From: Jakub Kicinski <jakub.kicinski@netronome.com>
To: Davide Caratti <dcaratti@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Dave Watson <davejwatson@fb.com>,
	Boris Pismenny <borisp@mellanox.com>,
	Aviad Yehezkel <aviadye@mellanox.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	netdev@vger.kernel.org
Subject: Re: [RFC PATCH net-next 2/2] net: tls: export protocol version and cipher to socket diag
Date: Wed, 5 Jun 2019 16:25:55 -0700
Message-ID: <20190605162555.59b4fb3e@cakuba.netronome.com>
In-Reply-To: <4262dd2617a24b66f24ec5ddc73f817e683e14e0.1559747691.git.dcaratti@redhat.com>

On Wed,  5 Jun 2019 17:39:23 +0200, Davide Caratti wrote:
> When an application configures kernel TLS on top of a TCP socket, it's
> now possible for inet_diag_handler to collect information regarding the
> protocol version and the cipher, in case INET_DIAG_INFO is requested.
> 
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>
> ---
>  include/uapi/linux/inet_diag.h |  1 +
>  include/uapi/linux/tls.h       |  8 +++++++
>  net/tls/tls_main.c             | 43 ++++++++++++++++++++++++++++++++++
>  3 files changed, 52 insertions(+)
> 
> diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h
> index 844133de3212..92208535c096 100644
> --- a/include/uapi/linux/inet_diag.h
> +++ b/include/uapi/linux/inet_diag.h
> @@ -161,6 +161,7 @@ enum {
>  
>  enum {
>  	ULP_INFO_NAME,
> +	ULP_INFO_TLS,
>  	__ULP_INFO_MAX,
>  };
>  
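Review bot: value 0 of this enum is already taken by ULP_INFO_NAME, so ULP_INFO_TLS lands at 1 and nothing reserves attribute type 0, which nla_parse() treats as unknown and skips; the usual shape is a ULP_INFO_UNSPEC entry first, and the same remark applies to patch 1 where the enum is introduced. A short comment on ULP_INFO_TLS saying it is a nested attribute that carries the TLS_INFO_* set would also help userspace consumers of INET_DIAG_INFO.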
> diff --git a/include/uapi/linux/tls.h b/include/uapi/linux/tls.h
> index 5b9c26753e46..442348bd2e54 100644
> --- a/include/uapi/linux/tls.h
> +++ b/include/uapi/linux/tls.h
> @@ -109,4 +109,12 @@ struct tls12_crypto_info_aes_ccm_128 {
>  	unsigned char rec_seq[TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE];
>  };
>  
> +enum {

UNSPEC

> +	TLS_INFO_VERSION,
> +	TLS_INFO_CIPHER,

We need some indication of the directions in which kTLS is active
(none, rx, tx, rx/tx).

Also perhaps could you add TLS_SW vs TLS_HW etc. ? :)

> +	__TLS_INFO_MAX,
> +};
> +

Traditionally we put no new line between enum and the max define.

> +#define TLS_INFO_MAX (__TLS_INFO_MAX - 1)
> +
>  #endif /* _UAPI_LINUX_TLS_H */
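Review bot: TLS_INFO_VERSION and TLS_INFO_CIPHER carry no indication of their payload type in this header; since tls_main.c emits both with nla_put_u16(), a comment on each entry (e.g. `TLS_INFO_VERSION, /* u16 */`) would document the ABI in the file userspace actually compiles against, together with a note that the set is nested under ULP_INFO_TLS. Starting the enum with a TLS_INFO_UNSPEC entry keeps value 0 reserved, matching the other netlink attribute sets in the uapi headers.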
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index fc81ae18cc44..14597526981c 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -39,6 +39,7 @@
>  #include <linux/netdevice.h>
>  #include <linux/sched/signal.h>
>  #include <linux/inetdevice.h>
> +#include <linux/inet_diag.h>
> 
>  #include <net/tls.h>
>  
> @@ -798,6 +799,46 @@ static int tls_init(struct sock *sk)
>  	return rc;
>  }
>  
> +static int tls_get_info(struct sock *sk, struct sk_buff *skb)
> +{
> +	struct tls_context *ctx = tls_get_ctx(sk);
> +	struct nlattr *start = 0;

Hm.. NULL?  Does this not give you a warning?

> +	int err = 0;

There should be no need to init this.

> +	if (sk->sk_state != TCP_ESTABLISHED)

Hmm.. why this check?  We never clean up the state once installed until
the socket dies completely (currently, pending John's unhash work).

> +		goto end;

Please don't do this, just return 0; here.

> +	start = nla_nest_start_noflag(skb, ULP_INFO_TLS);
> +	if (!start) {
> +		err = -EMSGSIZE;
> +		goto nla_failure;

		return -EMSGSIZE;

> +	}
> +	err = nla_put_u16(skb, TLS_INFO_VERSION, ctx->prot_info.version);
> +	if (err < 0)
> +		goto nla_failure;
> +	err = nla_put_u16(skb, TLS_INFO_CIPHER, ctx->prot_info.cipher_type);
> +	if (err < 0)
> +		goto nla_failure;
> +	nla_nest_end(skb, start);
> +end:
> +	return err;

	return 0;

> +nla_failure:
> +	nla_nest_cancel(skb, start);
> +	goto end;

	return err;

> +}
> +
> +static size_t tls_get_info_size(struct sock *sk)
> +{
> +	size_t size = 0;
> +
> +	if (sk->sk_state != TCP_ESTABLISHED)
> +		return size;
> +
> +	size +=   nla_total_size(0) /* ULP_INFO_TLS */
> +		+ nla_total_size(sizeof(__u16))	/* TLS_INFO_VERSION */
> +		+ nla_total_size(sizeof(__u16)); /* TLS_INFO_CIPHER */
> +	return size;
> +}

Same comments as on patch 1 and above.

>  void tls_register_device(struct tls_device *device)
>  {
>  	spin_lock_bh(&device_spinlock);
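Review bot: tls_get_info() dereferences the result of tls_get_ctx(sk) without a NULL check, and the diag dump path does not take the socket lock around the ULP get_info hook; if the ULP context can ever be released before the socket itself is gone (the unhash work mentioned above would do exactly that), a NULL ctx should return 0 rather than fault, which would also make the sk_state check redundant. tls_get_info_size() must stay in lockstep with what tls_get_info() emits (one nest plus two u16 attributes): if the TCP_ESTABLISHED gate is dropped from one function it has to go from the other too, otherwise the reserved space is under-counted and nla_put_u16() fails with -EMSGSIZE. The `start = 0` initializer should be NULL, and with early returns in place of the `goto end` pattern neither `start` nor `err` needs an initializer.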

Thanks for working on this, it was on my todo list! :)
