From patchwork Thu Jul 27 17:35:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330471 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1088C15AF5; Thu, 27 Jul 2023 17:35:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F1B65C433C8; Thu, 27 Jul 2023 17:35:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479335; bh=1gId2qU5YyEKz8aLJMQLJoFuQSFQRWWUSPfXMTYJBsE=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=rdZizWc9/8Vc5y9rZc6qQwRZxWsVnodVTYfj2FtDCmIux/GU2sNxTI8Uxeze3P74W X4tTXFrk9faQz9i0xPbE3uBB9r/fewQqg/W1Y3ksdpx8fJD+EzlUb/gphGOQxILe87 BCY2+OWD59JG32IzqtVZFpOd417+5AvCPD6LfHyEAzmR6BjYO1VXDTmCnsq7e+qCYe RvZHIW5cYKmEbU7fV69kuyuX9vzUqW+6Cj9Lz+Va77kRWe8b8rPG0y2+SEL3LYZsBl Jtk/ulBj3/o3Bpw3lUXw3thbtZkuPtPl7yo13ffWdQGmVbh2hUz8wZygvEjAtJRtRR fUoikf5hXm3/A== Subject: [PATCH net-next v3 1/7] net/tls: Move TLS protocol elements to a separate header From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:35:23 -0400 Message-ID: <169047931374.5241.7713175865185969309.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever Kernel TLS consumers will need definitions of various parts of the TLS protocol, but often do not need the function declarations and other infrastructure provided in . Break out existing standardized protocol elements into a separate header, and make room for a few more elements in subsequent patches. Signed-off-by: Chuck Lever --- .../ethernet/chelsio/inline_crypto/chtls/chtls.h | 1 + include/net/tls.h | 4 --- include/net/tls_prot.h | 26 ++++++++++++++++++++ net/sunrpc/svcsock.c | 1 + net/sunrpc/xprtsock.c | 1 + net/tls/tls.h | 1 + 6 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 include/net/tls_prot.h diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls.h b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls.h index 68562a82d036..62f62bff74a5 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls.h +++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls.h @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "t4fw_api.h" diff --git a/include/net/tls.h b/include/net/tls.h index 5e71dd3df8ca..06fca9160346 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -69,10 +69,6 @@ extern const struct tls_cipher_size_desc tls_cipher_size_desc[]; #define TLS_CRYPTO_INFO_READY(info) ((info)->cipher_type) -#define TLS_RECORD_TYPE_ALERT 0x15 -#define TLS_RECORD_TYPE_HANDSHAKE 0x16 -#define TLS_RECORD_TYPE_DATA 0x17 - #define TLS_AAD_SPACE_SIZE 13 #define MAX_IV_SIZE 16 diff --git a/include/net/tls_prot.h b/include/net/tls_prot.h new file mode 100644 index 000000000000..47d6cfd1619e --- /dev/null +++ b/include/net/tls_prot.h @@ -0,0 +1,26 @@ +/* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ +/* + * Copyright (c) 2023, Oracle and/or its affiliates. + * + * TLS Protocol definitions + * + * From https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml + */ + +#ifndef _TLS_PROT_H +#define _TLS_PROT_H + +/* + * TLS Record protocol: ContentType + */ +enum { + TLS_RECORD_TYPE_CHANGE_CIPHER_SPEC = 20, + TLS_RECORD_TYPE_ALERT = 21, + TLS_RECORD_TYPE_HANDSHAKE = 22, + TLS_RECORD_TYPE_DATA = 23, + TLS_RECORD_TYPE_HEARTBEAT = 24, + TLS_RECORD_TYPE_TLS12_CID = 25, + TLS_RECORD_TYPE_ACK = 26, +}; + +#endif /* _TLS_PROT_H */ diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index e43f26382411..449df8cabfcb 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 9f010369100a..9457ebf22fb1 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -48,6 +48,7 @@ #include #include #include +#include #include #include diff --git a/net/tls/tls.h b/net/tls/tls.h index 86cef1c68e03..26a0358f6f49 100644 --- a/net/tls/tls.h +++ b/net/tls/tls.h @@ -39,6 +39,7 @@ #include #include #include +#include #define TLS_PAGE_ORDER (min_t(unsigned int, PAGE_ALLOC_COSTLY_ORDER, \ TLS_MAX_PAYLOAD_SIZE >> PAGE_SHIFT)) From patchwork Thu Jul 27 