The branch main has been updated by jhb:
URL:
https://cgit.FreeBSD.org/src/commit/?id=faf0224ff27b93b743d50b3830bf5ce345b67e94
commit faf0224ff27b93b743d50b3830bf5ce345b67e94
Author: John Baldwin <j...@freebsd.org>
AuthorDate: 2021-06-15 17:36:57 +0000
Commit: John Baldwin <j...@freebsd.org>
CommitDate: 2021-06-16 00:45:21 +0000
ktls: Don't mark existing received mbufs notready for TOE TLS.
The TOE driver might receive decrypted TLS records that are enqueued
to the socket buffer after ktls_try_toe() returns and before
ktls_enable_rx() locks the receive buffer to call sb_mark_notready().
In that case, sb_mark_notready() would incorrectly treat the decrypted
TLS record as an encrypted record and schedule it for decryption.
This always resulted in the connection being dropped as the data in
the control message did not look like a valid TLS header.
To fix, don't try to handle software decryption of existing buffers in
the socket buffer for TOE TLS in ktls_enable_rx(). If a TOE TLS
driver needs to decrypt existing data in the socket buffer, the driver
will need to manage that in its tod_alloc_tls_session method.
Sponsored by: Chelsio Communications
---
sys/kern/uipc_ktls.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 2ab2ef18446b..8eb52cd02afe 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -1049,8 +1049,10 @@ ktls_enable_rx(struct socket *so, struct tls_enable *en)
so->so_rcv.sb_flags |= SB_TLS_RX;
/* Mark existing data as not ready until it can be decrypted. */
- sb_mark_notready(&so->so_rcv);
- ktls_check_rx(&so->so_rcv);
+ if (tls->mode != TCP_TLS_MODE_TOE) {
+ sb_mark_notready(&so->so_rcv);
+ ktls_check_rx(&so->so_rcv);
+ }
SOCKBUF_UNLOCK(&so->so_rcv);
counter_u64_add(ktls_offload_total, 1);
_______________________________________________
dev-commits-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"
