€•—jŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ,/translations/zh_CN/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/zh_TW/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/it_IT/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/ja_JP/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/ko_KR/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/pt_BR/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ,/translations/sp_SP/networking/tls-handshake”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³ŒF/var/lib/git/docbuild/linux/Documentation/networking/tls-handshake.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒIn-Kernel TLS Handshake”h]”hŒIn-Kernel TLS Handshake”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒOverview”h]”hŒOverview”…””}”(hhàh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÝh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒ²Transport Layer Security (TLS) is an Upper Layer Protocol (ULP) that runs over TCP. TLS provides end-to-end data integrity and confidentiality in addition to peer authentication.”h]”hŒ²Transport Layer Security (TLS) is an Upper Layer Protocol (ULP) that runs over TCP. TLS provides end-to-end data integrity and confidentiality in addition to peer authentication.”…””}”(hhðh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K hhÝh²hubhï)”}”(hŒöThe kernel's kTLS implementation handles the TLS record subprotocol, but does not handle the TLS handshake subprotocol which is used to establish a TLS session. Kernel consumers can use the API described here to request TLS session establishment.”h]”hŒøThe kernel’s kTLS implementation handles the TLS record subprotocol, but does not handle the TLS handshake subprotocol which is used to establish a TLS session. Kernel consumers can use the API described here to request TLS session establishment.”…””}”(hhþh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KhhÝh²hubhï)”}”(hŒõThere are several possible ways to provide a handshake service in the kernel. The API described here is designed to hide the details of those implementations so that in-kernel TLS consumers do not need to be aware of how the handshake gets done.”h]”hŒõThere are several possible ways to provide a handshake service in the kernel. The API described here is designed to hide the details of those implementations so that in-kernel TLS consumers do not need to be aware of how the handshake gets done.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KhhÝh²hubeh}”(h]”Œoverview”ah ]”h"]”Œoverview”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒUser handshake agent”h]”hŒUser handshake agent”…””}”(hj%h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj"h²hh³hÇh´Kubhï)”}”(hX_As of this writing, there is no TLS handshake implementation in the Linux kernel. To provide a handshake service, a handshake agent (typically in user space) is started in each network namespace where a kernel consumer might require a TLS handshake. Handshake agents listen for events sent from the kernel that indicate a handshake request is waiting.”h]”hX_As of this writing, there is no TLS handshake implementation in the Linux kernel. To provide a handshake service, a handshake agent (typically in user space) is started in each network namespace where a kernel consumer might require a TLS handshake. Handshake agents listen for events sent from the kernel that indicate a handshake request is waiting.”…””}”(hj3h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´Khj"h²hubhï)”}”(hXŠAn open socket is passed to a handshake agent via a netlink operation, which creates a socket descriptor in the agent's file descriptor table. If the handshake completes successfully, the handshake agent promotes the socket to use the TLS ULP and sets the session information using the SOL_TLS socket options. The handshake agent returns the socket to the kernel via a second netlink operation.”h]”hXŒAn open socket is passed to a handshake agent via a netlink operation, which creates a socket descriptor in the agent’s file descriptor table. If the handshake completes successfully, the handshake agent promotes the socket to use the TLS ULP and sets the session information using the SOL_TLS socket options. The handshake agent returns the socket to the kernel via a second netlink operation.”