2024-12-03, 19:47:01 -0800, Jakub Kicinski wrote:
On Thu, 14 Nov 2024 16:50:48 +0100 Sabrina Dubroca wrote:
+static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb) +{
- const struct tls_msg *tlm = tls_msg(skb);
- const struct strp_msg *rxm = strp_msg(skb);
- char hs_type;
- int err;
- if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
return 0;- if (rxm->full_len < 1)
return -EINVAL;- err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
- if (err < 0)
return err;- if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;WRITE_ONCE(rx_ctx->key_update_pending, true);- }
- return 0;
+}
static int tls_rx_one_record(struct sock *sk, struct msghdr *msg, struct tls_decrypt_arg *darg) { @@ -1739,6 +1769,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg, rxm->full_len -= prot->overhead_size; tls_advance_record_sn(sk, prot, &tls_ctx->rx);
- err = tls_check_pending_rekey(tls_ctx, darg->skb);
- if (err < 0)
return err;Sorry if I already asked this, is this 100% safe to error out from here after we decrypted the record? Normally once we successfully decrypted and pulled the message header / trailer we always call tls_rx_rec_done()
This is the same thing tls_rx_one_record does when tls_decrypt_sw fails. Return <0 immediately, let the caller deal with the fallout. In the case where tls_padding_length fails, tls_decrypt_sw has an extra consume_skb though.
Returning an error here will make tls_rx_one_record() also return an error, and when that happens we always call tls_err_abort(). It's a big hammer, but it should be safe.
The only reason the check_pending_rekey() can fail is if the message is mis-formatted, I wonder if we are better off ignoring mis-formatted rekeys? User space will see them and break the connection, anyway. Alternatively - we could add a selftest for this.
Going back to tls_check_pending_rekey():
- if (rxm->full_len < 1)
return -EINVAL;
There's no real reason to fail here, we should probably just ignore it. It's not a rekey, and it's not a valid handshake message, but one could say that's not the kernel's problem. I'll make that return 0 unless you want to keep -EINVAL.
Hard to write a selftest for because we'd have to do a sendmsg with len=0, or do the crypto in the selftest.
- err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
- if (err < 0)
return err;
This probably means that the skb we got from the parser was broken. If we can't read 1B with full_len >= 1, something's wrong. Maybe worth a DEBUG_NET_WARN_ON_ONCE?
- if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
Here I don't actually check if it's a correct KeyUpdate message [1], we pause decryption and let userspace decide what to do (probably break the connection as you said).
[1] https://datatracker.ietf.org/doc/html/rfc8446#page-25 https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;WRITE_ONCE(rx_ctx->key_update_pending, true);- }
- return 0;
+}