author: John Baldwin <jhb@FreeBSD.org> 2020-04-27 23:17:19 +0000
committer: John Baldwin <jhb@FreeBSD.org> 2020-04-27 23:17:19 +0000
commit: f1f93475463891194c453aff5f7c872fa9109b45 (patch)
tree: 96c3a00abf0c646544c443cf7a4ced5dae445568 /share/man/man4/tcp.4
parent: ec1db6e13db4d5cffa7fadc42519f9bc4315eaee (diff)
Initial support for kernel offload of TLS receive.
- Add a new TCP_RXTLS_ENABLE socket option to set the encryption and authentication algorithms and keys as well as the initial sequence number.
- When reading from a socket using KTLS receive, applications must use recvmsg(). Each successful call to recvmsg() will return a single TLS record. A new TCP control message, TLS_GET_RECORD, will contain the TLS record header of the decrypted record. The regular message buffer passed to recvmsg() will receive the decrypted payload. This is similar to the interface used by Linux's KTLS RX except that Linux does not return the full TLS header in the control message.
- Add plumbing to the TOE KTLS interface to request either transmit or receive KTLS sessions.
- When a socket is using receive KTLS, redirect reads from soreceive_stream() into soreceive_generic().
- Note that this interface is currently only defined for TLS 1.1 and 1.2, though I believe we will be able to reuse the same interface and structures for 1.3.
Notes: svn path=/head/; revision=360408
Diffstat (limited to 'share/man/man4/tcp.4')
-rw-r--r-- share/man/man4/tcp.4 | 38
1 files changed, 31 insertions, 7 deletions
diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4
index 7fc1ccb29928..915b8d0b6bf5 100644
--- a/share/man/man4/tcp.4
+++ b/share/man/man4/tcp.4
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd April 16, 2020
+.Dd April 27, 2020
.Dt TCP 4
.Os
.Sh NAME
@@ -319,14 +319,11 @@ control message.
The payload of this control message is a single byte holding the desired
TLS record type.
.Pp
-Data read from this socket will still be encrypted and must be parsed by
-a TLS-aware consumer.
-.Pp
-At present, only a single key may be set on a socket.
+At present, only a single transmit key may be set on a socket.
As such, users of this option must disable rekeying.
.It Dv TCP_TXTLS_MODE
-The integer argument can be used to get or set the current TLS mode of a
-socket.
+The integer argument can be used to get or set the current TLS transmit mode
+of a socket.
Setting the mode can only used to toggle between software and NIC TLS after
TLS has been initially enabled via the
.Dv TCP_TXTLS_ENABLE
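Review bot: the unchanged context line "Setting the mode can only used to toggle between software and NIC TLS" is missing a verb and should read "can only be used"; since this hunk already rewords the TCP_TXTLS_MODE paragraph, fold that fix in. Separately, removing "Data read from this socket will still be encrypted and must be parsed by a TLS-aware consumer" leaves the transmit-only case undocumented: a socket with only TCP_TXTLS_ENABLE set still returns ciphertext on read, so keep the sentence with a qualifier such as "unless TCP_RXTLS_ENABLE is also set" rather than dropping it.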
@@ -344,6 +341,33 @@ TLS records are encrypted by the network interface card (NIC).
.It Dv TCP_TLS_MODE_TOE
TLS records are encrypted by the NIC using a TCP offload engine (TOE).
.El
+.It Dv TCP_RXTLS_ENABLE
+Enable in-kernel TLS for data read from this socket.
+The
+.Vt struct tls_so_enable
+argument defines the encryption and authentication algorithms and keys
+used to decrypt the socket data.
+.Pp
+Each received TLS record must be read from the socket using
+.Xr recvmsg 2 .
+Each received TLS record will contain a
+.Dv TLS_GET_RECORD
+control message along with the decrypted payload.
+The control message contains a
+.Vt struct tls_get_record
+which includes fields from the TLS record header.
+If a corrupted TLS record is received,
+recvmsg 2
+will fail with
+.Dv EBADMSG .
+.Pp
+At present, only a single receive key may be set on a socket.
+As such, users of this option must disable rekeying.
+.It Dv TCP_RXTLS_MODE
+The integer argument can be used to get the current TLS receive mode
+of a socket.
+The available modes are the same as for
+.Dv TCP_TXTLS_MODE .
.El
.Pp
The option level for the
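Review bot: the bare "recvmsg 2" line in the EBADMSG sentence is missing the .Xr macro used by the earlier reference (".Xr recvmsg 2 ."), so it will render as literal text; change it to ".Xr recvmsg 2". The EBADMSG sentence should also state what happens to the socket afterwards (whether the corrupted record is discarded and subsequent records remain readable, or the connection is unusable), since callers need that to decide between retrying and closing. TCP_RXTLS_MODE is documented as get-only while TCP_TXTLS_MODE allows setting; saying explicitly that the receive mode cannot be changed with setsockopt would stop readers assuming the two options are symmetric. Finally, the commit message says the interface is only defined for TLS 1.1 and 1.2; that restriction belongs in the TCP_RXTLS_ENABLE entry.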