Message-ID: <167580444939.5328.5412964147692077675.stgit@91.116.238.104.host.secureserver.net>
Date:   Tue, 07 Feb 2023 16:41:05 -0500
From:   Chuck Lever <chuck.lever@...cle.com>
To:     kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com
Cc:     netdev@...r.kernel.org, hare@...e.com, dhowells@...hat.com,
        bcodding@...hat.com, kolga@...app.com, jmeneghi@...hat.com
Subject: [PATCH v3 0/2] Another crack at a handshake upcall mechanism

Hi-

Here is v3 of a series to add generic support for transport layer
security handshake on behalf of kernel consumers (user space
consumers use a security library directly, of course).

This version of the series does away with the listen/poll/accept/
close design and replaces it with a full netlink implementation
that handles much of the same function.

The first patch in the series adds a new netlink family to handle
the kernel-user space interaction to request a handshake. The second
patch demonstrates how to extend this new mechanism to support a
particular transport layer security protocol (in this case,
TLSv1.3).

Of particular interest is that the user space handshake agent now
must perform a second downcall when the handshake is complete,
rather than simply closing the socket descriptor. This enables the
user space agent to pass down a session status, whether the session
was mutually authenticated, and the identity of the remote peer.
(Although these facilities are plumbed into the netlink protocol,
they have yet to be fully implemented by the kernel or the sample
user space agent below).

Certificates and pre-shared keys are made available to the user
space agent via keyrings, or the agent can use authentication
materials residing in the local filesystem.

The full patch set to support SunRPC with TLSv1.3 is available in
the topic-rpc-with-tls-upcall branch here, based on v6.1.10:

   https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git

A sample user space handshake agent with netlink support is
available in the "netlink" branch here:

   https://github.com/oracle/ktls-utils

---

Changes since v2:
- PF_HANDSHAKE replaced with NETLINK_HANDSHAKE
- Replaced listen(2) / poll(2) with a multicast notification service
- Replaced accept(2) with a netlink operation that can return an
  open fd and handshake parameters
- Replaced close(2) with a netlink operation that can take arguments

Changes since RFC:
- Generic upcall support split away from kTLS
- Added support for TLS ServerHello
- Documentation has been temporarily removed while API churns

Chuck Lever (2):
      net/handshake: Create a NETLINK service for handling handshake requests
      net/tls: Support AF_HANDSHAKE in kTLS

The use of AF_HANDSHAKE in the short description here is stale. I'll
fix that in a subsequent posting.

 include/net/handshake.h            |  37 ++
 include/net/net_namespace.h        |   1 +
 include/net/sock.h                 |   1 +
 include/net/tls.h                  |  16 +
 include/uapi/linux/handshake.h     |  95 +++++
 include/uapi/linux/netlink.h       |   1 +
 net/Makefile                       |   1 +
 net/handshake/Makefile             |  11 +
 net/handshake/netlink.c            | 320 ++++++++++++++++
 net/tls/Makefile                   |   2 +-
 net/tls/tls_handshake.c            | 583 +++++++++++++++++++++++++++++
 tools/include/uapi/linux/netlink.h |   1 +
 12 files changed, 1068 insertions(+), 1 deletion(-)
 create mode 100644 include/net/handshake.h
 create mode 100644 include/uapi/linux/handshake.h
 create mode 100644 net/handshake/Makefile
 create mode 100644 net/handshake/netlink.c
 create mode 100644 net/tls/tls_handshake.c

--
Chuck Lever
