[net-next,v4,1/6] tls: block decryption when a rekey is pending

When a TLS handshake record carrying a KeyUpdate message is received,
all subsequent records will be encrypted with a new key. We need to
stop decrypting incoming records with the old key, and wait until
userspace provides a new key.

Make a note of this in the RX context just after decrypting that
record, and stop recvmsg/splice calls with EKEYEXPIRED until the new
key is available.

key_update_pending can't be combined with the existing bitfield,
because we will read it locklessly in ->poll.

v3:
 - move key_update_pending check into tls_rx_rec_wait (Jakub)
 - TLS_RECORD_TYPE_HANDSHAKE was added to include/net/tls_prot.h by
   the tls handshake series, drop that from this patch
 - move key_update_pending into an existing hole

v4:
 - flip TLS_RECORD_TYPE_HANDSHAKE test and use likely() (Jakub)
 - pass ctx rather than sk to tls_check_pending_rekey (Jakub)
 - use WRITE_ONCE to set key_update_pending to pair with ->poll's
   lockless read

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 include/net/tls.h |  3 +++
 net/tls/tls_sw.c  | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

Hi,

On 14/11/24 9:20 pm, Sabrina Dubroca wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
> 
> When a TLS handshake record carrying a KeyUpdate message is received,
> all subsequent records will be encrypted with a new key. We need to
> stop decrypting incoming records with the old key, and wait until
> userspace provides a new key.
> 
> Make a note of this in the RX context just after decrypting that
> record, and stop recvmsg/splice calls with EKEYEXPIRED until the new
> key is available.
> 
> key_update_pending can't be combined with the existing bitfield,
> because we will read it locklessly in ->poll.
> 
> v3:
>   - move key_update_pending check into tls_rx_rec_wait (Jakub)
>   - TLS_RECORD_TYPE_HANDSHAKE was added to include/net/tls_prot.h by
>     the tls handshake series, drop that from this patch
>   - move key_update_pending into an existing hole
> 
> v4:
>   - flip TLS_RECORD_TYPE_HANDSHAKE test and use likely() (Jakub)
>   - pass ctx rather than sk to tls_check_pending_rekey (Jakub)
>   - use WRITE_ONCE to set key_update_pending to pair with ->poll's
>     lockless read
> 
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
> ---
>   include/net/tls.h |  3 +++
>   net/tls/tls_sw.c  | 35 +++++++++++++++++++++++++++++++++++
>   2 files changed, 38 insertions(+)
> 
> diff --git a/include/net/tls.h b/include/net/tls.h
> index 3a33924db2bc..870e4421c599 100644
> --- a/include/net/tls.h
> +++ b/include/net/tls.h
> @@ -59,6 +59,8 @@ struct tls_rec;
> 
>   #define TLS_CRYPTO_INFO_READY(info)    ((info)->cipher_type)
> 
> +#define TLS_HANDSHAKE_KEYUPDATE                24      /* rfc8446 B.3: Key update */
> +
>   #define TLS_AAD_SPACE_SIZE             13
> 
>   #define TLS_MAX_IV_SIZE                        16
> @@ -130,6 +132,7 @@ struct tls_sw_context_rx {
>          u8 async_capable:1;
>          u8 zc_capable:1;
>          u8 reader_contended:1;
> +       bool key_update_pending;
> 
>          struct tls_strparser strp;
> 
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index bbf26cc4f6ee..db98710c4810 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -1314,6 +1314,10 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
>          int ret = 0;
>          long timeo;
> 
> +       /* a rekey is pending, let userspace deal with it */
> +       if (unlikely(ctx->key_update_pending))
> +               return -EKEYEXPIRED;
> +
>          timeo = sock_rcvtimeo(sk, nonblock);
> 
>          while (!tls_strp_msg_ready(ctx)) {
> @@ -1720,6 +1724,32 @@ tls_decrypt_device(struct sock *sk, struct msghdr *msg,
>          return 1;
>   }
> 
> +static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb)
> +{
> +       const struct tls_msg *tlm = tls_msg(skb);
> +       const struct strp_msg *rxm = strp_msg(skb);
Missing reverse xmas tree format.
> +       char hs_type;
> +       int err;
> +
> +       if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
> +               return 0;
> +
> +       if (rxm->full_len < 1)
> +               return -EINVAL;
> +
> +       err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> +       if (err < 0)
> +               return err;
> +
> +       if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
> +               struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> +
> +               WRITE_ONCE(rx_ctx->key_update_pending, true);
> +       }
> +
> +       return 0;
> +}
> +
>   static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
>                               struct tls_decrypt_arg *darg)
>   {
> @@ -1739,6 +1769,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
>          rxm->full_len -= prot->overhead_size;
>          tls_advance_record_sn(sk, prot, &tls_ctx->rx);
> 
> +       err = tls_check_pending_rekey(tls_ctx, darg->skb);
I think you can directly return from here.

