author | Andrew Gallatin <gallatin@FreeBSD.org> | 2019-09-27 19:17:40 +0000 |
---|---|---|
committer | Andrew Gallatin <gallatin@FreeBSD.org> | 2019-09-27 19:17:40 +0000 |
commit | 6554362c664073f963300598abc4e8ae2be6d915 (patch) | |
tree | bc8f12f8eeff3b72514ca4d8c814fb6d2b653926 /sys/sys/ktls.h | |
parent | 708cf7eb6c21e7eb670ed4595fda761b43197de7 (diff) | |
kTLS support for TLS 1.3
TLS 1.3 requires a few changes because 1.3 pretends to be 1.2
with a record type of application data. The "real" record type is
then included at the end of the user-supplied plaintext
data. This required adding a field to the mbuf_ext_pgs struct to
save the record type, and passing the real record type to the
sw_encrypt() ktls backend functions.
Reviewed by: jhb, hselasky
Sponsored by: Netflix
Differential Revision: D21801
Notes:
svn path=/head/; revision=352814
Diffstat (limited to 'sys/sys/ktls.h')
-rw-r--r-- | sys/sys/ktls.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 079d4448bd8d..62f694b3daee 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -43,6 +43,7 @@ struct tls_record_layer {
 #define TLS_MAX_MSG_SIZE_V10_2 16384
 #define TLS_MAX_PARAM_SIZE 1024 /* Max key/mac/iv in sockopt */
 #define TLS_AEAD_GCM_LEN 4
+#define TLS_1_3_GCM_IV_LEN 12
 #define TLS_CBC_IMPLICIT_IV_LEN 16
 /* Type values for the record layer */
@@ -85,6 +86,7 @@ struct tls_mac_data {
 #define TLS_MINOR_VER_ZERO 1 /* 3, 1 */
 #define TLS_MINOR_VER_ONE 2 /* 3, 2 */
 #define TLS_MINOR_VER_TWO 3 /* 3, 3 */
+#define TLS_MINOR_VER_THREE 4 /* 3, 4 */
 /* For TCP_TXTLS_ENABLE */
 struct tls_enable {
@@ -121,7 +123,7 @@ struct tls_session_params {
 #ifdef _KERNEL
-#define KTLS_API_VERSION 5
+#define KTLS_API_VERSION 6
 struct iovec;
 struct ktls_session;
@@ -144,7 +146,7 @@ struct ktls_session {
 int (*sw_encrypt)(struct ktls_session *tls, const struct tls_record_layer *hdr, uint8_t *trailer, struct iovec *src, struct iovec *dst, int iovcnt,
-    uint64_t seqno);
+    uint64_t seqno, uint8_t record_type);
 union {
 void *cipher;
 struct m_snd_tag *snd_tag; |
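Review bot: The new `record_type` parameter added to the `sw_encrypt` callback in the last hunk is undocumented, so a backend author reading only this header cannot tell that it carries the real content type which, per the commit message, TLS 1.3 hides behind an application_data record header and appends to the plaintext as a trailing byte. I would put a comment above the prototype along the lines of `/* record_type: real TLS content type of this record; for TLS 1.3 the record header says application_data and the real type is carried as the final plaintext byte, which the backend must include in the encrypted payload. */` — the record-header field names are outside the hunk, so the comment should refer to the header generically. In the first hunk `TLS_1_3_GCM_IV_LEN 12` is added next to `TLS_AEAD_GCM_LEN 4` with no comment saying which protocol version each applies to; presumably the 4-byte value is the TLS 1.2 explicit nonce and the 12-byte value the full TLS 1.3 per-record nonce, and a one-line comment on each would keep a backend from deriving a nonce with the wrong length. The `KTLS_API_VERSION` bump in the third hunk is appropriate given the changed callback signature; `struct ktls_session` continues outside the hunk.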