From patchwork Tue Mar 20 17:54:43 2018
X-Patchwork-Submitter: Dave Watson
X-Patchwork-Id: 10297683
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Date: Tue, 20 Mar 2018 10:54:43 -0700
From: Dave Watson
To: "David S. Miller", Tom Herbert, Alexei Starovoitov
CC: Atul Gupta, Vakul Garg, Hannes Frederic Sowa, Steffen Klassert, John Fastabend, Daniel Borkmann
Subject: [PATCH net-next 6/6] tls: Add receive path documentation
Message-ID: <20180320175443.GA23990@davejwatson-mba.local>
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Mailing-List: linux-crypto@vger.kernel.org

Add documentation on rx path setup and cmsg interface.

Signed-off-by: Dave Watson
---
 Documentation/networking/tls.txt | 67 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 2 deletions(-)

diff --git a/Documentation/networking/tls.txt b/Documentation/networking/tls.txt index 77ed006..6c39505 100644 --- a/Documentation/networking/tls.txt +++ b/Documentation/networking/tls.txt @@ -48,6 +48,9 @@ the transmit and the receive into the kernel. setsockopt(sock, SOL_TLS, TLS_TX, &crypto_info, sizeof(crypto_info)); +Transmit and receive are set separately, but the setup is the same, using either +TLS_TX or TLS_RX. + Sending TLS application data ----------------------------
@@ -79,6 +82,29 @@ for memory), or the encryption will always succeed. If send() returns -ENOMEM and some data was left on the socket buffer from a previous call using MSG_MORE, the MSG_MORE data is left on the socket buffer. +Receiving TLS application data +------------------------------ + +After setting the TLS_RX socket option, all recv family socket calls +are decrypted using TLS parameters provided. A full TLS record must +be received before decryption can happen. + + char buffer[16384]; + recv(sock, buffer, 16384); + +Received data is decrypted directly in to the user buffer if it is +large enough, and no additional allocations occur. If the userspace +buffer is too small, data is decrypted in the kernel and copied to +userspace. + +EINVAL is returned if the TLS version in the received message does not +match the version passed in setsockopt. + +EMSGSIZE is returned if the received message is too big, or too small +when crypto overheads are included. + +EBADMSG is returned if decryption failed for any other reason. + Send TLS control messages ------------------------- 
@@ -118,6 +144,43 @@ using a record of type @record_type. Control message data should be provided unencrypted, and will be encrypted by the kernel. +Receiving TLS control messages +------------------------------ + +TLS control messages are passed in the userspace buffer, with message +type passed via cmsg. If no cmsg buffer is provided, an error is +returned if a control message is received. Data messages may be +received without a cmsg buffer set. + + char buffer[16384]; + char cmsg[CMSG_SPACE(sizeof(unsigned char))]; + struct msghdr msg = {0}; + msg.msg_control = cmsg; + msg.msg_controllen = sizeof(cmsg); + + struct iovec msg_iov; + msg_iov.iov_base = buffer; + msg_iov.iov_len = 16384; + + msg.msg_iov = &msg_iov; + msg.msg_iovlen = 1; + + int ret = recvmsg(sock, &msg, 0 /* flags */); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg->cmsg_level == SOL_TLS && + cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { + int record_type = *((unsigned char *)CMSG_DATA(cmsg)); + // Do something with record_type, and control message data in + // buffer. + // + // Note that record_type may be == to application data (23). + } else { + // Buffer contains application data. + } + +recv will never return data from mixed types of TLS records. + Integrating in to userspace TLS library --------------------------------------- @@ -126,10 +189,10 @@ layer of a userspace TLS library. A patchset to OpenSSL to use ktls as the record layer is here: -https://github.com/Mellanox/tls-openssl +https://github.com/Mellanox/openssl/commits/tls_rx2 An example of calling send directly after a handshake using gnutls. Since it doesn't implement a full record layer, control messages are not supported: -https://github.com/Mellanox/tls-af_ktls_tool +https://github.com/ktls/af_ktls-tool/commits/RX
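Review bot: the new sentence in the @@ -48,6 +48,9 @@ hunk says the setup is the same for TLS_TX and TLS_RX, but the only example in context is the TLS_TX setsockopt; adding the receive call next to it, `setsockopt(sock, SOL_TLS, TLS_RX, &crypto_info, sizeof(crypto_info));`, would make the point concrete. It would also help to state whether a separate crypto_info (key, IV, sequence number) is expected per direction, since a TLS connection uses distinct keys for each direction.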
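Review bot: the recv() example in the @@ -79,6 +82,29 @@ hunk is missing recv()'s fourth argument; `recv(sock, buffer, 16384);` will not compile and should read `recv(sock, buffer, 16384, 0 /* flags */);` to match the recvmsg example later in the patch. "decrypted directly in to the user buffer" should be "into". The error list (EINVAL, EMSGSIZE, EBADMSG) also does not say whether the offending record is consumed or whether the socket remains usable afterwards; readers implementing a record layer on top of this will need that stated.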
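Review bot: the recvmsg example in the @@ -118,6 +144,43 @@ hunk declares `cmsg` twice in the same scope, first as `char cmsg[CMSG_SPACE(sizeof(unsigned char))];` and then as `struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);`, so the snippet does not compile; rename the control buffer (for example `cbuf`). The pointer is then dereferenced without checking `ret` or that CMSG_FIRSTHDR() returned non-NULL, which the text itself says is the normal case for data records received without a control message, so the check should be guarded along the lines of `if (ret > 0 && cmsg && cmsg->cmsg_level == SOL_TLS && cmsg->cmsg_type == TLS_GET_RECORD_TYPE)`. Finally, "an error is returned if a control message is received" without a cmsg buffer does not name the errno; worth adding to the error list.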
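Review bot: the @@ -126,10 +189,10 @@ hunk points both reference links at branch commit listings (.../commits/tls_rx2 and .../commits/RX), which change as those branches advance; linking to a tag or a specific commit would keep the documentation pointing at the code that was actually tested with this receive path.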