Hi Guenter,

On 2/23/2018 11:52 PM, Guenter Roeck wrote:
Hi Ilya,

On Mon, Sep 04, 2017 at 01:14:01PM +0300, Ilya Lesokhin wrote:
The tls ulp overrides sk->prot with a new tls specific proto structs.
The tls specific structs were previously based on the ipv4 specific
tcp_prot struct.
As a result, attaching the tls ulp to an ipv6 tcp socket replaced
some ipv6 callbacks with the ipv4 equivalents.

This patch adds ipv6 tls proto structs and uses them when
attached to ipv6 sockets.


Do you plan to update this patch with the missing TCPv6 support ?

We'll re-spin a v4 by EOW.

As far as I can see, the part that was accepted upstream does not fix
the TCPv6 protocol issue which triggers CVE-2018-5703.

If adding IPv6 support is not possible/acceptable, would it make sense
to limit TLS support to TCPv4, ie add something like

        if (sk->sk_prot != &tcp_prot)
                return -EINVAL;

to tls_init() ?

AFAIK there are users of TLS over IPv6 who wouldn't find this acceptable.

Best,
Boris.
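To make the mechanism under discussion concrete, here is an added userspace model of the ULP proto swap. It is not kernel code, not the patch under review and not from anyone in the thread: struct proto, struct sock and the handlers are cut down to two callbacks that return a family tag (4, 6, or 100 for the TLS handler) so the behaviour can be run and checked outside the kernel. tls_init_buggy derives the TLS proto from tcp_prot regardless of the socket, tls_init_v4_only applies the TCPv4-only check Guenter proposes, and tls_init_fixed follows what the commit message describes: a separate proto struct derived from the base the socket already has.

```c
/*
 * Added userspace model of the TLS ULP proto swap (not kernel code).
 * struct proto / struct sock are reduced to the fields this needs.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>

struct sock;

/* Stand-in for the kernel's struct proto: only the callbacks we care about. */
struct proto {
	const char *name;
	int (*setsockopt)(struct sock *sk, int optname);
	int (*sendmsg)(struct sock *sk, const char *buf);
};

struct sock {
	int family;                  /* AF_INET or AF_INET6 */
	const struct proto *sk_prot; /* what a ULP overrides on attach */
};

/* Base TCP callbacks. Returning 4 or 6 tags which family's code ran. */
static int tcp_setsockopt(struct sock *sk, int optname)    { (void)sk; (void)optname; return 4; }
static int tcp_sendmsg(struct sock *sk, const char *buf)   { (void)sk; (void)buf; return 4; }
static int tcpv6_setsockopt(struct sock *sk, int optname)  { (void)sk; (void)optname; return 6; }
static int tcpv6_sendmsg(struct sock *sk, const char *buf) { (void)sk; (void)buf; return 6; }

static const struct proto tcp_prot   = { "TCP",   tcp_setsockopt,   tcp_sendmsg };
static const struct proto tcpv6_prot = { "TCPv6", tcpv6_setsockopt, tcpv6_sendmsg };

/* The ULP's own sendmsg; 100 tags "TLS code ran". */
static int tls_sw_sendmsg(struct sock *sk, const char *buf) { (void)sk; (void)buf; return 100; }

static struct proto tls_prot;    /* derived from tcp_prot */
static struct proto tlsv6_prot;  /* derived from tcpv6_prot, the struct the patch adds */

/* Copy the base proto, then override only what TLS implements itself. */
static void build_tls_proto(struct proto *dst, const struct proto *base, const char *name)
{
	*dst = *base;
	dst->name = name;
	dst->sendmsg = tls_sw_sendmsg;
}

/* Before the fix: always derived from the IPv4 tcp_prot, whatever the socket is. */
static int tls_init_buggy(struct sock *sk)
{
	build_tls_proto(&tls_prot, &tcp_prot, "TLS");
	sk->sk_prot = &tls_prot; /* an IPv6 socket now runs tcp_setsockopt */
	return 0;
}

/* The TCPv4-only fallback suggested in the thread: refuse anything but tcp_prot. */
static int tls_init_v4_only(struct sock *sk)
{
	if (sk->sk_prot != &tcp_prot)
		return -EINVAL;
	build_tls_proto(&tls_prot, &tcp_prot, "TLS");
	sk->sk_prot = &tls_prot;
	return 0;
}

/* Per the commit message: derive the TLS proto from whichever base the socket has. */
static int tls_init_fixed(struct sock *sk)
{
	if (sk->sk_prot == &tcp_prot) {
		build_tls_proto(&tls_prot, &tcp_prot, "TLS");
		sk->sk_prot = &tls_prot;
	} else if (sk->sk_prot == &tcpv6_prot) {
		build_tls_proto(&tlsv6_prot, &tcpv6_prot, "TLSv6");
		sk->sk_prot = &tlsv6_prot;
	} else {
		return -EINVAL;
	}
	return 0;
}

/* Attach with the given init routine, then report which callback the socket now calls. */
static int setsockopt_after_attach(int (*init)(struct sock *), int family)
{
	struct sock sk = { family, family == AF_INET6 ? &tcpv6_prot : &tcp_prot };
	int err = init(&sk);
	return err ? err : sk.sk_prot->setsockopt(&sk, 0);
}

static int sendmsg_after_attach(int (*init)(struct sock *), int family)
{
	struct sock sk = { family, family == AF_INET6 ? &tcpv6_prot : &tcp_prot };
	int err = init(&sk);
	return err ? err : sk.sk_prot->sendmsg(&sk, "x");
}

int main(void)
{
	printf("buggy,   IPv6 socket: setsockopt runs family %d code\n",
	       setsockopt_after_attach(tls_init_buggy, AF_INET6));
	printf("fixed,   IPv6 socket: setsockopt runs family %d code\n",
	       setsockopt_after_attach(tls_init_fixed, AF_INET6));
	printf("v4-only, IPv6 socket: attach returns %d\n",
	       setsockopt_after_attach(tls_init_v4_only, AF_INET6));
	return 0;
}
```

The buggy path shows the CVE-2018-5703 shape: after attach, an IPv6 socket's non-TLS callbacks resolve to the IPv4 implementations, while sendmsg still goes to TLS as intended. The v4-only variant is safe but, as Boris notes, turns every IPv6 attach into an EINVAL; the per-family proto struct is what keeps IPv6 users working.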