17:35:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330472 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9DAF727149; Thu, 27 Jul 2023 17:36:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A0744C433C7; Thu, 27 Jul 2023 17:36:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479362; bh=sVcTDgPOd4yAbHuo94lN5jWZtzHaNprOQV340C6DlT8=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=MnIlYLsZNnXt/typgniAyWsLolJ51mS/qhsJnbipASxJeXxlLnUJuzCnhmE4Jwtn0 mjznBwJglxIAeUsPFf/WL71y2prs4OpZOLX3e9r+jllp+1BmalhkiQvzNipNP3JMoH 6hnY5XFFl72HSY/EyylFaXFb9beP4NYsmpSwj65y+UENF/+KIzQM2XuzTzwh3ycTkn x6YOmoPVd30P0hJrk8tEAI7J+oJyQMs5bL2W6NFWxDdn7V8kvTEVJqVb93Uz96FBuz HKmOPw3aWtLDU2c3z6qW4GthGnN1ypsAxpSpHZmqh6pIRQppqa3vrBw84XHX38pyNW /5qwGnbduwitw== Subject: [PATCH net-next v3 2/7] net/tls: Add TLS Alert definitions From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:35:50 -0400 Message-ID: <169047934064.5241.8377890858495063518.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever I'm about to add support for kernel handshake API consumers to send TLS Alerts, so introduce the needed protocol definitions in the new header tls_prot.h. This presages support for Closure alerts. Also, support for alerts is a pre-requite for handling session re-keying, where one peer will signal the need for a re-key by sending a TLS Alert. Reviewed-by: Hannes Reinecke Signed-off-by: Chuck Lever --- include/net/tls_prot.h | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/include/net/tls_prot.h b/include/net/tls_prot.h index 47d6cfd1619e..68a40756440b 100644 --- a/include/net/tls_prot.h +++ b/include/net/tls_prot.h @@ -23,4 +23,46 @@ enum { TLS_RECORD_TYPE_ACK = 26, }; +/* + * TLS Alert protocol: AlertLevel + */ +enum { + TLS_ALERT_LEVEL_WARNING = 1, + TLS_ALERT_LEVEL_FATAL = 2, +}; + +/* + * TLS Alert protocol: AlertDescription + */ +enum { + TLS_ALERT_DESC_CLOSE_NOTIFY = 0, + TLS_ALERT_DESC_UNEXPECTED_MESSAGE = 10, + TLS_ALERT_DESC_BAD_RECORD_MAC = 20, + TLS_ALERT_DESC_RECORD_OVERFLOW = 22, + TLS_ALERT_DESC_HANDSHAKE_FAILURE = 40, + TLS_ALERT_DESC_BAD_CERTIFICATE = 42, + TLS_ALERT_DESC_UNSUPPORTED_CERTIFICATE = 43, + TLS_ALERT_DESC_CERTIFICATE_REVOKED = 44, + TLS_ALERT_DESC_CERTIFICATE_EXPIRED = 45, + TLS_ALERT_DESC_CERTIFICATE_UNKNOWN = 46, + TLS_ALERT_DESC_ILLEGAL_PARAMETER = 47, + TLS_ALERT_DESC_UNKNOWN_CA = 48, + TLS_ALERT_DESC_ACCESS_DENIED = 49, + TLS_ALERT_DESC_DECODE_ERROR = 50, + TLS_ALERT_DESC_DECRYPT_ERROR = 51, + TLS_ALERT_DESC_TOO_MANY_CIDS_REQUESTED = 52, + TLS_ALERT_DESC_PROTOCOL_VERSION = 70, + TLS_ALERT_DESC_INSUFFICIENT_SECURITY = 71, + TLS_ALERT_DESC_INTERNAL_ERROR = 80, + TLS_ALERT_DESC_INAPPROPRIATE_FALLBACK = 86, + TLS_ALERT_DESC_USER_CANCELED = 90, + TLS_ALERT_DESC_MISSING_EXTENSION = 109, + TLS_ALERT_DESC_UNSUPPORTED_EXTENSION = 110, + TLS_ALERT_DESC_UNRECOGNIZED_NAME = 112, + TLS_ALERT_DESC_BAD_CERTIFICATE_STATUS_RESPONSE = 113, + TLS_ALERT_DESC_UNKNOWN_PSK_IDENTITY = 115, + TLS_ALERT_DESC_CERTIFICATE_REQUIRED = 116, + TLS_ALERT_DESC_NO_APPLICATION_PROTOCOL = 120, +}; + #endif /* _TLS_PROT_H */ From patchwork Thu Jul 27 17:36:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330473 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C930171D0; Thu, 27 Jul 2023 17:36:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5CE2BC433C7; Thu, 27 Jul 2023 17:36:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479388; bh=Baa84B0LBfTXJKcOLEFb3vDZi/aHYn/vWaeUyeHhHnM=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=iyLGe3zYBOgZYnwN62ZOLaBp+Ad2Rs9zHyk+If1/3e6kMhdJduyv9ksNM9SehxNq3 7kRGOuT7Aty1sEDXa+CIRB2U2OHkujEhyKq+e9saneORd/yayYybuHcw7DnG9x7vv6 0ByE7PNj31KVz7WDh0zUegKYmoM+Lxfq64iED3oRdxhCPRcSriaMWnL7bmsiu7lNbB 3iBx/jaH8nd8YNXiGkPHfQpw8mQrGxFKpI1G59aF776M+KfVt+umpYFYhFHrJtDahS sk/F8SESYm+mc63u+QNizzfX5VZTb+ToWiSRHjAR7Q/HurI0Mwdc3LAoXDYj+0AMLP Q4IcLknJHENeQ== Subject: [PATCH net-next v3 3/7] net/handshake: Add API for sending TLS Closure alerts From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:36:17 -0400 Message-ID: <169047936730.5241.618595693821012638.