#
163cdf6a |
| 08-Jul-2024 |
Mark Johnston <markj@FreeBSD.org> |
ktls: Fix races that can lead to double initialization
ktls_enable_rx() and ktls_enable_tx() have checks to return EALREADY if the socket already has KTLS enabled. However, these are done without any locks held and nothing blocks concurrent attempts to set the socket option. I believe the worst outcome of the race is leaked memory.
Fix the problem by rechecking under the sockbuf lock. While here, unify the locking protocol for sb_tls_info: require both the sockbuf and socket I/O locks in order to enable KTLS. This means that either lock is sufficient for checking whether KTLS is enabled in a given sockbuf, which simplifies some refactoring further down the road.
Note that the SOLISTENING() check can go away because SOCK_IO_RECV_LOCK() atomically locks the socket buffer and checks whether the socket is a listening socket. This changes the returned errno value, so update a test which checks it.
Reviewed by: gallatin
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45674
|
Revision tags: release/14.1.0, release/13.3.0 |
|
#
b08a9b86 |
| 17-Nov-2023 |
Mark Johnston <markj@FreeBSD.org> |
ktls tests: Relax error checking for shutdown(2) a bit
In my test suite runs I occasionally see shutdown(2) fail with ECONNRESET rather than ENOTCONN. soshutdown(2) will return ENOTCONN if the socket has been disconnected (synchronized by the socket lock), and tcp_usr_shutdown() will return ECONNRESET if the inpcb has been dropped (synchronized by the inpcb lock). I think it's possible to pass the first check in soshutdown() but fail the second check in tcp_usr_shutdown(), so modify the KTLS tests to permit this.
Reviewed by: jhb
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42277
|
Revision tags: release/14.0.0, release/13.2.0 |
|
#
5ea1e35d |
| 30-Mar-2023 |
Mark Johnston <markj@FreeBSD.org> |
ktls tests: Populate sockaddr fields before binding
Reported by: Jenkins
Fixes: b4b33821fa3d ("ktls: Fix interlocking between ktls_enable_rx() and listen(2)")
|
#
b4b33821 |
| 21-Mar-2023 |
Mark Johnston <markj@FreeBSD.org> |
ktls: Fix interlocking between ktls_enable_rx() and listen(2)
The TCP_TXTLS_ENABLE and TCP_RXTLS_ENABLE socket option handlers check whether the socket is a listening socket and fail if so, but this check is racy. Since we have to lock the socket buffer later anyway, defer the check to that point.
ktls_enable_tx() locks the send buffer's I/O lock, which will fail if the socket is a listening socket, so no explicit checks are needed. In ktls_enable_rx(), which does not acquire the I/O lock (see the review for some discussion on this), use an explicit SOLISTENING() check after locking the recv socket buffer.
Otherwise, a concurrent solisten_proto() call can trigger crashes and memory leaks by wiping out socket buffers as ktls_enable_*() is modifying them.
Also make sure that a KTLS-enabled socket can't be converted to a listening socket, and use SOCK_(SEND|RECV)BUF_LOCK macros instead of the old ones while here.
Add some simple regression tests involving listen(2).
Reported by: syzkaller
MFC after: 2 weeks
Reviewed by: gallatin, glebius, jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38504
|
#
3845cce7 |
| 20-Dec-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_tests: Ignore errors from close for receive error tests.
For tests that send invalid data to a TLS socket to trigger read errors the kernel may end up dropping the connection before close is called at the conclusion of the test resulting in spurious ECONNRESET errors from close. Ignore any errors from close for these tests.
PR: 268390
Reported by: olivier, Michal Gulbicki <michalx.gulbicki@intel.com>
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37717
|
#
f0c143b3 |
| 20-Dec-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_tests: Ignore spurious errors from shutdown(2).
For some of the "bad size" tests, the remote end can notice the error and drop the connection before the test program returns from write to call shutdown. In that case, shutdown fails with ENOTCONN. Permit these ENOTCONN errors without failing the test.
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37693
|
#
883d1742 |
| 15-Dec-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_tests: Log more details when a test fails.
- Make use of ATF_REQUIRE_INTEQ to log the values of integers for unexpected mismatches.
- Use ATF_REQUIRE_MSG in a few more places to log values when a requirement fails.
- Consistently use ATF_REQUIRE_ERRNO when checking for an expected errno value.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37691
|
#
70bb2286 |
| 08-Dec-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_test: Add debug option to hexdump keys, nonces, and buffers.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37509
|
Revision tags: release/12.4.0 |
|
#
65bd3adb |
| 15-Nov-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests for receiving corrupted or invalid records.
These should all trigger errors when reading from the socket.
