Lines Matching +full:layer +full:- +full:buffer +full:- +full:offset
10 Transport Layer Security (TLS) is an Upper Layer Protocol (ULP) that runs over
11 TCP. TLS provides end-to-end data integrity and confidentiality.
17 -------------------------
22 .. code-block:: c
31 data-path to the kernel. There is a separate socket option for moving
34 .. code-block:: c
67 ----------------------------
73 .. code-block:: c
78 send() data is directly encrypted from the userspace buffer provided
79 to the encrypted kernel send buffer if possible.
84 .. code-block:: c
88 sendfile(sock, file, &offset, stat.st_size);
94 The kernel will need to allocate a buffer for the encrypted data.
95 This buffer is allocated at the time send() is called, such that
96 either the entire send() call will return -ENOMEM (or block waiting
98 -ENOMEM and some data was left on the socket buffer from a previous
99 call using MSG_MORE, the MSG_MORE data is left on the socket buffer.
102 ------------------------------
108 .. code-block:: c
110 char buffer[16384];
111 recv(sock, buffer, 16384, 0);
113 Received data is decrypted directly into the user buffer if it is
115 buffer is too small, data is decrypted in the kernel and copied to
126 -------------------------
134 .. code-block:: c
149 cmsg->cmsg_level = SOL_TLS;
150 cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
151 cmsg->cmsg_len = CMSG_LEN(cmsg_len);
153 msg.msg_controllen = cmsg->cmsg_len;
167 ------------------------------
169 TLS control messages are passed in the userspace buffer, with message
170 type passed via cmsg. If no cmsg buffer is provided, an error is
172 received without a cmsg buffer set.
174 .. code-block:: c
176 char buffer[16384];
183 msg_iov.iov_base = buffer;
192 if (cmsg->cmsg_level == SOL_TLS &&
193 cmsg->cmsg_type == TLS_GET_RECORD_TYPE) {
196 // buffer.
200 // Buffer contains application data.
206 -------------------
232 ---------------------------------------
235 layer of a userspace TLS library.
237 A patchset to OpenSSL to use ktls as the record layer is
240 `An example <https://github.com/ktls/af_ktls-tool/commits/RX>`_
242 Since it doesn't implement a full record layer, control
246 ----------------------
248 There are certain condition-specific optimizations the TLS ULP can make,
250 or may impact correctness, hence they require an opt-in.
251 All options are set per-socket using setsockopt(), and their
258 to the NIC without making an in-kernel copy. This allows true zero-copy
263 applicable if the data sent on a socket via sendfile() is read-only.
280 record it will be decrypted again into a kernel buffer without zero copy.
286 TLS implementation exposes the following per-namespace statistics
289 - ``TlsCurrTxSw``, ``TlsCurrRxSw`` -
293 - ``TlsCurrTxDevice``, ``TlsCurrRxDevice`` -
297 - ``TlsTxSw``, ``TlsRxSw`` -
300 - ``TlsTxDevice``, ``TlsRxDevice`` -
303 - ``TlsDecryptError`` -
306 - ``TlsDeviceRxResync`` -
309 - ``TlsDecryptRetry`` -
310 number of RX records which had to be re-decrypted due to
311 ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will
312 also increment for non-data records.
314 - ``TlsRxNoPadViolation`` -
315 number of data RX records which had to be re-decrypted due to
316 ``TLS_RX_EXPECT_NO_PAD`` mis-prediction.
318 - ``TlsTxRekeyOk``, ``TlsRxRekeyOk`` -
321 - ``TlsTxRekeyError``, ``TlsRxRekeyError`` -
324 - ``TlsRxRekeyReceived`` -