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever This helper sends an alert only if a TLS session was established. Signed-off-by: Chuck Lever --- include/net/handshake.h | 1 + net/handshake/Makefile | 2 + net/handshake/alert.c | 61 +++++++++++++++++++++++++++++++++++++++++++++ net/handshake/handshake.h | 6 ++++ net/handshake/tlshd.c | 23 +++++++++++++++++ 5 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 net/handshake/alert.c diff --git a/include/net/handshake.h b/include/net/handshake.h index 2e26e436e85f..bb88dfa6e3c9 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -40,5 +40,6 @@ int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t flags); int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags); bool tls_handshake_cancel(struct sock *sk); +void tls_handshake_close(struct socket *sock); #endif /* _NET_HANDSHAKE_H */ diff --git a/net/handshake/Makefile b/net/handshake/Makefile index 247d73c6ff6e..ef4d9a2112bd 100644 --- a/net/handshake/Makefile +++ b/net/handshake/Makefile @@ -8,6 +8,6 @@ # obj-y += handshake.o -handshake-y := genl.o netlink.o request.o tlshd.o trace.o +handshake-y := alert.o genl.o netlink.o request.o tlshd.o trace.o obj-$(CONFIG_NET_HANDSHAKE_KUNIT_TEST) += handshake-test.o diff --git a/net/handshake/alert.c b/net/handshake/alert.c new file mode 100644 index 000000000000..2f1a16868ff6 --- /dev/null +++ b/net/handshake/alert.c @@ -0,0 +1,61 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Handle the TLS Alert protocol + * + * Author: Chuck Lever + * + * Copyright (c) 2023, Oracle and/or its affiliates. + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "handshake.h" + +/** + * tls_alert_send - send a TLS Alert on a kTLS socket + * @sock: open kTLS socket to send on + * @level: TLS Alert level + * @description: TLS Alert description + * + * Returns zero on success or a negative errno. + */ +int tls_alert_send(struct socket *sock, u8 level, u8 description) +{ + u8 record_type = TLS_RECORD_TYPE_ALERT; + u8 buf[CMSG_SPACE(sizeof(record_type))]; + struct msghdr msg = { 0 }; + struct cmsghdr *cmsg; + struct kvec iov; + u8 alert[2]; + int ret; + + alert[0] = level; + alert[1] = description; + iov.iov_base = alert; + iov.iov_len = sizeof(alert); + + memset(buf, 0, sizeof(buf)); + msg.msg_control = buf; + msg.msg_controllen = sizeof(buf); + msg.msg_flags = MSG_DONTWAIT; + + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = SOL_TLS; + cmsg->cmsg_type = TLS_SET_RECORD_TYPE; + cmsg->cmsg_len = CMSG_LEN(sizeof(record_type)); + memcpy(CMSG_DATA(cmsg), &record_type, sizeof(record_type)); + + iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &iov, 1, iov.iov_len); + ret = sock_sendmsg(sock, &msg); + return ret < 0 ? ret : 0; +} diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h index 4dac965c99df..a48163765a7a 100644 --- a/net/handshake/handshake.h +++ b/net/handshake/handshake.h @@ -41,8 +41,11 @@ struct handshake_req { enum hr_flags_bits { HANDSHAKE_F_REQ_COMPLETED, + HANDSHAKE_F_REQ_SESSION, }; +struct genl_info; + /* Invariants for all handshake requests for one transport layer * security protocol */ @@ -63,6 +66,9 @@ enum hp_flags_bits { HANDSHAKE_F_PROTO_NOTIFY, }; +/* alert.c */ +int tls_alert_send(struct socket *sock, u8 level, u8 description); + /* netlink.c */ int handshake_genl_notify(struct net *net, const struct handshake_proto *proto, gfp_t flags); diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index b735f5cced2f..bbfb4095ddd6 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include @@ -100,6 +101,9 @@ static void tls_handshake_done(struct handshake_req *req, if (info) tls_handshake_remote_peerids(treq, info); + if (!status) + set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); + treq->th_consumer_done(treq->th_consumer_data, -status, treq->th_peerid[0]); } @@ -424,3 +428,22 @@ bool tls_handshake_cancel(struct sock *sk) return handshake_req_cancel(sk); } EXPORT_SYMBOL(tls_handshake_cancel); + +/** + * tls_handshake_close - send a Closure alert + * @sock: an open socket + * + */ +void tls_handshake_close(struct socket *sock) +{ + struct handshake_req *req; + + req = handshake_req_hash_lookup(sock->sk); + if (!req) + return; + if (!test_and_clear_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags)) + return; + tls_alert_send(sock, TLS_ALERT_LEVEL_WARNING, + TLS_ALERT_DESC_CLOSE_NOTIFY); +} +EXPORT_SYMBOL(tls_handshake_close); From patchwork Thu Jul 27 17:36:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330484 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AB20B27148; Thu, 27 Jul 2023 17:36:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1272BC433C7; Thu, 27 Jul 2023 17:36:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479415; bh=MKrUk89gpzTbXM0B5xC6xWf1BYGOXULrlR87/6kKwJ4=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=IPG2EopmLuSt9VDOdNJWNfaQwwixSjk8ecCB1imMEIY/BXVJCVbqST9Volt9gRavD SFhX2clFKhjI+Dx1eFcjcJpD7i4GTjBtu/CHzBe7y/h8B+yWNlETwDIu/GTACiTwVz dAj0DJx8fT7X4YhAWqnydF3472sl5noG48uuPeTgTugJSpCZgkxYd/lMf6aCMmcTh+ UEBGwAomV4qjeEnxwFPQwOe9SbP+r3WWIx7BNYp8LwKvutsQS1GnsLECSqMTE075Z3 EZ0jbH/c6dij2N2pOwQjf0pASBqTYazf9U1pt3xjtkLZX7FAixnNnIqkOinLM3FsoE NWfWzBr3bWGZA== Subject: [PATCH net-next v3 4/7] SUNRPC: Send TLS Closure alerts before closing a TCP socket From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:36:44 -0400 Message-ID: <169047939404.5241.14392506226409865832.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever Before closing a TCP connection, the TLS protocol wants peers to send session close Alert notifications. Add those in both the RPC client and server. Signed-off-by: Chuck Lever --- net/sunrpc/svcsock.c | 2 ++ net/sunrpc/xprtsock.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 449df8cabfcb..cca6ee716020 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -1622,6 +1622,8 @@ static void svc_tcp_sock_detach(struct svc_xprt *xprt) { struct svc_sock *svsk = container_of(xprt, struct svc_sock, sk_xprt); + tls_handshake_close(svsk->sk_sock); + svc_sock_detach(xprt); if (!test_bit(XPT_LISTENER, &xprt->xpt_flags)) { diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 9457ebf22fb1..5096aa62de5c 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -1293,6 +1293,8 @@ static void xs_close(struct rpc_xprt *xprt) dprintk("RPC: xs_close xprt %p\n", xprt); + if (transport->sock) + tls_handshake_close(transport->sock); xs_reset_transport(transport); xprt->reestablish_timeout = 0; } From patchwork Thu Jul 27 17:37:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330485 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E10C27157; Thu, 27 Jul 2023 17:37:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C36FEC433C8; Thu, 27 Jul 2023 17:37:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479442; bh=tLXSEmT7SV/rFU/8utCAHr2L3R6bQxYWNEw6U5SLsKk=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=txSf/cFjSZkBlHzSW4vIa/V6a//L2CA0z1CiyXQh26FT5pL9Qytzl9qETiSpTDnWG kX0uv81cwhZe6j7qxA/qiUowvumOU6r87yJE8+SjbWraBZeTQWD8nxtMFoq6KrxSdu 4LP9F1Xv0rgyU5kbgbaESPaS+1pAT3VSIbYNz3ZbzNDLTswrW0mvnZi+nMxvGKJ8rM uIQSdnRkKTf0FoUIsU5YLsR7Gu0hTtGR5kLo/LLiJSywyhNL2H+McgGr3FhO4HquGN Z/+i+uBv0CA96Q04xGblLKE4ePr5oGVsKo/0J/7VGQ+vnk9LF10W/8z+aZNXsJQqXp KB3jx7R3krcbg== Subject: [PATCH net-next v3 5/7] net/handshake: Add helpers for parsing incoming TLS Alerts From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:37:10 -0400 Message-ID: <169047942074.5241.13791647439480672048.