Tests include truncated records (socket closed early on the other side), corrupted records (bits flipped in explicit IVs, ciphertext, or MAC), invalid header fields, and various invalid record lengths.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37373
|
#
64811651 |
| 15-Nov-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests for software AES-CBC decryption for TLS 1.1+.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D37371
|
#
cc13c983 |
| 08-Aug-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_test: Add a require_toe option similar to require_ifnet.
This skips tests that send and receive records that do not use TOE TLS.
Sponsored by: Chelsio Communications
|
#
ea4ebdcb |
| 14-Jun-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_test: Permit an option to skip tests not using ifnet TLS.
If ktls.require_ifnet is set to true, then check the TLS offload mode for tests sending and receiving records and skip the test if the offload mode is not ifnet mode.
This can be used along with ktls.host to run KTLS tests against a NIC supporting ifnet TLS and verify that expected cipher suites and directions used ifnet TLS rather than software TLS. Receive tests may result in a false positive as receive ifnet TLS can use software as a fallback.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D35427
|
#
2400a7b1 |
| 14-Jun-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_test: Permit connecting to a remote echo server for tests.
Previously ktls tests always executed over a local socket pair. ktls.host can be set to a host to connect to with a single socket instead. The remote end is expected to echo back any data received (such as the echo service). The port can be set with ktls.port which defaults to "echo".
This is primarily useful to permit testing NIC TLS offload use cases where the traffic needs to transit the NIC.
Note that the variables must be set via 'kyua -v test_suites.FreeBSD.ktls.host=host'.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D35426
|
#
2c105205 |
| 14-Jun-2022 |
John Baldwin <jhb@FreeBSD.org> |
ktls_test: Add a helper function to close sockets.
Reviewed by: markj
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D35425
|
Revision tags: release/13.1.0 |
|
#
5de79eed |
| 08-Feb-2022 |
Mark Johnston <markj@FreeBSD.org> |
ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode
There was nothing preventing one from sending an empty fragment on an arbitrary KTLS TX-enabled socket, but ktls_frame() asserts that this could not happen. Though the transmit path handles this case for TLS 1.0 with AES-CBC, we should be strict and allow empty fragments only in modes where it is explicitly allowed.
Modify sosend_generic() to reject writes to a KTLS-enabled socket if the number of data bytes is zero, so that userspace cannot trigger the aforementioned assertion.
Add regression tests to exercise this case.
Reported by: syzkaller
Reviewed by: gallatin, jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34195
|
#
ee5686c6 |
| 17-Dec-2021 |
Mark Johnston <markj@FreeBSD.org> |
ktls: Add a regression test to exercise socket error handling
Prior to commit 916c61a5ed37 ("Fix handling of errors from pru_send(PRUS_NOTREADY)") this test triggered a kernel panic due to an mbuf double free.
Reviewed by: jhb
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33517
|
#
05a1d0f5 |
| 14-Dec-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Support for TLS 1.3 receive offload.
Note that support for TLS 1.3 receive offload in OpenSSL is still an open pull request in active development. However, potential changes to that pull request should not affect the kernel interface.
Reviewed by: hselasky
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33007
|
Revision tags: release/12.3.0 |
|
#
694c708d |
| 16-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls tests: Check the return values of close().
Suggested by: markj
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33004
|
#
d71830cd |
| 16-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Use ATF_REQUIRE instead of assert() for validating TLS header lengths.
The TLS header length field is set by the kernel, so if it is incorrect that is an indication of a kernel bug, not an internal error in the tests.
Prompted by: markj (comment in an earlier review)
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33003
|
#
83a54b58 |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests ensuring unsupported receive cipher suites are rejected.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32982
|
#
233ce578 |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests ensuring invalid receive cipher suites are rejected.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32981
|
#
3e7f8a8d |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add simple receive tests of kernel TLS.
Similar to the simple transmit tests added in a10482ea7476d68d1ab028145ae6d97cef747b49, these tests test the kernel TLS functionality directly by manually encrypting TLS records using randomly generated keys and writing them to a socket to be processed by the kernel.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32980
|
#
d1c369f9 |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests ensuring various invalid cipher suites are rejected.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32843
|
#
0ff2a12a |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add tests for sending empty fragments for TLS 1.0 connections.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32841
|
#
44265dc3 |
| 15-Nov-2021 |
John Baldwin <jhb@FreeBSD.org> |
ktls: Add padding tests for AES-CBC MTE cipher suites.
For each AES-CBC MTE cipher suite, test sending records with 1 to 16 bytes of payload. This ensures that all of the potential padding values are covered.
Reviewed by: markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D32840
|