Netdev Archive on lore.kernel.org
 help / Atom feed
* [PATCH net-next] net/tls: Do not use async crypto for non-data records
@ 2019-02-11 11:31 Vakul Garg
  2019-02-12 17:35 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Vakul Garg @ 2019-02-11 11:31 UTC (permalink / raw)
  To: netdev; +Cc: borisp, aviadye, davejwatson, davem, doronrk, Vakul Garg

Addition of tls1.3 support broke tls1.2 handshake when async crypto
accelerator is used. This is because the record type for non-data
records is not propagated to user application. Also when async
decryption happens, the decryption does not stop when two different
types of records get dequeued and submitted for decryption. To address
it, we decrypt tls1.2 non-data records in synchronous way. We check
whether the record we just processed has same type as the previous one
before checking for async condition and jumping to dequeue next record.

Fixes: 130b392c6cd6b ("net: tls: Add tls 1.3 support")
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
---
 net/tls/tls_sw.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index fe8c287cbaa1..ae4784734547 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1645,10 +1645,10 @@ int tls_sw_recvmsg(struct sock *sk,
 
 	do {
 		bool retain_skb = false;
-		bool async = false;
 		bool zc = false;
 		int to_decrypt;
 		int chunk = 0;
+		bool async;
 
 		skb = tls_wait_data(sk, psock, flags, timeo, &err);
 		if (!skb) {
@@ -1674,18 +1674,21 @@ int tls_sw_recvmsg(struct sock *sk,
 		    tls_ctx->crypto_recv.info.version != TLS_1_3_VERSION)
 			zc = true;
 
+		/* Do not use async mode if record is non-data */
+		if (ctx->control == TLS_RECORD_TYPE_DATA)
+			async = ctx->async_capable;
+		else
+			async = false;
+
 		err = decrypt_skb_update(sk, skb, &msg->msg_iter,
-					 &chunk, &zc, ctx->async_capable);
+					 &chunk, &zc, async);
 		if (err < 0 && err != -EINPROGRESS) {
 			tls_err_abort(sk, EBADMSG);
 			goto recv_end;
 		}
 
-		if (err == -EINPROGRESS) {
-			async = true;
+		if (err == -EINPROGRESS)
 			num_async++;
-			goto pick_next_record;
-		}
 
 		if (!cmsg) {
 			int cerr;
@@ -1704,6 +1707,9 @@ int tls_sw_recvmsg(struct sock *sk,
 			goto recv_end;
 		}
 
+		if (async)
+			goto pick_next_record;
+
 		if (!zc) {
 			if (rxm->full_len > len) {
 				retain_skb = true;
-- 
2.13.6


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH net-next] net/tls: Do not use async crypto for non-data records
  2019-02-11 11:31 [PATCH net-next] net/tls: Do not use async crypto for non-data records Vakul Garg
@ 2019-02-12 17:35 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2019-02-12 17:35 UTC (permalink / raw)
  To: vakul.garg; +Cc: netdev, borisp, aviadye, davejwatson, doronrk

From: Vakul Garg <vakul.garg@nxp.com>
Date: Mon, 11 Feb 2019 11:31:05 +0000

> Addition of tls1.3 support broke tls1.2 handshake when async crypto
> accelerator is used. This is because the record type for non-data
> records is not propagated to user application. Also when async
> decryption happens, the decryption does not stop when two different
> types of records get dequeued and submitted for decryption. To address
> it, we decrypt tls1.2 non-data records in synchronous way. We check
> whether the record we just processed has same type as the previous one
> before checking for async condition and jumping to dequeue next record.
> 
> Fixes: 130b392c6cd6b ("net: tls: Add tls 1.3 support")
> Signed-off-by: Vakul Garg <vakul.garg@nxp.com>

Applied, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-11 11:31 [PATCH net-next] net/tls: Do not use async crypto for non-data records Vakul Garg
2019-02-12 17:35 ` David Miller

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org netdev@archiver.kernel.org
	public-inbox-index netdev


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/ public-inbox