path: root/net
diff options
authorJakub Kicinski <jakub.kicinski@netronome.com>2020-01-10 04:36:55 -0800
committerDavid S. Miller <davem@davemloft.net>2020-01-10 11:18:15 -0800
commit5c5d22a750d4bcf35e9539dccec397b0edcce176 (patch)
tree728fb2d0b6e72573d77d9c739c0915c29c3820eb /net
parente267371dd376d1b3ebc9f01229845a9656734d97 (diff)
net/tls: avoid spurious decryption error with HW resync
When device loses sync mid way through a record - kernel has to re-encrypt the part of the record which the device already decrypted to be able to decrypt and authenticate the record in its entirety. The re-encryption piggy backs on the decryption routine, but obviously because the partially decrypted record can't be authenticated crypto API returns an error which is then ignored by tls_device_reencrypt(). Commit 5c5ec6685806 ("net/tls: add TlsDecryptError stat") added a statistic to count decryption errors, this statistic can't be incremented when we see the expected re-encryption error. Move the inc to the caller. Reported-and-tested-by: David Beckett <david.beckett@netronome.com> Fixes: 5c5ec6685806 ("net/tls: add TlsDecryptError stat") Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
1 files changed, 3 insertions, 3 deletions
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index c6803a82b769..1bf886269ede 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -256,8 +256,6 @@ static int tls_do_decryption(struct sock *sk,
return ret;
ret = crypto_wait_req(ret, &ctx->async_wait);
- } else if (ret == -EBADMSG) {
if (async)
@@ -1515,7 +1513,9 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
if (err == -EINPROGRESS)
tls_advance_record_sn(sk, prot,
+ else if (err == -EBADMSG)
+ TLS_INC_STATS(sock_net(sk),
return err;
} else {

Privacy Policy