The branch main has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a4c5d490f6be56468b2a088a5f6169846e39bd84

commit a4c5d490f6be56468b2a088a5f6169846e39bd84
Author:     John Baldwin <j...@freebsd.org>
AuthorDate: 2022-04-22 22:52:12 +0000
Commit:     John Baldwin <j...@freebsd.org>
CommitDate: 2022-04-22 22:52:12 +0000

    KTLS: Move OCF function pointers out of ktls_session.
    
    Instead, create a switch structure private to ktls_ocf.c and store a
    pointer to the switch in the ocf_session.  This will permit adding an
    additional function pointer needed for NIC TLS RX without further
    bloating ktls_session.
    
    Reviewed by:    hselasky
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D35011
---
 sys/kern/uipc_ktls.c      |  6 ++---
 sys/opencrypto/ktls.h     |  6 +++++
 sys/opencrypto/ktls_ocf.c | 60 +++++++++++++++++++++++++++++++++++++----------
 sys/sys/ktls.h            | 10 +-------
 4 files changed, 58 insertions(+), 24 deletions(-)

diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 466b64d01386..7b99c460e8de 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -2073,7 +2073,7 @@ ktls_decrypt(struct socket *so)
                SBCHECK(sb);
                SOCKBUF_UNLOCK(sb);
 
-               error = tls->sw_decrypt(tls, hdr, data, seqno, &trail_len);
+               error = ktls_ocf_decrypt(tls, hdr, data, seqno, &trail_len);
                if (error == 0) {
                        if (tls13)
                                error = tls13_find_record_type(tls, data,
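Review bot: ktls_ocf_decrypt, which this call now goes through, dereferences tls->ocf_session->sw->decrypt without checking that the member is set, and the ktls_ocf_tls_cbc_sw switch added in ktls_ocf.c initializes only .encrypt, so a CBC session that reached ktls_decrypt would call a NULL function pointer. Before this change the union removed from sys/sys/ktls.h meant the same path would have invoked sw_encrypt through the sw_decrypt signature, so the hazard is not new, but the ktls_ocf_try hunk now installs os->sw without consulting direction, leaving any rejection of CBC for KTLS_RX to code outside these hunks. A `KASSERT(tls->ocf_session->sw->decrypt != NULL, ("%s: no decrypt routine", __func__));` at the top of ktls_ocf_decrypt would make the contract explicit; the same point applies to the ktls_ocf_try and ktls_ocf_decrypt hunks in ktls_ocf.c. ktls_decrypt starts and ends outside this hunk.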
@@ -2262,7 +2262,7 @@ ktls_encrypt_record(struct ktls_wq *wq, struct mbuf *m,
 
        /* Anonymous mbufs are encrypted in place. */
        if ((m->m_epg_flags & EPG_FLAG_ANON) != 0)
-               return (tls->sw_encrypt(state, tls, m, NULL, 0));
+               return (ktls_ocf_encrypt(state, tls, m, NULL, 0));
 
        /*
         * For file-backed mbufs (from sendfile), anonymous wired
@@ -2292,7 +2292,7 @@ ktls_encrypt_record(struct ktls_wq *wq, struct mbuf *m,
        state->dst_iov[i].iov_base = m->m_epg_trail;
        state->dst_iov[i].iov_len = m->m_epg_trllen;
 
-       error = tls->sw_encrypt(state, tls, m, state->dst_iov, i + 1);
+       error = ktls_ocf_encrypt(state, tls, m, state->dst_iov, i + 1);
 
        if (__predict_false(error != 0)) {
                /* Free the anonymous pages. */
diff --git a/sys/opencrypto/ktls.h b/sys/opencrypto/ktls.h
index 9eb01c9b02a5..b97f589fecb4 100644
--- a/sys/opencrypto/ktls.h
+++ b/sys/opencrypto/ktls.h
@@ -49,5 +49,11 @@ struct ktls_ocf_encrypt_state {
 void ktls_encrypt_cb(struct ktls_ocf_encrypt_state *state, int error);
 void ktls_ocf_free(struct ktls_session *tls);
 int ktls_ocf_try(struct socket *so, struct ktls_session *tls, int direction);
+int ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+    struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+    int outiovcnt);
+int ktls_ocf_decrypt(struct ktls_session *tls,
+    const struct tls_record_layer *hdr, struct mbuf *m, uint64_t seqno,
+    int *trailer_len);
 
 #endif /* !__OPENCRYPTO_KTLS_H__ */
diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 34e76556fccc..575a91f9fe3f 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -47,7 +47,20 @@ __FBSDID("$FreeBSD$");
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/ktls.h>
 
+struct ktls_ocf_sw {
+       /* Encrypt a single outbound TLS record. */
+       int     (*encrypt)(struct ktls_ocf_encrypt_state *state,
+           struct ktls_session *tls, struct mbuf *m,
+           struct iovec *outiov, int outiovcnt);
+
+       /* Decrypt a received TLS record. */
+       int     (*decrypt)(struct ktls_session *tls,
+           const struct tls_record_layer *hdr, struct mbuf *m,
+           uint64_t seqno, int *trailer_len);
+};
+
 struct ktls_ocf_session {
+       const struct ktls_ocf_sw *sw;
        crypto_session_t sid;
        crypto_session_t mac_sid;
        struct mtx lock;
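Review bot: The comment on the decrypt member of the new struct ktls_ocf_sw does not say that the pointer may be unset, yet ktls_ocf_tls_cbc_sw later in this file initializes only .encrypt. Suggest `/* Decrypt a received TLS record.  May be NULL for a switch with no receive support. */` so a reader of the switch knows the member has to be checked or asserted before it is called. struct ktls_ocf_session continues past the end of this hunk.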
@@ -386,6 +399,10 @@ ktls_ocf_tls_cbc_encrypt(struct ktls_ocf_encrypt_state 
*state,
        return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls_cbc_sw = {
+       .encrypt = ktls_ocf_tls_cbc_encrypt
+};
+
 static int
 ktls_ocf_tls12_aead_encrypt(struct ktls_ocf_encrypt_state *state,
     struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
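Review bot: ktls_ocf_tls_cbc_sw leaves .decrypt implicitly zero and omits the trailing comma that the two AEAD switches in the later hunks use. Writing `.decrypt = NULL, /* no decrypt routine */` explicitly would make the asymmetry read as deliberate rather than as an omission, and keeps the three initializers in the same shape. The enclosing ktls_ocf_tls12_aead_encrypt definition continues outside this hunk.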
@@ -532,6 +549,11 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
        return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls12_aead_sw = {
+       .encrypt = ktls_ocf_tls12_aead_encrypt,
+       .decrypt = ktls_ocf_tls12_aead_decrypt,
+};
+
 static int
 ktls_ocf_tls13_aead_encrypt(struct ktls_ocf_encrypt_state *state,
     struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
@@ -662,6 +684,11 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls,
        return (error);
 }
 
+static const struct ktls_ocf_sw ktls_ocf_tls13_aead_sw = {
+       .encrypt = ktls_ocf_tls13_aead_encrypt,
+       .decrypt = ktls_ocf_tls13_aead_decrypt,
+};
+
 void
 ktls_ocf_free(struct ktls_session *tls)
 {
@@ -806,19 +833,12 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, 
int direction)
        tls->ocf_session = os;
        if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16 ||
            tls->params.cipher_algorithm == CRYPTO_CHACHA20_POLY1305) {
-               if (direction == KTLS_TX) {
-                       if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-                               tls->sw_encrypt = ktls_ocf_tls13_aead_encrypt;
-                       else
-                               tls->sw_encrypt = ktls_ocf_tls12_aead_encrypt;
-               } else {
-                       if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
-                               tls->sw_decrypt = ktls_ocf_tls13_aead_decrypt;
-                       else
-                               tls->sw_decrypt = ktls_ocf_tls12_aead_decrypt;
-               }
+               if (tls->params.tls_vminor == TLS_MINOR_VER_THREE)
+                       os->sw = &ktls_ocf_tls13_aead_sw;
+               else
+                       os->sw = &ktls_ocf_tls12_aead_sw;
        } else {
-               tls->sw_encrypt = ktls_ocf_tls_cbc_encrypt;
+               os->sw = &ktls_ocf_tls_cbc_sw;
                if (tls->params.tls_vminor == TLS_MINOR_VER_ZERO) {
                        os->implicit_iv = true;
                        memcpy(os->iv, tls->params.iv, AES_BLOCK_LEN);
@@ -837,3 +857,19 @@ ktls_ocf_try(struct socket *so, struct ktls_session *tls, 
int direction)
            tls->params.cipher_algorithm == CRYPTO_AES_CBC;
        return (0);
 }
+
+int
+ktls_ocf_encrypt(struct ktls_ocf_encrypt_state *state,
+    struct ktls_session *tls, struct mbuf *m, struct iovec *outiov,
+    int outiovcnt)
+{
+       return (tls->ocf_session->sw->encrypt(state, tls, m, outiov,
+           outiovcnt));
+}
+
+int
+ktls_ocf_decrypt(struct ktls_session *tls, const struct tls_record_layer *hdr,
+    struct mbuf *m, uint64_t seqno, int *trailer_len)
+{
+       return (tls->ocf_session->sw->decrypt(tls, hdr, m, seqno, trailer_len));
+}
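Review bot: The new external entry points ktls_ocf_encrypt and ktls_ocf_decrypt carry no comment describing their contract, which from the ktls_ocf_try hunk above is that they dispatch through the switch stored in the session's ocf_session. Suggest a comment above each along the lines of `/* Dispatch to the per-cipher switch installed by ktls_ocf_try(). */`, with the ktls_ocf_decrypt variant adding that the session's switch must provide a decrypt routine. The prototypes added to sys/opencrypto/ktls.h would benefit from the same one-line comment.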
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 4fa52f13e127..6d0b391ee0a5 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -167,8 +167,8 @@ struct tls_session_params {
 #define        KTLS_RX         2
 
 struct iovec;
-struct ktls_ocf_session;
 struct ktls_ocf_encrypt_state;
+struct ktls_ocf_session;
 struct ktls_session;
 struct m_snd_tag;
 struct mbuf;
@@ -176,14 +176,6 @@ struct sockbuf;
 struct socket;
 
 struct ktls_session {
-       union {
-               int     (*sw_encrypt)(struct ktls_ocf_encrypt_state *state,
-                   struct ktls_session *tls, struct mbuf *m,
-                   struct iovec *outiov, int outiovcnt);
-               int     (*sw_decrypt)(struct ktls_session *tls,
-                   const struct tls_record_layer *hdr, struct mbuf *m,
-                   uint64_t seqno, int *trailer_len);
-       };
        struct ktls_ocf_session *ocf_session;
        struct m_snd_tag *snd_tag;
        struct tls_session_params params;
