tcp.4 (f6393bcd780b79e87f79b02b5b1a03aef2f070b8) | tcp.4 (d1e0552937e18bef661fb9ace710bcaa1b5d5a80) |
---|---|
1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. 3.\" Copyright (c) 2010-2011 The FreeBSD Foundation 4.\" All rights reserved. 5.\" 6.\" Portions of this documentation were written at the Centre for Advanced 7.\" Internet Architectures, Swinburne University of Technology, Melbourne, 8.\" Australia by David Hayes under sponsorship from the FreeBSD Foundation. --- 20 unchanged lines hidden (view full) --- 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 35.\" $FreeBSD$ 36.\" | 1.\" Copyright (c) 1983, 1991, 1993 2.\" The Regents of the University of California. 3.\" Copyright (c) 2010-2011 The FreeBSD Foundation 4.\" All rights reserved. 5.\" 6.\" Portions of this documentation were written at the Centre for Advanced 7.\" Internet Architectures, Swinburne University of Technology, Melbourne, 8.\" Australia by David Hayes under sponsorship from the FreeBSD Foundation. --- 20 unchanged lines hidden (view full) --- 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 35.\" $FreeBSD$ 36.\" |
37.Dd July 23, 2020 | 37.Dd November 25, 2020 |
38.Dt TCP 4 39.Os 40.Sh NAME 41.Nm tcp 42.Nd Internet Transmission Control Protocol 43.Sh SYNOPSIS 44.In sys/types.h 45.In sys/socket.h --- 249 unchanged lines hidden (view full) --- 295Manage collection of connection level statistics using the 296.Xr stats 3 297framework. 298.Pp 299Each dropped segment is taken into account in the TCP protocol statistics. 300.It Dv TCP_TXTLS_ENABLE 301Enable in-kernel Transport Layer Security (TLS) for data written to this 302socket. | 38.Dt TCP 4 39.Os 40.Sh NAME 41.Nm tcp 42.Nd Internet Transmission Control Protocol 43.Sh SYNOPSIS 44.In sys/types.h 45.In sys/socket.h --- 249 unchanged lines hidden (view full) --- 295Manage collection of connection level statistics using the 296.Xr stats 3 297framework. 298.Pp 299Each dropped segment is taken into account in the TCP protocol statistics. 300.It Dv TCP_TXTLS_ENABLE 301Enable in-kernel Transport Layer Security (TLS) for data written to this 302socket. |
303The 304.Vt struct tls_so_enable 305argument defines the encryption and authentication algorithms and keys 306used to encrypt the socket data as well as the maximum TLS record 307payload size. 308.Pp 309All data written to this socket will be encapsulated in TLS records 310and subsequently encrypted. 311By default all data written to this socket is treated as application data. 312Individual TLS records with a type other than application data 313(for example, handshake messages), 314may be transmitted by invoking 315.Xr sendmsg 2 316with a custom TLS record type set in a 317.Dv TLS_SET_RECORD_TYPE 318control message. 319The payload of this control message is a single byte holding the desired 320TLS record type. 321.Pp 322At present, only a single transmit key may be set on a socket. 323As such, users of this option must disable rekeying. | 303See 304.Xr ktls 4 305for more details. |
324.It Dv TCP_TXTLS_MODE 325The integer argument can be used to get or set the current TLS transmit mode 326of a socket. | 306.It Dv TCP_TXTLS_MODE 307The integer argument can be used to get or set the current TLS transmit mode 308of a socket. |
327Setting the mode can only used to toggle between software and NIC TLS after 328TLS has been initially enabled via the 329.Dv TCP_TXTLS_ENABLE 330option. 331The available modes are: 332.Bl -tag -width "Dv TCP_TLS_MODE_IFNET" 333.It Dv TCP_TLS_MODE_NONE 334In-kernel TLS framing and encryption is not enabled for this socket. 335.It Dv TCP_TLS_MODE_SW 336TLS records are encrypted by the kernel prior to placing the data in the 337socket buffer. 338Typically this encryption is performed in software. 339.It Dv TCP_TLS_MODE_IFNET 340TLS records are encrypted by the network interface card (NIC). 341.It Dv TCP_TLS_MODE_TOE 342TLS records are encrypted by the NIC using a TCP offload engine (TOE). 343.El | 309See 310.Xr ktls 4 311for more details. |
344.It Dv TCP_RXTLS_ENABLE 345Enable in-kernel TLS for data read from this socket. | 312.It Dv TCP_RXTLS_ENABLE 313Enable in-kernel TLS for data read from this socket. |
346The 347.Vt struct tls_so_enable 348argument defines the encryption and authentication algorithms and keys 349used to decrypt the socket data. 350.Pp 351Each received TLS record must be read from the socket using 352.Xr recvmsg 2 . 353Each received TLS record will contain a 354.Dv TLS_GET_RECORD 355control message along with the decrypted payload. 356The control message contains a 357.Vt struct tls_get_record 358which includes fields from the TLS record header. 359If an invalid or corrupted TLS record is received, 360recvmsg 2 361will fail with one of the following errors: 362.Bl -tag -width Er 363.It Bq Er EINVAL 364The version fields in a TLS record's header did not match the version required 365by the 366.Vt struct tls_so_enable 367structure used to enable in-kernel TLS. 368.It Bq Er EMSGSIZE 369A TLS record's length was either too small or too large. 370.It Bq Er EMSGSIZE 371The connection was closed after sending a truncated TLS record. 372.It Bq Er EBADMSG 373The TLS record failed to match the included authentication tag. | 314See 315.Xr ktls 4 316for more details. |
374.El 375.Pp | 317.El 318.Pp |
376At present, only a single receive key may be set on a socket. 377As such, users of this option must disable rekeying. 378.It Dv TCP_RXTLS_MODE 379The integer argument can be used to get the current TLS receive mode 380of a socket. 381The available modes are the same as for 382.Dv TCP_TXTLS_MODE . 383.El 384.Pp | |
385The option level for the 386.Xr setsockopt 2 387call is the protocol number for 388.Tn TCP , 389available from 390.Xr getprotobyname 3 , 391or 392.Dv IPPROTO_TCP . --- 372 unchanged lines hidden (view full) --- 765.Xr getsockopt 2 , 766.Xr socket 2 , 767.Xr stats 3 , 768.Xr sysctl 3 , 769.Xr blackhole 4 , 770.Xr inet 4 , 771.Xr intro 4 , 772.Xr ip 4 , | 319The option level for the 320.Xr setsockopt 2 321call is the protocol number for 322.Tn TCP , 323available from 324.Xr getprotobyname 3 , 325or 326.Dv IPPROTO_TCP . --- 372 unchanged lines hidden (view full) --- 699.Xr getsockopt 2 , 700.Xr socket 2 , 701.Xr stats 3 , 702.Xr sysctl 3 , 703.Xr blackhole 4 , 704.Xr inet 4 , 705.Xr intro 4 , 706.Xr ip 4 , |
707.Xr ktls 4 , |
773.Xr mod_cc 4 , 774.Xr siftr 4 , 775.Xr syncache 4 , 776.Xr tcp_bbr 4 , 777.Xr setkey 8 , 778.Xr tcp_functions 9 779.Rs 780.%A "V. Jacobson" --- 31 unchanged lines hidden --- | 708.Xr mod_cc 4 , 709.Xr siftr 4 , 710.Xr syncache 4 , 711.Xr tcp_bbr 4 , 712.Xr setkey 8 , 713.Xr tcp_functions 9 714.Rs 715.%A "V. Jacobson" --- 31 unchanged lines hidden --- |
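Review bot: in the TCP_TXTLS_ENABLE hunk (old 303-323, new 303-305) the stub "See .Xr ktls 4 for more details" drops two things a caller needs to know: the argument type (.Vt struct tls_so_enable) and the constraint that only a single transmit key may be set, so users of the option must disable rekeying. Confirm ktls(4) states both before landing, and consider keeping the one sentence naming the struct in the option's own entry so the argument type is still visible from tcp(4). The TLS_SET_RECORD_TYPE control-message description moving out is fine provided it lands in the referenced page.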
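Review bot: in the TCP_TXTLS_MODE hunk (old 327-343, new 309-311) the retained sentence still says the integer argument "can be used to get or set the current TLS transmit mode", but the list of mode constants (TCP_TLS_MODE_NONE, TCP_TLS_MODE_SW, TCP_TLS_MODE_IFNET, TCP_TLS_MODE_TOE) and the rule that setting is only valid after TCP_TXTLS_ENABLE are gone, so the cross-reference is now load-bearing; verify ktls(4) defines those constants and that ordering rule. The removed text's "can only used" typo disappears with it, which is a welcome side effect.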
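Review bot: the TCP_RXTLS_ENABLE hunk (old 346-384, new 314-316) removes the .It Dv TCP_RXTLS_MODE entry (old 378-382) outright, while the other three kTLS options each keep a stub entry pointing at ktls(4); suggest keeping a matching ".It Dv TCP_RXTLS_MODE / See .Xr ktls 4" stub so the option stays discoverable from tcp(4)'s option list. The recvmsg(2) error list (EINVAL, EMSGSIZE, EBADMSG) and the single-receive-key/no-rekeying note also leave here; confirm ktls(4) documents both. The .Bl/.El nesting still balances: the inner .Bl at old 362 goes, its .El at old 374 (new 317) now closes the outer option list, and the outer .El at old 383 is removed.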
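Review bot: the SEE ALSO hunk adds ".Xr ktls 4 ," between ip 4 and mod_cc 4, which keeps the list alphabetical and gives the three "See ktls 4" stubs above a target in SEE ALSO; the .Dd bump to November 25, 2020 matches the content change. Nothing further needed in this hunk.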