From: John Baldwin
Date: Thu, 3 Dec 2020 21:59:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r368312 - head/sys/dev/cxgbe/tom

Author: jhb
Date: Thu Dec 3 21:59:47 2020
New Revision: 368312
URL: https://svnweb.freebsd.org/changeset/base/368312

Log:
  Clear TLS offload mode for unsupported cipher suites and versions.

  If TOE TLS is requested for an unsupported cipher suite or TLS version, disable TLS processing and fall back to plain TOE.

  In addition, if an error occurs when saving the decryption keys in the card's memory, disable TLS processing and fall back to plain TOE.

  Reviewed by: np
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D27468

Modified:
  head/sys/dev/cxgbe/tom/t4_tls.c

Modified: head/sys/dev/cxgbe/tom/t4_tls.c ============================================================================== --- head/sys/dev/cxgbe/tom/t4_tls.c Thu Dec 3 21:49:20 2020 (r368311) +++ head/sys/dev/cxgbe/tom/t4_tls.c Thu Dec 3 21:59:47 2020 (r368312) @@ -986,7 +986,8 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio case 256 / 8: break; default: - return (EINVAL); + error = EINVAL; + goto clr_ofld; } switch (tls->params.auth_algorithm) { case CRYPTO_SHA1_HMAC: 
@@ -994,30 +995,37 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio case CRYPTO_SHA2_384_HMAC: break; default: - return (EPROTONOSUPPORT); + error = EPROTONOSUPPORT; + goto clr_ofld; } break; case CRYPTO_AES_NIST_GCM_16: - if (tls->params.iv_len != SALT_SIZE) - return (EINVAL); + if (tls->params.iv_len != SALT_SIZE) { + error = EINVAL; + goto clr_ofld; + } switch (tls->params.cipher_key_len) { case 128 / 8: case 192 / 8: case 256 / 8: break; default: - return (EINVAL); + error = EINVAL; + goto clr_ofld; } break; default: - return (EPROTONOSUPPORT); + error = EPROTONOSUPPORT; + goto clr_ofld; } /* Only TLS 1.1 and TLS 1.2 are currently supported. */ if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE || tls->params.tls_vminor < TLS_MINOR_VER_ONE || - tls->params.tls_vminor > TLS_MINOR_VER_TWO) - return (EPROTONOSUPPORT); + tls->params.tls_vminor > TLS_MINOR_VER_TWO) { + error = EPROTONOSUPPORT; + goto clr_ofld; + } /* Bail if we already have a key. */ if (direction == KTLS_TX) { @@ -1037,8 +1045,11 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio init_ktls_key_context(tls, k_ctx, direction); error = tls_program_key_id(toep, k_ctx); - if (error) + if (error) { + if (direction == KTLS_RX) + goto clr_ofld; return (error); + } if (direction == KTLS_TX) { toep->tls.scmd0.seqno_numivs = @@ -1098,6 +1109,14 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio toep->tls.mode = TLS_MODE_KTLS; return (0); + +clr_ofld: + if (ulp_mode(toep) == ULP_MODE_TLS) { + CTR2(KTR_CXGBE, "%s: tid %d clr_ofld_mode", __func__, + toep->tid); + tls_clr_ofld_mode(toep); + } + return (error); } #endif
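Review bot: the new `goto clr_ofld` paths in the `@@ -994` hunk all run before the "Bail if we already have a key" check, so if the second direction's parameters are rejected, `tls_clr_ofld_mode()` will be called even though the first direction's key has already been programmed into the card. Both directions of a TLS connection share one cipher suite and version, so this should not happen in practice, but it is worth confirming that clearing offload mode is safe in that state, or moving the existing-key check ahead of the parameter validation so the rejection returns without touching the ULP mode.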
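Review bot: the RX/TX asymmetry in the `@@ -1037` hunk, where a `tls_program_key_id()` failure only falls back to plain TOE for `KTLS_RX`, is explained in the commit log (only the decryption keys case disables TLS processing) but not in the code. A one-line comment above `if (direction == KTLS_RX)` stating why a TX key failure keeps the connection in TLS offload mode would save the next reader a trip to the log.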
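Review bot: the trace under the new `clr_ofld` label in the `@@ -1098` hunk records only the tid, yet the label is now reached from several distinct validation failures (`EINVAL` and `EPROTONOSUPPORT`) as well as the RX key-programming failure. Including the cause, for example `CTR3(KTR_CXGBE, "%s: tid %d clr_ofld_mode (error %d)", __func__, toep->tid, error)`, would let an operator tell from the KTR trace why hardware TLS was silently disabled on a connection that otherwise keeps working over plain TOE.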