
MFC after: 1 week
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D34972
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.
NB: This commit has not yet been merged upstream as it is deemed a new
feature and did not make the feature freeze cutoff for OpenSSL 3.0.
Reviewed by: jkim
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31443
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440
Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.
Reviewed by: jkim
Obtained from: OpenSSL (3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31439
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273
Because there was an extra declaration in the vendor version, we locally
removed the second one in r238405 with 1.0.1c. Later, upstream fixed it in
1.0.2d but they removed the first one. Therefore, both were removed in our
version unfortunately. Now we revert to the vendor one to re-add it.
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D10525