This is mainly intended to provide a fallback for TOE TLS which may
need to use software decryption for an initial record at the start
of a connection.
Sponsored by: Chelsio Communications
Details
Details
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
| sys/kern/uipc_ktls.c | ||
|---|---|---|
| 1262 | I had tried to add a knob to not use SW here for CBC so that use of TOE or ifnet would be mandated for CBC by default. However, there's not a great way to unwind the changes made above (which both ifnet and TOE TLS need to be done first) of moving the mbufs over to sb_mtls and queuing work for the kthread, etc. | |
Comment Actions
This is mainly intended to provide a fallback for TOE TLS which may need to use software decryption for an initial record at the start of a connection.
Why does it need to fall back?
| sys/opencrypto/ktls_ocf.c | ||
|---|---|---|
| 461 | Shouldn't this logically be ntohs? | |
| 464 | If you drop unnecessary parens, then this condition fits on one line. | |
| 505 | You technically don't need M_ZERO here. Given how expensive this function is I'm not sure if microoptimizing makes much sense. | |
Comment Actions
Well, there's D37351 (which is required for TLS 1.3, but also makes TOE TLS a lot less fragile and more user friendly), but also after commit d958bc7963d415d6745abf3e6829f05dabf4c9ed AES-CBC for TOE TLS hasn't worked as we allocate a software session always for both ifnet and TOE TLS for RX.
| sys/opencrypto/ktls_ocf.c | ||
|---|---|---|
| 505 | I did it because conceivably the skip in the loop below might result in using fewer iov entries and the M_ZERO is a safety net to ensure there isn't garbage left over in the iov array in that case. | |
| sys/opencrypto/ktls_ocf.c | ||
|---|---|---|
| 521 | I guess I could set uio.iovcnt to i here though. | |