[RFC PATCH net-next 2/2] net: tls: export protocol version and cipher to socket diag

Wed, 05 Jun 2019 08:40:28 -0700 

When an application configures kernel TLS on top of a TCP socket, it's
now possible for inet_diag_handler to collect information regarding the
protocol version and the cipher, in case INET_DIAG_INFO is requested.

Signed-off-by: Davide Caratti <dcara...@redhat.com>
---
 include/uapi/linux/inet_diag.h |  1 +
 include/uapi/linux/tls.h       |  8 +++++++
 net/tls/tls_main.c             | 43 ++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git a/include/uapi/linux/inet_diag.h b/include/uapi/linux/inet_diag.h
index 844133de3212..92208535c096 100644
--- a/include/uapi/linux/inet_diag.h
+++ b/include/uapi/linux/inet_diag.h
@@ -161,6 +161,7 @@ enum {
 
 enum {
        ULP_INFO_NAME,
+       ULP_INFO_TLS,
        __ULP_INFO_MAX,
 };
 
diff --git a/include/uapi/linux/tls.h b/include/uapi/linux/tls.h
index 5b9c26753e46..442348bd2e54 100644
--- a/include/uapi/linux/tls.h
+++ b/include/uapi/linux/tls.h
@@ -109,4 +109,12 @@ struct tls12_crypto_info_aes_ccm_128 {
        unsigned char rec_seq[TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE];
 };
 
+enum {
+       TLS_INFO_VERSION,
+       TLS_INFO_CIPHER,
+       __TLS_INFO_MAX,
+};
+
+#define TLS_INFO_MAX (__TLS_INFO_MAX - 1)
+
 #endif /* _UAPI_LINUX_TLS_H */
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index fc81ae18cc44..14597526981c 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -39,6 +39,7 @@
 #include <linux/netdevice.h>
 #include <linux/sched/signal.h>
 #include <linux/inetdevice.h>
+#include <linux/inet_diag.h>
 
 #include <net/tls.h>
 
@@ -798,6 +799,46 @@ static int tls_init(struct sock *sk)
        return rc;
 }
 
+static int tls_get_info(struct sock *sk, struct sk_buff *skb)
+{
+       struct tls_context *ctx = tls_get_ctx(sk);
+       struct nlattr *start = 0;
+       int err = 0;
+
+       if (sk->sk_state != TCP_ESTABLISHED)
+               goto end;
+       start = nla_nest_start_noflag(skb, ULP_INFO_TLS);
+       if (!start) {
+               err = -EMSGSIZE;
+               goto nla_failure;
+       }
+       err = nla_put_u16(skb, TLS_INFO_VERSION, ctx->prot_info.version);
+       if (err < 0)
+               goto nla_failure;
+       err = nla_put_u16(skb, TLS_INFO_CIPHER, ctx->prot_info.cipher_type);
+       if (err < 0)
+               goto nla_failure;
+       nla_nest_end(skb, start);
+end:
+       return err;
+nla_failure:
+       nla_nest_cancel(skb, start);
+       goto end;
+}
+
+static size_t tls_get_info_size(struct sock *sk)
+{
+       size_t size = 0;
+
+       if (sk->sk_state != TCP_ESTABLISHED)
+               return size;
+
+       size +=   nla_total_size(0) /* ULP_INFO_TLS */
+               + nla_total_size(sizeof(__u16)) /* TLS_INFO_VERSION */
+               + nla_total_size(sizeof(__u16)); /* TLS_INFO_CIPHER */
+       return size;
+}
+
 void tls_register_device(struct tls_device *device)
 {
        spin_lock_bh(&device_spinlock);
@@ -818,6 +859,8 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
        .name                   = "tls",
        .owner                  = THIS_MODULE,
        .init                   = tls_init,
+       .get_info               = tls_get_info,
+       .get_info_size          = tls_get_info_size,
 };
 
 static int __init tls_register(void)
-- 
2.20.1

Reply via email to