svn commit: r368312 - head/sys/dev/cxgbe/tom

John Baldwin jhb at FreeBSD.org
Thu Dec 3 21:59:48 UTC 2020


Author: jhb
Date: Thu Dec  3 21:59:47 2020
New Revision: 368312
URL: https://svnweb.freebsd.org/changeset/base/368312

Log:
  Clear TLS offload mode for unsupported cipher suites and versions.
  
  If TOE TLS is requested for an unsupported cipher suite or TLS
  version, disable TLS processing and fall back to plain TOE.  In
  addition, if an error occurs when saving the decryption keys in the
  card's memory, disable TLS processing and fall back to plain TOE.
  
  Reviewed by:	np
  Sponsored by:	Chelsio Communications
  Differential Revision:	https://reviews.freebsd.org/D27468

Modified:
  head/sys/dev/cxgbe/tom/t4_tls.c

Modified: head/sys/dev/cxgbe/tom/t4_tls.c
==============================================================================
--- head/sys/dev/cxgbe/tom/t4_tls.c	Thu Dec  3 21:49:20 2020	(r368311)
+++ head/sys/dev/cxgbe/tom/t4_tls.c	Thu Dec  3 21:59:47 2020	(r368312)
@@ -986,7 +986,8 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio
 		case 256 / 8:
 			break;
 		default:
-			return (EINVAL);
+			error = EINVAL;
+			goto clr_ofld;
 		}
 		switch (tls->params.auth_algorithm) {
 		case CRYPTO_SHA1_HMAC:
@@ -994,30 +995,37 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio
 		case CRYPTO_SHA2_384_HMAC:
 			break;
 		default:
-			return (EPROTONOSUPPORT);
+			error = EPROTONOSUPPORT;
+			goto clr_ofld;
 		}
 		break;
 	case CRYPTO_AES_NIST_GCM_16:
-		if (tls->params.iv_len != SALT_SIZE)
-			return (EINVAL);
+		if (tls->params.iv_len != SALT_SIZE) {
+			error = EINVAL;
+			goto clr_ofld;
+		}
 		switch (tls->params.cipher_key_len) {
 		case 128 / 8:
 		case 192 / 8:
 		case 256 / 8:
 			break;
 		default:
-			return (EINVAL);
+			error = EINVAL;
+			goto clr_ofld;
 		}
 		break;
 	default:
-		return (EPROTONOSUPPORT);
+		error = EPROTONOSUPPORT;
+		goto clr_ofld;
 	}
 
 	/* Only TLS 1.1 and TLS 1.2 are currently supported. */
 	if (tls->params.tls_vmajor != TLS_MAJOR_VER_ONE ||
 	    tls->params.tls_vminor < TLS_MINOR_VER_ONE ||
-	    tls->params.tls_vminor > TLS_MINOR_VER_TWO)
-		return (EPROTONOSUPPORT);
+	    tls->params.tls_vminor > TLS_MINOR_VER_TWO) {
+		error = EPROTONOSUPPORT;
+		goto clr_ofld;
+	}
 
 	/* Bail if we already have a key. */
 	if (direction == KTLS_TX) {
@@ -1037,8 +1045,11 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio
 	init_ktls_key_context(tls, k_ctx, direction);
 
 	error = tls_program_key_id(toep, k_ctx);
-	if (error)
+	if (error) {
+		if (direction == KTLS_RX)
+			goto clr_ofld;
 		return (error);
+	}
 
 	if (direction == KTLS_TX) {
 		toep->tls.scmd0.seqno_numivs =
@@ -1098,6 +1109,14 @@ tls_alloc_ktls(struct toepcb *toep, struct ktls_sessio
 	toep->tls.mode = TLS_MODE_KTLS;
 
 	return (0);
+
+clr_ofld:
+	if (ulp_mode(toep) == ULP_MODE_TLS) {
+		CTR2(KTR_CXGBE, "%s: tid %d clr_ofld_mode", __func__,
+		    toep->tid);
+		tls_clr_ofld_mode(toep);
+	}
+	return (error);
 }
 #endif
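Review bot: The clr_ofld label clears offload mode only when ulp_mode(toep) is ULP_MODE_TLS and then returns the caller's error, but the guard is undocumented, so a reader cannot tell whether reaching this label with another ULP mode is expected or a bug. A comment on the label such as `/* Demote to plain TOE; the connection may already be non-TLS if an earlier request demoted it. */` would settle that, with the second clause hedged until confirmed. Note also that every path into this label still propagates error, so callers see the same EINVAL/EPROTONOSUPPORT as before while the connection itself changes mode. tls_alloc_ktls starts before the first hunk.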
 

