From owner-svn-src-projects@freebsd.org  Mon Mar  2 17:34:48 2020
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id E1970254EFB
 for <svn-src-projects@mailman.nyi.freebsd.org>;
 Mon,  2 Mar 2020 17:34:48 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "smtp.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48WS2J2ybxz428Q;
 Mon,  2 Mar 2020 17:34:48 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from John-Baldwins-MacBook-Pro-7.local (ralph.baldwin.cx
 [66.234.199.215])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate) (Authenticated sender: jhb)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 520B52D8C3;
 Mon,  2 Mar 2020 17:34:47 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Subject: Re: svn commit: r358053 - projects/nfs-over-tls/sys/fs/nfsclient
To: Rick Macklem <rmacklem@uoguelph.ca>, Rick Macklem <rmacklem@FreeBSD.org>, 
 "src-committers@freebsd.org" <src-committers@freebsd.org>,
 "svn-src-projects@freebsd.org" <svn-src-projects@freebsd.org>
References: <202002172110.01HLAXZY003012@repo.freebsd.org>
 <fccc4f14-6b8a-7ab2-6614-52da1561946b@FreeBSD.org>
 <YTBPR01MB33742D4B8CB9DB7107564927DDE90@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
From: John Baldwin <jhb@FreeBSD.org>
Autocrypt: addr=jhb@FreeBSD.org; keydata=
 mQGiBETQ+XcRBADMFybiq69u+fJRy/0wzqTNS8jFfWaBTs5/OfcV7wWezVmf9sgwn8TW0Dk0
 c9MBl0pz+H01dA2ZSGZ5fXlmFIsee1WEzqeJzpiwd/pejPgSzXB9ijbLHZ2/E0jhGBcVy5Yo
 /Tw5+U/+laeYKu2xb0XPvM0zMNls1ah5OnP9a6Ql6wCgupaoMySb7DXm2LHD1Z9jTsHcAQMD
 /1jzh2BoHriy/Q2s4KzzjVp/mQO5DSm2z14BvbQRcXU48oAosHA1u3Wrov6LfPY+0U1tG47X
 1BGfnQH+rNAaH0livoSBQ0IPI/8WfIW7ub4qV6HYwWKVqkDkqwcpmGNDbz3gfaDht6nsie5Z
 pcuCcul4M9CW7Md6zzyvktjnbz61BADGDCopfZC4of0Z3Ka0u8Wik6UJOuqShBt1WcFS8ya1
 oB4rc4tXfSHyMF63aPUBMxHR5DXeH+EO2edoSwViDMqWk1jTnYza51rbGY+pebLQOVOxAY7k
 do5Ordl3wklBPMVEPWoZ61SdbcjhHVwaC5zfiskcxj5wwXd2E9qYlBqRg7QeSm9obiBCYWxk
 d2luIDxqaGJARnJlZUJTRC5vcmc+iGAEExECACAFAkTQ+awCGwMGCwkIBwMCBBUCCAMEFgID
 AQIeAQIXgAAKCRBy3lIGd+N/BI6RAJ9S97fvbME+3hxzE3JUyUZ6vTewDACdE1stFuSfqMvM
 jomvZdYxIYyTUpC5Ag0ERND5ghAIAPwsO0B7BL+bz8sLlLoQktGxXwXQfS5cInvL17Dsgnr3
 1AKa94j9EnXQyPEj7u0d+LmEe6CGEGDh1OcGFTMVrof2ZzkSy4+FkZwMKJpTiqeaShMh+Goj
 XlwIMDxyADYvBIg3eN5YdFKaPQpfgSqhT+7El7w+wSZZD8pPQuLAnie5iz9C8iKy4/cMSOrH
 YUK/tO+Nhw8Jjlw94Ik0T80iEhI2t+XBVjwdfjbq3HrJ0ehqdBwukyeJRYKmbn298KOFQVHO
 EVbHA4rF/37jzaMadK43FgJ0SAhPPF5l4l89z5oPu0b/+5e2inA3b8J3iGZxywjM+Csq1tqz
 hltEc7Q+E08AAwUIAL+15XH8bPbjNJdVyg2CMl10JNW2wWg2Q6qdljeaRqeR6zFus7EZTwtX
 sNzs5bP8y51PSUDJbeiy2RNCNKWFMndM22TZnk3GNG45nQd4OwYK0RZVrikalmJY5Q6m7Z16
 4yrZgIXFdKj2t8F+x613/SJW1lIr9/bDp4U9tw0V1g3l2dFtD3p3ZrQ3hpoDtoK70ioIAjjH
 aIXIAcm3FGZFXy503DOA0KaTWwvOVdYCFLm3zWuSOmrX/GsEc7ovasOWwjPn878qVjbUKWwx
 Q4QkF4OhUV9zPtf9tDSAZ3x7QSwoKbCoRCZ/xbyTUPyQ1VvNy/mYrBcYlzHodsaqUDjHuW+I
 SQQYEQIACQUCRND5ggIbDAAKCRBy3lIGd+N/BCO8AJ9j1dWVQWxw/YdTbEyrRKOY8YZNwwCf
 afMAg8QvmOWnHx3wl8WslCaXaE8=
Message-ID: <de3e5a30-c36a-916d-2de1-1ee4154d2782@FreeBSD.org>
Date: Mon, 2 Mar 2020 09:34:45 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:68.0)
 Gecko/20100101 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <YTBPR01MB33742D4B8CB9DB7107564927DDE90@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 17:34:49 -0000

