path: root/sys/sys/ktls.h
diff options
authorJohn Baldwin <jhb@FreeBSD.org>2020-04-27 23:17:19 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2020-04-27 23:17:19 +0000
commitf1f93475463891194c453aff5f7c872fa9109b45 (patch)
tree96c3a00abf0c646544c443cf7a4ced5dae445568 /sys/sys/ktls.h
parentec1db6e13db4d5cffa7fadc42519f9bc4315eaee (diff)
Initial support for kernel offload of TLS receive.
- Add a new TCP_RXTLS_ENABLE socket option to set the encryption and authentication algorithms and keys as well as the initial sequence number. - When reading from a socket using KTLS receive, applications must use recvmsg(). Each successful call to recvmsg() will return a single TLS record. A new TCP control message, TLS_GET_RECORD, will contain the TLS record header of the decrypted record. The regular message buffer passed to recvmsg() will receive the decrypted payload. This is similar to the interface used by Linux's KTLS RX except that Linux does not return the full TLS header in the control message. - Add plumbing to the TOE KTLS interface to request either transmit or receive KTLS sessions. - When a socket is using receive KTLS, redirect reads from soreceive_stream() into soreceive_generic(). - Note that this interface is currently only defined for TLS 1.1 and 1.2, though I believe we will be able to reuse the same interface and structures for 1.3.
Notes: svn path=/head/; revision=360408
Diffstat (limited to 'sys/sys/ktls.h')
1 files changed, 17 insertions, 2 deletions
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 94d5a976274a..bb7d41a7fa5c 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -98,7 +98,7 @@ struct tls_mac_data {
#define TLS_MINOR_VER_TWO 3 /* 3, 3 */
#define TLS_MINOR_VER_THREE 4 /* 3, 4 */
#ifdef _KERNEL
struct tls_enable_v0 {
const uint8_t *cipher_key;
@@ -130,6 +130,17 @@ struct tls_enable {
uint8_t rec_seq[8];
+/* Structure for TLS_GET_RECORD. */
+struct tls_get_record {
+ /* TLS record header. */
+ uint8_t tls_type;
+ uint8_t tls_vmajor;
+ uint8_t tls_vminor;
+ uint16_t tls_length;
+#ifdef _KERNEL
struct tls_session_params {
uint8_t *cipher_key;
uint8_t *auth_key;
@@ -148,7 +159,9 @@ struct tls_session_params {
uint8_t flags;
-#ifdef _KERNEL
+/* Used in APIs to request RX vs TX sessions. */
+#define KTLS_TX 1
+#define KTLS_RX 2
@@ -192,6 +205,7 @@ struct ktls_session {
int ktls_crypto_backend_register(struct ktls_crypto_backend *be);
int ktls_crypto_backend_deregister(struct ktls_crypto_backend *be);
+int ktls_enable_rx(struct socket *so, struct tls_enable *en);
int ktls_enable_tx(struct socket *so, struct tls_enable *en);
void ktls_destroy(struct ktls_session *tls);
void ktls_frame(struct mbuf *m, struct ktls_session *tls, int *enqueue_cnt,
@@ -199,6 +213,7 @@ void ktls_frame(struct mbuf *m, struct ktls_session *tls, int *enqueue_cnt,
void ktls_seq(struct sockbuf *sb, struct mbuf *m);
void ktls_enqueue(struct mbuf *m, struct socket *so, int page_count);
void ktls_enqueue_to_free(struct mbuf_ext_pgs *pgs);
+int ktls_get_rx_mode(struct socket *so);
int ktls_set_tx_mode(struct socket *so, int mode);
int ktls_get_tx_mode(struct socket *so);
int ktls_output_eagain(struct inpcb *inp, struct ktls_session *tls);