Date:   Thu, 6 Jun 2019 07:07:35 +0000
From:   Boris Pismenny <borisp@...lanox.com>
To:     Davide Caratti <dcaratti@...hat.com>,
        "David S. Miller" <davem@...emloft.net>,
        Dave Watson <davejwatson@...com>,
        Aviad Yehezkel <aviadye@...lanox.com>,
        John Fastabend <john.fastabend@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC PATCH net-next 2/2] net: tls: export protocol version and cipher to socket diag

Hi Davide,

TLS statistics are long overdue. I'd like to extend this later for the 
tls_device code, e.g. device_decrypted vs. software_decrypted.

On 6/5/2019 6:39 PM, Davide Caratti wrote:

>   
> +static int tls_get_info(struct sock *sk, struct sk_buff *skb)
> +{
> +	struct tls_context *ctx = tls_get_ctx(sk);
> +	struct nlattr *start = 0;
> +	int err = 0;
> +
> +	if (sk->sk_state != TCP_ESTABLISHED)
> +		goto end;
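Review bot: `struct nlattr *start = 0;` initialises a pointer with an integer literal; kernel style is `struct nlattr *start = NULL;`. Also, the `sk->sk_state != TCP_ESTABLISHED` test alone does not guarantee that `ctx->prot_info.version` and `ctx->prot_info.cipher_type` have been set, since the ULP can be attached before the socket option that fills them has been called; a check on those fields (or an "initialised" flag) is needed before the `nla_put_u16()` calls below, and the same condition must be mirrored in `tls_get_info_size()`.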

Maybe it would be best to verify that the version and cipher have been 
initialized, as the TLS_ULP might be enabled but no socket option has 
been called to set its values.

Also, I suggest this check is placed in the tls_get_info_size to make 
this more explicit to the user.

> +	start = nla_nest_start_noflag(skb, ULP_INFO_TLS);
> +	if (!start) {
> +		err = -EMSGSIZE;
> +		goto nla_failure;
> +	}
> +	err = nla_put_u16(skb, TLS_INFO_VERSION, ctx->prot_info.version);
> +	if (err < 0)
> +		goto nla_failure;
> +	err = nla_put_u16(skb, TLS_INFO_CIPHER, ctx->prot_info.cipher_type);
> +	if (err < 0)
> +		goto nla_failure;
> +	nla_nest_end(skb, start);
> +end:
> +	return err;
> +nla_failure:
> +	nla_nest_cancel(skb, start);
> +	goto end;
> +}
> +
> +static size_t tls_get_info_size(struct sock *sk)
> +{
> +	size_t size = 0;
> +
> +	if (sk->sk_state != TCP_ESTABLISHED)
> +		return size;
> +
> +	size +=   nla_total_size(0) /* ULP_INFO_TLS */
> +		+ nla_total_size(sizeof(__u16))	/* TLS_INFO_VERSION */
> +		+ nla_total_size(sizeof(__u16)); /* TLS_INFO_CIPHER */
> +	return size;
> +}
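Review bot: the `nla_failure` path calls `nla_nest_cancel(skb, start)` even when `nla_nest_start_noflag()` itself failed and `start` is still NULL; that is harmless only because `nla_nest_cancel()` tolerates a NULL mark, but it reads as cancelling a nest that was never opened. Return `-EMSGSIZE` directly in that branch and keep `nla_failure` for the two `nla_put_u16()` failures. In `tls_get_info_size()`, whatever condition makes `tls_get_info()` emit no attributes (socket state, or version/cipher not yet set) should also yield a zero size here, otherwise the space reserved for the message and the payload actually written disagree; the irregular spacing in `size +=   nla_total_size(0)` should be tidied as well.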


Thanks,
Boris.
