Add support for TLS_RX_EXPECT_NO_PAD

Summary: Add support for TLS_RX_EXPECT_NO_PAD From: https://docs.kernel.org/networking/tls.html "TLS_RX_EXPECT_NO_PAD TLS 1.3 only. Expect the sender to not pad records. This allows the data to be decrypted directly into user space buffers with TLS 1.3. This optimization is safe to enable only if the remote end is trusted, otherwise it is an attack vector to doubling the TLS processing cost." Reviewed By: kuba-moo Differential Revision: D47904915 fbshipit-source-id: a8400aef7ba84379727dbdae5b5f0c906e20d38b
facebook · Aug 2, 2023 · cf946ba · cf946ba
1 parent 5b26092
commit cf946ba
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/wangle/acceptor/Acceptor.cpp b/wangle/acceptor/Acceptor.cpp
@@ -395,6 +395,9 @@ static std::string logContext(folly::AsyncTransport& transport) {
 AsyncTransport::UniquePtr Acceptor::transformTransport(
     AsyncTransport::UniquePtr sock) {
   if constexpr (fizz::platformCapableOfKTLS) {
+    fizz::KTLSRxPad rxPad = accConfig_.fizzConfig.expectNoPadKTLSRx
+        ? fizz::KTLSRxPad::RxExpectNoPad
+        : fizz::KTLSRxPad::RxPadUnknown;
     if (accConfig_.fizzConfig.preferKTLS) {
       if (accConfig_.fizzConfig.preferKTLSRx) {
         std::string sockLogContext;
@@ -410,7 +413,7 @@ AsyncTransport::UniquePtr Acceptor::transformTransport(
               << sockLogContext;
           return sock;
         }
-        auto ktlsRxSockResult = fizz::tryConvertKTLSRx(*fizzSocket);
+        auto ktlsRxSockResult = fizz::tryConvertKTLSRx(*fizzSocket, rxPad);
         if (ktlsRxSockResult.hasValue()) {
           VLOG(5) << "Upgraded socket to kTLS Rx. " << sockLogContext;
           return std::move(ktlsRxSockResult).value();
@@ -434,7 +437,7 @@ AsyncTransport::UniquePtr Acceptor::transformTransport(
               << sockLogContext;
           return sock;
         }
-        auto ktlsSockResult = fizz::tryConvertKTLS(*fizzSocket);
+        auto ktlsSockResult = fizz::tryConvertKTLS(*fizzSocket, rxPad);
         if (ktlsSockResult.hasValue()) {
           VLOG(5) << "Upgraded socket to kTLS. " << sockLogContext;
           return std::move(ktlsSockResult).value();

diff --git a/wangle/acceptor/FizzConfig.h b/wangle/acceptor/FizzConfig.h
@@ -39,6 +39,9 @@ struct FizzConfig {
   // EXPERIMENTAL: Attempt to switch to kTLS Rx only
   // Requires preferKTLS to be enabled
   bool preferKTLSRx{false};
+  // EXPERIMENTAL: Attempt opportunistic zero-copy
+  // Requires preferKTLS to be enabled
+  bool expectNoPadKTLSRx{false};
 
   folly::Optional<uint16_t> maxRecord;
   folly::Optional<uint16_t> paddingModulo;