| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8310f232-4a7b-8bf0-7589-ffc4c300d8d6@mellanox.com>
Date: Tue, 27 Feb 2018 09:49:36 +0200
From: Boris Pismenny <borisp@...lanox.com>
To: Guenter Roeck <linux@...ck-us.net>,
Ilya Lesokhin <ilyal@...lanox.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, davejwatson@...com,
aviadye@...lanox.com
Subject: Re: [v3,net-next,2/2] tls: Use correct sk->sk_prot for IPV6
Hi Guenter,
On 2/23/2018 11:52 PM, Guenter Roeck wrote:
> Hi Ilya,
>
> On Mon, Sep 04, 2017 at 01:14:01PM +0300, Ilya Lesokhin wrote:
>> The tls ulp overrides sk->prot with a new tls specific proto structs.
>> The tls specific structs were previously based on the ipv4 specific
>> tcp_prot sturct.
>> As a result, attaching the tls ulp to an ipv6 tcp socket replaced
>> some ipv6 callback with the ipv4 equivalents.
>>
>> This patch adds ipv6 tls proto structs and uses them when
>> attached to ipv6 sockets.
>>
>
> Do you plan to update this patch with the missing TCPv6 support ?
We'll re-spin a v4 by EOW.
> As far as I can see, the part that was accepted upstream does not fix
> the TCPv6 protocol issue which triggers CVE-2018-5703.
>
> If adding IPv6 support is not possible/acceptable, would it make sense
> to limit TLS support to TCPv4, ie add something like
>
> if (sk->sk_prot != &tcp_prot)
> return -EINVAL;
>
> to tls_init() ?
AFAIK there are users of TLS over IPv6 who wouldn't find this acceptable.
Best,
Boris.
Powered by blists - more mailing lists