…””}”(hjAh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K#hj"h²hubeh}”(h]”Œuser-handshake-agent”ah ]”h"]”Œuser handshake agent”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒKernel Handshake API”h]”hŒKernel Handshake API”…””}”(hjZh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjWh²hh³hÇh´K,ubhï)”}”(hŒÎA kernel TLS consumer initiates a client-side TLS handshake on an open socket by invoking one of the tls_client_hello() functions. First, it fills in a structure that contains the parameters of the request:”h]”hŒÎA kernel TLS consumer initiates a client-side TLS handshake on an open socket by invoking one of the tls_client_hello() functions. First, it fills in a structure that contains the parameters of the request:”…””}”(hjhh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K.hjWh²hubhŒ literal_block”“”)”}”(hX}struct tls_handshake_args { struct socket *ta_sock; tls_done_func_t ta_done; void *ta_data; const char *ta_peername; unsigned int ta_timeout_ms; key_serial_t ta_keyring; key_serial_t ta_my_cert; key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; };”h]”hX}struct tls_handshake_args { struct socket *ta_sock; tls_done_func_t ta_done; void *ta_data; const char *ta_peername; unsigned int ta_timeout_ms; key_serial_t ta_keyring; key_serial_t ta_my_cert; key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; };”…””}”hjxsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆŒforce”‰Œlanguage”Œc”Œhighlight_args”}”uh1jvh³hÇh´K2hjWh²hubhï)”}”(hŒùThe @ta_sock field references an open and connected socket. The consumer must hold a reference on the socket to prevent it from being destroyed while the handshake is in progress. The consumer must also have instantiated a struct file in sock->file.”h]”hŒùThe @ta_sock field references an open and connected socket. The consumer must hold a reference on the socket to prevent it from being destroyed while the handshake is in progress. The consumer must also have instantiated a struct file in sock->file.”…””}”(hj‹h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KAhjWh²hubhï)”}”(hŒ­@ta_done contains a callback function that is invoked when the handshake has completed. Further explanation of this function is in the "Handshake Completion" sesction below.”h]”hŒ±@ta_done contains a callback function that is invoked when the handshake has completed. Further explanation of this function is in the “Handshake Completion†sesction below.”…””}”(hj™h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KGhjWh²hubhï)”}”(hŒ×The consumer can provide a NUL-terminated hostname in the @ta_peername field that is sent as part of ClientHello. If no peername is provided, the DNS hostname associated with the server's IP address is used instead.”h]”hŒÙThe consumer can provide a NUL-terminated hostname in the @ta_peername field that is sent as part of ClientHello. If no peername is provided, the DNS hostname associated with the server’s IP address is used instead.”…””}”(hj§h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KKhjWh²hubhï)”}”(hŒõThe consumer can fill in the @ta_timeout_ms field to force the servicing handshake agent to exit after a number of milliseconds. This enables the socket to be fully closed once both the kernel and the handshake agent have closed their endpoints.”h]”hŒõThe consumer can fill in the @ta_timeout_ms field to force the servicing handshake agent to exit after a number of milliseconds. This enables the socket to be fully closed once both the kernel and the handshake agent have closed their endpoints.”…””}”(hjµh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KOhjWh²hubhï)”}”(hX‹Authentication material such as x.509 certificates, private certificate keys, and pre-shared keys are provided to the handshake agent in keys that are instantiated by the consumer before making the handshake request. The consumer can provide a private keyring that is linked into the handshake agent's process keyring in the @ta_keyring field to prevent access of those keys by other subsystems.”h]”hXAuthentication material such as x.509 certificates, private certificate keys, and pre-shared keys are provided to the handshake agent in keys that are instantiated by the consumer before making the handshake request. The consumer can provide a private keyring that is linked into the handshake agent’s process keyring in the @ta_keyring field to prevent access of those keys by other subsystems.”