From patchwork Thu Mar 22 17:10:44 2018
From: Dave Watson
To: "David S. Miller", Tom Herbert, Alexei Starovoitov
CC: Atul Gupta, Vakul Garg, Hannes Frederic Sowa, Steffen Klassert, John Fastabend, Daniel Borkmann
Subject: [PATCH v2 net-next 6/6] tls: Add receive path documentation
Date: Thu, 22 Mar 2018 10:10:44 -0700
Message-ID: <20180322171044.GA67945@GeorgeHnsiPhone.dhcp.thefacebook.com>
X-Patchwork-Id: 10301949
X-Patchwork-Submitter: Dave Watson
X-Mailing-List: linux-crypto@vger.kernel.org

Add documentation on rx path setup and cmsg interface.
Signed-off-by: Dave Watson --- Documentation/networking/tls.txt | 66 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) diff --git a/Documentation/networking/tls.txt b/Documentation/networking/tls.txt index 77ed006..58b5ef7 100644 --- a/Documentation/networking/tls.txt +++ b/Documentation/networking/tls.txt @@ -48,6 +48,9 @@ the transmit and the receive into the kernel. setsockopt(sock, SOL_TLS, TLS_TX, &crypto_info, sizeof(crypto_info)); +Transmit and receive are set separately, but the setup is the same, using either +TLS_TX or TLS_RX. + Sending TLS application data ---------------------------- @@ -79,6 +82,28 @@ for memory), or the encryption will always succeed. If send() returns -ENOMEM and some data was left on the socket buffer from a previous call using MSG_MORE, the MSG_MORE data is left on the socket buffer. +Receiving TLS application data +------------------------------ + +After setting the TLS_RX socket option, all recv family socket calls +are decrypted using TLS parameters provided. A full TLS record must +be received before decryption can happen. + + char buffer[16384]; + recv(sock, buffer, 16384); + +Received data is decrypted directly in to the user buffer if it is +large enough, and no additional allocations occur. If the userspace +buffer is too small, data is decrypted in the kernel and copied to +userspace. + +EINVAL is returned if the TLS version in the received message does not +match the version passed in setsockopt. + +EMSGSIZE is returned if the received message is too big. + +EBADMSG is returned if decryption failed for any other reason. + Send TLS control messages ------------------------- 
@@ -118,6 +143,43 @@ using a record of type @record_type. Control message data should be provided unencrypted, and will be encrypted by the kernel. +Receiving TLS control messages +------------------------------ + +TLS control messages are passed in the userspace buffer, with message +type passed via cmsg. If no cmsg buffer is provided, an error is +returned if a control message is received. Data messages may be +received without a cmsg buffer set. + + char buffer[16384]; + char cmsg[CMSG_SPACE(sizeof(unsigned char))]; + struct msghdr msg = {0}; + msg.msg_control = cmsg; + msg.msg_controllen = sizeof(cmsg); + + struct iovec msg_iov; + msg_iov.iov_base = buffer; + msg_iov.iov_len = 16384; + + msg.msg_iov = &msg_iov; + msg.msg_iovlen = 1; + + int ret = recvmsg(sock, &msg, 0 /* flags */); + + struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); + if (cmsg->cmsg_level == SOL_TLS && + cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { + int record_type = *((unsigned char *)CMSG_DATA(cmsg)); + // Do something with record_type, and control message data in + // buffer. + // + // Note that record_type may be == to application data (23). + } else { + // Buffer contains application data. + } + +recv will never return data from mixed types of TLS records. + Integrating in to userspace TLS library --------------------------------------- @@ -126,10 +188,10 @@ layer of a userspace TLS library. A patchset to OpenSSL to use ktls as the record layer is here: -https://github.com/Mellanox/tls-openssl +https://github.com/Mellanox/openssl/commits/tls_rx2 An example of calling send directly after a handshake using gnutls. Since it doesn't implement a full record layer, control messages are not supported: -https://github.com/Mellanox/tls-af_ktls_tool +https://github.com/ktls/af_ktls-tool/commits/RX
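Review bot: In the @@ -48,6 +48,9 @@ hunk the new sentence says the TLS_RX setup is the same as TLS_TX, but the example directly above it still shows only the TLS_TX call; consider adding the matching `setsockopt(sock, SOL_TLS, TLS_RX, &crypto_info, sizeof(crypto_info));` line, and stating that the crypto_info passed for TLS_RX must carry the receive-direction key, IV and sequence number rather than the transmit ones, since the two directions do not share key material.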
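Review bot: The example in the @@ -79,6 +82,28 @@ hunk, `recv(sock, buffer, 16384);`, is missing the flags argument and will not compile; it should read `recv(sock, buffer, 16384, 0);`. In the same hunk, "decrypted directly in to the user buffer" should be "into", and the error list would be more useful if it said what state the socket is in after EINVAL, EMSGSIZE or EBADMSG, in particular whether the offending record has been consumed and whether a further recv() can succeed, so that callers know they should close the connection rather than retry after a failed decryption.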
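Review bot: The recvmsg example in the @@ -118,6 +143,43 @@ hunk declares `char cmsg[CMSG_SPACE(sizeof(unsigned char))];` and then `struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);` in the same scope, which is a conflicting redeclaration and will not compile; rename the buffer (for example `char cmsg_buf[...]`, `msg.msg_control = cmsg_buf;`). The example also dereferences `cmsg` without checking it, but CMSG_FIRSTHDR() returns NULL when no control message was delivered (msg_controllen is left at zero), which is exactly the application-data case the else branch is meant to cover, and `ret` is never checked for an error before the cmsg is inspected; guard with `if (ret >= 0 && cmsg && cmsg->cmsg_level == SOL_TLS && ...)`. The prose "If no cmsg buffer is provided, an error is returned if a control message is received" should name the errno, and it would help to say that the control-message payload in `buffer` is already decrypted, matching the statement in the send section that control data is encrypted by the kernel.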
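Review bot: The two replacement links in the @@ -126,10 +188,10 @@ hunk point at branch commit listings (`.../commits/tls_rx2`, `.../commits/RX`), which move as the branches are updated; the documentation would be more stable if it linked to a tagged release or a specific commit, or at least said which commit was tested with this kernel version.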