lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 27 Feb 2018 09:49:36 +0200
From:   Boris Pismenny <borisp@...lanox.com>
To:     Guenter Roeck <linux@...ck-us.net>,
        Ilya Lesokhin <ilyal@...lanox.com>
Cc:     netdev@...r.kernel.org, davem@...emloft.net, davejwatson@...com,
        aviadye@...lanox.com
Subject: Re: [v3,net-next,2/2] tls: Use correct sk->sk_prot for IPV6

Hi Guenter,

On 2/23/2018 11:52 PM, Guenter Roeck wrote:
> Hi Ilya,
> 
> On Mon, Sep 04, 2017 at 01:14:01PM +0300, Ilya Lesokhin wrote:
>> The tls ulp overrides sk->prot with a new tls specific proto structs.
>> The tls specific structs were previously based on the ipv4 specific
>> tcp_prot sturct.
>> As a result, attaching the tls ulp to an ipv6 tcp socket replaced
>> some ipv6 callback with the ipv4 equivalents.
>>
>> This patch adds ipv6 tls proto structs and uses them when
>> attached to ipv6 sockets.
>>
> 
> Do you plan to update this patch with the missing TCPv6 support ?

We'll re-spin a v4 by EOW.

> As far as I can see, the part that was accepted upstream does not fix
> the TCPv6 protocol issue which triggers CVE-2018-5703.
> 
> If adding IPv6 support is not possible/acceptable, would it make sense
> to limit TLS support to TCPv4, ie add something like
> 
> 	if (sk->sk_prot != &tcp_prot)
> 		return -EINVAL;
> 
> to tls_init() ?

AFAIK there are users of TLS over IPv6 who wouldn't find this acceptable.

Best,
Boris.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