From owner-freebsd-current@freebsd.org Thu Jan 9 22:53:41 2020
From: Rick Macklem <rmacklem@uoguelph.ca>
To: John Baldwin, freebsd-current@FreeBSD.org
Subject: Re: how to use the ktls
Date: Thu, 9 Jan 2020 22:53:38 +0000
In-Reply-To: <5be57c87-90fe-fcbe-ea37-bdb1bcff2da8@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current

John Baldwin wrote:
>On 1/7/20 3:02 PM, Rick Macklem wrote:
>> Hi,
>>
>> Now that I've completed NFSv4.2 I'm on to the next project, which is making NFS
>> work over TLS.
>> Of course, I know absolutely nothing about TLS, which will make this an interesting
>> exercise for me.
>> I did find simple server code in the OpenSSL doc. which at least gives me a starting
>> point for the initialization stuff.
>> As I understand it, this initialization must be done in userspace?
>>
>> Then somehow, the ktls takes over and does the encryption of the
>> data being sent on the socket via sosend_generic(). Does that sound right?
>>
>> So, how does the kernel know the stuff that the initialization phase (handshake)
>> figures out, or is it magic I don't have to worry about?
>>
>> Don't waste much time replying to this. A few quick hints will keep me going for
>> now. (From what I've seen so far, this TLS stuff isn't simple. And I thought Kerberos
>> was a pain.;-)
>>
>> Thanks in advance for any hints, rick
>
>Hmmm, this might be a fair bit of work indeed.
If it was easy, it wouldn't be fun;-) FreeBSD13 is a ways off and if it doesn't make that, oh well..

>Right now KTLS only works for transmit (though I have some WIP for receive).
Hopefully your WIP will make progress someday, or I might be able to work on it.

>KTLS does assume that the initial handshake and key negotiation is handled by
>OpenSSL. OpenSSL uses custom setsockopt() calls to tell the kernel which
>session keys to use.
Yea, I figured I'd need a daemon like the gssd for this. The krpc makes it a little
more fun, since it handles TCP connections in the kernel.

>I think what you would want to do is use something like OpenSSL_connect() in
>userspace, and then check to see if KTLS "worked".
Thanks (and for the code below). I found the simple server code in the OpenSSL doc,
but the client code gets a web page and is quite involved.

>If it did, you can tell
>the kernel it can write to the socket directly, otherwise you will have to
>bounce data back out to userspace to run it through SSL_write() and have
>userspace do SSL_read() and then feed data into the kernel.
I don't think bouncing the data up/down to/from userland would work well.
I'd say "if it can't be done in the kernel, too bad". The above could be used for
a NULL RPC to see it is working, for the client.

>The pseudo-code might look something like:
>
>SSL *s;
>
>s = SSL_new(...);
>
>/* fd is the existing TCP socket */
>SSL_set_fd(s, fd);
>/* OpenSSL's actual handshake entry point is SSL_connect() */
>SSL_connect(s);
>if (BIO_get_ktls_send(SSL_get_wbio(s))) {
>    /* Can use KTLS for transmit. */
>}
>if (BIO_get_ktls_recv(SSL_get_rbio(s))) {
>    /* Can use KTLS for receive. */
>}

Thanks John, rick


--
John Baldwin