+5

include/uapi/linux/snmp.h

reviewed

··· 358 358 LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */ 359 359 LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */ 360 360 LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */ 361 361 + LINUX_MIB_TLSRXREKEYOK, /* TlsRxRekeyOk */ 362 362 + LINUX_MIB_TLSRXREKEYERROR, /* TlsRxRekeyError */ 363 363 + LINUX_MIB_TLSTXREKEYOK, /* TlsTxRekeyOk */ 364 364 + LINUX_MIB_TLSTXREKEYERROR, /* TlsTxRekeyError */ 365 365 + LINUX_MIB_TLSRXREKEYRECEIVED, /* TlsRxRekeyReceived */ 361 366 __LINUX_MIB_TLSMAX 362 367 }; 363 368

+22 -5

net/tls/tls_main.c

reviewed

··· 640 640 /* Currently we only support setting crypto info more 641 641 * than one time for TLS 1.3 642 642 */ 643 643 - if (crypto_info->version != TLS_1_3_VERSION) 643 643 + if (crypto_info->version != TLS_1_3_VERSION) { 644 644 + TLS_INC_STATS(sock_net(sk), tx ? LINUX_MIB_TLSTXREKEYERROR 645 645 + : LINUX_MIB_TLSRXREKEYERROR); 644 646 return -EBUSY; 647 647 + } 645 648 646 649 update = true; 647 650 old_crypto_info = crypto_info; ··· 699 696 update ? crypto_info : NULL); 700 697 if (rc) 701 698 goto err_crypto_info; 702 702 - TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSTXSW); 703 703 - TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXSW); 699 699 + 700 700 + if (update) { 701 701 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSTXREKEYOK); 702 702 + } else { 703 703 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSTXSW); 704 704 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRTXSW); 705 705 + } 704 706 conf = TLS_SW; 705 707 } 706 708 } else { ··· 719 711 update ? crypto_info : NULL); 720 712 if (rc) 721 713 goto err_crypto_info; 722 722 - TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXSW); 723 723 - TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW); 714 714 + 715 715 + if (update) { 716 716 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXREKEYOK); 717 717 + } else { 718 718 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXSW); 719 719 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSCURRRXSW); 720 720 + } 724 721 conf = TLS_SW; 725 722 } 726 723 if (!update) ··· 748 735 return 0; 749 736 750 737 err_crypto_info: 738 738 + if (update) { 739 739 + TLS_INC_STATS(sock_net(sk), tx ? LINUX_MIB_TLSTXREKEYERROR 740 740 + : LINUX_MIB_TLSRXREKEYERROR); 741 741 + } 751 742 memzero_explicit(crypto_ctx, sizeof(*crypto_ctx)); 752 743 return rc; 753 744 }

+5

net/tls/tls_proc.c

reviewed

··· 22 22 SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC), 23 23 SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY), 24 24 SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL), 25 25 + SNMP_MIB_ITEM("TlsRxRekeyOk", LINUX_MIB_TLSRXREKEYOK), 26 26 + SNMP_MIB_ITEM("TlsRxRekeyError", LINUX_MIB_TLSRXREKEYERROR), 27 27 + SNMP_MIB_ITEM("TlsTxRekeyOk", LINUX_MIB_TLSTXREKEYOK), 28 28 + SNMP_MIB_ITEM("TlsTxRekeyError", LINUX_MIB_TLSTXREKEYERROR), 29 29 + SNMP_MIB_ITEM("TlsRxRekeyReceived", LINUX_MIB_TLSRXREKEYRECEIVED), 25 30 SNMP_MIB_SENTINEL 26 31 }; 27 32

+4 -2

net/tls/tls_sw.c

reviewed

··· 1724 1724 return 1; 1725 1725 } 1726 1726 1727 1727 - static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb) 1727 1727 + static int tls_check_pending_rekey(struct sock *sk, struct tls_context *ctx, 1728 1728 + struct sk_buff *skb) 1728 1729 { 1729 1730 const struct strp_msg *rxm = strp_msg(skb); 1730 1731 const struct tls_msg *tlm = tls_msg(skb); ··· 1748 1747 struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx; 1749 1748 1750 1749 WRITE_ONCE(rx_ctx->key_update_pending, true); 1750 1750 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXREKEYRECEIVED); 1751 1751 } 1752 1752 1753 1753 return 0; ··· 1773 1771 rxm->full_len -= prot->overhead_size; 1774 1772 tls_advance_record_sn(sk, prot, &tls_ctx->rx); 1775 1773 1776 1776 - return tls_check_pending_rekey(tls_ctx, darg->skb); 1774 1774 + return tls_check_pending_rekey(sk, tls_ctx, darg->skb); 1777 1775 } 1778 1776 1779 1777 int decrypt_skb(struct sock *sk, struct scatterlist *sgout)