he main
loop)
- records of the same type (even DATA) shouldn't be merged if one
record of a different type comes in between
Sabrina Dubroca (5):
tls: break out of main loop when PEEK gets a non-data record
tls: stop recv() if initial process_rx_list gave us non-DATA
tls: don't
If we queue 3 records:
- record 1, type DATA
- record 2, some other type
- record 3, type DATA
the current code can look past the 2nd record and merge the 2 data
records.
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests/net/tls.c | 19 +++
1 file changed, 19
loop since the record was not DATA
Just check the record type and jump to the end in case process_rx_list
did some work.
Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
Signed-off-by: Sabrina Dubroca
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1
t had
more data available.
Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
Signed-off-by: Sabrina Dubroca
---
net/tls/tls_sw.c | 22 ++
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tl
Two consecutive control messages of the same type should never be
merged into one large received blob of data.
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests/net/tls.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/tools/testing/selftests/net/tls.c
le to peek across multiple
records")
Signed-off-by: Sabrina Dubroca
---
net/tls/tls_sw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 9fbc70200cd0..78aedfc682ba 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2064,6 +206
2024-02-19, 12:07:03 -0800, Jakub Kicinski wrote:
> On Thu, 15 Feb 2024 17:17:31 +0100 Sabrina Dubroca wrote:
> > @@ -1772,7 +1772,8 @@ static int process_rx_list(struct tls_sw_context_rx
> > *ctx,
> >u8 *control,
> >
2024-02-20, 17:50:53 -0800, Jakub Kicinski wrote:
> On Tue, 20 Feb 2024 00:10:58 +0100 Sabrina Dubroca wrote:
> > 2024-02-19, 12:07:03 -0800, Jakub Kicinski wrote:
> > > On Thu, 15 Feb 2024 17:17:31 +0100 Sabrina Dubroca wrote:
> > > > @@ -1772,7 +1772,8 @@ sta
2024-02-21, 10:33:30 -0800, Jakub Kicinski wrote:
> On Wed, 21 Feb 2024 14:59:40 +0100 Sabrina Dubroca wrote:
> > It's not exactly enough, since tls_record_content_type will return 0
> > on a content type mismatch. We'll have to translate that into an
> > "
Make sure that we don't return more bytes than we actually received if
the userspace buffer was bogus. We expect to receive at least the rest
of rec1, and possibly some of rec2 (currently, we don't, but that
would be ok).
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests/net/
ftests: tls: add selftests for TLS sockets")
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests/net/tls.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index 297d972558fb..464853a7f982 10064
2024-05-06, 09:58:26 +0200, Antony Antony wrote:
> Hi,
> This fix, originally intended for XFRM/IPsec, has been recommended by
> Steffen Klassert to submit to the net tree.
>
> The patch addresses a minor issue related to the IPv4 source address of
> ICMP error messages, which originated from an o
Hi Antony,
2024-05-06, 10:05:54 +0200, Antony Antony wrote:
> diff --git a/tools/testing/selftests/net/xfrm_state.sh b/tools/testing/selftests/net/xfrm_state.sh
> new file mode 100755
> index ..26eac013abcf
> --- /dev/null
> +++ b/tools/testing/selftests/net/xfrm_state.sh
[...]
> +r
2024-05-06, 17:57:23 +0200, Antony Antony wrote:
> Hi Sabrina,
>
> On Mon, May 06, 2024 at 03:36:15PM +0200, Sabrina Dubroca via Devel wrote:
> > 2024-05-06, 09:58:26 +0200, Antony Antony wrote:
> > > Hi,
> > > This fix, originally intended for XFRM/IPsec, has
Set the initial rec_seq to 0x so that it wraps
immediately. The send() call should fail with EBADMSG.
A bug in this code was fixed in commit cfaa80c91f6f ("net/tls: do not
free tls_rec on async operation in bpf_exec_tx_verdict()").
Signed-off-by: Sabrina Dubroca
We're going to expand this test, and macsec offload is only lightly
related to rtnetlink.
