From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: "kuba@kernel.org" <kuba@kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>
Cc: "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"edumazet@google.com" <edumazet@google.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"pabeni@redhat.com" <pabeni@redhat.com>,
Boris Pismenny <borisp@nvidia.com>
Subject: Re: [PATCH net-next 3/5] tls: rx: add sockopt for enabling optimistic decrypt with TLS 1.3
Date: Fri, 8 Jul 2022 14:14:44 +0000 [thread overview]
Message-ID: <b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com> (raw)
In-Reply-To: <20220705235926.1035407-4-kuba@kernel.org>
On Tue, 2022-07-05 at 16:59 -0700, Jakub Kicinski wrote:
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index 2ffede463e4a..1b3efc96db0b 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -533,6 +533,37 @@ static int do_tls_getsockopt_tx_zc(struct sock *sk, char __user *optval,
> return 0;
> }
>
> +static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
> + int __user *optlen)
> +{
> + struct tls_context *ctx = tls_get_ctx(sk);
> + unsigned int value;
> + int err, len;
> +
> + if (ctx->prot_info.version != TLS_1_3_VERSION)
> + return -EINVAL;
> +
> + if (get_user(len, optlen))
> + return -EFAULT;
> + if (len < sizeof(value))
> + return -EINVAL;
> +
> + lock_sock(sk);
> + err = -EINVAL;
> + if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
> + value = ctx->rx_no_pad;
> + release_sock(sk);
> + if (err)
> + return err;
Bug: always returns -EINVAL here, because it's assigned a few lines
above unconditionally.
> +
> + if (put_user(sizeof(value), optlen))
> + return -EFAULT;
> + if (copy_to_user(optval, &value, sizeof(value)))
> + return -EFAULT;
> +
> + return 0;
> +}
>
> diff --git a/net/tls/tls_proc.c b/net/tls/tls_proc.c
> index feeceb0e4cb4..0c200000cc45 100644
> --- a/net/tls/tls_proc.c
> +++ b/net/tls/tls_proc.c
> @@ -18,6 +18,7 @@ static const struct snmp_mib tls_mib_list[] = {
> SNMP_MIB_ITEM("TlsRxDevice", LINUX_MIB_TLSRXDEVICE),
> SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR),
> SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC),
> + SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIN_TLSDECRYPTRETRY),
> SNMP_MIB_SENTINEL
> };
>
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 2bac57684429..7592b6519953 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -1601,6 +1601,7 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
> if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION &&
> darg->tail != TLS_RECORD_TYPE_DATA)) {
> darg->zc = false;
> + TLS_INC_STATS(sock_net(sk), LINUX_MIN_TLSDECRYPTRETRY);
> return decrypt_skb_update(sk, skb, dest, darg);
> }
I recall you planned to have two counters:
> You have a point about the more specific counter, let me add a
> counter for NoPad being violated (tail == 0) as well as the overall
> "decryption happened twice" counter.
Did you decide to stick with one?
next prev parent reply other threads:[~2022-07-08 14:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-05 23:59 [PATCH net-next 0/5] tls: rx: nopad and backlog flushing Jakub Kicinski
2022-07-05 23:59 ` [PATCH net-next 1/5] tls: rx: don't include tail size in data_len Jakub Kicinski
2022-07-05 23:59 ` [PATCH net-next 2/5] tls: rx: support optimistic decrypt to user buffer with TLS 1.3 Jakub Kicinski
2022-07-05 23:59 ` [PATCH net-next 3/5] tls: rx: add sockopt for enabling optimistic decrypt " Jakub Kicinski
2022-07-08 14:14 ` Maxim Mikityanskiy [this message]
2022-07-08 18:18 ` Jakub Kicinski
2022-07-05 23:59 ` [PATCH net-next 4/5] selftests: tls: add selftest variant for pad Jakub Kicinski
2022-07-05 23:59 ` [PATCH net-next 5/5] tls: rx: periodically flush socket backlog Jakub Kicinski
2022-07-06 12:10 ` [PATCH net-next 0/5] tls: rx: nopad and backlog flushing patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com \
--to=maximmi@nvidia.com \
--cc=borisp@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).