git: c8f2c290e40d - main - Add definitions for TLS receive tags using the existing send tag infrastructure.

From: Hans Petter Selasky <hselasky_at_FreeBSD.org>
Date: Wed, 26 Jan 2022 12:42:09 UTC
The branch main has been updated by hselasky:

URL: https://cgit.FreeBSD.org/src/commit/?id=c8f2c290e40d011a8d2d88a00ea8626237105c5e

commit c8f2c290e40d011a8d2d88a00ea8626237105c5e
Author:     Hans Petter Selasky <hselasky@FreeBSD.org>
AuthorDate: 2022-01-26 11:33:47 +0000
Commit:     Hans Petter Selasky <hselasky@FreeBSD.org>
CommitDate: 2022-01-26 11:55:00 +0000

    Add definitions for TLS receive tags using the existing send tag infrastructure.
    
    Although send tags are strictly used for transmit, the name might be changed
    in the future to be more generic.
    
    The TLS receive tags support regular IPv4 and IPv6 traffic, and also over any
    VLAN. If prio-tagging is enabled (VLAN ID zero), this must be checked in the
    network driver itself when creating the TLS RX decryption offload filter.
    
    TLS receive tags have a modify callback to tell the network driver about
    the progress of decryption. Currently decryption is done IP packet by IP
    packet, even if the IP packet contains a partial TLS record. The modify
    callback allows the network driver to keep track of TCP sequence numbers
    pointing to the beginning of TLS records after TCP packet reassembly.
    These callbacks only happen when encrypted or partially decrypted data is
    received and are used to verify the decryptions starting point for the
    hardware. Typically the hardware will guess where TLS headers start and
    needs help from the software to know if the guess was correct. This is
    the purpose of the modify callback.
    
    Differential Revision:  https://reviews.freebsd.org/D32356
    Discussed with: jhb@
    MFC after:      1 week
    Sponsored by:   NVIDIA Networking
---
 sys/net/if_var.h | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/sys/net/if_var.h b/sys/net/if_var.h
index f181780501fe..dedc73718125 100644
--- a/sys/net/if_var.h
+++ b/sys/net/if_var.h
@@ -192,7 +192,8 @@ struct m_snd_tag;
 #define	IF_SND_TAG_TYPE_UNLIMITED 1
 #define	IF_SND_TAG_TYPE_TLS 2
 #define	IF_SND_TAG_TYPE_TLS_RATE_LIMIT 3
-#define	IF_SND_TAG_TYPE_MAX 4
+#define	IF_SND_TAG_TYPE_TLS_RX 4
+#define	IF_SND_TAG_TYPE_MAX 5
 
 struct if_snd_tag_alloc_header {
 	uint32_t type;		/* send tag type, see IF_SND_TAG_XXX */
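Review bot: `IF_SND_TAG_TYPE_TLS_RX` is the first receive-side value in a constant list whose name and field comment (`send tag type, see IF_SND_TAG_XXX`) both say transmit, and nothing at the definition itself tells a reader that. A trailing comment on the new line would prevent the misreading, e.g. `#define	IF_SND_TAG_TYPE_TLS_RX 4	/* TLS RX decryption offload; reuses the send tag infrastructure */`. Bumping `IF_SND_TAG_TYPE_MAX` to 5 presumably widens any per-type table that is sized by it outside this header; such tables need an entry for the new slot, while code that switches on `type` and rejects unknown values is unaffected.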
@@ -214,6 +215,13 @@ struct if_snd_tag_alloc_tls {
 	const struct ktls_session *tls;
 };
 
+struct if_snd_tag_alloc_tls_rx {
+	struct if_snd_tag_alloc_header hdr;
+	struct inpcb *inp;
+	const struct ktls_session *tls;
+	uint16_t vlan_id;	/* valid if non-zero */
+};
+
 struct if_snd_tag_alloc_tls_rate_limit {
 	struct if_snd_tag_alloc_header hdr;
 	struct inpcb *inp;
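Review bot: The `valid if non-zero` comment on `vlan_id` leaves the VLAN-0 case undefined, which matters because the commit message says a prio-tagged flow (VLAN ID zero) must be told apart by the driver when it builds the decryption offload filter, and from this struct alone a driver cannot distinguish an untagged flow from a prio-tagged one. State the convention at the field, e.g. `uint16_t vlan_id;	/* 0 = untagged or prio-tagged (VLAN 0); the driver must check which */`, or say where the caller records that distinction. A filter installed for the wrong VLAN context would decrypt the wrong flow or none at all, so this is worth pinning in the header rather than in each driver.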
@@ -229,11 +237,26 @@ struct if_snd_tag_rate_limit_params {
 	uint32_t flags;		/* M_NOWAIT or M_WAITOK */
 };
 
+struct if_snd_tag_modify_tls_rx {
+	/* TCP sequence number of TLS header in host endian format */
+	uint32_t tls_hdr_tcp_sn;
+
+	/*
+	 * TLS record length, including all headers, data and trailers.
+	 * If the tls_rec_length is zero, it means HW encryption resumed.
+	 */
+	uint32_t tls_rec_length;
+
+	/* TLS sequence number in host endian format */
+	uint64_t tls_seq_number;
+};
+
 union if_snd_tag_alloc_params {
 	struct if_snd_tag_alloc_header hdr;
 	struct if_snd_tag_alloc_rate_limit rate_limit;
 	struct if_snd_tag_alloc_rate_limit unlimited;
 	struct if_snd_tag_alloc_tls tls;
+	struct if_snd_tag_alloc_tls_rx tls_rx;
 	struct if_snd_tag_alloc_tls_rate_limit tls_rate_limit;
 };
 
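Review bot: The comment on `tls_rec_length` says a zero value means `HW encryption resumed`, but this struct describes the receive (decryption) path, so that is presumably a slip for decryption; as written a driver author may read it as a transmit-side condition. Suggest `* If tls_rec_length is zero, it means HW decryption resumed.`. The two sequence-number comments use `host endian format`, where `host byte order` is the conventional term; `uint32_t tls_hdr_tcp_sn;	/* TCP sequence number of the TLS header, host byte order */` and the matching wording on `tls_seq_number` would read more naturally.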
@@ -241,6 +264,7 @@ union if_snd_tag_modify_params {
 	struct if_snd_tag_rate_limit_params rate_limit;
 	struct if_snd_tag_rate_limit_params unlimited;
 	struct if_snd_tag_rate_limit_params tls_rate_limit;
+	struct if_snd_tag_modify_tls_rx tls_rx;
 };
 
 union if_snd_tag_query_params {