lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1519733919-16909-1-git-send-email-borisp@mellanox.com>
Date:   Tue, 27 Feb 2018 14:18:38 +0200
From:   Boris Pismenny <borisp@...lanox.com>
To:     netdev@...r.kernel.org, davem@...emloft.net
Cc:     ilyal@...lanox.com, borisp@...lanox.com, tracywwnj@...il.com,
        xiyou.wangcong@...il.com, weiwan@...gle.com, linux@...ck-us.net,
        davejwatson@...com
Subject: [PATCH v4 net] Use correct sk->sk_prot for IPv6 in TLS

The tls ulp overrides sk->prot with a new tls specific proto structs.            
The tls specific structs were previously based on the ipv4 specific              
tcp_prot sturct.                                                                 
As a result, attaching the tls ulp to an ipv6 tcp socket replaced                
some ipv6 callback with the ipv4 equivalents.                                    
                                                                                 
This patch adds ipv6 tls proto structs and uses them when                        
attached to ipv6 sockets. 

Changed since v3:
- Removed the use of tcpv6_prot and the dependency on the IPv6 module.
- Should fix the issue triggered by CVE-2018-5703

Changed since v2: 
- Dropped patch to fix IPv6_ADDRFORM setsockopt
There was some disagreement about the correct way of fixinig it,
and this series does not depend on it.

Changes since v1:                                                                
- TLS now dependes on IPv6                                                       
This fixes complication issues when TLS is built-in and IPv6 is a module.        
The downside should be small as it is unlikely that there are kernel TLS         
users who can't afford to include IPv6 in thier kernel.                          
- tls_init now checks sk->sk_prot directly                                       
This is somewhat safer then checking indirectly through sk->sk_family       

Boris Pismenny (1):
  tls: Use correct sk->sk_prot for IPv6

 net/tls/tls_main.c | 52 +++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 15 deletions(-)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