net/tls: add TlsDecryptError stat
authorJakub Kicinski <jakub.kicinski@netronome.com>
Fri, 4 Oct 2019 23:19:26 +0000 (16:19 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sat, 5 Oct 2019 23:29:00 +0000 (16:29 -0700)
Add a statistic for TLS record decryption errors.

Since devices are supposed to pass records as-is when they
encounter errors this statistic will count bad records in
both pure software and inline crypto configurations.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Documentation/networking/tls.rst
include/uapi/linux/snmp.h
net/tls/tls_proc.c
net/tls/tls_sw.c

index cfba587af5c95226251f41eab30cfdec7a3fbc72..ab82362dd819ec2f8f099dcbc4ce7bdbfd44a429 100644 (file)
@@ -233,3 +233,6 @@ TLS implementation exposes the following per-namespace statistics
 
 - ``TlsTxDevice``, ``TlsRxDevice`` -
   number of TX and RX sessions opened with NIC cryptography
+
+- ``TlsDecryptError`` -
+  record decryption failed (e.g. due to incorrect authentication tag)
index 1b4613b5af70ea8f45622dcaedd525732ad7d722..c9e4963e26f0f2b9f5fba99780995e48aada50d9 100644 (file)
@@ -335,6 +335,7 @@ enum
        LINUX_MIB_TLSRXSW,                      /* TlsRxSw */
        LINUX_MIB_TLSTXDEVICE,                  /* TlsTxDevice */
        LINUX_MIB_TLSRXDEVICE,                  /* TlsRxDevice */
+       LINUX_MIB_TLSDECRYPTERROR,              /* TlsDecryptError */
        __LINUX_MIB_TLSMAX
 };
 
index 1b1f3783badc2ef3f762732de93b57f1609cd58b..2bea7ef4823c2aac3a0a3048994c7f73343a9fa7 100644 (file)
@@ -15,6 +15,7 @@ static const struct snmp_mib tls_mib_list[] = {
        SNMP_MIB_ITEM("TlsRxSw", LINUX_MIB_TLSRXSW),
        SNMP_MIB_ITEM("TlsTxDevice", LINUX_MIB_TLSTXDEVICE),
        SNMP_MIB_ITEM("TlsRxDevice", LINUX_MIB_TLSRXDEVICE),
+       SNMP_MIB_ITEM("TlsDecryptError", LINUX_MIB_TLSDECRYPTERROR),
        SNMP_MIB_SENTINEL
 };
 
index c2b5e0d2ba1a2a2308a375dfccb49a3760aae64e..0b1e86f856ebbca3ca73ba56533e03a76410f4be 100644 (file)
@@ -168,6 +168,9 @@ static void tls_decrypt_done(struct crypto_async_request *req, int err)
 
        /* Propagate if there was an err */
        if (err) {
+               if (err == -EBADMSG)
+                       TLS_INC_STATS(sock_net(skb->sk),
+                                     LINUX_MIB_TLSDECRYPTERROR);
                ctx->async_wait.err = err;
                tls_err_abort(skb->sk, err);
        } else {
@@ -253,6 +256,8 @@ static int tls_do_decryption(struct sock *sk,
                        return ret;
 
                ret = crypto_wait_req(ret, &ctx->async_wait);
+       } else if (ret == -EBADMSG) {
+               TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR);
        }
 
        if (async)