2024-12-03, 19:47:01 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:48 +0100 Sabrina Dubroca wrote:
> > +static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb)
> > +{
> > + const struct tls_msg *tlm = tls_msg(skb);
> > + const struct strp_msg *rxm = strp_msg(skb);
> > + char hs_type;
> > + int err;
> > +
> > + if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
> > + return 0;
> > +
> > + if (rxm->full_len < 1)
> > + return -EINVAL;
> > +
> > + err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > + if (err < 0)
> > + return err;
> > +
> > + if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
> > + struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > + WRITE_ONCE(rx_ctx->key_update_pending, true);
> > + }
> > +
> > + return 0;
> > +}
> > +
> > static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> > struct tls_decrypt_arg *darg)
> > {
> > @@ -1739,6 +1769,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> > rxm->full_len -= prot->overhead_size;
> > tls_advance_record_sn(sk, prot, &tls_ctx->rx);
> >
> > + err = tls_check_pending_rekey(tls_ctx, darg->skb);
> > + if (err < 0)
> > + return err;
>
> Sorry if I already asked this, is this 100% safe to error out from here
> after we decrypted the record? Normally once we successfully decrypted
> and pulled the message header / trailer we always call tls_rx_rec_done()
This is the same thing tls_rx_one_record does when tls_decrypt_sw
fails. Return <0 immediately, let the caller deal with the fallout. In
the case where tls_padding_length fails, tls_decrypt_sw has an extra
consume_skb though.
Returning an error here will make tls_rx_one_record() also return an
error, and when that happens we always call tls_err_abort(). It's a
big hammer, but it should be safe.
> The only reason the check_pending_rekey() can fail is if the message is
> mis-formatted, I wonder if we are better off ignoring mis-formatted
> rekeys? User space will see them and break the connection, anyway.
> Alternatively - we could add a selftest for this.
Going back to tls_check_pending_rekey():
> > + if (rxm->full_len < 1)
> > + return -EINVAL;
There's no real reason to fail here, we should probably just ignore
it. It's not a rekey, and it's not a valid handshake message, but one
could say that's not the kernel's problem. I'll make that return 0
unless you want to keep -EINVAL.
Hard to write a selftest for because we'd have to do a sendmsg with
len=0, or do the crypto in the selftest.
> > + err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > + if (err < 0)
> > + return err;
This probably means that the skb we got from the parser was broken. If
we can't read 1B with full_len >= 1, something's wrong. Maybe worth a
DEBUG_NET_WARN_ON_ONCE?
> > + if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
Here I don't actually check if it's a correct KeyUpdate message [1],
we pause decryption and let userspace decide what to do (probably
break the connection as you said).
[1] https://datatracker.ietf.org/doc/html/rfc8446#page-25
https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
> > + struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > + WRITE_ONCE(rx_ctx->key_update_pending, true);
> > + }
> > +
> > + return 0;
> > +}
--
Sabrina
