Date: Wed, 4 May 2022 20:33:58 GMT From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 913616b88505 - main - OpenSSL: KTLS: Enable KTLS for receiving as well in TLS 1.3 Message-ID: <202205042033.244KXw7n053175@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=913616b88505b2a5ff40f3d0a4b504d39ee563bb commit 913616b88505b2a5ff40f3d0a4b504d39ee563bb Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-05-04 20:08:36 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2022-05-04 20:08:36 +0000 OpenSSL: KTLS: Enable KTLS for receiving as well in TLS 1.3 This removes a guard condition that prevents KTLS being enabled for receiving in TLS 1.3. Use the correct sequence number and BIO for receive vs transmit offload. Approved by: jkim Obtained from: OpenSSL commit 7c78932b9a4330fb7c8db72b3fb37cbff1401f8b MFC after: 1 week Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D34976 --- crypto/openssl/ssl/tls13_enc.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/crypto/openssl/ssl/tls13_enc.c b/crypto/openssl/ssl/tls13_enc.c index cc1435ec55c2..109227e55666 100644 --- a/crypto/openssl/ssl/tls13_enc.c +++ b/crypto/openssl/ssl/tls13_enc.c @@ -471,6 +471,7 @@ int tls13_change_cipher_state(SSL *s, int which) const EVP_CIPHER *cipher = NULL; #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) ktls_crypto_info_t crypto_info; + void *rl_sequence; BIO *bio; #endif @@ -724,8 +725,7 @@ int tls13_change_cipher_state(SSL *s, int which) s->statem.enc_write_state = ENC_WRITE_STATE_VALID; #ifndef OPENSSL_NO_KTLS # if defined(OPENSSL_KTLS_TLS13) - if (!(which & SSL3_CC_WRITE) - || !(which & SSL3_CC_APPLICATION) + if (!(which & SSL3_CC_APPLICATION) || (s->options & SSL_OP_ENABLE_KTLS) == 0) goto skip_ktls; @@ -741,7 +741,10 @@ int tls13_change_cipher_state(SSL *s, int which) if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) goto skip_ktls; - bio = s->wbio; + if (which & SSL3_CC_WRITE) + bio = s->wbio; + else + bio = s->rbio; if (!ossl_assert(bio != NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE, @@ -750,19 +753,26 @@ int tls13_change_cipher_state(SSL *s, int which) } /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ - if (BIO_flush(bio) <= 0) - goto skip_ktls; + if (which & SSL3_CC_WRITE) { + if (BIO_flush(bio) <= 0) + goto skip_ktls; + } /* configure kernel crypto structure */ - if (!ktls_configure_crypto(s, cipher, ciph_ctx, - RECORD_LAYER_get_write_sequence(&s->rlayer), - &crypto_info, which & SSL3_CC_WRITE, iv, key, - NULL, 0)) + if (which & SSL3_CC_WRITE) + rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + + if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, + which & SSL3_CC_WRITE, iv, key, NULL, 0)) goto skip_ktls; /* ktls works with user provided buffers directly */ - if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) - ssl3_release_write_buffer(s); + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) + ssl3_release_write_buffer(s); + } skip_ktls: # endif #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202205042033.244KXw7n053175>