…””}”(hjÃh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KThjWh²hubhï)”}”(hŒøTo request an x.509-authenticated TLS session, the consumer fills in the @ta_my_cert and @ta_my_privkey fields with the serial numbers of keys containing an x.509 certificate and the private key for that certificate. Then, it invokes this function:”h]”hŒøTo request an x.509-authenticated TLS session, the consumer fills in the @ta_my_cert and @ta_my_privkey fields with the serial numbers of keys containing an x.509 certificate and the private key for that certificate. Then, it invokes this function:”…””}”(hjÑh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K[hjWh²hubjw)”}”(hŒ-ret = tls_client_hello_x509(args, gfp_flags);”h]”hŒ-ret = tls_client_hello_x509(args, gfp_flags);”…””}”hjßsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´K`hjWh²hubhï)”}”(hXGThe function returns zero when the handshake request is under way. A zero return guarantees the callback function @ta_done will be invoked for this socket. The function returns a negative errno if the handshake could not be started. A negative errno guarantees the callback function @ta_done will not be invoked on this socket.”h]”hXGThe function returns zero when the handshake request is under way. A zero return guarantees the callback function @ta_done will be invoked for this socket. The function returns a negative errno if the handshake could not be started. A negative errno guarantees the callback function @ta_done will not be invoked on this socket.”…””}”(hjîh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KdhjWh²hubhï)”}”(hŒCTo initiate a client-side TLS handshake with a pre-shared key, use:”h]”hŒCTo initiate a client-side TLS handshake with a pre-shared key, use:”…””}”(hjüh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KkhjWh²hubjw)”}”(hŒ,ret = tls_client_hello_psk(args, gfp_flags);”h]”hŒ,ret = tls_client_hello_psk(args, gfp_flags);”…””}”hj sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´KmhjWh²hubhï)”}”(hXHowever, in this case, the consumer fills in the @ta_my_peerids array with serial numbers of keys containing the peer identities it wishes to offer, and the @ta_num_peerids field with the number of array entries it has filled in. The other fields are filled in as above.”h]”hXHowever, in this case, the consumer fills in the @ta_my_peerids array with serial numbers of keys containing the peer identities it wishes to offer, and the @ta_num_peerids field with the number of array entries it has filled in. The other fields are filled in as above.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KqhjWh²hubhï)”}”(hŒ7To initiate an anonymous client-side TLS handshake use:”h]”hŒ7To initiate an anonymous client-side TLS handshake use:”…””}”(hj'h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KwhjWh²hubjw)”}”(hŒ-ret = tls_client_hello_anon(args, gfp_flags);”h]”hŒ-ret = tls_client_hello_anon(args, gfp_flags);”…””}”hj5sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´KyhjWh²hubhï)”}”(hXThe handshake agent presents no peer identity information to the remote during this type of handshake. Only server authentication (ie the client verifies the server's identity) is performed during the handshake. Thus the established session uses encryption only.”h]”hXThe handshake agent presents no peer identity information to the remote during this type of handshake. Only server authentication (ie the client verifies the server’s identity) is performed during the handshake. Thus the established session uses encryption only.”…””}”(hjDh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K}hjWh²hubhï)”}”(hŒ)Consumers that are in-kernel servers use:”h]”hŒ)Consumers that are in-kernel servers use:”…””}”(hjRh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KƒhjWh²hubjw)”}”(hŒ-ret = tls_server_hello_x509(args, gfp_flags);”h]”hŒ-ret = tls_server_hello_x509(args, gfp_flags);”…””}”hj`sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´K…hjWh²hubhï)”}”(hŒor”h]”hŒor”…””}”(hjoh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K‰hjWh²hubjw)”}”(hŒ,ret = tls_server_hello_psk(args, gfp_flags);”h]”hŒ,ret = tls_server_hello_psk(args, gfp_flags);”…””}”hj}sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´K‹hjWh²hubhï)”}”(hŒ-The argument structure is filled in as above.”h]”hŒ-The argument structure is filled in as above.”…””}”(hjŒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KhjWh²hubhï)”}”(hŒxIf the consumer needs to cancel the handshake request, say, due to a ^C or other exigent event, the consumer can invoke:”h]”hŒxIf the consumer needs to cancel the handshake request, say, due to a ^C or other exigent event, the consumer can invoke:”…””}”(hjšh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K’hjWh²hubjw)”}”(hŒ bool tls_handshake_cancel(sock);”h]”hŒ bool tls_handshake_cancel(sock);”…””}”hj¨sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´K•hjWh²hubhï)”}”(hXThis function returns true if the handshake request associated with @sock has been canceled. The consumer's handshake completion callback will not be invoked. If this function returns false, then the consumer's completion callback has already been invoked.”h]”hXThis function returns true if the handshake request associated with @sock has been canceled. The consumer’s handshake completion callback will not be invoked. If this function returns false, then the consumer’s completion callback has already been invoked.”