Signed-off-by: Sabrina Dubroca
---
.../selftests/drivers/net/netdevsim/Makefile | 1 +
.../selftests/drivers/net/netdevsim/config | 1 +
.../drivers/net/netdevsim/macsec-offload.sh
For all events, we need to loop over the list of secys, so let's move
the common variables out of the switch/case.
Signed-off-by: Sabrina Dubroca
---
drivers/net/macsec.c | 25 +++--
1 file changed, 7 insertions(+), 18 deletions(-)
diff --git a/drivers/net/macse
The test verifies that toggling offload works (both via rtnetlink and
macsec's genetlink APIs). This is only possible when no SA is
configured.
Signed-off-by: Sabrina Dubroca
---
.../drivers/net/netdevsim/macsec-offload.sh | 21 +++
1 file changed, 21 insertions(+)
diff
set, and they're then removed
via ndo_fix_features (macsec_fix_features). This allows the
offloadable features to be automatically enabled if offloading is
turned on after device creation.
Signed-off-by: Sabrina Dubroca
---
drivers/net/macsec.c | 17 +++--
1 file changed, 15
If macsec is offloaded, we need to follow the lower device's
capabilities, like VLAN devices do.
Leave the limits unchanged when the offload is disabled.
Signed-off-by: Sabrina Dubroca
---
drivers/net/macsec.c | 22 ++
1 file changed, 22 insertions(+)
diff --git a/dr
Add a test checking that some features are active by default and
changeable.
Signed-off-by: Sabrina Dubroca
---
.../selftests/drivers/net/netdevsim/Makefile | 1 +
.../drivers/net/netdevsim/ethtool-features.sh | 31 +++
2 files changed, 32 insertions(+)
create mode 100644
The test verifies that available features aren't changed by toggling
offload on the device. Creating a device with offload off and then
enabling it later should result in the same features as creating the
device with offload enabled directly.
Signed-off-by: Sabrina Dubroca
---
.../driver
t TSO limits from the lower device, like
VLAN/macvlan devices do.
This series also moves the existing macsec offload selftest to the
netdevsim selftests before adding tests for the new features. To allow
this new selftest to work, netdevsim's hw_features are expanded.
Sabrina Dubroca (8):
Then HW_CSUM (and thus TSO, thanks to
netdev_fix_features) is not automatically turned back on when offload
is re-enabled.
Signed-off-by: Sabrina Dubroca
---
drivers/net/netdevsim/netdev.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/netdevsim/netde
E to set key_update_pending to pair with ->poll's
lockless read
Signed-off-by: Sabrina Dubroca
---
include/net/tls.h | 3 +++
net/tls/tls_sw.c | 35 +++
2 files changed, 38 insertions(+)
diff --git a/include/net/tls.h b/include/net/tls.h
index 3a33924db2
l.net/
[v3]
Link: https://lore.kernel.org/netdev/cover.1676052788.git...@queasysnail.net/
[v2]
Link: https://lore.kernel.org/netdev/cover.1673952268.git...@queasysnail.net/
[v1]
Link: https://www.rfc-editor.org/rfc/rfc8446#section-4.6.3 [1]
Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625
This allows us to generate different keys, so that we can test that
rekey is using the correct one.
v3: update for newly added tests
v4: update for newly added tests
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests/net/tls.c | 20 +++-
1 file changed, 11 insertions
This introduces 4 counters to keep track of key updates:
Tls{Rx,Tx}Rekey{Ok,Error}.
