lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190829145642.3f3de3ae@cakuba.netronome.com>
Date:   Thu, 29 Aug 2019 14:56:42 -0700
From:   Jakub Kicinski <jakub.kicinski@...ronome.com>
To:     Davide Caratti <dcaratti@...hat.com>
Cc:     borisp@...lanox.com, Eric Dumazet <eric.dumazet@...il.com>,
        aviadye@...lanox.com, davejwatson@...com, davem@...emloft.net,
        john.fastabend@...il.com,
        Matthieu Baerts <matthieu.baerts@...sares.net>,
        netdev@...r.kernel.org
Subject: Re: [PATCH net-next v2 3/3] net: tls: export protocol version,
 cipher, tx_conf/rx_conf to socket diag

On Thu, 29 Aug 2019 18:48:04 +0200, Davide Caratti wrote:
> When an application configures kernel TLS on top of a TCP socket, it's
> now possible for inet_diag_handler() to collect information regarding the
> protocol version, the cipher type and TX / RX configuration, in case
> INET_DIAG_INFO is requested.
> 
> Signed-off-by: Davide Caratti <dcaratti@...hat.com>

> diff --git a/include/net/tls.h b/include/net/tls.h
> index 4997742475cd..990f1d9182a3 100644
> --- a/include/net/tls.h
> +++ b/include/net/tls.h
> @@ -431,6 +431,25 @@ static inline bool is_tx_ready(struct tls_sw_context_tx *ctx)
>  	return READ_ONCE(rec->tx_ready);
>  }
>  
> +static inline u16 tls_user_config(struct tls_context *ctx, bool tx)
> +{
> +	u16 config = tx ? ctx->tx_conf : ctx->rx_conf;
> +
> +	switch (config) {
> +	case TLS_BASE:
> +		return TLS_CONF_BASE;
> +	case TLS_SW:
> +		return TLS_CONF_SW;
> +#ifdef CONFIG_TLS_DEVICE

Recently the TLS_HW define was taken out of the ifdef, so the ifdef
around this is no longer necessary.

> +	case TLS_HW:
> +		return TLS_CONF_HW;
> +#endif
> +	case TLS_HW_RECORD:
> +		return TLS_CONF_HW_RECORD;
> +	}
> +	return 0;
> +}
> +
>  struct sk_buff *
>  tls_validate_xmit_skb(struct sock *sk, struct net_device *dev,
>  		      struct sk_buff *skb);

> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index f8f2d2c3d627..3351a2ace369 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -39,6 +39,7 @@
>  #include <linux/netdevice.h>
>  #include <linux/sched/signal.h>
>  #include <linux/inetdevice.h>
> +#include <linux/inet_diag.h>
>  
>  #include <net/tls.h>
>  
> @@ -835,6 +836,67 @@ static void tls_update(struct sock *sk, struct proto *p)
>  	}
>  }
>  
> +static int tls_get_info(const struct sock *sk, struct sk_buff *skb)
> +{
> +	struct tls_context *ctx;
> +	u16 version, cipher_type;

Unfortunately revere christmas tree will be needed :(

> +	struct nlattr *start;
> +	int err;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