From patchwork Thu Mar 8 16:50:52 2018
X-Patchwork-Submitter: Dave Watson
X-Patchwork-Id: 10268425
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Date: Thu, 8 Mar 2018 08:50:52 -0800
From: Dave Watson
To: "David S. Miller", Tom Herbert, Alexei Starovoitov
CC: Atul Gupta, Vakul Garg, Hannes Frederic Sowa, Steffen Klassert, John Fastabend, Daniel Borkmann
Subject: [PATCH RFC 5/5] tls: Add receive path documentation
Message-ID: <20180308165052.GA19621@davejwatson-mba>
X-Mailing-List: linux-crypto@vger.kernel.org

Add documentation on rx path setup and cmsg interface.
Signed-off-by: Dave Watson --- Documentation/networking/tls.txt | 59 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/Documentation/networking/tls.txt b/Documentation/networking/tls.txt index 77ed006..d341016 100644 --- a/Documentation/networking/tls.txt +++ b/Documentation/networking/tls.txt @@ -48,6 +48,9 @@ the transmit and the receive into the kernel. setsockopt(sock, SOL_TLS, TLS_TX, &crypto_info, sizeof(crypto_info)); +Transmit and receive are set separately, but the setup is the same, using either +TLS_TX or TLS_RX. + Sending TLS application data ---------------------------- @@ -79,6 +82,21 @@ for memory), or the encryption will always succeed. If send() returns -ENOMEM and some data was left on the socket buffer from a previous call using MSG_MORE, the MSG_MORE data is left on the socket buffer. +Receiving TLS application data +------------------------------ + +After setting the TLS_RX socket option, all recv family socket calls +are decrypted using TLS parameters provided. A full TLS record must +be received before decryption can happen. + + char buffer[16384]; + recv(sock, buffer, 16384); + +Received data is decrypted directly in to the user buffer if it is +large enough, and no additional allocations occur. If the userspace +buffer is too small, data is decrypted in the kernel and copied to +userspace. + Send TLS control messages ------------------------- 
@@ -118,6 +136,43 @@ using a record of type @record_type. Control message data should be provided unencrypted, and will be encrypted by the kernel. +Receiving TLS control messages +------------------------------ + +TLS control messages are passed in the userspace buffer, with message +type passed via cmsg. If no cmsg buffer is provided, an error is +returned if a control message is received. Data messages may be +received without a cmsg buffer set. + + char buffer[16384]; + char cmsg[CMSG_SPACE(sizeof(unsigned char))]; + struct msghdr msg = {0}; + msg.msg_control = cmsg; + msg.msg_controllen = sizeof(cmsg); + + struct iovec msg_iov; + msg_iov.iov_base = buffer; + msg_iov.iov_len = 16384; + + msg.msg_iov = &msg_iov; + msg.msg_iovlen = 1; + + int ret = recvmsg(sock, &msg, 0 /* flags */); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg->cmsg_level == SOL_TLS && + cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { + int record_type = *((unsigned char *)CMSG_DATA(cmsg)); + // Do something with record_type, and control message data in + // buffer. + // + // Note that record_type may be == to application data (23). + } else { + // Buffer contains application data. + } + +recv will never return data from mixed types of TLS records. + Integrating in to userspace TLS library --------------------------------------- @@ -126,10 +181,10 @@ layer of a userspace TLS library. A patchset to OpenSSL to use ktls as the record layer is here: -https://github.com/Mellanox/tls-openssl +https://github.com/Mellanox/openssl/commits/tls_rx An example of calling send directly after a handshake using gnutls. Since it doesn't implement a full record layer, control messages are not supported: -https://github.com/Mellanox/tls-af_ktls_tool +https://github.com/ktls/af_ktls-tool/commits/RX
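Review bot: in the first hunk (@@ -48,6 +48,9 @@), the added sentence "Transmit and receive are set separately, but the setup is the same, using either TLS_TX or TLS_RX" leaves it open whether the same crypto_info can be passed to both calls; it cannot, since each direction of a TLS connection uses its own key material, and the example just above this hunk only shows the TLS_TX call. Suggest adding the second call, "setsockopt(sock, SOL_TLS, TLS_RX, &crypto_info, sizeof(crypto_info));", preceded by a sentence saying that crypto_info must be refilled with the receive-direction parameters from the handshake before it is passed with TLS_RX.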
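Review bot: in the "Receiving TLS application data" hunk (@@ -79,6 +82,21 @@), the example "recv(sock, buffer, 16384);" passes three arguments to recv(), which takes four (the flags argument is missing), so the snippet does not compile; it also discards the return value, which the surrounding text says is significant because nothing is delivered until a full record has been received and decrypted. Suggest "ssize_t n = recv(sock, buffer, sizeof(buffer), 0);" followed by a check of n for -1 (error) and 0 (peer closed). In the same hunk, "decrypted directly in to the user buffer" should read "into".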
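Review bot: in the "Receiving TLS control messages" hunk (@@ -118,6 +136,43 @@), "struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);" redeclares "cmsg" in the same scope as the earlier "char cmsg[CMSG_SPACE(sizeof(unsigned char))];", so the example does not compile; rename the buffer (for instance "char cmsgbuf[CMSG_SPACE(sizeof(unsigned char))];" with "msg.msg_control = cmsgbuf;" and "msg.msg_controllen = sizeof(cmsgbuf);"). The example also inspects the control message without first checking "ret" for -1, and dereferences the CMSG_FIRSTHDR() result without a NULL check even though the text says data records can arrive with no control message; the "else" branch ("Buffer contains application data") should be reached when the pointer is NULL as well as when level/type do not match, and an error return should be handled before either branch. Finally, the sentence "If no cmsg buffer is provided, an error is returned if a control message is received" should name the errno the caller will see, since that is what an application has to test for.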
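Review bot: in the last hunk (@@ -126,10 +181,10 @@), both replacement links point at per-branch commit listings (".../openssl/commits/tls_rx" and ".../af_ktls-tool/commits/RX") rather than at a tag or a fixed commit, so they will stop describing the code this document refers to as soon as those branches move or are rebased. Suggest linking to a tagged release or a specific commit, or to the repository root with the branch named in the text.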