v4: new patch
Suggested-by: Jakub Kicinski
Signed-off-by: Sabrina Dubroca
---
include/uapi/linux/snmp.h | 4
net/tls/tls_main.c | 27 ++-
net/tls/tls_proc.c | 4
v3: added following Jakub's comment on the cover letter
v4: add the new counters
Signed-off-by: Sabrina Dubroca
---
Documentation/networking/tls.rst | 31 +++
1 file changed, 31 insertions(+)
diff --git a/Documentation/networking/tls.rst b/Documentation/netwo
sk_poll to not say the socket is readable when we're
waiting for a rekey, and wake up poll() when the new key is installed
- use unsafe_memcpy to make FORTIFY_SOURCE happy
v4:
- rebase on top of current net-next
- no {} needed around single line (Simon)
Signed-off-by: Sabrina Dubroca
---
v2: add rekey_fail test (reject changing the version/cipher)
v3: add rekey_peek_splice following Jakub's comment
add rekey+poll tests
v4: rebase, new selftests were added
check that rekey isn't supported on TLS1.2
Signed-off-by: Sabrina Dubroca
---
tools/testing/selftests
Hey Jakub,
2024-11-18, 19:41:58 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:47 +0100 Sabrina Dubroca wrote:
> > This adds support for receiving KeyUpdate messages (RFC 8446, 4.6.3
> > [1]). A sender transmits a KeyUpdate message and then changes its TX
> > key
2024-12-03, 19:51:29 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:51 +0100 Sabrina Dubroca wrote:
> > +To prevent attempting to decrypt incoming records using the wrong key,
> > +decryption will be paused when a KeyUpdate message is received by the
> > +kernel,
2024-12-03, 19:47:01 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:48 +0100 Sabrina Dubroca wrote:
> > +static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff
> > *skb)
> > +{
> > + const struct tls_msg *tlm = tls_msg(skb);
> >
This allows us to generate different keys, so that we can test that
rekey is using the correct one.
Signed-off-by: Sabrina Dubroca
---
v3: update for newly added tests
v4: update for newly added tests
tools/testing/selftests/net/tls.c | 20 +++-
1 file changed, 11 insertions
3]
Link: https://lore.kernel.org/netdev/cover.1676052788.git...@queasysnail.net/
[v2]
Link: https://lore.kernel.org/netdev/cover.1673952268.git...@queasysnail.net/
[v1]
Link: https://www.rfc-editor.org/rfc/rfc8446#section-4.6.3 [1]
Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625 [2]
that
record, and stop recvmsg/splice calls with EKEYEXPIRED until the new
key is available.
key_update_pending can't be combined with the existing bitfield,
because we will read it locklessly in ->poll.
Signed-off-by: Sabrina Dubroca
---
v3:
- move key_update_pending check into tls_rx_
This introduces 5 counters to keep track of key updates:
Tls{Rx,Tx}Rekey{Ok,Error} and TlsRxRekeyReceived.
Suggested-by: Jakub Kicinski
Signed-off-by: Sabrina Dubroca
---
v4: new patch, suggested by Jakub
v5: add TlsRxRekeyReceived
include/uapi/linux/snmp.h | 5 +
net/tls/tls_main.c
Test the kernel's ability to:
- update the key (but not the version or cipher), only for TLS1.3
- pause decryption after receiving a KeyUpdate message, until a new
RX key has been provided
- reflect the pause/non-readable socket in poll()
Signed-off-by: Sabrina Dubroca
---
v2
Document the kernel's behavior and userspace expectations.
Suggested-by: Jakub Kicinski
Signed-off-by: Sabrina Dubroca
---
v3: added following Jakub's comment on the cover letter
v4: add the new counters
v5: improve wording for poll() (Jakub)
add the new counter
Documentation/
.
This change only affects tls_sw, since 1.3 offload isn't supported.
Signed-off-by: Sabrina Dubroca
Acked-by: Jakub Kicinski
---
v2:
- reverse xmas tree
- turn the alt_crypto_info into an else if
- don't modify the context when rekey fails
v3:
- only call tls_sw_strparser_arm wh
2024-12-03, 19:54:14 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:50 +0100 Sabrina Dubroca wrote:
> > This introduces 4 counters to keep track of key updates:
> > Tls{Rx,Tx}Rekey{Ok,Error}.
>
> Possibly track detected rekey messages, too? Could help us identify