Message-ID: <167648817566.5586.11847329328944648217.stgit@91.116.238.104.host.secureserver.net>
Date: Wed, 15 Feb 2023 14:23:07 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com
Cc: netdev@...r.kernel.org, chuck.lever@...cle.com, hare@...e.com,
dhowells@...hat.com, bcodding@...hat.com, kolga@...app.com,
jmeneghi@...hat.com
Subject: [PATCH v4 0/2] Another crack at a handshake upcall mechanism
Hi-
Here is v4 of a series to add generic support for transport layer
security handshake on behalf of kernel socket consumers (user space
consumers use a security library directly, of course).
A summary of the purpose of these patches is archived here:
https://lore.kernel.org/netdev/1DE06BB1-6BA9-4DB4-B2AA-07DE532963D6@oracle.com/
This version of the series replaces Classic Netlink infrastructure
with Generic Netlink, as requested. It is again a significant rewrite
of the previous version of the series. There are several more tasks
to complete, including the creation of a YAML protocol
specification and the ability to return multiple remote peer
identities upon handshake completion.
The full patch set to support SunRPC with TLSv1.3 is available in
the topic-rpc-with-tls-upcall branch here, based on v6.1.12:
https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
A sample user space handshake agent with netlink support is
available in the "netlink" branch here:
https://github.com/oracle/ktls-utils
---
Changes since v3:
- Converted all netlink code to use Generic Netlink
- Reworked handshake request lifetime logic throughout
- Global pending list is now per-net
- On completion, return the remote's identity to the consumer
Changes since v2:
- PF_HANDSHAKE replaced with NETLINK_HANDSHAKE
- Replaced listen(2) / poll(2) with a multicast notification service
- Replaced accept(2) with a netlink operation that can return an
open fd and handshake parameters
- Replaced close(2) with a netlink operation that can take arguments
Changes since RFC:
- Generic upcall support split away from kTLS
- Added support for TLS ServerHello
- Documentation has been temporarily removed while API churns
Chuck Lever (2):
net/handshake: Create a NETLINK service for handling handshake requests
net/tls: Add kernel APIs for requesting a TLSv1.3 handshake
Documentation/networking/index.rst | 1 +
Documentation/networking/tls-handshake.rst | 146 ++++++++
include/net/handshake.h | 46 +++
include/net/net_namespace.h | 5 +
include/net/sock.h | 1 +
include/net/tls.h | 23 ++
include/uapi/linux/handshake.h | 100 ++++++
net/Makefile | 1 +
net/handshake/Makefile | 11 +
net/handshake/handshake.h | 43 +++
net/handshake/netlink.c | 373 ++++++++++++++++++++
net/handshake/request.c | 160 +++++++++
net/tls/Makefile | 2 +-
net/tls/tls_handshake.c | 388 +++++++++++++++++++++
14 files changed, 1299 insertions(+), 1 deletion(-)
create mode 100644 Documentation/networking/tls-handshake.rst
create mode 100644 include/net/handshake.h
create mode 100644 include/uapi/linux/handshake.h
create mode 100644 net/handshake/Makefile
create mode 100644 net/handshake/handshake.h
create mode 100644 net/handshake/netlink.c
create mode 100644 net/handshake/request.c
create mode 100644 net/tls/tls_handshake.c
--
Chuck Lever