Fix downgrading of TOE TLS sockets to plain TOE.

If a TOE TLS socket ends up using an unsupported TLS version or
ciphersuite, it must be downgraded to a "plain" TOE socket with TLS
encryption/decryption performed on the host.  The previous
implementation of this fallback was incomplete and resulted in hung
connections.

Reviewed by:	np
MFC after:	2 weeks
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27467
John Baldwin 2020-12-03 21:49:20 +00:00
parent ca93db7931
commit 05d5675520
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=368311
2 changed files with 27 additions and 6 deletions


@ -4917,9 +4917,22 @@ set_params__post_init(struct adapter *sc)
#endif
#ifdef KERN_TLS
if (t4_kern_tls != 0 && sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS &&
sc->toecaps & FW_CAPS_CONFIG_TOE)
if (sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS &&
sc->toecaps & FW_CAPS_CONFIG_TOE) {
if (t4_kern_tls != 0)
t4_enable_kern_tls(sc);
else {
/*
* Limit TOE connections to 2 reassembly
* "islands". This is required for TOE TLS
* connections to downgrade to plain TOE
* connections if an unsupported TLS version
* or ciphersuite is used.
*/
t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG,
V_PASSMODE(M_PASSMODE), V_PASSMODE(2));
}
}
#endif
return (0);
}
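Review bot: The bare `2` in `V_PASSMODE(2)` is explained only by the comment above it, and that comment does not say that the write to `A_TP_FRAG_CONFIG` happens once at post-init and so appears to affect every TOE connection on the adapter, not only TLS ones. The commit message says an incomplete fallback hangs connections, so this dependency is worth making explicit. I would give the value a name, for example `V_PASSMODE(TOE_PASSMODE_TWO_ISLANDS)` (name constructed here, not an existing macro), and extend the comment to say what configures this field when `t4_kern_tls != 0`. Whether `t4_enable_kern_tls()` programs the same field is not visible in this hunk and should be confirmed. The enclosing function `set_params__post_init` starts outside the hunk.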


@ -138,11 +138,19 @@ tls_clr_ofld_mode(struct toepcb *toep)
tls_stop_handshake_timer(toep);
/* Operate in PDU extraction mode only. */
KASSERT(toep->tls.rx_key_addr == -1,
("%s: tid %d has RX key", __func__, toep->tid));
/* Switch to plain TOE mode. */
t4_set_tls_tcb_field(toep, W_TCB_ULP_RAW,
V_TCB_ULP_RAW(M_TCB_ULP_RAW),
V_TCB_ULP_RAW(V_TF_TLS_ENABLE(1)));
V_TCB_ULP_RAW(V_TF_TLS_ENABLE(1)),
V_TCB_ULP_RAW(V_TF_TLS_ENABLE(0)));
t4_set_tls_tcb_field(toep, W_TCB_ULP_TYPE,
V_TCB_ULP_TYPE(M_TCB_ULP_TYPE), V_TCB_ULP_TYPE(ULP_MODE_NONE));
t4_clear_rx_quiesce(toep);
toep->flags &= ~TPF_FORCE_CREDITS;
toep->params.ulp_mode = ULP_MODE_NONE;
}
static void
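Review bot: The new `KASSERT(toep->tls.rx_key_addr == -1, ...)` is the only guard on the downgrade precondition, and KASSERT is compiled out of kernels built without INVARIANTS. A production kernel would therefore still clear `TF_TLS_ENABLE` and set `ULP_MODE_NONE` on a tid that has an RX key programmed. If every caller already guarantees the precondition, state that above the assertion, e.g. `/* Callers only downgrade before an RX key is programmed. */`. If not, an explicit runtime check such as `if (toep->tls.rx_key_addr != -1)` with the error handling the callers expect would keep the host and hardware views of the connection consistent. The function's opening lines and its callers are outside the hunk, so this cannot be confirmed from here.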