authorJohn Baldwin <jhb@FreeBSD.org>2022-04-22 22:52:12 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2022-04-22 22:52:12 +0000
commita4c5d490f6be56468b2a088a5f6169846e39bd84 (patch)
tree7276fae446661166ccaedbd62e9e372350dabc47 /sys/opencrypto
parentf2d166d5322e557ff1388a5419ed694187fc1dbc (diff)
KTLS: Move OCF function pointers out of ktls_session.
Instead, create a switch structure private to ktls_ocf.c and store a pointer to the switch in the ocf_session. This will permit adding an additional function pointer needed for NIC TLS RX without further bloating ktls_session. Reviewed by: hselasky Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D35011
Diffstat (limited to 'sys/opencrypto')
-rw-r--r--sys/opencrypto/ktls.h6
-rw-r--r--sys/opencrypto/ktls_ocf.c60
2 files changed, 54 insertions, 12 deletions
diff --git a/sys/opencrypto/ktls.h b/sys/opencrypto/ktls.h
index 9eb01c9b02a5..b97f589fecb4 100644
--- a/sys/opencrypto/ktls.h
+++ b/sys/opencrypto/ktls.h
@@ -49,5 +49,11 @@ struct ktls_ocf_encrypt_state {
void ktls_encrypt_cb(struct ktls_ocf_encrypt_state *state, int error);
void ktls_ocf_free(struct ktls_session *tls);
int ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction);
+int ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+ struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+ int outiovcnt);
+int ktls_ocf_decrypt(struct ktls_session *tls,
+ const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno,
+ int *trailer_len);
#endif /* !__OPENCRYPTO_KTLS_H__ */
diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 34e76556fccc..575a91f9fe3f 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -47,7 +47,20 @@ __FBSDID("$FreeBSD$");
#include <opencrypto/cryptodev.h>
#include <opencrypto/ktls.h>
+struct ktls_ocf_sw {
+ /* Encrypt a single outbound TLS record. */
+ int (*encrypt)(struct ktls_ocf_encrypt_state *state,
+ struct ktls_session *tls, struct mbuf *m,
+ struct iovec *outiov, int outiovcnt);
+
+ /* Decrypt a received TLS record. */
+ int (*decrypt)(struct ktls_session *tls,
+ const struct tls_record_layer *hdr, struct mbuf *m,
+ uint64_t seqno, int *trailer_len);
+};
+
struct ktls_ocf_session {
+ const struct ktls_ocf_sw *sw;
crypto_session_t sid;
crypto_session_t mac_sid;
struct mtx lock;
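Review bot: The new `sw` member added to struct ktls_ocf_session has no comment, while the two function pointers inside struct ktls_ocf_sw that it points at do; the struct definition continues past the hunk. Suggest `/* Per-cipher-suite method table, selected in ktls_ocf_try(). */` above `const struct ktls_ocf_sw *sw;`. The comment on `decrypt` should also record that the member can be left unset, since the CBC switch defined later in this file initializes only `encrypt`: `/* Decrypt a received TLS record; NULL when the suite provides no RX path. */`.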
@@ -386,6 +399,10 @@ ktls_ocf_tls_cbc_encrypt(struct ktls_ocf_encrypt_state *state,
return (error);
}
+static const struct ktls_ocf_sw ktls_ocf_tls_cbc_sw = {
+ .encrypt = ktls_ocf_tls_cbc_encrypt
+};
+
static int
ktls_ocf_tls12_aead_encrypt(struct ktls_ocf_encrypt_state *state,
struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
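Review bot: `ktls_ocf_tls_cbc_sw` lists only `.encrypt` and omits the trailing comma, whereas the two AEAD switches added later in this file initialize both members and end each with a comma. Writing `.encrypt = ktls_ocf_tls_cbc_encrypt,` followed by `.decrypt = NULL,` keeps the three initializers in the same shape and makes the absent RX method visible at a glance rather than relying on zero-initialization of the omitted designator.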
@@ -532,6 +549,11 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
return (error);
}
+static const struct ktls_ocf_sw ktls_ocf_tls12_aead_sw = {
+ .encrypt = ktls_ocf_tls12_aead_encrypt,
+ .decrypt = ktls_ocf_tls12_aead_decrypt,
+};
+
static int
ktls_ocf_tls13_aead_encrypt(struct ktls_ocf_encrypt_state *state,
struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
@@ -662,6 +684,11 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls,
return (error);
}
+static const struct ktls_ocf_sw ktls_ocf_tls13_aead_sw = {
+ .encrypt = ktls_ocf_tls13_aead_encrypt,
+ .decrypt = ktls_ocf_tls13_aead_decrypt,
+};
+
void
ktls_ocf_free(struct ktls_session *tls)
{
@@ -806,19 +833,12 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
tls->ocf_session = os;
if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16 ||
tls->params.cipher_algorithm == CRYPTO_CHACHA20_POLY1305) {
- if (direction == KTLS_TX) {
- if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
- tls->sw_encrypt = ktls_ocf_tls13_aead_encrypt;
- else
- tls->sw_encrypt = ktls_ocf_tls12_aead_encrypt;
- } else {
- if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
- tls->sw_decrypt = ktls_ocf_tls13_aead_decrypt;
- else
- tls->sw_decrypt = ktls_ocf_tls12_aead_decrypt;
- }
+ if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+ os->sw = &ktls_ocf_tls13_aead_sw;
+ else
+ os->sw = &ktls_ocf_tls12_aead_sw;
} else {
- tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;
+ os->sw = &ktls_ocf_tls_cbc_sw;
if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) {
os->implicit_iv = true;
memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN);
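Review bot: The switch is now chosen without consulting `direction`, so a session set up with `direction == KTLS_RX` and an AES-CBC suite receives `ktls_ocf_tls_cbc_sw`, whose `decrypt` member is NULL, and `ktls_ocf_decrypt()` in the last hunk of this file calls `tls->ocf_session->sw->decrypt` with no check. If an earlier part of ktls_ocf_try (outside this hunk) already refuses RX for CBC the path is unreachable, but nothing in the diff shows that. Making the invariant explicit on the CBC branch, e.g. `KASSERT(direction == KTLS_TX, ("%s: no RX method for CBC", __func__));` next to `os->sw = &ktls_ocf_tls_cbc_sw;`, or a NULL check in the wrapper returning `EOPNOTSUPP`, would turn a kernel NULL-pointer dereference into a diagnosable failure. ktls_ocf_try's body begins before and continues after this hunk.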
@@ -837,3 +857,19 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction)
tls->params.cipher_algorithm == CRYPTO_AES_CBC;
return (0);
}
+
+int
+ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+ struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+ int outiovcnt)
+{
+ return (tls->ocf_session->sw->encrypt(state, tls, m, outiov,
+ outiovcnt));
+}
+
+int
+ktls_ocf_decrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
+ struct mbuf *m, uint64_t seqno, int *trailer_len)
+{
+ return (tls->ocf_session->sw->decrypt(tls, hdr, m, seqno, trailer_len));
+}
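Review bot: The two new exported wrappers carry no comment explaining that they are the sole entry points into the per-session switch, and the matching prototypes added to ktls.h in the first hunk are equally bare. A one-line comment above each, such as `/* Dispatch to the encrypt method of the switch selected in ktls_ocf_try(). */` and the analogous line for decrypt, would tell callers where the method comes from and why no direction argument is needed here. The header file is also the natural place to state which of the two a session supports given the direction it was created with.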