On 2/28/20 8:57 PM, Rick Macklem wrote:
> John Baldwin wrote:
>> On 2/17/20 1:10 PM, Rick Macklem wrote:
>>> Author: rmacklem
>>> Date: Mon Feb 17 21:10:32 2020
>>> New Revision: 358053
>>> URL: https://svnweb.freebsd.org/changeset/base/358053
>>>
>>> Log:
>>>   Update nfs_clrpcops.c to handle ext_pgs mbufs, including the additional
>>>   argument to nfscl_reqstart() to tell it if it should build ext_pgs mbufs.
>>>
>>>   This completes most of the conversion to support of ext_pgs mbufs, but
>>>   there are still a couple of areas to fix.
>>>   1 - The code that the MDS uses to do a proxy to a DS for a pNFS server.
>>>   2 - The krpc code on the receive side. (The NFS code now handles the
>>>       ext_pgs mbufs, but they are being created by copying the regular mbuf
>>>       list when the NFS code gets it from the krpc.) The krpc still needs
>>>       to be fixed so it can handle a list of ext_pgs mbufs handed to it
>>>       by soreceive().
>>
>> Note that the current KTLS RX support I've worked on is a bit different in that
>> it doesn't use ext_pgs mbufs.  Instead the socket buffer contains a list of
>> records (OpenSSL uses recvmsg()) where there is a control mbuf with the TLS
>> header followed by a chain of normal mbufs with the data.  As such, you will
>> only have to construct ext_pgs mbufs for the send side.  Receive will still
>> be getting regular mbufs.  For receive you probably want to check the TLS
>> record type and do something (not sure?) with any non-application-data records,
>> but otherwise just treat the payload of application-data records the same as
>> you do for the non-TLS case.
> Ok. I've already done the receive side code changes to handle ext_pgs mbufs
> in the krpc/nfs code, so if it becomes easier/more efficient to put the receive
> data in ext_pgs mbufs, that can be handled. (Someday there may be net
> interfaces that perform better using ext_pgs mbufs?)
> 
> Any non-data records that need to be handled by OpenSSL in userspace can
> be passed up/handled by the daemons, similar to SSL_connect()/SSL_accept().
> 
> Thanks for the info John, rick

Ok.  After sending this, I do think it is likely that for NICs able to do TLS
RX without TOE, TLS records may indeed arrive as ext_pgs mbufs, but by the time
you would get them out of the socket buffer the TLS headers and trailers would
be stripped and they would just be unmapped mbufs holding the TLS record payload.
The TLS header would still be in a control message in the socket buffer.

I started testing my KTLS RX software branch Friday btw (panicked right away
of course, but it's hopefully not too far away).  For now I'm only focused on
TLS 1.0-1.2, but will get to 1.3 eventually.  I suspect for 1.3 that early data
will still be handled in userland and just as for KTLS TX, KTLS RX will only
be used with the second set of keys.

-- 
John Baldwin