| Message ID | 6baaaaf467845c56d7ec47250aaa2138de948003.1731597571.git.sd@queasysnail.net |
|---|---|
| State | Superseded |
| Headers | show |
| Series | tls: implement key updates for TLS1.3 | expand |
2024-12-03, 19:51:29 -0800, Jakub Kicinski wrote: > On Thu, 14 Nov 2024 16:50:51 +0100 Sabrina Dubroca wrote: > > +To prevent attempting to decrypt incoming records using the wrong key, > > +decryption will be paused when a KeyUpdate message is received by the > > +kernel, until the new key has been provided using the TLS_RX socket > > +option. Any read occurring after the KeyUpdate has been read and > > +before the new key is provided will fail with EKEYEXPIRED. Poll()'ing > > +the socket will also sleep until the new key is provided. There is no > > +pausing on the transmit side. > > Thanks for the doc update, very useful. I'm not a socket expert so dunno > if suppressing POLLIN is the right thing to do. Not an expert either. I picked that because there's no data to be read, which is what POLLIN should mean. man 2 poll: POLLIN There is data to read. man 3 poll: POLLIN Data other than high-priority data may be read without blocking. Based on this, reporting POLLIN seems wrong to me. > But a nit on the > phrasing - I'd say "poll() will not report any events from the socket > until.." ? Could be just me but sleep is a second order effect. Agree, thanks for the suggestion. Maybe actually "will not report read events"? Other events are unaffected by a pending rekey.
On Thu, 5 Dec 2024 12:06:37 +0100 Sabrina Dubroca wrote: > > But a nit on the > > phrasing - I'd say "poll() will not report any events from the socket > > until.." ? Could be just me but sleep is a second order effect. > > Agree, thanks for the suggestion. Maybe actually "will not report read > events"? Other events are unaffected by a pending rekey. Good point, SG!
diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 658ed3a71e1b..dfce109fe2ca 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -200,6 +200,31 @@ received without a cmsg buffer set. recv will never return data from mixed types of TLS records. +TLS 1.3 Key Updates +------------------- + +In TLS 1.3, KeyUpdate handshake messages signal that the sender is +updating its TX key. Any message sent after a KeyUpdate will be +encrypted using the new key. The userspace library can pass the new +key to the kernel using the TLS_TX and TLS_RX socket options, as for +the initial keys. TLS version and cipher cannot be changed. + +To prevent attempting to decrypt incoming records using the wrong key, +decryption will be paused when a KeyUpdate message is received by the +kernel, until the new key has been provided using the TLS_RX socket +option. Any read occurring after the KeyUpdate has been read and +before the new key is provided will fail with EKEYEXPIRED. Poll()'ing +the socket will also sleep until the new key is provided. There is no +pausing on the transmit side. + +Userspace should make sure that the crypto_info provided has been set +properly. In particular, the kernel will not check for key/nonce +reuse. + +The number of successful and failed key updates is tracked in the +``TlsTxRekeyOk``, ``TlsRxRekeyOk``, ``TlsTxRekeyError``, +``TlsRxRekeyError`` statistics. + Integrating in to userspace TLS library --------------------------------------- @@ -286,3 +311,9 @@ TLS implementation exposes the following per-namespace statistics - ``TlsRxNoPadViolation`` - number of data RX records which had to be re-decrypted due to ``TLS_RX_EXPECT_NO_PAD`` mis-prediction. + +- ``TlsTxRekeyOk``, ``TlsRxRekeyOk`` - + number of successful rekeys on existing sessions for TX and RX + +- ``TlsTxRekeyError``, ``TlsRxRekeyError`` - + number of failed rekeys on existing sessions for TX and RX
v3: added following Jakub's comment on the cover letter v4: add the new counters Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> --- Documentation/networking/tls.rst | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)