diff options
author | Jakub Kicinski <kuba@kernel.org> | 2022-07-09 04:52:53 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-07-12 04:48:33 +0200 |
commit | bb56cea9abd85c22175b31d8f7c44d6c615fe526 (patch) | |
tree | 39fc221488be3d6da39757990a3403080eb46410 | |
parent | tls: fix spelling of MIB (diff) | |
download | linux-bb56cea9abd85c22175b31d8f7c44d6c615fe526.tar.xz linux-bb56cea9abd85c22175b31d8f7c44d6c615fe526.zip |
tls: rx: add counter for NoPad violations
As discussed with Maxim add a counter for true NoPad violations.
This should help deployments catch unexpected padded records vs
just control records which always need re-encryption.
https: //lore.kernel.org/all/b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- | Documentation/networking/tls.rst | 4 | ||||
-rw-r--r-- | include/uapi/linux/snmp.h | 1 | ||||
-rw-r--r-- | net/tls/tls_proc.c | 1 | ||||
-rw-r--r-- | net/tls/tls_sw.c | 2 |
4 files changed, 8 insertions, 0 deletions
diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 7a6643836e42..658ed3a71e1b 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics number of RX records which had to be re-decrypted due to ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will also increment for non-data records. + +- ``TlsRxNoPadViolation`` - + number of data RX records which had to be re-decrypted due to + ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index fd83fb9e525a..4d7470036a8b 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -345,6 +345,7 @@ enum LINUX_MIB_TLSDECRYPTERROR, /* TlsDecryptError */ LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */ LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */ + LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */ __LINUX_MIB_TLSMAX }; diff --git a/net/tls/tls_proc.c b/net/tls/tls_proc.c index ede9df13c398..68982728f620 100644 --- a/net/tls/tls_proc.c +++ b/net/tls/tls_proc.c @@ -21,6 +21,7 @@ static const struct snmp_mib tls_mib_list[] = { SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR), SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC), SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY), + SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL), SNMP_MIB_SENTINEL }; diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index e12846d1871a..68d79ee48a56 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1596,6 +1596,8 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION && darg->tail != TLS_RECORD_TYPE_DATA)) { darg->zc = false; + if (!darg->tail) + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL); TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY); return decrypt_skb_update(sk, skb, dest, darg); } |