diff options
| author |   Jakub Kicinski <kuba@kernel.org> | 2022-07-11 19:48:36 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2022-07-11 19:48:37 -0700 |
| commit | 1c151feddaf555e3af7a5cafb5481926f4f0489e (patch) | |
| tree | 1cba840835cb2caa791c5acacabbba083a2cd0ad | |
| parent | bcm63xx: fix Tx cleanup when NAPI poll budget is zero (diff) | |
| parent | selftests: tls: add test for NoPad getsockopt (diff) | |
| download | linux-dev-1c151feddaf555e3af7a5cafb5481926f4f0489e.tar.xz linux-dev-1c151feddaf555e3af7a5cafb5481926f4f0489e.zip | |
Merge branch 'tls-rx-follow-ups-to-nopad'
Jakub Kicinski says:
====================
tls: rx: follow-ups to NoPad
A few fixes for issues spotted by Maxim.
====================
Link: https://lore.kernel.org/r/20220709025255.323864-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
| -rw-r--r-- | Documentation/networking/tls.rst | 4 | ||||
| -rw-r--r-- | include/uapi/linux/snmp.h | 3 | ||||
| -rw-r--r-- | net/tls/tls_main.c | 9 | ||||
| -rw-r--r-- | net/tls/tls_proc.c | 3 | ||||
| -rw-r--r-- | net/tls/tls_sw.c | 4 | ||||
| -rw-r--r-- | tools/testing/selftests/net/tls.c | 51 |
6 files changed, 66 insertions, 8 deletions
diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 7a6643836e42..658ed3a71e1b 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics number of RX records which had to be re-decrypted due to ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will also increment for non-data records. + +- ``TlsRxNoPadViolation`` - + number of data RX records which had to be re-decrypted due to + ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index 1c9152add663..4d7470036a8b 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -344,7 +344,8 @@ enum LINUX_MIB_TLSRXDEVICE, /* TlsRxDevice */ LINUX_MIB_TLSDECRYPTERROR, /* TlsDecryptError */ LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */ - LINUX_MIN_TLSDECRYPTRETRY, /* TlsDecryptRetry */ + LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */ + LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */ __LINUX_MIB_TLSMAX }; diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index f3d9dbfa507e..f71b46568112 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -539,8 +539,7 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval, int __user *optlen) { struct tls_context *ctx = tls_get_ctx(sk); - unsigned int value; - int err, len; + int value, len; if (ctx->prot_info.version != TLS_1_3_VERSION) return -EINVAL; @@ -551,12 +550,12 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval, return -EINVAL; lock_sock(sk); - err = -EINVAL; + value = -EINVAL; if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW) value = ctx->rx_no_pad; release_sock(sk); - if (err) - return err; + if (value < 0) + return value; if (put_user(sizeof(value), optlen)) return -EFAULT; diff --git a/net/tls/tls_proc.c b/net/tls/tls_proc.c index 1246e52b48f6..68982728f620 100644 --- a/net/tls/tls_proc.c +++ b/net/tls/tls_proc.c @@ -20,7 +20,8 @@ static const struct snmp_mib tls_mib_list[] = { SNMP_MIB_ITEM("TlsRxDevice", LINUX_MIB_TLSRXDEVICE), SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR), SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC), - SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIN_TLSDECRYPTRETRY), + SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY), + SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL), SNMP_MIB_SENTINEL }; diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 09370f853031..68d79ee48a56 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1596,7 +1596,9 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION && darg->tail != TLS_RECORD_TYPE_DATA)) { darg->zc = false; - TLS_INC_STATS(sock_net(sk), LINUX_MIN_TLSDECRYPTRETRY); + if (!darg->tail) + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL); + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY); return decrypt_skb_update(sk, skb, dest, darg); } diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e71ec5846be9..dc26aae0feb0 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -1674,6 +1674,57 @@ TEST(keysizes) { close(cfd); } +TEST(no_pad) { + struct tls12_crypto_info_aes_gcm_256 tls12; + int ret, fd, cfd, val; + socklen_t len; + bool notls; + + memset(&tls12, 0, sizeof(tls12)); + tls12.info.version = TLS_1_3_VERSION; + tls12.info.cipher_type = TLS_CIPHER_AES_GCM_256; + + ulp_sock_pair(_metadata, &fd, &cfd, ¬ls); + + if (notls) + exit(KSFT_SKIP); + + ret = setsockopt(fd, SOL_TLS, TLS_TX, &tls12, sizeof(tls12)); + EXPECT_EQ(ret, 0); + + ret = setsockopt(cfd, SOL_TLS, TLS_RX, &tls12, sizeof(tls12)); + EXPECT_EQ(ret, 0); + + val = 1; + ret = setsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD, + (void *)&val, sizeof(val)); + EXPECT_EQ(ret, 0); + + len = sizeof(val); + val = 2; + ret = getsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD, + (void *)&val, &len); + EXPECT_EQ(ret, 0); + EXPECT_EQ(val, 1); + EXPECT_EQ(len, 4); + + val = 0; + ret = setsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD, + (void *)&val, sizeof(val)); + EXPECT_EQ(ret, 0); + + len = sizeof(val); + val = 2; + ret = getsockopt(cfd, SOL_TLS, TLS_RX_EXPECT_NO_PAD, + (void *)&val, &len); + EXPECT_EQ(ret, 0); + EXPECT_EQ(val, 0); + EXPECT_EQ(len, 4); + + close(fd); + close(cfd); +} + TEST(tls_v6ops) { struct tls_crypto_info_keys tls12; struct sockaddr_in6 addr, addr2; |