]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
net/tls: avoid spurious decryption error with HW resync
authorJakub Kicinski <jakub.kicinski@netronome.com>
Fri, 10 Jan 2020 12:36:55 +0000 (04:36 -0800)
committerDavid S. Miller <davem@davemloft.net>
Fri, 10 Jan 2020 19:18:15 +0000 (11:18 -0800)
When device loses sync mid way through a record - kernel
has to re-encrypt the part of the record which the device
already decrypted to be able to decrypt and authenticate
the record in its entirety.

The re-encryption piggy backs on the decryption routine,
but obviously because the partially decrypted record can't
be authenticated crypto API returns an error which is then
ignored by tls_device_reencrypt().

Commit 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
added a statistic to count decryption errors, this statistic
can't be incremented when we see the expected re-encryption
error. Move the inc to the caller.

Reported-and-tested-by: David Beckett <david.beckett@netronome.com>
Fixes: 5c5ec6685806 ("net/tls: add TlsDecryptError stat")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tls/tls_sw.c

index c6803a82b769b15a117fc444ad98861a25c16f28..1bf886269ede45223546d846ea02b88a9b431454 100644 (file)
@@ -256,8 +256,6 @@ static int tls_do_decryption(struct sock *sk,
                        return ret;
 
                ret = crypto_wait_req(ret, &ctx->async_wait);
-       } else if (ret == -EBADMSG) {
-               TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
        }
 
        if (async)
@@ -1515,7 +1513,9 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
                                if (err == -EINPROGRESS)
                                        tls_advance_record_sn(sk, prot,
                                                              &tls_ctx->rx);
-
+                               else if (err == -EBADMSG)
+                                       TLS_INC_STATS(sock_net(sk),
+                                                     LINUX_MIB_TLSDECRYPTERROR);
                                return err;
                        }
                } else {