lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZPtO1VDcYSIFVnie@hog>
Date: Fri, 8 Sep 2023 18:41:57 +0200
From: Sabrina Dubroca <sd@...asysnail.net>
To: "liujian (CE)" <liujian56@...wei.com>
Cc: borisp@...dia.com, john.fastabend@...il.com, kuba@...nel.org,
	davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
	vfedorenko@...ek.ru, netdev@...r.kernel.org
Subject: Re: [PATCH net] tls: do not return error when the tls_bigint
 overflows in tls_advance_record_sn()

2023-09-07, 20:59:51 +0800, liujian (CE) wrote:
> By the way, does the return of EBADMSG mean that the tls link needs to
> renegotiate the encryption information or re-establish the link?

We currently don't support key updates so closing this socket is the
only option for now. AFAIU when we set EBADMSG, we can't fix that socket.

> And is this okay?

Yes, this is what I had in mind.

> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 1ed4a611631f..d1fc295b83b5 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -817,7 +817,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg,
> struct sock *sk,
>         psock = sk_psock_get(sk);
>         if (!psock || !policy) {
>                 err = tls_push_record(sk, flags, record_type);
> -               if (err && sk->sk_err == EBADMSG) {
> +               if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
>                         *copied -= sk_msg_free(sk, msg);
>                         tls_free_open_rec(sk);
>                         err = -sk->sk_err;
> @@ -846,7 +846,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg,
> struct sock *sk,
>         switch (psock->eval) {
>         case __SK_PASS:
>                 err = tls_push_record(sk, flags, record_type);
> -               if (err && sk->sk_err == EBADMSG) {
> +               if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
>                         *copied -= sk_msg_free(sk, msg);
>                         tls_free_open_rec(sk);
>                         err = -sk->sk_err;

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