Lines Matching +full:layer +full:- +full:buffer +full:- +full:offset

10 Transport Layer Security (TLS) is an Upper Layer Protocol (ULP) that runs over
11 TCP. TLS provides end-to-end data integrity and confidentiality.
17 -------------------------
21 .. code-block:: c
29 data-path to the kernel. There is a separate socket option for moving
32 .. code-block:: c
65 ----------------------------
71 .. code-block:: c
76 send() data is directly encrypted from the userspace buffer provided
77 to the encrypted kernel send buffer if possible.
82 .. code-block:: c
86 sendfile(sock, file, &offset, stat.st_size);
92 The kernel will need to allocate a buffer for the encrypted data.
93 This buffer is allocated at the time send() is called, such that
94 either the entire send() call will return -ENOMEM (or block waiting
96 -ENOMEM and some data was left on the socket buffer from a previous
97 call using MSG_MORE, the MSG_MORE data is left on the socket buffer.
100 ------------------------------
106 .. code-block:: c
108 char buffer[16384];
109 recv(sock, buffer, 16384, 0);
111 Received data is decrypted directly into the user buffer if it is
113 buffer is too small, data is decrypted in the kernel and copied to
124 -------------------------
132 .. code-block:: c
147 cmsg->cmsg_level = SOL_TLS;
148 cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
149 cmsg->cmsg_len = CMSG_LEN(cmsg_len);
151 msg.msg_controllen = cmsg->cmsg_len;
165 ------------------------------
167 TLS control messages are passed in the userspace buffer, with message
168 type passed via cmsg. If no cmsg buffer is provided, an error is
170 received without a cmsg buffer set.
172 .. code-block:: c
174 char buffer[16384];
181 msg_iov.iov_base = buffer;
190 if (cmsg->cmsg_level == SOL_TLS &&
191 cmsg->cmsg_type == TLS_GET_RECORD_TYPE) {
194 // buffer.
198 // Buffer contains application data.
204 -------------------
230 ---------------------------------------
233 layer of a userspace TLS library.
235 A patchset to OpenSSL to use ktls as the record layer is
238 `An example <https://github.com/ktls/af_ktls-tool/commits/RX>`_
240 Since it doesn't implement a full record layer, control
244 ----------------------
246 There are certain condition-specific optimizations the TLS ULP can make,
248 or may impact correctness, hence they require an opt-in.
249 All options are set per-socket using setsockopt(), and their
256 to the NIC without making an in-kernel copy. This allows true zero-copy
261 applicable if the data sent on a socket via sendfile() is read-only.
278 record it will be decrypted again into a kernel buffer without zero copy.
284 TLS implementation exposes the following per-namespace statistics
287 - ``TlsCurrTxSw``, ``TlsCurrRxSw`` -
291 - ``TlsCurrTxDevice``, ``TlsCurrRxDevice`` -
295 - ``TlsTxSw``, ``TlsRxSw`` -
298 - ``TlsTxDevice``, ``TlsRxDevice`` -
301 - ``TlsDecryptError`` -
304 - ``TlsDeviceRxResync`` -
307 - ``TlsDecryptRetry`` -
308 number of RX records which had to be re-decrypted due to
309 ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will
310 also increment for non-data records.
312 - ``TlsRxNoPadViolation`` -
313 number of data RX records which had to be re-decrypted due to
314 ``TLS_RX_EXPECT_NO_PAD`` mis-prediction.
316 - ``TlsTxRekeyOk``, ``TlsRxRekeyOk`` -
319 - ``TlsTxRekeyError``, ``TlsRxRekeyError`` -
322 - ``TlsRxRekeyReceived`` -