Date:      Fri, 22 Apr 2022 22:55:21 GMT
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: a4c5d490f6be - main - KTLS: Move OCF function pointers out of ktls_session.
Message-ID:  <202204222255.23MMtLpv093213@gitrepo.freebsd.org>

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=a4c5d490f6be56468b2a088a5f6169846e39bd84

commit a4c5d490f6be56468b2a088a5f6169846e39bd84
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-04-22 22:52:12 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-04-22 22:52:12 +0000

    KTLS: Move OCF function pointers out of ktls_session.
    
    Instead, create a switch structure private to ktls_ocf.c and store a
    pointer to the switch in the ocf_session.  This will permit adding an
    additional function pointer needed for NIC TLS RX without further
    bloating ktls_session.
    
    Reviewed by:    hselasky
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D35011
---
 sys/kern/uipc_ktls.c      |  6 ++---
 sys/opencrypto/ktls.h     |  6 +++++
 sys/opencrypto/ktls_ocf.c | 60 +++++++++++++++++++++++++++++++++++++----------
 sys/sys/ktls.h            | 10 +-------
 4 files changed, 58 insertions(+), 24 deletions(-)

diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 466b64d01386..7b99c460e8de 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -2073,7 +2073,7 @@ ktls_decrypt(struct socket *so)
 		SBCHECK(sb);
 		SOCKBUF_UNLOCK(sb);
 
-		error = tls->sw_decrypt(tls, hdr, data, seqno, &trail_len);
+		error = ktls_ocf_decrypt(tls, hdr, data, seqno, &trail_len);
 		if (error == 0) {
 			if (tls13)
 				error = tls13_find_record_type(tls, data,
@@ -2262,7 +2262,7 @@ ktls_encrypt_record(struct ktls_wq *wq, struct mbuf *m,
 
 	/* Anonymous mbufs are encrypted in place. */
 	if ((m->m_epg_flags & EPG_FLAG_ANON) != 0)
-		return (tls->sw_encrypt(state, tls, m, NULL, 0));
+		return (ktls_ocf_encrypt(state, tls, m, NULL, 0));
 
 	/*
 	 * For file-backed mbufs (from sendfile), anonymous wired
@@ -2292,7 +2292,7 @@ ktls_encrypt_record(struct ktls_wq *wq, struct mbuf *m,
 	state->dst_iov[i].iov_base = m->m_epg_trail;
 	state->dst_iov[i].iov_len = m->m_epg_trllen;
 
-	error = tls->sw_encrypt(state, tls, m, state->dst_iov, i + 1);
+	error = ktls_ocf_encrypt(state, tls, m, state->dst_iov, i + 1);
 
 	if (__predict_false(error != 0)) {
 		/* Free the anonymous pages. */
diff --git a/sys/opencrypto/ktls.h b/sys/opencrypto/ktls.h
index 9eb01c9b02a5..b97f589fecb4 100644
--- a/sys/opencrypto/ktls.h
+++ b/sys/opencrypto/ktls.h
@@ -49,5 +49,11 @@ struct ktls_ocf_encrypt_state {
 void ktls_encrypt_cb(struct ktls_ocf_encrypt_state *state, int error);
 void ktls_ocf_free(struct ktls_session *tls);
 int ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction);
+int ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+    struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+    int outiovcnt);
+int ktls_ocf_decrypt(struct ktls_session *tls,
+    const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno,
+    int *trailer_len);
 
 #endif	/* !__OPENCRYPTO_KTLS_H__ */
diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 34e76556fccc..575a91f9fe3f 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -47,7 +47,20 @@ __FBSDID("$FreeBSD$");
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/ktls.h>
 
+struct ktls_ocf_sw {
+	/* Encrypt a single outbound TLS record. */
+	int	(*encrypt)(struct ktls_ocf_encrypt_state *state,
+	    struct ktls_session *tls, struct mbuf *m,
+	    struct iovec *outiov, int outiovcnt);
+
+	/* Decrypt a received TLS record. */
+	int	(*decrypt)(struct ktls_session *tls,
+	    const struct tls_record_layer *hdr, struct mbuf *m,
+	    uint64_t seqno, int *trailer_len);
+};
+
 struct ktls_ocf_session {
+	const struct ktls_ocf_sw *sw;
 	crypto_session_t sid;
 	crypto_session_t mac_sid;
 	struct mtx lock;
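Review bot: The new `sw` member of `struct ktls_ocf_session` is the only field in this hunk without a comment, while both function pointers in `struct ktls_ocf_sw` get one. Since the switches defined later in this file are `static const`, the dispatch pointers now live in read-only data instead of the heap-allocated session, and it is worth stating that and the selection point on the field: `/* Per-cipher-suite dispatch table; points at one of the static const ktls_ocf_*_sw switches chosen in ktls_ocf_try(). */`. Whether every successful return from ktls_ocf_try() leaves `sw` non-NULL depends on code outside these hunks, so the comment should not promise more than that.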
@@ -386,6 +399,10 @@ ktls_ocf_tls_cbc_encrypt(struct ktls_ocf_encrypt_state *state,
 	return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls_cbc_sw = {
+	.encrypt = ktls_ocf_tls_cbc_encrypt
+};
+
 static int
 ktls_ocf_tls12_aead_encrypt(struct ktls_ocf_encrypt_state *state,
     struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
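Review bot: `ktls_ocf_tls_cbc_sw` leaves `.decrypt` implicitly NULL, and the new `ktls_ocf_decrypt` wrapper in the last hunk of this file calls `tls->ocf_session->sw->decrypt` without checking it, so a CBC session that reaches the RX path would dereference NULL in kernel context. That this cannot happen presumably rests on ktls_ocf_try() refusing CBC for KTLS_RX before the switch is assigned, which is outside the visible hunks; making the invariant explicit in the wrapper, `KASSERT(tls->ocf_session->sw->decrypt != NULL, ("ktls_ocf_decrypt: no decrypt routine for this session"));`, costs nothing in production kernels and documents it. On the initializer itself, the two AEAD switches use a trailing comma and this one does not; `.encrypt = ktls_ocf_tls_cbc_encrypt,` plus a one-line `/* CBC is only used for TX; .decrypt stays NULL. */` (if that is indeed the intent) would keep the three definitions consistent.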
@@ -532,6 +549,11 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
 	return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls12_aead_sw = {
+	.encrypt = ktls_ocf_tls12_aead_encrypt,
+	.decrypt = ktls_ocf_tls12_aead_decrypt,
+};
+
 static int
 ktls_ocf_tls13_aead_encrypt(struct ktls_ocf_encrypt_state *state,
     struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
@@ -662,6 +684,11 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls,
 	return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls13_aead_sw = {
+	.encrypt = ktls_ocf_tls13_aead_encrypt,
+	.decrypt = ktls_ocf_tls13_aead_decrypt,
+};
+
 void
 ktls_ocf_free(struct ktls_session *tls)
 {
@@ -806,19 +833,12 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
 	tls->ocf_session = os;
 	if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16 ||
 	    tls->params.cipher_algorithm == CRYPTO_CHACHA20_POLY1305) {
-		if (direction == KTLS_TX) {
-			if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-				tls->sw_encrypt = ktls_ocf_tls13_aead_encrypt;
-			else
-				tls->sw_encrypt = ktls_ocf_tls12_aead_encrypt;
-		} else {
-			if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-				tls->sw_decrypt = ktls_ocf_tls13_aead_decrypt;
-			else
-				tls->sw_decrypt = ktls_ocf_tls12_aead_decrypt;
-		}
+		if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+			os->sw = &ktls_ocf_tls13_aead_sw;
+		else
+			os->sw = &ktls_ocf_tls12_aead_sw;
 	} else {
-		tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;
+		os->sw = &ktls_ocf_tls_cbc_sw;
 		if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) {
 			os->implicit_iv = true;
 			memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN);
@@ -837,3 +857,19 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
 	    tls->params.cipher_algorithm == CRYPTO_AES_CBC;
 	return (0);
 }
+
+int
+ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+    struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+    int outiovcnt)
+{
+	return (tls->ocf_session->sw->encrypt(state, tls, m, outiov,
+	    outiovcnt));
+}
+
+int
+ktls_ocf_decrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
+    struct mbuf *m, uint64_t seqno, int *trailer_len)
+{
+	return (tls->ocf_session->sw->decrypt(tls, hdr, m, seqno, trailer_len));
+}
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 4fa52f13e127..6d0b391ee0a5 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -167,8 +167,8 @@ struct tls_session_params {
 #define	KTLS_RX		2
 
 struct iovec;
-struct ktls_ocf_session;
 struct ktls_ocf_encrypt_state;
+struct ktls_ocf_session;
 struct ktls_session;
 struct m_snd_tag;
 struct mbuf;
@@ -176,14 +176,6 @@ struct sockbuf;
 struct socket;
 
 struct ktls_session {
-	union {
-		int	(*sw_encrypt)(struct ktls_ocf_encrypt_state *state,
-		    struct ktls_session *tls, struct mbuf *m,
-		    struct iovec *outiov, int outiovcnt);
-		int	(*sw_decrypt)(struct ktls_session *tls,
-		    const struct tls_record_layer *hdr, struct mbuf *m,
-		    uint64_t seqno, int *trailer_len);
-	};
 	struct ktls_ocf_session *ocf_session;
 	struct m_snd_tag *snd_tag;
 	struct tls_session_params params;


