| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKmqyKP0eB_WTZtMqtaNELPE4Bs9Ln-0U+_Oqk8fuJXTay_DPg@mail.gmail.com> Date: Tue, 21 Oct 2025 11:01:45 +1000 From: Alistair Francis <alistair23@...il.com> To: Hannes Reinecke <hare@...e.de> Cc: chuck.lever@...cle.com, hare@...nel.org, kernel-tls-handshake@...ts.linux.dev, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org, linux-nvme@...ts.infradead.org, linux-nfs@...r.kernel.org, kbusch@...nel.org, axboe@...nel.dk, hch@....de, sagi@...mberg.me, kch@...dia.com, Alistair Francis <alistair.francis@....com> Subject: Re: [PATCH v4 0/7] nvme-tcp: Support receiving KeyUpdate requests On Tue, Oct 21, 2025 at 3:46 AM Hannes Reinecke <hare@...e.de> wrote: > > On 10/17/25 06:23, alistair23@...il.com wrote: > > From: Alistair Francis <alistair.francis@....com> > > > > The TLS 1.3 specification allows the TLS client or server to send a > > KeyUpdate. This is generally used when the sequence is about to > > overflow or after a certain amount of bytes have been encrypted. > > > > The TLS spec doesn't mandate the conditions though, so a KeyUpdate > > can be sent by the TLS client or server at any time. This includes > > when running NVMe-OF over a TLS 1.3 connection. > > > > As such Linux should be able to handle a KeyUpdate event, as the > > other NVMe side could initiate a KeyUpdate. > > > > Upcoming WD NVMe-TCP hardware controllers implement TLS support > > and send KeyUpdate requests. > > > > This series builds on top of the existing TLS EKEYEXPIRED work, > > which already detects a KeyUpdate request. We can now pass that > > information up to the NVMe layer (target and host) and then pass > > it up to userspace. > > > > Userspace (ktls-utils) will need to save the connection state > > in the keyring during the initial handshake. The kernel then > > provides the key serial back to userspace when handling a > > KeyUpdate. Userspace can use this to restore the connection > > information and then update the keys, this final process > > is similar to the initial handshake. > > > > I am rather sceptical at the current tlshd implementation. > At which place do you update the sending keys? The sending keys are updated as part of gnutls_session_key_update(). gnutls_session_key_update() calls update_sending_key() which updates the sending keys. The idea is that when the sequence number is about to overflow the kernel will request userspace to update the sending keys via the HANDSHAKE_KEY_UPDATE_TYPE_SEND key_update_type. Userspace updates the keys and initiates a KeyUpdate. > I'm only seeing a call to 'gnutls_handhake_update_receiving_key()'. > > But I haven't found the matching function > 'gnutls_handshake_update_sending_key()' in current gnutls. > So how does updating of the sending keys work? gnutls_session_key_update() calls update_sending_key() which updates the sending keys. When updating the sending keys we want to send a KeyUpdate request, which is why it's a different flow. Alistair > > Cheers, > > Hannes > -- > Dr. Hannes Reinecke Kernel Storage Architect > hare@...e.de +49 911 74053 688 > SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg > HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
Powered by blists - more mailing lists