Message ID | 20190628230759.16360-1-jakub.kicinski@netronome.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Headers | show |
Series | [net] net/tls: reject offload of TLS 1.3 | expand |
From: Jakub Kicinski <jakub.kicinski@netronome.com> Date: Fri, 28 Jun 2019 16:07:59 -0700 > Neither drivers nor the tls offload code currently supports TLS > version 1.3. Check the TLS version when installing connection > state. TLS 1.3 will just fallback to the kernel crypto for now. > > Fixes: 130b392c6cd6 ("net: tls: Add tls 1.3 support") > Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> > Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com> Applied and queued up for v5.1+ -stable. Thanks.
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c index 1f9cf57d9754..397990407ed6 100644 --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -742,6 +742,11 @@ int tls_set_device_offload(struct sock *sk, struct tls_context *ctx) } crypto_info = &ctx->crypto_send.info; + if (crypto_info->version != TLS_1_2_VERSION) { + rc = -EOPNOTSUPP; + goto free_offload_ctx; + } + switch (crypto_info->cipher_type) { case TLS_CIPHER_AES_GCM_128: nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE; @@ -876,6 +881,9 @@ int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx) struct net_device *netdev; int rc = 0; + if (ctx->crypto_recv.info.version != TLS_1_2_VERSION) + return -EOPNOTSUPP; + /* We support starting offload on multiple sockets * concurrently, so we only need a read lock here. * This lock must precede get_netdev_for_sock to prevent races between