mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-03 15:47:36 +00:00
Merge branch 'tls-rx-follow-ups-to-nopad'
Jakub Kicinski says: ==================== tls: rx: follow-ups to NoPad A few fixes for issues spotted by Maxim. ==================== Link: https://lore.kernel.org/r/20220709025255.323864-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
commit
1c151fedda
6 changed files with 66 additions and 8 deletions
|
@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics
|
|||
number of RX records which had to be re-decrypted due to
|
||||
``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will
|
||||
also increment for non-data records.
|
||||
|
||||
- ``TlsRxNoPadViolation`` -
|
||||
number of data RX records which had to be re-decrypted due to
|
||||
``TLS_RX_EXPECT_NO_PAD`` mis-prediction.
|
||||
|
|
|
@ -344,7 +344,8 @@ enum
|
|||
LINUX_MIB_TLSRXDEVICE, /* TlsRxDevice */
|
||||
LINUX_MIB_TLSDECRYPTERROR, /* TlsDecryptError */
|
||||
LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */
|
||||
LINUX_MIN_TLSDECRYPTRETRY, /* TlsDecryptRetry */
|
||||
LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */
|
||||
LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */
|
||||
__LINUX_MIB_TLSMAX
|
||||
};
|
||||
|
||||
|
|
|
@ -539,8 +539,7 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
|
|||
int __user *optlen)
|
||||
{
|
||||
struct tls_context *ctx = tls_get_ctx(sk);
|
||||
unsigned int value;
|
||||
int err, len;
|
||||
int value, len;
|
||||
|
||||
if (ctx->prot_info.version != TLS_1_3_VERSION)
|
||||
return -EINVAL;
|
||||
|
@ -551,12 +550,12 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
|
|||
return -EINVAL;
|
||||
|
||||
lock_sock(sk);
|
||||
err = -EINVAL;
|
||||
value = -EINVAL;
|
||||
if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
|
||||
value = ctx->rx_no_pad;
|
||||
release_sock(sk);
|
||||
if (err)
|
||||
return err;
|
||||
if (value < 0)
|
||||
return value;
|
||||
|
||||
if (put_user(sizeof(value), optlen))
|
||||
return -EFAULT;
|
||||
|
|
|
@ -20,7 +20,8 @@ static const struct snmp_mib tls_mib_list[] = {
|
|||
SNMP_MIB_ITEM("TlsRxDevice", LINUX_MIB_TLSRXDEVICE),
|
||||
SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR),
|
||||
SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC),
|
||||
SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIN_TLSDECRYPTRETRY),
|
||||
SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY),
|
||||
SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL),
|
||||
SNMP_MIB_SENTINEL
|
||||
};
|
||||
|
||||
|
|
|
@ -1596,7 +1596,9 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
|
|||
if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION &&
|
||||
darg->tail != TLS_RECORD_TYPE_DATA)) {
|
||||
darg->zc = false;
|
||||
TLS_INC_STATS(sock_net(sk), LINUX_MIN_TLSDECRYPTRETRY);
|
||||
if (!darg->tail)
|
||||
TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL);
|
||||
TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY);
|
||||
return decrypt_skb_update(sk, skb, dest, darg);
|
||||
}
|
||||
|
||||
|
|
|
@ -1674,6 +1674,57 @@ TEST(keysizes) {
|
|||
close(cfd);
|
||||
}
|
||||
|
||||
TEST(no_pad) {
|
||||
struct tls12_crypto_info_aes_gcm_256 tls12;
|
||||
int ret, fd, cfd, val;
|
||||
socklen_t len;
|
||||
bool notls;
|
||||
|
||||
memset(&tls12, 0, sizeof(tls12));
|
||||
tls12.info.version = TLS_1_3_VERSION;
|
||||
tls12.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
||||
|
||||
ulp_sock_pair(_metadata, &fd, &cfd, ¬ls);
|
||||
|
||||
if (notls)
|
||||
exit(KSFT_SKIP);
|
||||
|
||||
ret = setsockopt(fd, SOL_TLS, TLS_TX, &tls12, sizeof(tls12));
|
||||
EXPECT_EQ(ret, 0);
|
||||
|
||||
ret = setsockopt(cfd, SOL_TLS, TLS_RX, &tls12, sizeof(tls12));
|
||||
EXPECT_EQ(ret, 0);
|
||||
|
||||
val = 1;
|
||||
ret = setsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD,
|
||||
(void *)&val, sizeof(val));
|
||||
EXPECT_EQ(ret, 0);
|
||||
|
||||
len = sizeof(val);
|
||||
val = 2;
|
||||
ret = getsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD,
|
||||
(void *)&val, &len);
|
||||
EXPECT_EQ(ret, 0);
|
||||
EXPECT_EQ(val, 1);
|
||||
EXPECT_EQ(len, 4);
|
||||
|
||||
val = 0;
|
||||
ret = setsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD,
|
||||
(void *)&val, sizeof(val));
|
||||
EXPECT_EQ(ret, 0);
|
||||
|
||||
len = sizeof(val);
|
||||
val = 2;
|
||||
ret = getsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD,
|
||||
(void *)&val, &len);
|
||||
EXPECT_EQ(ret, 0);
|
||||
EXPECT_EQ(val, 0);
|
||||
EXPECT_EQ(len, 4);
|
||||
|
||||
close(fd);
|
||||
close(cfd);
|
||||
}
|
||||
|
||||
TEST(tls_v6ops) {
|
||||
struct tls_crypto_info_keys tls12;
|
||||
struct sockaddr_in6 addr, addr2;
|
||||
|
|
Loading…
Reference in a new issue