This only supports TOE mode, but can be extended to support other
offload backends in the future.
- Add new TCP_RXTLS_ENABLE and TCP_RXTLS_MODE socket options. These function similarly to their TX counterparts.
- TLS records are stored in the socket receive buffer as records with a new TLS_GET_RECORD control message containing fields from the TLS header in a struct tls_get_record. The decrypted TLS record payload is appended after the control message mbuf in the socket buffer. soreceive_stream() falls back to soreceive_generic() for sockets with an active KTLS RX session. OpenSSL uses recvmsg() to fetch decrypted TLS records. If a TLS record is received that fails to authenticate, the socket error is set to EBADMSG to fail the next call to recvmsg().
- A new SO_WANT_KTLS socket option can be set by applications to hint to the kernel that KTLS is requested. If the socket ends up using TLS, the application must attempt to enable KTLS via TCP_RXTLS_ENABLE, however, setting the socket option is not required. Some KTLS backends may not be able to offload RX if the option is not set.
The Chelsio driver uses this hint to enable TLS mode on TOE sockets. The TOE layer has to know when a connection is established if it will use TLS for RX or not.
- The TOE interface for allocating TLS sessions now accepts an additional 'bool transmit' parameter to differentiate transmit vs receive sessions.