* [PATCH net] net/tls: avoid spurious decryption error with HW resync
@ 2020-01-10 12:36 Jakub Kicinski
2020-01-10 19:20 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Jakub Kicinski @ 2020-01-10 12:36 UTC (permalink / raw)
To: davem
Cc: netdev, oss-drivers, borisp, aviadye, john.fastabend, daniel,
Jakub Kicinski, David Beckett, Simon Horman
When device loses sync mid way through a record - kernel
has to re-encrypt the part of the record which the device
already decrypted to be able to decrypt and authenticate
the record in its entirety.
The re-encryption piggy backs on the decryption routine,
but obviously because the partially decrypted record can't
be authenticated crypto API returns an error which is then
ignored by tls_device_reencrypt().
Commit 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
added a statistic to count decryption errors, this statistic
can't be incremented when we see the expected re-encryption
error. Move the inc to the caller.
Reported-and-tested-by: David Beckett <david.beckett@netronome.com>
Fixes: 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
---
net/tls/tls_sw.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index bb229dc0fa81..5c7c00429f8e 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -256,8 +256,6 @@ static int tls_do_decryption(struct sock *sk,
return ret;
ret = crypto_wait_req(ret, &ctx->async_wait);
- } else if (ret == -EBADMSG) {
- TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
}
if (async)
@@ -1515,7 +1513,9 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
if (err == -EINPROGRESS)
tls_advance_record_sn(sk, prot,
&tls_ctx->rx);
-
+ else if (err == -EBADMSG)
+ TLS_INC_STATS(sock_net(sk),
+ LINUX_MIB_TLSDECRYPTERROR);
return err;
}
} else {
--
2.23.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] net/tls: avoid spurious decryption error with HW resync
2020-01-10 12:36 [PATCH net] net/tls: avoid spurious decryption error with HW resync Jakub Kicinski
@ 2020-01-10 19:20 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-01-10 19:20 UTC (permalink / raw)
To: jakub.kicinski
Cc: netdev, oss-drivers, borisp, aviadye, john.fastabend, daniel,
david.beckett, simon.horman
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Fri, 10 Jan 2020 04:36:55 -0800
> When device loses sync mid way through a record - kernel
> has to re-encrypt the part of the record which the device
> already decrypted to be able to decrypt and authenticate
> the record in its entirety.
>
> The re-encryption piggy backs on the decryption routine,
> but obviously because the partially decrypted record can't
> be authenticated crypto API returns an error which is then
> ignored by tls_device_reencrypt().
>
> Commit 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
> added a statistic to count decryption errors, this statistic
> can't be incremented when we see the expected re-encryption
> error. Move the inc to the caller.
>
> Reported-and-tested-by: David Beckett <david.beckett@netronome.com>
> Fixes: 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
> Reviewed-by: Simon Horman <simon.horman@netronome.com>
Applied.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-01-10 19:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-10 12:36 [PATCH net] net/tls: avoid spurious decryption error with HW resync Jakub Kicinski
2020-01-10 19:20 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.