[gnutls-devel] GnuTLS | GnuTLS should transparently use KTLS if it's available (#1113)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Nov 4 21:03:32 CET 2020

Ander Juaristi created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1113

The Linux kernel has been supporting KTLS for some time now.

This is basically a kernel-side TLS record encryption offloading. The kernel receives plaintext data on the socket descriptor via `write()` and it builds a valid TLS record around it. The same happens when data is read with `read()`: a TLS record is expected, then decrypted and the plaintext it contains returned.

After a successful TLS handshake (this happens normally on userland), you need to obtain the TLS secrets. You do this with `gnutls_record_get_state()`.

Then you enable KTLS on a connected TCP socket with `setsockopt`:

    setsockopt(sockfd, SOL_TCP, TCP_ULP, "tls", sizeof("tls");

And finally you copy the TLS master secret to the kernel so that it can build the read and write keys.

I think GnuTLS should transparently use KTLS if it's available, when either `gnutls_record_recv()` or `gnutls_record_write()` are called.

If it's not available, fall back to userland encryption using Nettle, just like now.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1113
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20201104/2e48261a/attachment.html>

More information about the Gnutls-devel mailing list