…””}”(hj·h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K™hjWh²hubeh}”(h]”Œkernel-handshake-api”ah ]”h"]”Œkernel handshake api”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K,ubhÉ)”}”(hhh]”(hÎ)”}”(hŒHandshake Completion”h]”hŒHandshake Completion”…””}”(hjÐh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjÍh²hh³hÇh´K ubhï)”}”(hX When the handshake agent has completed processing, it notifies the kernel that the socket may be used by the consumer again. At this point, the consumer's handshake completion callback, provided in the @ta_done field in the tls_handshake_args structure, is invoked.”h]”hX When the handshake agent has completed processing, it notifies the kernel that the socket may be used by the consumer again. At this point, the consumer’s handshake completion callback, provided in the @ta_done field in the tls_handshake_args structure, is invoked.”…””}”(hjÞh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K¢hjÍh²hubhï)”}”(hŒ!The synopsis of this function is:”h]”hŒ!The synopsis of this function is:”…””}”(hjìh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K§hjÍh²hubjw)”}”(hŒotypedef void (*tls_done_func_t)(void *data, int status, key_serial_t peerid);”h]”hŒotypedef void (*tls_done_func_t)(void *data, int status, key_serial_t peerid);”…””}”hjúsbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆj†‰j‡jˆj‰}”uh1jvh³hÇh´K©hjÍh²hubhï)”}”(hŒúThe consumer provides a cookie in the @ta_data field of the tls_handshake_args structure that is returned in the @data parameter of this callback. The consumer uses the cookie to match the callback to the thread waiting for the handshake to complete.”h]”hŒúThe consumer provides a cookie in the @ta_data field of the tls_handshake_args structure that is returned in the @data parameter of this callback. The consumer uses the cookie to match the callback to the thread waiting for the handshake to complete.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K®hjÍh²hubhï)”}”(hŒJThe success status of the handshake is returned via the @status parameter:”h]”hŒJThe success status of the handshake is returned via the @status parameter:”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K³hjÍh²hubhŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K uh1j/hj,ubj0)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K.uh1j/hj,ubhŒthead”“”)”}”(hhh]”hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hï)”}”(hŒstatus”h]”hŒstatus”…””}”(hjTh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K·hjQubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjLubjP)”}”(hhh]”hï)”}”(hŒmeaning”h]”hŒmeaning”…””}”(hjkh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K·hjhubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjLubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjGubah}”(h]”h ]”h"]”h$]”h&]”uh1jEhj,ubhŒtbody”“”)”}”(hhh]”(jK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ0”h]”hŒ0”…””}”(hj–h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K¹hj“ubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjubjP)”}”(hhh]”hï)”}”(hŒ$TLS session established successfully”h]”hŒ$TLS session established successfully”…””}”(hj­h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K¹hjªubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubjK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ-EACCESS”h]”hŒ-EACCESS”…””}”(hjÍh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K»hjÊubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjÇubjP)”}”(hhh]”hï)”}”(hŒ;Remote peer rejected the handshake or authentication failed”h]”hŒ;Remote peer rejected the handshake or authentication failed”…””}”(hjäh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K»hjáubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjÇubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubjK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ-ENOMEM”h]”hŒ-ENOMEM”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K¾hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjþubjP)”}”(hhh]”hï)”}”(hŒ%Temporary resource allocation failure”h]”hŒ%Temporary resource allocation