Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tls: rx: add counter for NoPad violations

As discussed with Maxim add a counter for true NoPad violations.
This should help deployments catch unexpected padded records vs
just control records which always need re-encryption.

https://lore.kernel.org/all/b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+8
+4
Documentation/networking/tls.rst
··· 282 282 number of RX records which had to be re-decrypted due to 283 283 ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will 284 284 also increment for non-data records. 285 + 286 + - ``TlsRxNoPadViolation`` - 287 + number of data RX records which had to be re-decrypted due to 288 + ``TLS_RX_EXPECT_NO_PAD`` mis-prediction.
+1
include/uapi/linux/snmp.h
··· 345 345 LINUX_MIB_TLSDECRYPTERROR, /* TlsDecryptError */ 346 346 LINUX_MIB_TLSRXDEVICERESYNC, /* TlsRxDeviceResync */ 347 347 LINUX_MIB_TLSDECRYPTRETRY, /* TlsDecryptRetry */ 348 + LINUX_MIB_TLSRXNOPADVIOL, /* TlsRxNoPadViolation */ 348 349 __LINUX_MIB_TLSMAX 349 350 }; 350 351
+1
net/tls/tls_proc.c
··· 21 21 SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR), 22 22 SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC), 23 23 SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY), 24 + SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL), 24 25 SNMP_MIB_SENTINEL 25 26 }; 26 27
+2
net/tls/tls_sw.c
··· 1596 1596 if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION && 1597 1597 darg->tail != TLS_RECORD_TYPE_DATA)) { 1598 1598 darg->zc = false; 1599 + if (!darg->tail) 1600 + TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL); 1599 1601 TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY); 1600 1602 return decrypt_skb_update(sk, skb, dest, darg); 1601 1603 }
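Review bot: In Documentation/networking/tls.rst, the new TlsRxNoPadViolation entry differs from the TlsDecryptRetry text just above it only by the word "data", so the relationship between the two counters is left for the reader to infer. The tls_sw.c hunk increments both counters on the same path, so every NoPad violation is also a decrypt retry. Please say so explicitly, for example "counted in addition to TlsDecryptRetry", so that anyone alerting on these values knows the two are not disjoint and that the retries expected for control records are TlsDecryptRetry minus TlsRxNoPadViolation.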
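Review bot: In net/tls/tls_sw.c, the added "if (!darg->tail)" test is uncommented and relies on the reader knowing that a zero trailing byte means the record carried padding rather than a content type. A one-line comment above it would make that explicit. Also, on this path the only thing known is that the tail byte is not TLS_RECORD_TYPE_DATA; when it is zero the real record type is still unknown until decrypt_skb_update() has run, whereas the documentation hunk describes the counter as "data RX records". Either word the documentation as "padded RX records", or explain in the commit message why a zero tail is treated as a data record here.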