Message-ID: <85d4697e-9365-4b9d-ac95-43e0dc31086b@oracle.com>
Date: Fri, 15 Aug 2025 09:40:34 -0400
From: Chuck Lever <chuck.lever@...cle.com>
To: alistair23@...il.com, hare@...nel.org,
        kernel-tls-handshake@...ts.linux.dev, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-nvme@...ts.infradead.org, linux-nfs@...r.kernel.org
Cc: kbusch@...nel.org, axboe@...nel.dk, hch@....de, sagi@...mberg.me,
        kch@...dia.com, Alistair Francis <alistair.francis@....com>
Subject: Re: [PATCH 7/8] net/handshake: Support decoding the HandshakeType

On 8/15/25 1:02 AM, alistair23@...il.com wrote:
> From: Alistair Francis <alistair.francis@....com>
> 
> Support decoding the HandshakeType as part of the TLS handshake
> protocol.
> 
> Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4
> Signed-off-by: Alistair Francis <alistair.francis@....com>
> ---
>  include/net/handshake.h |  1 +
>  include/net/tls_prot.h  | 17 +++++++++++++++++
>  net/handshake/alert.c   | 26 ++++++++++++++++++++++++++
>  3 files changed, 44 insertions(+)
> 
> diff --git a/include/net/handshake.h b/include/net/handshake.h
> index 8f791c55edc9..d13dc6299c37 100644
> --- a/include/net/handshake.h
> +++ b/include/net/handshake.h
> @@ -54,6 +54,7 @@ void handshake_sk_destruct_req(struct sock *sk);
>  bool handshake_req_cancel(struct sock *sk);
>  
>  u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg);
> +u8 tls_get_handshake_type(const struct sock *sk, const struct cmsghdr *cmsg);
>  void tls_alert_recv(const struct sock *sk, const struct msghdr *msg,
>  		    u8 *level, u8 *description);
>  
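Review bot: the new prototype names its second parameter `cmsg` while the `tls_get_record_type` declaration directly above it names the same `const struct cmsghdr *` argument `msg`; since the definition in net/handshake/alert.c uses `cmsg` for both functions, consider renaming the existing declaration's parameter to `cmsg` in this hunk so the header and the .c file agree.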
> diff --git a/include/net/tls_prot.h b/include/net/tls_prot.h
> index 68a40756440b..5125e7c22cb3 100644
> --- a/include/net/tls_prot.h
> +++ b/include/net/tls_prot.h
> @@ -23,6 +23,23 @@ enum {
>  	TLS_RECORD_TYPE_ACK = 26,
>  };
>  
> +/*
> + * TLS Record protocol: HandshakeType

RFC 8664 Section 4 describes the handshake sub-protocol. AFAIU the
handshake type is part of that protocol, not part of the record
sub-protocol ...

Also, it appears these numbers are managed by and made extensible by an
IANA registry:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-7

Let's cite that URL here, and can you include the additional numbers
found in that registry? Or, if we're adding only the type numbers
needed for KeyUpdate here, let's mention the registry anyway and note
that there are other numbers in use.


> + */
> +enum {
> +	TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 1,
> +	TLS_HANDSHAKE_TYPE_SERVER_HELLO = 2,
> +	TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET = 4,
> +	TLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA = 5,
> +	TLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS = 8,
> +	TLS_HANDSHAKE_TYPE_CERTIFICATE = 11,
> +	TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST = 13,
> +	TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY = 15,
> +	TLS_HANDSHAKE_TYPE_FINISHED = 20,
> +	TLS_HANDSHAKE_TYPE_KEY_UPDATE = 24,
> +	TLS_HANDSHAKE_TYPE_MESSAGE_HASH = 254,
> +};
> +
>  /*
>   * TLS Alert protocol: AlertLevel
>   */
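Review bot: `TLS_HANDSHAKE_TYPE_MESSAGE_HASH = 254` deserves a comment, because unlike the other values in this enum it is a synthetic HandshakeType defined in RFC 8446 section 4.4.1 only for transcript-hash construction and is never carried in a record on the wire; a caller of `tls_get_handshake_type` that switches on the returned value should not expect to see it. Likewise, since HelloRetryRequest is sent with the ServerHello type (2) in TLS 1.3, it would help to note that no separate value exists for it, and to keep a `default:` path in callers for registry values not listed here.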
> diff --git a/net/handshake/alert.c b/net/handshake/alert.c
> index 329d91984683..7e16ef5ed913 100644
> --- a/net/handshake/alert.c
> +++ b/net/handshake/alert.c
> @@ -86,6 +86,32 @@ u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *cmsg)
>  }
>  EXPORT_SYMBOL(tls_get_record_type);
>  
> +/**
> + * tls_get_handshake_type - Look for TLS HANDSHAKE_TYPE information
> + * @sk: socket (for IP address information)
> + * @cmsg: incoming message to be parsed
> + *
> + * Returns zero or a TLS_HANDSHAKE_TYPE value.
> + */
> +u8 tls_get_handshake_type(const struct sock *sk, const struct cmsghdr *cmsg)
> +{
> +	u8 record_type, msg_type;
> +
> +	if (cmsg->cmsg_level != SOL_TLS)
> +		return 0;
> +	if (cmsg->cmsg_type != TLS_GET_RECORD_TYPE)
> +		return 0;
> +
> +	record_type = *((u8 *)CMSG_DATA(cmsg));
> +
> +	if (record_type != TLS_RECORD_TYPE_HANDSHAKE)
> +		return 0;
> +
> +	msg_type = *((u8 *)CMSG_DATA(cmsg) + 4);
> +	return msg_type;
> +}
> +EXPORT_SYMBOL(tls_get_handshake_type);
> +
>  /**
>   * tls_alert_recv - Parse TLS Alert messages
>   * @sk: socket (for IP address information)
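Review bot: the read at `msg_type = *((u8 *)CMSG_DATA(cmsg) + 4);` is neither bounds-checked nor explained: nothing verifies that `cmsg->cmsg_len` covers five bytes of data before the fifth byte is dereferenced, and the hunk does not say what layout places the handshake message type at offset 4 of a `TLS_GET_RECORD_TYPE` control message, whose payload as read by `tls_get_record_type` above is the single record-type byte. Please add a check on `cmsg->cmsg_len` (returning 0 when the data is too short) and a comment describing the expected layout, or, if the handshake type is meant to come from the first byte of the record payload rather than from the control message, take the `struct msghdr` and read it from there as `tls_alert_recv` below does for alert level and description. The kernel-doc could also state that a return of 0 is ambiguous only for the reserved HelloRequest type, so callers treat 0 as "not a handshake record".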


-- 
Chuck Lever