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever Kernel TLS consumers can replace common TLS Alert parsing code with these helpers. Signed-off-by: Chuck Lever --- include/net/handshake.h | 4 ++++ net/handshake/alert.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/include/net/handshake.h b/include/net/handshake.h index bb88dfa6e3c9..8ebd4f9ed26e 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -42,4 +42,8 @@ int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags); bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); +u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg); +void tls_alert_recv(const struct sock *sk, const struct msghdr *msg, + u8 *level, u8 *description); + #endif /* _NET_HANDSHAKE_H */ diff --git a/net/handshake/alert.c b/net/handshake/alert.c index 2f1a16868ff6..286bf94d93a3 100644 --- a/net/handshake/alert.c +++ b/net/handshake/alert.c @@ -59,3 +59,45 @@ int tls_alert_send(struct socket *sock, u8 level, u8 description) ret = sock_sendmsg(sock, &msg); return ret < 0 ? ret : 0; } + +/** + * tls_get_record_type - Look for TLS RECORD_TYPE information + * @sk: socket (for IP address information) + * @cmsg: incoming message to be parsed + * + * Returns zero or a TLS_RECORD_TYPE value. + */ +u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *cmsg) +{ + u8 record_type; + + if (cmsg->cmsg_level != SOL_TLS) + return 0; + if (cmsg->cmsg_type != TLS_GET_RECORD_TYPE) + return 0; + + record_type = *((u8 *)CMSG_DATA(cmsg)); + return record_type; +} +EXPORT_SYMBOL(tls_get_record_type); + +/** + * tls_alert_recv - Parse TLS Alert messages + * @sk: socket (for IP address information) + * @msg: incoming message to be parsed + * @level: OUT - TLS AlertLevel value + * @description: OUT - TLS AlertDescription value + * + */ +void tls_alert_recv(const struct sock *sk, const struct msghdr *msg, + u8 *level, u8 *description) +{ + const struct kvec *iov; + u8 *data; + + iov = msg->msg_iter.kvec; + data = iov->iov_base; + *level = data[0]; + *description = data[1]; +} +EXPORT_SYMBOL(tls_alert_recv); From patchwork Thu Jul 27 17:37:37 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330486 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 691A127155; Thu, 27 Jul 2023 17:37:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6FBE6C433C7; Thu, 27 Jul 2023 17:37:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479468; bh=QaNK9hk2HpOQmQAQ7sH5iMshAw6ApAwr/mrgE8tyYQc=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=tRoiLLVMXly4eqj26fqrlSPgpYTbRlwTX0aXEhPukriBEKoAW3TM8qHfHR6qMInAI CD3GIIUtdswdVhBp++nFRL9IF3Q/msH+GwlWKtOqjjWnc2UGTmyhe2GyQo7NN8oiTW gTEZpvzmoI+7r+fWqOV72oZDAOUv2PM4vTiGcjB9AFG5EYuBYJs9BmblWUSCQYu3Cp hQh/a6eFP6fEpSug1AkuLoVXYhdGN4YH0o3jw9bLV6TTO8EVsMbex4N3Dq+RmfoQ2O 4vdqSKHpoR3LbVWgAA03duo01FZxP/dvNUHJemAW4PjxM6R3ewmKkogN8alMoqdQR6 lNsa7EmUUaI7A== Subject: [PATCH net-next v3 6/7] SUNRPC: Use new helpers to handle TLS Alerts From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:37:37 -0400 Message-ID: <169047944747.5241.1974889594004407123.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever Use the helpers to parse the level and description fields in incoming alerts. "Warning" alerts are discarded, and "fatal" alerts mean the session is no longer valid. Signed-off-by: Chuck Lever --- net/sunrpc/svcsock.c | 47 +++++++++++++++++++++++++---------------------- net/sunrpc/xprtsock.c | 42 +++++++++++++++++++++++------------------- 2 files changed, 48 insertions(+), 41 deletions(-) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index cca6ee716020..2ed29e40c6a9 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -43,7 +43,6 @@ #include #include #include -#include #include #include #include @@ -227,27 +226,30 @@ static int svc_one_sock_name(struct svc_sock *svsk, char *buf, int remaining) } static int -svc_tcp_sock_process_cmsg(struct svc_sock *svsk, struct msghdr *msg, +svc_tcp_sock_process_cmsg(struct