Page MenuHomeFreeBSD

D57974.diff
No OneTemporary

D57974.diff

diff --git a/share/man/man4/ktls.4 b/share/man/man4/ktls.4
--- a/share/man/man4/ktls.4
+++ b/share/man/man4/ktls.4
@@ -29,7 +29,7 @@
.\"
.\" * Other names and brands may be claimed as the property of others.
.\"
-.Dd October 31, 2024
+.Dd June 30, 2026
.Dt KTLS 4
.Os
.Sh NAME
@@ -182,6 +182,8 @@
.Bl -tag -width ".Va kern.ipc.tls.cbc_enable"
.It Va kern.ipc.tls.enable
Determines if new kernel TLS sessions can be created.
+.It Va kern.ipc.tls.rx_enable
+Determines if new kernel TLS receive sessions can be created.
.It Va kern.ipc.tls.cbc_enable
Determines if new kernel TLS sessions with a cipher suite using AES-CBC
can be created.
diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -148,6 +148,11 @@
&ktls_offload_enable, 0,
"Enable support for kernel TLS offload");
+static bool ktls_rx_offload_enable = true;
+SYSCTL_BOOL(_kern_ipc_tls, OID_AUTO, rx_enable, CTLFLAG_RWTUN,
+ &ktls_rx_offload_enable, 0,
+ "Enable support for kernel TLS receive offload");
+
static bool ktls_cbc_enable = true;
SYSCTL_BOOL(_kern_ipc_tls, OID_AUTO, cbc_enable, CTLFLAG_RWTUN,
&ktls_cbc_enable, 1,
@@ -1285,7 +1290,7 @@
struct ktls_session *tls;
int error;
- if (!ktls_offload_enable)
+ if (!ktls_offload_enable || !ktls_rx_offload_enable)
return (ENOTSUP);
counter_u64_add(ktls_offload_enable_calls, 1);
diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c
--- a/tests/sys/kern/ktls_test.c
+++ b/tests/sys/kern/ktls_test.c
@@ -69,6 +69,28 @@
#define ATF_REQUIRE_KTLS() require_ktls()
+static void
+require_ktls_rx(void)
+{
+ size_t len;
+ bool enable;
+
+ ATF_REQUIRE_KTLS();
+
+ len = sizeof(enable);
+ if (sysctlbyname("kern.ipc.tls.rx_enable", &enable, &len, NULL, 0) ==
+ -1) {
+ if (errno == ENOENT)
+ atf_tc_skip("kernel does not support TLS offload");
+ atf_libc_error(errno, "Failed to read kern.ipc.tls.rx_enable");
+ }
+
+ if (!enable)
+ atf_tc_skip("Kernel TLS receive is disabled");
+}
+
+#define ATF_REQUIRE_KTLS_RX() require_ktls_rx()
+
static void
check_tls_mode(const atf_tc_t *tc, int s, int sockopt)
{
@@ -2286,7 +2308,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2306,7 +2328,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2326,7 +2348,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2346,7 +2368,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2366,7 +2388,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2386,7 +2408,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2406,7 +2428,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2426,7 +2448,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2622,7 +2644,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2679,7 +2701,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2722,7 +2744,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2781,7 +2803,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2820,7 +2842,7 @@
struct tls_enable en; \
uint64_t seqno; \
\
- ATF_REQUIRE_KTLS(); \
+ ATF_REQUIRE_KTLS_RX(); \
seqno = random(); \
build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
seqno, &en); \
@@ -2881,29 +2903,18 @@
* Make sure that listen(2) returns an error for KTLS-enabled sockets, and
* verify that an attempt to enable KTLS on a listening socket fails.
*/
-ATF_TC_WITHOUT_HEAD(ktls_listening_socket);
-ATF_TC_BODY(ktls_listening_socket, tc)
+static void
+ktls_listening_socket(const atf_tc_t *tc, int optname)
{
struct tls_enable en;
struct sockaddr_in sin;
int s;
- ATF_REQUIRE_KTLS();
-
- s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
- ATF_REQUIRE(s >= 0);
- build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
- TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
- ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en,
- sizeof(en)) == 0);
- ATF_REQUIRE_ERRNO(EINVAL, listen(s, 1) == -1);
- ATF_REQUIRE(close(s) == 0);
-
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
ATF_REQUIRE(s >= 0);
build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
- ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_RXTLS_ENABLE, &en,
+ ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, optname, &en,
sizeof(en)) == 0);
ATF_REQUIRE_ERRNO(EINVAL, listen(s, 1) == -1);
ATF_REQUIRE(close(s) == 0);
@@ -2918,12 +2929,26 @@
build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
ATF_REQUIRE_ERRNO(ENOTCONN,
- setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, sizeof(en)) != 0);
- ATF_REQUIRE_ERRNO(ENOTCONN,
- setsockopt(s, IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, sizeof(en)) != 0);
+ setsockopt(s, IPPROTO_TCP, optname, &en, sizeof(en)) != 0);
ATF_REQUIRE(close(s) == 0);
}
+ATF_TC_WITHOUT_HEAD(ktls_listening_socket_tx);
+ATF_TC_BODY(ktls_listening_socket_tx, tc)
+{
+ ATF_REQUIRE_KTLS();
+
+ ktls_listening_socket(tc, TCP_TXTLS_ENABLE);
+}
+
+ATF_TC_WITHOUT_HEAD(ktls_listening_socket_rx);
+ATF_TC_BODY(ktls_listening_socket_rx, tc)
+{
+ ATF_REQUIRE_KTLS_RX();
+
+ ktls_listening_socket(tc, TCP_RXTLS_ENABLE);
+}
+
/*
* Verify that the KTLS receive path does not overwrite data belonging
* to a file whose payload is transmitted over a loopback connection
@@ -2947,7 +2972,7 @@
int mode, shm, sockets[2];
socklen_t slen;
- ATF_REQUIRE_KTLS();
+ ATF_REQUIRE_KTLS_RX();
seqno = random();
build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
TLS_MINOR_VER_TWO, seqno, &en);
@@ -3040,7 +3065,8 @@
/* Miscellaneous */
ATF_TP_ADD_TC(tp, ktls_sendto_baddst);
- ATF_TP_ADD_TC(tp, ktls_listening_socket);
+ ATF_TP_ADD_TC(tp, ktls_listening_socket_tx);
+ ATF_TP_ADD_TC(tp, ktls_listening_socket_rx);
ATF_TP_ADD_TC(tp, ktls_receive_loopback_sendfile);
return (atf_no_error());

File Metadata

Mime Type
text/plain
Expires
Fri, Jul 17, 2:00 AM (15 h, 5 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
35124677
Default Alt Text
D57974.diff (8 KB)

Event Timeline