Commit bb56cea9 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

tls: rx: add counter for NoPad violations 



As discussed with Maxim add a counter for true NoPad violations.
This should help deployments catch unexpected padded records vs
just control records which always need re-encryption.

https: //lore.kernel.org/all/b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com/
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 1090c1ea

Documentation/networking/tls.rst

+4 −0
Original line number Diff line number Diff line
@@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics 
  number of RX records which had to be re-decrypted due to

  ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will

  also increment for non-data records.



- ``TlsRxNoPadViolation`` -

  number of data RX records which had to be re-decrypted due to

  ``TLS_RX_EXPECT_NO_PAD`` mis-prediction.

include/uapi/linux/snmp.h

+1 −0
Original line number Diff line number Diff line
@@ -345,6 +345,7 @@ enum 
	LINUX_MIB_TLSDECRYPTERROR,		/* TlsDecryptError */

	LINUX_MIB_TLSRXDEVICERESYNC,		/* TlsRxDeviceResync */

	LINUX_MIB_TLSDECRYPTRETRY,		/* TlsDecryptRetry */

	LINUX_MIB_TLSRXNOPADVIOL,		/* TlsRxNoPadViolation */

	__LINUX_MIB_TLSMAX

};

net/tls/tls_proc.c

+1 −0
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ static const struct snmp_mib tls_mib_list[] = { 
	SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR),

	SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC),

	SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY),

	SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL),

	SNMP_MIB_SENTINEL

};

net/tls/tls_sw.c

+2 −0
Original line number Diff line number Diff line
@@ -1596,6 +1596,8 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb, 
	if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION &&

		     darg->tail != TLS_RECORD_TYPE_DATA)) {

		darg->zc = false;

		if (!darg->tail)

			TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL);

		TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY);

		return decrypt_skb_update(sk, skb, dest, darg);

	}