failure”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K¾hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjþubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubjK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ-EINVAL”h]”hŒ-EINVAL”…””}”(hj;h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÀhj8ubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhj5ubjP)”}”(hhh]”hï)”}”(hŒ%Consumer provided an invalid argument”h]”hŒ%Consumer provided an invalid argument”…””}”(hjRh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÀhjOubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhj5ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubjK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ-ENOKEY”h]”hŒ-ENOKEY”…””}”(hjrh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÂhjoubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjlubjP)”}”(hhh]”hï)”}”(hŒMissing authentication material”h]”hŒMissing authentication material”…””}”(hj‰h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÂhj†ubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhjlubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubjK)”}”(hhh]”(jP)”}”(hhh]”hï)”}”(hŒ-EIO”h]”hŒ-EIO”…””}”(hj©h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÄhj¦ubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhj£ubjP)”}”(hhh]”hï)”}”(hŒAn unexpected fault occurred”h]”hŒAn unexpected fault occurred”…””}”(hjÀh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÄhj½ubah}”(h]”h ]”h"]”h$]”h&]”uh1jOhj£ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jJhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1j‹hj,ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j*hj'ubah}”(h]”h ]”h"]”h$]”h&]”uh1j%hjÍh²hh³hÇh´Nubhï)”}”(hŒŸThe @peerid parameter contains the serial number of a key containing the remote peer's identity or the value TLS_NO_PEERID if the session is not authenticated.”h]”hŒ¡The @peerid parameter contains the serial number of a key containing the remote peer’s identity or the value TLS_NO_PEERID if the session is not authenticated.”…””}”(hjíh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÇhjÍh²hubhï)”}”(hŒWA best practice is to close and destroy the socket immediately if the handshake failed.”h]”hŒWA best practice is to close and destroy the socket immediately if the handshake failed.”…””}”(hjûh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KËhjÍh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒOther considerations”h]”hŒOther considerations”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj h²hh³hÇh´KÐubhï)”}”(hŒóWhile a handshake is under way, the kernel consumer must alter the socket's sk_data_ready callback function to ignore all incoming data. Once the handshake completion callback function has been invoked, normal receive operation can be resumed.”h]”hŒõWhile a handshake is under way, the kernel consumer must alter the socket’s sk_data_ready callback function to ignore all incoming data. Once the handshake completion callback function has been invoked, normal receive operation can be resumed.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÒhj h²hubhï)”}”(hXOnce a TLS session is established, the consumer must provide a buffer for and then examine the control message (CMSG) that is part of every subsequent sock_recvmsg(). Each control message indicates whether the received message data is TLS record data or session metadata.”h]”hXOnce a TLS session is established, the consumer must provide a buffer for and then examine the control message (CMSG) that is part of every subsequent sock_recvmsg(). Each control message indicates whether the received message data is TLS record data or session metadata.”…””}”(hj(h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´K×hj h²hubhï)”}”(hŒ´See tls.rst for details on how a kTLS consumer recognizes incoming (decrypted) application data, alerts, and handshake packets once the socket has been promoted to use the TLS ULP.”h]”hŒ´See tls.rst for details on how a kTLS consumer recognizes incoming (decrypted) application data, alerts, and handshake packets once the socket has been promoted to use the TLS ULP.”…””}”(hj6h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hîh³hÇh´KÜhj h²hubeh}”(h]”Œother-considerations”ah ]”h"]”Œother considerations”ah$]”h&]”uh1hÈhjÍh²hh³hÇh´KÐubeh}”(h]”Œhandshake-completion”ah ]”h"]”Œhandshake completion”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K ubeh}”(h]”Œin-kernel-tls-handshake”ah ]”h"]”Œin-kernel tls handshake”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”jOŒfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j~Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jYjVjjjTjQjÊjÇjQjNjIjFuŒ nametypes”}”(jY‰j‰jT‰jʉjQ‰jI‰uh}”(jVhÊjhÝjQj"jÇjWjNjÍjFj uŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.