From owner-dev-commits-src-main@freebsd.org  Wed Jun 16 00:45:59 2021
Return-Path: <owner-dev-commits-src-main@freebsd.org>
Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5B32F6579CB;
 Wed, 16 Jun 2021 00:45:59 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4G4RLv0CDhz3vnY;
 Wed, 16 Jun 2021 00:45:59 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E37DA122C9;
 Wed, 16 Jun 2021 00:45:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 15G0jwqE052785;
 Wed, 16 Jun 2021 00:45:58 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 15G0jwG3052784;
 Wed, 16 Jun 2021 00:45:58 GMT (envelope-from git)
Date: Wed, 16 Jun 2021 00:45:58 GMT
Message-Id: <202106160045.15G0jwG3052784@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: faf0224ff27b - main - ktls: Don't mark existing received mbufs
 notready for TOE TLS.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: faf0224ff27b93b743d50b3830bf5ce345b67e94
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for the main branch of the src repository
 <dev-commits-src-main.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-main/>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Help: <mailto:dev-commits-src-main-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jun 2021 00:45:59 -0000

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=faf0224ff27b93b743d50b3830bf5ce345b67e94

commit faf0224ff27b93b743d50b3830bf5ce345b67e94
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-06-15 17:36:57 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-06-16 00:45:21 +0000

    ktls: Don't mark existing received mbufs notready for TOE TLS.
    
    The TOE driver might receive decrypted TLS records that are enqueued
    to the socket buffer after ktls_try_toe() returns and before
    ktls_enable_rx() locks the receive buffer to call sb_mark_notready().
    In that case, sb_mark_notready() would incorrectly treat the decrypted
    TLS record as an encrypted record and schedule it for decryption.
    This always resulted in the connection being dropped as the data in
    the control message did not look like a valid TLS header.
    
    To fix, don't try to handle software decryption of existing buffers in
    the socket buffer for TOE TLS in ktls_enable_rx().  If a TOE TLS
    driver needs to decrypt existing data in the socket buffer, the driver
    will need to manage that in its tod_alloc_tls_session method.
    
    Sponsored by:   Chelsio Communications
---
 sys/kern/uipc_ktls.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 2ab2ef18446b..8eb52cd02afe 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -1049,8 +1049,10 @@ ktls_enable_rx(struct socket *so, struct tls_enable *en)
 	so->so_rcv.sb_flags |= SB_TLS_RX;
 
 	/* Mark existing data as not ready until it can be decrypted. */
-	sb_mark_notready(&so->so_rcv);
-	ktls_check_rx(&so->so_rcv);
+	if (tls->mode != TCP_TLS_MODE_TOE) {
+		sb_mark_notready(&so->so_rcv);
+		ktls_check_rx(&so->so_rcv);
+	}
 	SOCKBUF_UNLOCK(&so->so_rcv);
 
 	counter_u64_add(ktls_offload_total, 1);
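Review bot: the comment `/* Mark existing data as not ready until it can be decrypted. */` now describes only the non-TOE branch; since the `if (tls->mode != TCP_TLS_MODE_TOE)` guard leaves already-queued data untouched for TOE sessions, suggest extending the comment to state that for TCP_TLS_MODE_TOE any existing data is deliberately left alone because the TOE driver handles it in tod_alloc_tls_session, as the commit message says, so a later reader does not take the skipped sb_mark_notready()/ktls_check_rx() calls for an oversight. The hunk also does not show where `tls` is assigned; it is presumably the session set up earlier in ktls_enable_rx(), but it is worth confirming that it is always non-NULL and that `tls->mode` is already final at the point SB_TLS_RX is set, since the mode check is what now decides whether queued records are treated as ciphertext.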