socket *sock, struct msghdr *msg, struct cmsghdr *cmsg, int ret) { - if (cmsg->cmsg_level == SOL_TLS && - cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { - u8 content_type = *((u8 *)CMSG_DATA(cmsg)); - - switch (content_type) { - case TLS_RECORD_TYPE_DATA: - /* TLS sets EOR at the end of each application data - * record, even though there might be more frames - * waiting to be decrypted. - */ - msg->msg_flags &= ~MSG_EOR; - break; - case TLS_RECORD_TYPE_ALERT: - ret = -ENOTCONN; - break; - default: - ret = -EAGAIN; - } + u8 content_type = tls_get_record_type(sock->sk, cmsg); + u8 level, description; + + switch (content_type) { + case 0: + break; + case TLS_RECORD_TYPE_DATA: + /* TLS sets EOR at the end of each application data + * record, even though there might be more frames + * waiting to be decrypted. + */ + msg->msg_flags &= ~MSG_EOR; + break; + case TLS_RECORD_TYPE_ALERT: + tls_alert_recv(sock->sk, msg, &level, &description); + ret = (level == TLS_ALERT_LEVEL_FATAL) ? + -ENOTCONN : -EAGAIN; + break; + default: + /* discard this record type */ + ret = -EAGAIN; } return ret; } @@ -259,13 +261,14 @@ svc_tcp_sock_recv_cmsg(struct svc_sock *svsk, struct msghdr *msg) struct cmsghdr cmsg; u8 buf[CMSG_SPACE(sizeof(u8))]; } u; + struct socket *sock = svsk->sk_sock; int ret; msg->msg_control = &u; msg->msg_controllen = sizeof(u); - ret = sock_recvmsg(svsk->sk_sock, msg, MSG_DONTWAIT); + ret = sock_recvmsg(sock, msg, MSG_DONTWAIT); if (unlikely(msg->msg_controllen != sizeof(u))) - ret = svc_tcp_sock_process_cmsg(svsk, msg, &u.cmsg, ret); + ret = svc_tcp_sock_process_cmsg(sock, msg, &u.cmsg, ret); return ret; } diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 5096aa62de5c..268a2cc61acd 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -47,7 +47,6 @@ #include #include #include -#include #include #include @@ -361,24 +360,27 @@ static int xs_sock_process_cmsg(struct socket *sock, struct msghdr *msg, struct cmsghdr *cmsg, int ret) { - if (cmsg->cmsg_level == SOL_TLS && - cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { - u8 content_type = *((u8 *)CMSG_DATA(cmsg)); - - switch (content_type) { - case TLS_RECORD_TYPE_DATA: - /* TLS sets EOR at the end of each application data - * record, even though there might be more frames - * waiting to be decrypted. - */ - msg->msg_flags &= ~MSG_EOR; - break; - case TLS_RECORD_TYPE_ALERT: - ret = -ENOTCONN; - break; - default: - ret = -EAGAIN; - } + u8 content_type = tls_get_record_type(sock->sk, cmsg); + u8 level, description; + + switch (content_type) { + case 0: + break; + case TLS_RECORD_TYPE_DATA: + /* TLS sets EOR at the end of each application data + * record, even though there might be more frames + * waiting to be decrypted. + */ + msg->msg_flags &= ~MSG_EOR; + break; + case TLS_RECORD_TYPE_ALERT: + tls_alert_recv(sock->sk, msg, &level, &description); + ret = (level == TLS_ALERT_LEVEL_FATAL) ? + -EACCES : -EAGAIN; + break; + default: + /* discard this record type */ + ret = -EAGAIN; } return ret; } @@ -778,6 +780,8 @@ static void xs_stream_data_receive(struct sock_xprt *transport) } if (ret == -ESHUTDOWN) kernel_sock_shutdown(transport->sock, SHUT_RDWR); + else if (ret == -EACCES) + xprt_wake_pending_tasks(&transport->xprt, -EACCES); else xs_poll_check_readable(transport); out: From patchwork Thu Jul 27 17:38:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13330487 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3490F171B6; Thu, 27 Jul 2023 17:38:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 33188C433C7; Thu, 27 Jul 2023 17:38:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1690479493; bh=2AL6/PDFszll7xPmWIqkX9L9tX8homIH5dViTU/s24U=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=ZmTHSxN1/v+K7ksiXIouQf1sAuYsNZGL1a2mfRfYpSOjH/PvSbC98RVgRk7Kdigni 2WPn2Xd0Q43a7vqtkk5ELz+ewcZk1LWDi3dEDg5JUqa2+83DGMnU1W17OL7P42iCz9 VKcl6kp7zny7O0D4wruFUJBakw2Bhcme16FksljcERkAE5brMdozosQkknkAJEWVeB uqdkw9E5mFMzuL6jILi2TbArCx2erotvJ4TUF4asEjX224tHN143ylHS5KYW1F+ocg SE4wT88wjUPUSdgXOSaGmFf1ZCTtf+/782I5tJ+2qfsVQbsh/jrvggQlb4YjhYFD1u INWJWkU1jmcFg== Subject: [PATCH net-next v3 7/7] net/handshake: Trace events for TLS Alert helpers From: Chuck Lever To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com Cc: netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev Date: Thu, 27 Jul 2023 13:38:04 -0400 Message-ID: <169047947409.5241.14548832149596892717.