authorJohn Baldwin <jhb@FreeBSD.org>2025-09-29 15:02:28 +0000
committerNavdeep Parhar <np@FreeBSD.org>2025-09-29 15:19:12 +0000
commit6154961e2e4c7e1d998f4c9e22c5370d17edb160 (patch)
tree8a7bb9232becce02dbe9a8f0c53521ea3c02b38d
parent4f272a5ef3d8073940e7719401d1e8de2de6100a (diff)
cxgbe: Support for TLS 1.3 in key contexts.
For TLS 1.3 the 4 byte salt field has been extended to hold the 12 byte nonce. MFC after: 3 days Sponsored by: Chelsio Communications
-rw-r--r--sys/dev/cxgbe/crypto/t4_crypto.h1
-rw-r--r--sys/dev/cxgbe/crypto/t4_keyctx.c26
2 files changed, 23 insertions, 4 deletions
diff --git a/sys/dev/cxgbe/crypto/t4_crypto.h b/sys/dev/cxgbe/crypto/t4_crypto.h
index 452e48d20dfd..71c9ec3903ef 100644
--- a/sys/dev/cxgbe/crypto/t4_crypto.h
+++ b/sys/dev/cxgbe/crypto/t4_crypto.h
@@ -139,6 +139,7 @@ struct phys_sge_pairs {
#define SCMD_PROTO_VERSION_TLS_1_2 0
#define SCMD_PROTO_VERSION_TLS_1_1 1
#define SCMD_PROTO_VERSION_GENERIC 4
+#define SCMD_PROTO_VERSION_TLS_1_3 8
#define SCMD_CIPH_MODE_NOP 0
#define SCMD_CIPH_MODE_AES_CBC 1
diff --git a/sys/dev/cxgbe/crypto/t4_keyctx.c b/sys/dev/cxgbe/crypto/t4_keyctx.c
index 52a75666c3aa..b85e50fd6cb1 100644
--- a/sys/dev/cxgbe/crypto/t4_keyctx.c
+++ b/sys/dev/cxgbe/crypto/t4_keyctx.c
@@ -437,10 +437,16 @@ t4_tls_key_info_size(const struct ktls_session *tls)
int
t4_tls_proto_ver(const struct ktls_session *tls)
{
- if (tls->params.tls_vminor == TLS_MINOR_VER_ONE)
+ switch (tls->params.tls_vminor) {
+ case TLS_MINOR_VER_ONE:
return (SCMD_PROTO_VERSION_TLS_1_1);
- else
+ case TLS_MINOR_VER_TWO:
return (SCMD_PROTO_VERSION_TLS_1_2);
+ case TLS_MINOR_VER_THREE:
+ return (SCMD_PROTO_VERSION_TLS_1_3);
+ default:
+ __assert_unreachable();
+ }
}
int
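Review bot: The new `default:` arm in t4_tls_proto_ver calls `__assert_unreachable()`, which panics only in INVARIANTS kernels and is a plain unreachable hint otherwise, so an unexpected `tls_vminor` is now undefined behaviour in a production build where the old `else` fell back to SCMD_PROTO_VERSION_TLS_1_2. The hunk does not show where `tls_vminor` is validated; presumably the session is rejected for offload earlier unless the minor version is one of the three handled here. I would state that invariant above the switch, for example `/* tls_vminor was checked when the session was accepted for offload; no other value reaches this point. */`, after confirming it holds on every caller path.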
@@ -492,6 +498,17 @@ t4_tls_hmac_ctrl(const struct ktls_session *tls)
}
static int
+tls_seqnum_ctrl(const struct ktls_session *tls)
+{
+ switch (tls->params.tls_vminor) {
+ case TLS_MINOR_VER_THREE:
+ return (0);
+ default:
+ return (3);
+ }
+}
+
+static int
tls_cipher_key_size(const struct ktls_session *tls)
{
switch (tls->params.cipher_key_len) {
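Review bot: tls_seqnum_ctrl returns the bare values `0` and `3` with nothing saying what each SEQNUMCTRL encoding selects, so a reader cannot verify from the code that TLS 1.3 should use 0 while every other version keeps the previous hard-coded 3. I would add a comment above the function along the lines of `/* SEQNUMCTRL encoding for the key context: 3 for TLS 1.2 and earlier, 0 for TLS 1.3 (<meaning per hardware documentation>). */`, or give the two values named constants next to the other SCMD defines. The `default:` arm here accepts any minor version silently, unlike t4_tls_proto_ver in the same commit, which asserts; if that difference is intentional, the same comment is the place to say so.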
@@ -557,7 +574,7 @@ t4_tls_key_ctx(const struct ktls_session *tls, int direction,
kctx->u.rxhdr.authmode_to_rxvalid =
V_TLS_KEYCTX_TX_WR_AUTHMODE(t4_tls_auth_mode(tls)) |
- V_TLS_KEYCTX_TX_WR_SEQNUMCTRL(3) |
+ V_TLS_KEYCTX_TX_WR_SEQNUMCTRL(tls_seqnum_ctrl(tls)) |
V_TLS_KEYCTX_TX_WR_RXVALID(1);
kctx->u.rxhdr.ivpresent_to_rxmk_size =
@@ -607,7 +624,8 @@ t4_tls_key_ctx(const struct ktls_session *tls, int direction,
_Static_assert(offsetof(struct tx_keyctx_hdr, txsalt) ==
offsetof(struct rx_keyctx_hdr, rxsalt),
"salt offset mismatch");
- memcpy(kctx->u.txhdr.txsalt, tls->params.iv, SALT_SIZE);
+ memcpy(kctx->u.txhdr.txsalt, tls->params.iv,
+ tls->params.iv_len);
t4_init_gmac_hash(tls->params.cipher_key,
tls->params.cipher_key_len, hash);
} else {
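Review bot: The copy into `txsalt` is now sized by `tls->params.iv_len`, a per-session value, instead of the compile-time `SALT_SIZE`, and nothing visible in this hunk bounds it by the size of the destination. The commit message says the field holds the 12-byte nonce for TLS 1.3, so the lengths presumably match, but the declaration of `txsalt` is not shown here, and a larger `iv_len` would write past it into the rest of the key context. Assuming `txsalt` is an array member, I would add `MPASS(tls->params.iv_len <= sizeof(kctx->u.txhdr.txsalt));` just before the memcpy, or a runtime check that fails the setup if `iv_len` is not already validated for this cipher and version. t4_tls_key_ctx starts and ends outside the hunk, so an existing check elsewhere in the function cannot be ruled out.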