lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <167398609604.5631.1363657967245128346.stgit@91.116.238.104.host.secureserver.net>
Date:   Tue, 17 Jan 2023 15:08:16 -0500
From:   Chuck Lever <chuck.lever@...cle.com>
To:     kuba@...nel.org
Cc:     netdev@...r.kernel.org, hare@...e.com, dhowells@...hat.com,
        kolga@...app.com, jmeneghi@...hat.com
Subject: [PATCH RFC 3/3] net/tls: Create a fixed TLS handshake API

We don't want to perturb API consumers whenever the upcall mechanism
is changed or replaced. The handshake API therefore is not a part of
the listen/accept upcall mechanism, but is a separate fixed
component.

Create the consumer handshake API in its own source file to make it
straightforward to modify the handshake mechanism later.

Signed-off-by: Chuck Lever <chuck.lever@...cle.com>
---
 net/tls/Makefile        |    3 +-
 net/tls/tls_handshake.c |   89 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 net/tls/tls_handshake.c

diff --git a/net/tls/Makefile b/net/tls/Makefile
index 05fbff53ae09..a8bf6aa72e54 100644
--- a/net/tls/Makefile
+++ b/net/tls/Makefile
@@ -7,7 +7,8 @@ CFLAGS_trace.o := -I$(src)
 
 obj-$(CONFIG_TLS) += tls.o
 
-tls-y := af_tlsh.o tls_main.o tls_sw.o tls_proc.o trace.o tls_strp.o
+tls-y := af_tlsh.o tls_handshake.o tls_main.o tls_sw.o tls_proc.o \
+	 trace.o tls_strp.o
 
 tls-$(CONFIG_TLS_TOE) += tls_toe.o
 tls-$(CONFIG_TLS_DEVICE) += tls_device.o tls_device_fallback.o
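Review bot: tls_handshake.o is added to the unconditional tls-y list, which is required here because its three wrappers call tlsh_client_hello_anon/x509/psk provided by af_tlsh.o, also unconditional on the same line; if af_tlsh.o is ever moved under a Kconfig option, this file will need matching stubs or the same guard, so a one-line comment in the Makefile tying the two objects together would save a future link error.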
diff --git a/net/tls/tls_handshake.c b/net/tls/tls_handshake.c
new file mode 100644
index 000000000000..f3726eeb55db
--- /dev/null
+++ b/net/tls/tls_handshake.c
@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * TLS handshake consumer API
+ *
+ * Author: Chuck Lever <chuck.lever@...cle.com>
+ *
+ * Copyright (c) 2023, Oracle and/or its affiliates.
+ *
+ * When a kernel TLS consumer wants to establish a TLS session, it
+ * uses the API calls in this file to request a TLS handshake.
+ *
+ * This is an asynchronous API. These calls do not sleep.
+ */
+
+#include <linux/types.h>
+#include <linux/socket.h>
+
+#include <net/tls.h>
+#include <net/tlsh.h>
+
+#include "tls.h"
+
+/**
+ * tls_client_hello_anon - request an anonymous TLS handshake on a socket
+ * @sock: connected socket on which to perform the handshake
+ * @done: function to call when the handshake has completed
+ * @data: token to pass back to @done
+ * @priorities: GnuTLS TLS priorities string
+ *
+ * Return values:
+ *   %0: Handshake request enqueue; ->done will be called when complete
+ *   %-ENOENT: No user agent is available
+ *   %-ENOMEM: Memory allocation failed
+ */
+int tls_client_hello_anon(struct socket *sock,
+			  void (*done)(void *data, int status), void *data,
+			  const char *priorities)
+{
+	/* Use the listen/accept upcall mechanism */
+	return tlsh_client_hello_anon(sock, done, data, priorities);
+}
+EXPORT_SYMBOL(tls_client_hello_anon);
+
+/**
+ * tls_client_hello_x509 - request an x.509-based TLS handshake on a socket
+ * @sock: connected socket on which to perform the handshake
+ * @done: function to call when the handshake has completed
+ * @data: token to pass back to @done
+ * @priorities: GnuTLS TLS priorities string
+ * @cert: serial number of key containing client's x.509 certificate
+ * @privkey: serial number of key containing client's private key
+ *
+ * Return values:
+ *   %0: Handshake request enqueue; ->done will be called when complete
+ *   %-ENOENT: No user agent is available
+ *   %-ENOMEM: Memory allocation failed
+ */
+int tls_client_hello_x509(struct socket *sock,
+			  void (*done)(void *data, int status), void *data,
+			  const char *priorities, key_serial_t cert,
+			  key_serial_t privkey)
+{
+	/* Use the listen/accept upcall mechanism */
+	return tlsh_client_hello_x509(sock, done, data, priorities, cert,
+				      privkey);
+}
+EXPORT_SYMBOL(tls_client_hello_x509);
+
+/**
+ * tls_client_hello_psk - request a PSK-based TLS handshake on a socket
+ * @sock: connected socket on which to perform the handshake
+ * @done: function to call when the handshake has completed
+ * @data: token to pass back to @done
+ * @priorities: GnuTLS TLS priorities string
+ * @peerid: serial number of key containing TLS identity
+ *
+ * Return values:
+ *   %0: Handshake request enqueue; ->done will be called when complete
+ *   %-ENOENT: No user agent is available
+ *   %-ENOMEM: Memory allocation failed
+ */
+int tls_client_hello_psk(struct socket *sock,
+			 void (*done)(void *data, int status), void *data,
+			 const char *priorities, key_serial_t peerid)
+{
+	/* Use the listen/accept upcall mechanism */
+	return tlsh_client_hello_psk(sock, done, data, priorities, peerid);
+}
+EXPORT_SYMBOL(tls_client_hello_psk);
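Review bot: the header comment states "These calls do not sleep", yet all three functions document a -ENOMEM return, which means the tlsh_client_hello_* path allocates; either confirm that allocation uses a non-sleeping GFP flag and say so in the comment, or drop the "do not sleep" claim so callers in atomic context are not misled. Three smaller documentation points in the same hunk: the return-value line "%0: Handshake request enqueue" should read "enqueued" in all three kernel-doc blocks; the ->done callback's @status argument is never described (callers need to know whether it is 0 on success and a negative errno on failure, and whether ->done can run before the wrapper returns); and for tls_client_hello_x509 and tls_client_hello_psk the kernel-doc should state in which keyring context @cert, @privkey and @peerid are resolved and who enforces possession of those keys, since the wrappers themselves perform no validation of @sock, @done or the key serials before forwarding. Style: the callback type `void (*done)(void *data, int status)` is repeated three times and would read better as a single typedef, and a new in-kernel TLS API would normally be exported with EXPORT_SYMBOL_GPL rather than EXPORT_SYMBOL.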

