| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <4262dd2617a24b66f24ec5ddc73f817e683e14e0.1559747691.git.dcaratti@redhat.com>
Date: Wed, 5 Jun 2019 17:39:23 +0200
From: Davide Caratti <dcaratti@...hat.com>
To: "David S. Miller" <davem@...emloft.net>,
Dave Watson <davejwatson@...com>,
Boris Pismenny <borisp@...lanox.com>,
Aviad Yehezkel <aviadye@...lanox.com>,
John Fastabend <john.fastabend@...il.com>,
Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org
Subject: [RFC PATCH net-next 2/2] net: tls: export protocol version and cipher to socket diag
When an application configures kernel TLS on top of a TCP socket, it's
now possible for inet_diag_handler to collect information regarding the
protocol version and the cipher, in case INET_DIAG_INFO is requested.
Signed-off-by: Davide Caratti <dcaratti@...hat.com>
---
include/uapi/linux/inet_diag.h | 1 +
include/uapi/linux/tls.h | 8 +++++++
net/tls/tls_main.c | 43 ++++++++++++++++++++++++++++++++++
3 files changed, 52 insertions(+)
diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h
index 844133de3212..92208535c096 100644
--- a/include/uapi/linux/inet_diag.h
+++ b/include/uapi/linux/inet_diag.h
@@ -161,6 +161,7 @@ enum {
enum {
ULP_INFO_NAME,
+ ULP_INFO_TLS,
__ULP_INFO_MAX,
};
diff --git a/include/uapi/linux/tls.h b/include/uapi/linux/tls.h
index 5b9c26753e46..442348bd2e54 100644
--- a/include/uapi/linux/tls.h
+++ b/include/uapi/linux/tls.h
@@ -109,4 +109,12 @@ struct tls12_crypto_info_aes_ccm_128 {
unsigned char rec_seq[TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE];
};
+enum {
+ TLS_INFO_VERSION,
+ TLS_INFO_CIPHER,
+ __TLS_INFO_MAX,
+};
+
+#define TLS_INFO_MAX (__TLS_INFO_MAX - 1)
+
#endif /* _UAPI_LINUX_TLS_H */
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index fc81ae18cc44..14597526981c 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -39,6 +39,7 @@
#include <linux/netdevice.h>
#include <linux/sched/signal.h>
#include <linux/inetdevice.h>
+#include <linux/inet_diag.h>
#include <net/tls.h>
@@ -798,6 +799,46 @@ static int tls_init(struct sock *sk)
return rc;
}
+static int tls_get_info(struct sock *sk, struct sk_buff *skb)
+{
+ struct tls_context *ctx = tls_get_ctx(sk);
+ struct nlattr *start = 0;
+ int err = 0;
+
+ if (sk->sk_state != TCP_ESTABLISHED)
+ goto end;
+ start = nla_nest_start_noflag(skb, ULP_INFO_TLS);
+ if (!start) {
+ err = -EMSGSIZE;
+ goto nla_failure;
+ }
+ err = nla_put_u16(skb, TLS_INFO_VERSION, ctx->prot_info.version);
+ if (err < 0)
+ goto nla_failure;
+ err = nla_put_u16(skb, TLS_INFO_CIPHER, ctx->prot_info.cipher_type);
+ if (err < 0)
+ goto nla_failure;
+ nla_nest_end(skb, start);
+end:
+ return err;
+nla_failure:
+ nla_nest_cancel(skb, start);
+ goto end;
+}
+
+static size_t tls_get_info_size(struct sock *sk)
+{
+ size_t size = 0;
+
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return size;
+
+ size += nla_total_size(0) /* ULP_INFO_TLS */
+ + nla_total_size(sizeof(__u16)) /* TLS_INFO_VERSION */
+ + nla_total_size(sizeof(__u16)); /* TLS_INFO_CIPHER */
+ return size;
+}
+
void tls_register_device(struct tls_device *device)
{
spin_lock_bh(&device_spinlock);
@@ -818,6 +859,8 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
.name = "tls",
.owner = THIS_MODULE,
.init = tls_init,
+ .get_info = tls_get_info,
+ .get_info_size = tls_get_info_size,
};
static int __init tls_register(void)
--
2.20.1
Powered by blists - more mailing lists