From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
borisp@nvidia.com, john.fastabend@gmail.com, maximmi@nvidia.com,
tariqt@nvidia.com, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH net-next 2/6] tls: rx: always allocate max possible aad size for decrypt
Date: Wed, 6 Jul 2022 18:35:06 -0700 [thread overview]
Message-ID: <20220707013510.1372695-3-kuba@kernel.org> (raw)
In-Reply-To: <20220707013510.1372695-1-kuba@kernel.org>
AAD size is either 5 or 13. Really no point complicating
the code for the 8B of difference. This will also let us
turn the chunked up buffer into a sane struct.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
include/net/tls.h | 1 +
net/tls/tls_sw.c | 19 ++++++++++---------
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/include/net/tls.h b/include/net/tls.h
index 4fc16ca5f469..9394c0459fe8 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -66,6 +66,7 @@
#define MAX_IV_SIZE 16
#define TLS_TAG_SIZE 16
#define TLS_MAX_REC_SEQ_SIZE 8
+#define TLS_MAX_AAD_SIZE TLS_AAD_SPACE_SIZE
/* For CCM mode, the full 16-bytes of IV is made of '4' fields of given sizes.
*
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 79043bc3da39..4f6761dd8d86 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1453,7 +1453,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv);
mem_size = aead_size + (nsg * sizeof(struct scatterlist));
- mem_size = mem_size + prot->aad_size;
+ mem_size = mem_size + TLS_MAX_AAD_SIZE;
mem_size = mem_size + MAX_IV_SIZE;
mem_size = mem_size + prot->tail_size;
@@ -1470,7 +1470,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
sgin = (struct scatterlist *)(mem + aead_size);
sgout = sgin + n_sgin;
aad = (u8 *)(sgout + n_sgout);
- iv = aad + prot->aad_size;
+ iv = aad + TLS_MAX_AAD_SIZE;
tail = iv + MAX_IV_SIZE;
/* For CCM based ciphers, first byte of nonce+iv is a constant */
@@ -2474,13 +2474,6 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
goto free_priv;
}
- /* Sanity-check the sizes for stack allocations. */
- if (iv_size > MAX_IV_SIZE || nonce_size > MAX_IV_SIZE ||
- rec_seq_size > TLS_MAX_REC_SEQ_SIZE || tag_size != TLS_TAG_SIZE) {
- rc = -EINVAL;
- goto free_priv;
- }
-
if (crypto_info->version == TLS_1_3_VERSION) {
nonce_size = 0;
prot->aad_size = TLS_HEADER_SIZE;
@@ -2490,6 +2483,14 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
prot->tail_size = 0;
}
+ /* Sanity-check the sizes for stack allocations. */
+ if (iv_size > MAX_IV_SIZE || nonce_size > MAX_IV_SIZE ||
+ rec_seq_size > TLS_MAX_REC_SEQ_SIZE || tag_size != TLS_TAG_SIZE ||
+ prot->aad_size > TLS_MAX_AAD_SIZE) {
+ rc = -EINVAL;
+ goto free_priv;
+ }
+
prot->version = crypto_info->version;
prot->cipher_type = crypto_info->cipher_type;
prot->prepend_size = TLS_HEADER_SIZE + nonce_size;
--
2.36.1
next prev parent reply other threads:[~2022-07-07 1:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 1:35 [PATCH net-next 0/6] tls: pad strparser, internal header, decrypt_ctx etc Jakub Kicinski
2022-07-07 1:35 ` [PATCH net-next 1/6] strparser: pad sk_skb_cb to avoid straddling cachelines Jakub Kicinski
2022-07-07 1:35 ` Jakub Kicinski [this message]
2022-07-07 1:35 ` [PATCH net-next 3/6] tls: rx: wrap decrypt params in a struct Jakub Kicinski
2022-07-07 1:35 ` [PATCH net-next 4/6] tls: rx: coalesce exit paths in tls_decrypt_sg() Jakub Kicinski
2022-07-07 1:35 ` [PATCH net-next 5/6] tls: create an internal header Jakub Kicinski
2022-07-07 16:21 ` kernel test robot
2022-07-07 16:54 ` kernel test robot
2022-07-07 1:35 ` [PATCH net-next 6/6] tls: rx: make tls_wait_data() return an recvmsg retcode Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220707013510.1372695-3-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=borisp@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=maximmi@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tariqt@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).