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> References: <169047923706.5241.1181144206068116926.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Chuck Lever Add observability for the new TLS Alert infrastructure. Reviewed-by: Hannes Reinecke Signed-off-by: Chuck Lever --- include/trace/events/handshake.h | 160 ++++++++++++++++++++++++++++++++++++++ net/handshake/alert.c | 7 ++ net/handshake/trace.c | 2 3 files changed, 169 insertions(+) diff --git a/include/trace/events/handshake.h b/include/trace/events/handshake.h index 8dadcab5f12a..bdd8a03cf5ba 100644 --- a/include/trace/events/handshake.h +++ b/include/trace/events/handshake.h @@ -6,7 +6,86 @@ #define _TRACE_HANDSHAKE_H #include +#include #include +#include + +#define TLS_RECORD_TYPE_LIST \ + record_type(CHANGE_CIPHER_SPEC) \ + record_type(ALERT) \ + record_type(HANDSHAKE) \ + record_type(DATA) \ + record_type(HEARTBEAT) \ + record_type(TLS12_CID) \ + record_type_end(ACK) + +#undef record_type +#undef record_type_end +#define record_type(x) TRACE_DEFINE_ENUM(TLS_RECORD_TYPE_##x); +#define record_type_end(x) TRACE_DEFINE_ENUM(TLS_RECORD_TYPE_##x); + +TLS_RECORD_TYPE_LIST + +#undef record_type +#undef record_type_end +#define record_type(x) { TLS_RECORD_TYPE_##x, #x }, +#define record_type_end(x) { TLS_RECORD_TYPE_##x, #x } + +#define show_tls_content_type(type) \ + __print_symbolic(type, TLS_RECORD_TYPE_LIST) + +TRACE_DEFINE_ENUM(TLS_ALERT_LEVEL_WARNING); +TRACE_DEFINE_ENUM(TLS_ALERT_LEVEL_FATAL); + +#define show_tls_alert_level(level) \ + __print_symbolic(level, \ + { TLS_ALERT_LEVEL_WARNING, "Warning" }, \ + { TLS_ALERT_LEVEL_FATAL, "Fatal" }) + +#define TLS_ALERT_DESCRIPTION_LIST \ + alert_description(CLOSE_NOTIFY) \ + alert_description(UNEXPECTED_MESSAGE) \ + alert_description(BAD_RECORD_MAC) \ + alert_description(RECORD_OVERFLOW) \ + alert_description(HANDSHAKE_FAILURE) \ + alert_description(BAD_CERTIFICATE) \ + alert_description(UNSUPPORTED_CERTIFICATE) \ + alert_description(CERTIFICATE_REVOKED) \ + alert_description(CERTIFICATE_EXPIRED) \ + alert_description(CERTIFICATE_UNKNOWN) \ + alert_description(ILLEGAL_PARAMETER) \ + alert_description(UNKNOWN_CA) \ + alert_description(ACCESS_DENIED) \ + alert_description(DECODE_ERROR) \ + alert_description(DECRYPT_ERROR) \ + alert_description(TOO_MANY_CIDS_REQUESTED) \ + alert_description(PROTOCOL_VERSION) \ + alert_description(INSUFFICIENT_SECURITY) \ + alert_description(INTERNAL_ERROR) \ + alert_description(INAPPROPRIATE_FALLBACK) \ + alert_description(USER_CANCELED) \ + alert_description(MISSING_EXTENSION) \ + alert_description(UNSUPPORTED_EXTENSION) \ + alert_description(UNRECOGNIZED_NAME) \ + alert_description(BAD_CERTIFICATE_STATUS_RESPONSE) \ + alert_description(UNKNOWN_PSK_IDENTITY) \ + alert_description(CERTIFICATE_REQUIRED) \ + alert_description_end(NO_APPLICATION_PROTOCOL) + +#undef alert_description +#undef alert_description_end +#define alert_description(x) TRACE_DEFINE_ENUM(TLS_ALERT_DESC_##x); +#define alert_description_end(x) TRACE_DEFINE_ENUM(TLS_ALERT_DESC_##x); + +TLS_ALERT_DESCRIPTION_LIST + +#undef alert_description +#undef alert_description_end +#define alert_description(x) { TLS_ALERT_DESC_##x, #x }, +#define alert_description_end(x) { TLS_ALERT_DESC_##x, #x } + +#define