Date:      Wed, 8 Jan 2020 10:08:32 -0800
From:      John Baldwin <jhb@FreeBSD.org>
To:        Rick Macklem <rmacklem@uoguelph.ca>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: how to use the ktls
Message-ID:  <5be57c87-90fe-fcbe-ea37-bdb1bcff2da8@FreeBSD.org>
In-Reply-To: <YQBPR0101MB142760894682CA3663CB53BDDD3F0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM>
References:  <YQBPR0101MB142760894682CA3663CB53BDDD3F0@YQBPR0101MB1427.CANPRD01.PROD.OUTLOOK.COM>

On 1/7/20 3:02 PM, Rick Macklem wrote:
> Hi,
> 
> Now that I've completed NFSv4.2 I'm on to the next project, which is making NFS
> work over TLS.
> Of course, I know absolutely nothing about TLS, which will make this an interesting
> exercise for me.
> I did find simple server code in the OpenSSL doc. which at least gives me a starting
> point for the initialization stuff.
> As I understand it, this initialization must be done in userspace?
> 
> Then somehow, the ktls takes over and does the encryption of the
> data being sent on the socket via sosend_generic(). Does that sound right?
> 
> So, how does the kernel know the stuff that the initialization phase (handshake)
> figures out, or is it magic I don't have to worry about?
> 
> Don't waste much time replying to this. A few quick hints will keep me going for
> now. (From what I've seen sofar, this TLS stuff isn't simple. And I thought Kerberos
> was a pain.;-)
> 
> Thanks in advance for any hints, rick

Hmmm, this might be a fair bit of work indeed.

Right now KTLS only works for transmit (though I have some WIP for receive).

KTLS does assume that the initial handshake and key negotiation is handled by
OpenSSL.  OpenSSL uses custom setsockopt() calls to tell the kernel which
session keys to use.

I think what you would want to do is use something like OpenSSL_connect() in
userspace, and then check to see if KTLS "worked".  If it did, you can tell
the kernel it can write to the socket directly, otherwise you will have to
bounce data back out to userspace to run it through SSL_write() and have
userspace do SSL_read() and then feed data into the kernel.

The pseudo-code might look something like:

#include <openssl/ssl.h>

SSL_CTX *ctx;
SSL *s;

ctx = SSL_CTX_new(TLS_client_method());
s = SSL_new(ctx);

/* fd is the existing TCP socket */
SSL_set_fd(s, fd);
/* Handshake and key negotiation happen here, in userspace. */
SSL_connect(s);
if (BIO_get_ktls_send(SSL_get_wbio(s))) {
   /* Can use KTLS for transmit. */
}
if (BIO_get_ktls_recv(SSL_get_rbio(s))) {
   /* Can use KTLS for receive. */
}


-- 
John Baldwin
