Message-ID: <167398534919.5631.3008767788631058826.stgit@91.116.238.104.host.secureserver.net>
Date: Tue, 17 Jan 2023 15:07:55 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: kuba@...nel.org
Cc: netdev@...r.kernel.org, hare@...e.com, dhowells@...hat.com,
kolga@...app.com, jmeneghi@...hat.com
Subject: [PATCH RFC 0/3] Another crack at a handshake upcall mechanism
Hello Jakub-
I've addressed the thing you liked least about last year's handshake
upcall attempt: gathering the handshake parameters from socket
options. That is now done instead via a generic netlink service.
I'm a rank netlink amateur, so any guidance there is helpful.
Probably the next step is to divorce AF_TLSH from net/tls and make
it general so that other security protocols can make use of it.
A sample user space handshake daemon is available here:
https://github.com/oracle/ktls-utils
The "main" branch has patches that add a netlink client to replace
the use of getsockopt(3).
---
Chuck Lever (3):
net/tls: Add an AF_TLSH address family
net/tls: Add support for PF_TLSH (a TLS handshake listener)
net/tls: Create a fixed TLS handshake API
Documentation/networking/index.rst | 1 +
.../networking/tls-in-kernel-handshake.rst | 123 ++
include/linux/socket.h | 4 +-
include/net/sock.h | 3 +
include/net/tls.h | 12 +
include/net/tlsh.h | 25 +
include/uapi/linux/tls.h | 43 +
net/core/sock.c | 4 +-
net/socket.c | 1 +
net/tls/Makefile | 3 +-
net/tls/af_tlsh.c | 1266 +++++++++++++++++
net/tls/tls.h | 15 +
net/tls/tls_handshake.c | 89 ++
net/tls/tls_main.c | 19 +-
net/tls/trace.c | 3 +
net/tls/trace.h | 341 +++++
security/selinux/hooks.c | 4 +-
security/selinux/include/classmap.h | 4 +-
.../perf/trace/beauty/include/linux/socket.h | 4 +-
19 files changed, 1957 insertions(+), 7 deletions(-)
create mode 100644 Documentation/networking/tls-in-kernel-handshake.rst
create mode 100644 include/net/tlsh.h
create mode 100644 net/tls/af_tlsh.c
create mode 100644 net/tls/tls_handshake.c
--
Chuck Lever