From c57dbec69a6cb20098b691b9cd5246f390d83e80 Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Thu, 21 Oct 2021 09:36:29 -0700 Subject: [PATCH] ktls: Add a routine to query information in a receive socket buffer. In particular, ktls_pending_rx_info() determines which TLS record is at the end of the current receive socket buffer (including not-yet-decrypted data) along with how much data in that TLS record is not yet present in the socket buffer. This is useful for future changes to support NIC TLS receive offload and enhancements to TOE TLS receive offload. Those use cases need a way to synchronize a state machine on the NIC with the TLS record boundaries in the TCP stream. Reviewed by: gallatin, hselasky Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D32564 --- sys/kern/uipc_ktls.c | 63 ++++++++++++++++++++++++++++++++++++++++++++ sys/sys/ktls.h | 1 + 2 files changed, 64 insertions(+) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index 1d3321fd4ff6..eb1f8dec8c1e 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -1082,6 +1082,69 @@ sb_mark_notready(struct sockbuf *sb) sb->sb_ccc)); } +/* + * Return information about the pending TLS data in a socket + * buffer. On return, 'seqno' is set to the sequence number + * of the next TLS record to be received, 'resid' is set to + * the amount of bytes still needed for the last pending + * record. The function returns 'false' if the last pending + * record contains a partial TLS header. In that case, 'resid' + * is the number of bytes needed to complete the TLS header. + */ +bool +ktls_pending_rx_info(struct sockbuf *sb, uint64_t *seqnop, size_t *residp) +{ + struct tls_record_layer hdr; + struct mbuf *m; + uint64_t seqno; + size_t resid; + u_int offset, record_len; + + SOCKBUF_LOCK_ASSERT(sb); + MPASS(sb->sb_flags & SB_TLS_RX); + seqno = sb->sb_tls_seqno; + resid = sb->sb_tlscc; + m = sb->sb_mtls; + offset = 0; + + if (resid == 0) { + *seqnop = seqno; + *residp = 0; + return (true); + } + + for (;;) { + seqno++; + + if (resid < sizeof(hdr)) { + *seqnop = seqno; + *residp = sizeof(hdr) - resid; + return (false); + } + + m_copydata(m, offset, sizeof(hdr), (void *)&hdr); + + record_len = sizeof(hdr) + ntohs(hdr.tls_length); + if (resid <= record_len) { + *seqnop = seqno; + *residp = record_len - resid; + return (true); + } + resid -= record_len; + + while (record_len != 0) { + if (m->m_len - offset > record_len) { + offset += record_len; + break; + } + + record_len -= (m->m_len - offset); + offset = 0; + m = m->m_next; + } + } +} + int ktls_enable_rx(struct socket *so, struct tls_enable *en) { diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index cd0a786bb345..4258d2c342dc 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -224,6 +224,7 @@ int ktls_output_eagain(struct inpcb *inp, struct ktls_session *tls); #ifdef RATELIMIT int ktls_modify_txrtlmt(struct ktls_session *tls, uint64_t max_pacing_rate); #endif +bool ktls_pending_rx_info(struct sockbuf *sb, uint64_t *seqnop, size_t *residp); static inline struct ktls_session * ktls_hold(struct ktls_session *tls)