tls: rx: add counter for NoPad violations

As discussed with Maxim add a counter for true NoPad violations.
This should help deployments catch unexpected padded records vs
just control records which always need re-encryption.

https: //lore.kernel.org/all/b111828e6ac34baad9f4e783127eba8344ac252d.camel@nvidia.com/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst
index 7a66438..658ed3a 100644 (file)
--- a/Documentation/networking/tls.rst
+++ b/Documentation/networking/tls.rst
@@ -282,3 +282,7 @@ TLS implementation exposes the following per-namespace statistics
   number of RX records which had to be re-decrypted due to
   ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. Note that this counter will
   also increment for non-data records.
+
+- ``TlsRxNoPadViolation`` -
+  number of data RX records which had to be re-decrypted due to
+  ``TLS_RX_EXPECT_NO_PAD`` mis-prediction.

diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
index fd83fb9..4d74700 100644 (file)
--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -345,6 +345,7 @@ enum
        LINUX_MIB_TLSDECRYPTERROR,              /* TlsDecryptError */
        LINUX_MIB_TLSRXDEVICERESYNC,            /* TlsRxDeviceResync */
        LINUX_MIB_TLSDECRYPTRETRY,              /* TlsDecryptRetry */
+       LINUX_MIB_TLSRXNOPADVIOL,               /* TlsRxNoPadViolation */
        __LINUX_MIB_TLSMAX
 };
 

diff --git a/net/tls/tls_proc.c b/net/tls/tls_proc.c
index ede9df1..6898272 100644 (file)
--- a/net/tls/tls_proc.c
+++ b/net/tls/tls_proc.c
@@ -21,6 +21,7 @@ static const struct snmp_mib tls_mib_list[] = {
        SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR),
        SNMP_MIB_ITEM("TlsRxDeviceResync", LINUX_MIB_TLSRXDEVICERESYNC),
        SNMP_MIB_ITEM("TlsDecryptRetry", LINUX_MIB_TLSDECRYPTRETRY),
+       SNMP_MIB_ITEM("TlsRxNoPadViolation", LINUX_MIB_TLSRXNOPADVIOL),
        SNMP_MIB_SENTINEL
 };
 

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e12846d..68d79ee 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1596,6 +1596,8 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
        if (unlikely(darg->zc && prot->version == TLS_1_3_VERSION &&
                     darg->tail != TLS_RECORD_TYPE_DATA)) {
                darg->zc = false;
+               if (!darg->tail)
+                       TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXNOPADVIOL);
                TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTRETRY);
                return decrypt_skb_update(sk, skb, dest, darg);
        }