Best regards,
Parthiban V
> +       if (err < 0)
> +               return err;
> +
>          return 0;
>   }
> 
> @@ -2719,6 +2753,7 @@ int tls_set_sw_offload(struct sock *sk, int tx)
>                  crypto_info = &ctx->crypto_recv.info;
>                  cctx = &ctx->rx;
>                  aead = &sw_ctx_rx->aead_recv;
> +               sw_ctx_rx->key_update_pending = false;
>          }
> 
>          cipher_desc = get_cipher_desc(crypto_info->cipher_type);
> --
> 2.47.0
> 
>

2024-12-03, 19:47:01 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:48 +0100 Sabrina Dubroca wrote:
> > +static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb)
> > +{
> > +	const struct tls_msg *tlm = tls_msg(skb);
> > +	const struct strp_msg *rxm = strp_msg(skb);
> > +	char hs_type;
> > +	int err;
> > +
> > +	if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
> > +		return 0;
> > +
> > +	if (rxm->full_len < 1)
> > +		return -EINVAL;
> > +
> > +	err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > +	if (err < 0)
> > +		return err;
> > +
> > +	if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
> > +		struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > +		WRITE_ONCE(rx_ctx->key_update_pending, true);
> > +	}
> > +
> > +	return 0;
> > +}
> > +
> >  static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> >  			     struct tls_decrypt_arg *darg)
> >  {
> > @@ -1739,6 +1769,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> >  	rxm->full_len -= prot->overhead_size;
> >  	tls_advance_record_sn(sk, prot, &tls_ctx->rx);
> >  
> > +	err = tls_check_pending_rekey(tls_ctx, darg->skb);
> > +	if (err < 0)
> > +		return err;
> 
> Sorry if I already asked this, is this 100% safe to error out from here
> after we decrypted the record? Normally once we successfully decrypted
> and pulled the message header / trailer we always call tls_rx_rec_done()

This is the same thing tls_rx_one_record does when tls_decrypt_sw
fails. Return <0 immediately, let the caller deal with the fallout. In
the case where tls_padding_length fails, tls_decrypt_sw has an extra
consume_skb though.

Returning an error here will make tls_rx_one_record() also return an
error, and when that happens we always call tls_err_abort(). It's a
big hammer, but it should be safe.

> The only reason the check_pending_rekey() can fail is if the message is
> mis-formatted, I wonder if we are better off ignoring mis-formatted
> rekeys? User space will see them and break the connection, anyway.
> Alternatively - we could add a selftest for this.


Going back to tls_check_pending_rekey():

> > +	if (rxm->full_len < 1)
> > +		return -EINVAL;

There's no real reason to fail here, we should probably just ignore
it. It's not a rekey, and it's not a valid handshake message, but one
could say that's not the kernel's problem. I'll make that return 0
unless you want to keep -EINVAL.

Hard to write a selftest for because we'd have to do a sendmsg with
len=0, or do the crypto in the selftest.

> > +	err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > +	if (err < 0)
> > +		return err;

This probably means that the skb we got from the parser was broken. If
we can't read 1B with full_len >= 1, something's wrong. Maybe worth a
DEBUG_NET_WARN_ON_ONCE?

> > +	if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {

Here I don't actually check if it's a correct KeyUpdate message [1],
we pause decryption and let userspace decide what to do (probably
break the connection as you said).

[1] https://datatracker.ietf.org/doc/html/rfc8446#page-25
    https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3

> > +		struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > +		WRITE_ONCE(rx_ctx->key_update_pending, true);
> > +	}
> > +
> > +	return 0;
> > +}

On Tue, 10 Dec 2024 17:16:09 +0100 Sabrina Dubroca wrote:
> > The only reason the check_pending_rekey() can fail is if the message is
> > mis-formatted, I wonder if we are better off ignoring mis-formatted
> > rekeys? User space will see them and break the connection, anyway.
> > Alternatively - we could add a selftest for this.  
> 
> Going back to tls_check_pending_rekey():
> 
> > > +	if (rxm->full_len < 1)
> > > +		return -EINVAL;  
> 
> There's no real reason to fail here, we should probably just ignore
> it. It's not a rekey, and it's not a valid handshake message, but one
> could say that's not the kernel's problem. I'll make that return 0
> unless you want to keep -EINVAL.

returning 0 SGTM

> Hard to write a selftest for because we'd have to do a sendmsg with
> len=0, or do the crypto in the selftest.
> 
> > > +	err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > > +	if (err < 0)
> > > +		return err;  
> 
> This probably means that the skb we got from the parser was broken. If
> we can't read 1B with full_len >= 1, something's wrong. Maybe worth a
> DEBUG_NET_WARN_ON_ONCE?

Also SG!

> > > +	if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {  
> 
> Here I don't actually check if it's a correct KeyUpdate message [1],
> we pause decryption and let userspace decide what to do (probably
> break the connection as you said).