| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <4a9a82a0eaa47319e0e7a7fe525bd37f25b61cb5.1676052788.git.sd@queasysnail.net>
Date: Tue, 14 Feb 2023 12:17:39 +0100
From: Sabrina Dubroca <sd@...asysnail.net>
To: netdev@...r.kernel.org
Cc: Sabrina Dubroca <sd@...asysnail.net>,
Vadim Fedorenko <vfedorenko@...ek.ru>,
Frantisek Krenzelok <fkrenzel@...hat.com>,
Jakub Kicinski <kuba@...nel.org>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
Apoorv Kothari <apoorvko@...zon.com>,
Boris Pismenny <borisp@...dia.com>,
John Fastabend <john.fastabend@...il.com>,
Shuah Khan <shuah@...nel.org>, linux-kselftest@...r.kernel.org,
Gal Pressman <gal@...dia.com>,
Marcel Holtmann <marcel@...tmann.org>
Subject: [PATCH net-next v2 2/5] tls: block decryption when a rekey is pending
When a TLS handshake record carrying a KeyUpdate message is received,
all subsequent records will be encrypted with a new key. We need to
stop decrypting incoming records with the old key, and wait until
userspace provides a new key.
Make a note of this in the RX context just after decrypting that
record, and stop recvmsg/splice calls with EKEYEXPIRED until the new
key is available.
Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>
---
include/net/tls.h | 4 ++++
net/tls/tls_sw.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/include/net/tls.h b/include/net/tls.h
index 154949c7b0c8..297732f23804 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -69,8 +69,11 @@ extern const struct tls_cipher_size_desc tls_cipher_size_desc[];
#define TLS_CRYPTO_INFO_READY(info) ((info)->cipher_type)
+#define TLS_RECORD_TYPE_HANDSHAKE 0x16
#define TLS_RECORD_TYPE_DATA 0x17
+#define TLS_HANDSHAKE_KEYUPDATE 24 /* rfc8446 B.3: Key update */
+
#define TLS_AAD_SPACE_SIZE 13
#define MAX_IV_SIZE 16
@@ -145,6 +148,7 @@ struct tls_sw_context_rx {
struct tls_strparser strp;
+ bool key_update_pending;
atomic_t decrypt_pending;
/* protect crypto_wait with decrypt_pending*/
spinlock_t decrypt_compl_lock;
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 238bd18c5eb6..149a39d9a56a 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1687,6 +1687,33 @@ tls_decrypt_device(struct sock *sk, struct msghdr *msg,
return 1;
}
+static int tls_check_pending_rekey(struct sock *sk, struct sk_buff *skb)
+{
+ const struct tls_msg *tlm = tls_msg(skb);
+ const struct strp_msg *rxm = strp_msg(skb);
+
+ if (tlm->control == TLS_RECORD_TYPE_HANDSHAKE) {
+ char hs_type;
+ int err;
+
+ if (rxm->full_len < 1)
+ return -EINVAL;
+
+ err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
+ if (err < 0)
+ return err;
+
+ if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
+ struct tls_context *ctx = tls_get_ctx(sk);
+ struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
+
+ rx_ctx->key_update_pending = true;
+ }
+ }
+
+ return 0;
+}
+
static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
struct tls_decrypt_arg *darg)
{
@@ -1706,6 +1733,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
rxm->full_len -= prot->overhead_size;
tls_advance_record_sn(sk, prot, &tls_ctx->rx);
+ err = tls_check_pending_rekey(sk, darg->skb);
+ if (err < 0)
+ return err;
+
return 0;
}
@@ -1957,6 +1988,12 @@ int tls_sw_recvmsg(struct sock *sk,
struct tls_decrypt_arg darg;
int to_decrypt, chunk;
+ /* a rekey is pending, let userspace deal with it */
+ if (unlikely(ctx->key_update_pending)) {
+ err = -EKEYEXPIRED;
+ break;
+ }
+
err = tls_rx_rec_wait(sk, psock, flags & MSG_DONTWAIT,
released);
if (err <= 0) {
@@ -2141,6 +2178,12 @@ ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos,
if (err < 0)
return err;
+ /* a rekey is pending, let userspace deal with it */
+ if (unlikely(ctx->key_update_pending)) {
+ err = -EKEYEXPIRED;
+ goto splice_read_end;
+ }
+
if (!skb_queue_empty(&ctx->rx_list)) {
skb = __skb_dequeue(&ctx->rx_list);
} else {
@@ -2526,6 +2569,7 @@ int tls_set_sw_offload(struct sock *sk, int tx)
skb_queue_head_init(&sw_ctx_rx->rx_list);
skb_queue_head_init(&sw_ctx_rx->async_hold);
aead = &sw_ctx_rx->aead_recv;
+ sw_ctx_rx->key_update_pending = false;
}
switch (crypto_info->cipher_type) {
--
2.38.1
Powered by blists - more mailing lists