path: root/net/tls/tls_main.c
authorJohn Fastabend <john.fastabend@gmail.com>2018-12-20 14:35:36 -0500
committerDaniel Borkmann <daniel@iogearbox.net>2018-12-20 17:47:09 -0500
commit28cb6f1eaffdc5a6a9707cac55f4a43aa3fd7895 (patch)
treecd64f2bdd6ac693f204b18938c5836df2bcc698e /net/tls/tls_main.c
parent0608c69c9a805c6264689d7eab4203eab88cf1da (diff)
bpf: tls_sw, init TLS ULP removes BPF proto hooks
The existing code did not expect users would initialize the TLS ULP without subsequently calling the TLS TX enabling socket option. If the application tries to send data after the TLS ULP enable op but before the TLS TX enable op the BPF sk_msg verdict program is skipped. This patch resolves this by converting the ipv4 sock ops to be calculated at init time the same way ipv6 ops are done. This pulls in any changes to the sock ops structure that have been made after the socket was created including the changes from adding the socket to a sock{map|hash}. This was discovered by running OpenSSL master branch which calls the TLS ULP setsockopt early in TLS handshake but only enables the TLS TX path once the handshake has completed. As a result the datapath missed the initial handshake messages. Fixes: 02c558b2d5d6 ("bpf: sockmap, support for msg_peek in sk_msg with redirect ingress") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'net/tls/tls_main.c')
-rw-r--r--net/tls/tls_main.c14
1 files changed, 12 insertions, 2 deletions
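--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -55,6 +55,8 @@ enum {
 
 static struct proto *saved_tcpv6_prot;
 static DEFINE_MUTEX(tcpv6_prot_mutex);
+static struct proto *saved_tcpv4_prot;
+static DEFINE_MUTEX(tcpv4_prot_mutex);
 static LIST_HEAD(device_list);
 static DEFINE_MUTEX(device_mutex);
 static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG][TLS_NUM_CONFIG];
@@ -690,6 +692,16 @@ static int tls_init(struct sock *sk)
 		mutex_unlock(&tcpv6_prot_mutex);
 	}
 
+	if (ip_ver == TLSV4 &&
+	    unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv4_prot))) {
+		mutex_lock(&tcpv4_prot_mutex);
+		if (likely(sk->sk_prot != saved_tcpv4_prot)) {
+			build_protos(tls_prots[TLSV4], sk->sk_prot);
+			smp_store_release(&saved_tcpv4_prot, sk->sk_prot);
+		}
+		mutex_unlock(&tcpv4_prot_mutex);
+	}
+
 	ctx->tx_conf = TLS_BASE;
 	ctx->rx_conf = TLS_BASE;
 	update_sk_prot(sk, ctx);
@@ -721,8 +733,6 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
 
 static int __init tls_register(void)
 {
-	build_protos(tls_prots[TLSV4], &tcp_prot);
-
 	tls_sw_proto_ops = inet_stream_ops;
 	tls_sw_proto_ops.splice_read = tls_sw_splice_read;
 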
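Review bot: The new IPv4 branch in tls_init() rebuilds the shared tls_prots[TLSV4] table in place with build_protos() every time a socket arrives whose sk_prot differs from saved_tcpv4_prot, and nothing in the hunk prevents sockets that already had update_sk_prot() point their sk_prot into that same table from seeing their ops swapped underneath them when a later socket with a different base proto (for example one with and one without sockmap hooks) initializes the ULP. The IPv6 path just above appears to have the same structure, so this is inherited rather than introduced, but the commit widens it to IPv4, where tls_prots[TLSV4] was previously built once from &tcp_prot at module init; whether the sockmap/plain alternation can actually occur in practice should be confirmed against the sockmap code rather than assumed from this hunk. At minimum the rebuild deserves a comment stating the design assumption, e.g. `/* Rebuild the IPv4 proto table from this socket's current sk_prot so ops installed after creation (e.g. by sockmap) are inherited; assumes all TLSv4 sockets share one base proto at a time, as the IPv6 path does. */`. The body of tls_init() begins and ends outside this hunk.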