Message ID | 167915594811.91792.15722842400657376706.stgit@manet.1015granger.net (mailing list archive) |
---|---|
Series | Another crack at a handshake upcall mechanism |
> On Mar 18, 2023, at 12:18 PM, Chuck Lever <cel@kernel.org> wrote:
>
> Hi-
>
> Here is v7 of a series to add generic support for transport layer
> security handshake on behalf of kernel socket consumers (user space
> consumers use a security library directly, of course). A summary of
> the purpose of these patches is archived here:
>
> https://lore.kernel.org/netdev/1DE06BB1-6BA9-4DB4-B2AA-07DE532963D6@oracle.com/
>
> v7 again has considerable churn, for two reasons:
>
> - I incorporated more C code generated from the YAML spec, and
> - I moved net/tls/tls_handshake.c to net/handshake/
>
> Other significant changes are listed below.
>
> The full patch set to support SunRPC with TLSv1.3 is available in
> the topic-rpc-with-tls-upcall branch here, based on net-next/main:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git
>
> This patch set includes support for in-transit confidentiality and
> peer authentication for both the Linux NFS client and server.
>
> A user space handshake agent for TLSv1.3 to go along with the kernel
> patches is available in the "netlink-v7" branch here:
>
> https://github.com/oracle/ktls-utils
>
> ---
>
> Major changes since v6:
> - YAML spec and generated artifacts are now under dual license
> - Addressed Jakub's v6 review comments
> - Implemented a memory-sensitive limit on the number of pending
>   handshake requests
> - Implemented upcall support for multiple peer identities

Addenda:
- I volunteered as maintainer of net/handshake/
- Addressed "undefined references" with certain build configurations

> Major changes since v5:
> - Added a "timeout" attribute to the handshake netlink protocol
> - Removed the GnuTLS-specific "priorities" attribute
> - Added support for keyrings to restrict access to keys
> - Simplified the kernel consumer TLS handshake API
> - The handshake netlink protocol can handle multiple peer IDs or
>   certificates in the ACCEPT and DONE operations, though the
>   implementation does not yet support it.
>
> Major changes since v4:
> - Rebased onto net-next/main
> - Replaced req reference counting with ->sk_destruct
> - CMD_ACCEPT now does the equivalent of a dup(2) rather than an
>   accept(2)
> - CMD_DONE no longer closes the user space socket endpoint
> - handshake_req_cancel is now tested and working
> - Added a YAML specification for the netlink upcall protocol, and
>   simplified the protocol to fit the YAML schema
> - Added an initial set of tracepoints
>
> Changes since v3:
> - Converted all netlink code to use Generic Netlink
> - Reworked handshake request lifetime logic throughout
> - Global pending list is now per-net
> - On completion, return the remote's identity to the consumer
>
> Changes since v2:
> - PF_HANDSHAKE replaced with NETLINK_HANDSHAKE
> - Replaced listen(2) / poll(2) with a multicast notification service
> - Replaced accept(2) with a netlink operation that can return an
>   open fd and handshake parameters
> - Replaced close(2) with a netlink operation that can take arguments
>
> Changes since RFC:
> - Generic upcall support split away from kTLS
> - Added support for TLS ServerHello
> - Documentation has been temporarily removed while API churns
>
> ---
>
> Chuck Lever (2):
>       net/handshake: Create a NETLINK service for handling handshake requests
>       net/tls: Add kernel APIs for requesting a TLSv1.3 handshake
>
>
>  Documentation/netlink/specs/handshake.yaml | 124 ++++++
>  Documentation/networking/index.rst         |   1 +
>  Documentation/networking/tls-handshake.rst | 217 +++++++++++
>  MAINTAINERS                                |  10 +
>  include/net/handshake.h                    |  43 +++
>  include/trace/events/handshake.h           | 159 ++++++++
>  include/uapi/linux/handshake.h             |  72 ++++
>  net/Kconfig                                |   5 +
>  net/Makefile                               |   1 +
>  net/handshake/Makefile                     |  11 +
>  net/handshake/genl.c                       |  58 +++
>  net/handshake/genl.h                       |  24 ++
>  net/handshake/handshake.h                  |  82 ++++
>  net/handshake/netlink.c                    | 316 ++++++++++++++++
>  net/handshake/request.c                    | 307 +++++++++++++++
>  net/handshake/tlshd.c                      | 417 +++++++++++++++++++++
>  net/handshake/trace.c                      |  20 +
>  17 files changed, 1867 insertions(+)
>  create mode 100644 Documentation/netlink/specs/handshake.yaml
>  create mode 100644 Documentation/networking/tls-handshake.rst
>  create mode 100644 include/net/handshake.h
>  create mode 100644 include/trace/events/handshake.h
>  create mode 100644 include/uapi/linux/handshake.h
>  create mode 100644 net/handshake/Makefile
>  create mode 100644 net/handshake/genl.c
>  create mode 100644 net/handshake/genl.h
>  create mode 100644 net/handshake/handshake.h
>  create mode 100644 net/handshake/netlink.c
>  create mode 100644 net/handshake/request.c
>  create mode 100644 net/handshake/tlshd.c
>  create mode 100644 net/handshake/trace.c
>
> --
> Chuck Lever
>
>

--
Chuck Lever