From: Jakub Kicinski Date: Sat, 9 Jul 2022 02:52:53 +0000 (-0700) Subject: tls: rx: add counter for NoPad violations X-Git-Tag: v6.0-rc1~141^2~157^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb56cea9abd85c22175b31d8f7c44d6c615fe526;p=thirdparty%2Flinux.git tls: rx: add counter for NoPad violations As discussed with Maxim add a counter for true NoPad violations. This should help deployments catch unexpected padded records vs just control records which always need re-encryption. https: //lore.kernel.org/all/b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com/ Signed-off-by: Jakub Kicinski --- diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 7a6643836e427..658ed3a71e1b5 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics number of RX records which had to be re-decrypted due to ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will also increment for non-data records. + +- ``TlsRxNoPadViolation`` - + number of data RX records which had to be re-decrypted due to + ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index fd83fb9e525a7..4d7470036a8b5 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -345,6 +345,7 @@ enum LINUX_MIB_TLSDECRYPTERROR, /* TlsDecryptError */ LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */ LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */ + LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */ __LINUX_MIB_TLSMAX }; diff --git a/net/tls/tls_proc.c b/net/tls/tls_proc.c index ede9df13c3985..68982728f6209 100644 --- a/net/tls/tls_proc.c +++ b/net/tls/tls_proc.c @@ -21,6 +21,7 @@ static const struct snmp_mib tls_mib_list[] = { SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR), SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC), SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY), + SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL), SNMP_MIB_SENTINEL }; diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index e12846d1871a0..68d79ee48a568 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1596,6 +1596,8 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION && darg->tail != TLS_RECORD_TYPE_DATA)) { darg->zc = false; + if (!darg->tail) + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL); TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY); return decrypt_skb_update(sk, skb, dest, darg); }