c46234ebb4
Add rx path for tls software implementation. recvmsg, splice_read, and poll implemented. An additional sockopt TLS_RX is added, with the same interface as TLS_TX. Either TLX_RX or TLX_TX may be provided separately, or together (with two different setsockopt calls with appropriate keys). Control messages are passed via CMSG in a similar way to transmit. If no cmsg buffer is passed, then only application data records will be passed to userspace, and EIO is returned for other types of alerts. EBADMSG is passed for decryption errors, and EMSGSIZE is passed for framing too big, and EBADMSG for framing too small (matching openssl semantics). EINVAL is returned for TLS versions that do not match the original setsockopt call. All are unrecoverable. strparser is used to parse TLS framing. Decryption is done directly in to userspace buffers if they are large enough to support it, otherwise sk_cow_data is called (similar to ipsec), and buffers are decrypted in place and copied. splice_read always decrypts in place, since no buffers are provided to decrypt in to. sk_poll is overridden, and only returns POLLIN if a full TLS message is received. Otherwise we wait for strparser to finish reading a full frame. Actual decryption is only done during recvmsg or splice_read calls. Signed-off-by: Dave Watson <davejwatson@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net>
17 lines
341 B
Plaintext
17 lines
341 B
Plaintext
#
|
|
# TLS configuration
|
|
#
|
|
config TLS
|
|
tristate "Transport Layer Security support"
|
|
depends on INET
|
|
select CRYPTO
|
|
select CRYPTO_AES
|
|
select CRYPTO_GCM
|
|
select STREAM_PARSER
|
|
default n
|
|
---help---
|
|
Enable kernel support for TLS protocol. This allows symmetric
|
|
encryption handling of the TLS protocol to be done in-kernel.
|
|
|
|
If unsure, say N.
|