show_tls_alert_description(desc) \ + __print_symbolic(desc, TLS_ALERT_DESCRIPTION_LIST) DECLARE_EVENT_CLASS(handshake_event_class, TP_PROTO( @@ -106,6 +185,47 @@ DECLARE_EVENT_CLASS(handshake_error_class, ), \ TP_ARGS(net, req, sk, err)) +DECLARE_EVENT_CLASS(handshake_alert_class, + TP_PROTO( + const struct sock *sk, + unsigned char level, + unsigned char description + ), + TP_ARGS(sk, level, description), + TP_STRUCT__entry( + /* sockaddr_in6 is always bigger than sockaddr_in */ + __array(__u8, saddr, sizeof(struct sockaddr_in6)) + __array(__u8, daddr, sizeof(struct sockaddr_in6)) + __field(unsigned int, netns_ino) + __field(unsigned long, level) + __field(unsigned long, description) + ), + TP_fast_assign( + const struct inet_sock *inet = inet_sk(sk); + + memset(__entry->saddr, 0, sizeof(struct sockaddr_in6)); + memset(__entry->daddr, 0, sizeof(struct sockaddr_in6)); + TP_STORE_ADDR_PORTS(__entry, inet, sk); + + __entry->netns_ino = sock_net(sk)->ns.inum; + __entry->level = level; + __entry->description = description; + ), + TP_printk("src=%pISpc dest=%pISpc %s: %s", + __entry->saddr, __entry->daddr, + show_tls_alert_level(__entry->level), + show_tls_alert_description(__entry->description) + ) +); +#define DEFINE_HANDSHAKE_ALERT(name) \ + DEFINE_EVENT(handshake_alert_class, name, \ + TP_PROTO( \ + const struct sock *sk, \ + unsigned char level, \ + unsigned char description \ + ), \ + TP_ARGS(sk, level, description)) + /* * Request lifetime events @@ -154,6 +274,46 @@ DEFINE_HANDSHAKE_ERROR(handshake_cmd_accept_err); DEFINE_HANDSHAKE_FD_EVENT(handshake_cmd_done); DEFINE_HANDSHAKE_ERROR(handshake_cmd_done_err); +/* + * TLS Record events + */ + +TRACE_EVENT(tls_contenttype, + TP_PROTO( + const struct sock *sk, + unsigned char type + ), + TP_ARGS(sk, type), + TP_STRUCT__entry( + /* sockaddr_in6 is always bigger than sockaddr_in */ + __array(__u8, saddr, sizeof(struct sockaddr_in6)) + __array(__u8, daddr, sizeof(struct sockaddr_in6)) + __field(unsigned int, netns_ino) + __field(unsigned long, type) + ), + TP_fast_assign( + const struct inet_sock *inet = inet_sk(sk); + + memset(__entry->saddr, 0, sizeof(struct sockaddr_in6)); + memset(__entry->daddr, 0, sizeof(struct sockaddr_in6)); + TP_STORE_ADDR_PORTS(__entry, inet, sk); + + __entry->netns_ino = sock_net(sk)->ns.inum; + __entry->type = type; + ), + TP_printk("src=%pISpc dest=%pISpc %s", + __entry->saddr, __entry->daddr, + show_tls_content_type(__entry->type) + ) +); + +/* + * TLS Alert events + */ + +DEFINE_HANDSHAKE_ALERT(tls_alert_send); +DEFINE_HANDSHAKE_ALERT(tls_alert_recv); + #endif /* _TRACE_HANDSHAKE_H */ #include diff --git a/net/handshake/alert.c b/net/handshake/alert.c index 286bf94d93a3..329d91984683 100644 --- a/net/handshake/alert.c +++ b/net/handshake/alert.c @@ -21,6 +21,8 @@ #include "handshake.h" +#include + /** * tls_alert_send - send a TLS Alert on a kTLS socket * @sock: open kTLS socket to send on @@ -39,6 +41,8 @@ int tls_alert_send(struct socket *sock, u8 level, u8 description) u8 alert[2]; int ret; + trace_tls_alert_send(sock->sk, level, description); + alert[0] = level; alert[1] = description; iov.iov_base = alert; @@ -77,6 +81,7 @@ u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *cmsg) return 0; record_type = *((u8 *)CMSG_DATA(cmsg)); + trace_tls_contenttype(sk, record_type); return record_type; } EXPORT_SYMBOL(tls_get_record_type); @@ -99,5 +104,7 @@ void tls_alert_recv(const struct sock *sk, const struct msghdr *msg, data = iov->iov_base; *level = data[0]; *description = data[1]; + + trace_tls_alert_recv(sk, *level, *description); } EXPORT_SYMBOL(tls_alert_recv); diff --git a/net/handshake/trace.c b/net/handshake/trace.c index 1c4d8e27e17a..44432d0857b9 100644 --- a/net/handshake/trace.c +++ b/net/handshake/trace.c @@ -8,8 +8,10 @@ */ #include +#include #include +#include #include #include