tls: block decryption when a rekey is pending

When a TLS handshake record carrying a KeyUpdate message is received,
all subsequent records will be encrypted with a new key. We need to
stop decrypting incoming records with the old key, and wait until
userspace provides a new key.

Make a note of this in the RX context just after decrypting that
record, and stop recvmsg/splice calls with EKEYEXPIRED until the new
key is available.

key_update_pending can't be combined with the existing bitfield,
because we will read it locklessly in ->poll.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/tls.h b/include/net/tls.h
index 61fef28801140b14e6efb103c755e0a7414e71ce..857340338b69413bc57da12229900c44a6b46671 100644 (file)
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -59,6 +59,8 @@ struct tls_rec;
 
 #define TLS_CRYPTO_INFO_READY(info)    ((info)->cipher_type)
 
+#define TLS_HANDSHAKE_KEYUPDATE                24      /* rfc8446 B.3: Key update */
+
 #define TLS_AAD_SPACE_SIZE             13
 
 #define TLS_MAX_IV_SIZE                        16
@@ -130,6 +132,7 @@ struct tls_sw_context_rx {
        u8 async_capable:1;
        u8 zc_capable:1;
        u8 reader_contended:1;
+       bool key_update_pending;
 
        struct tls_strparser strp;
 

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index bbf26cc4f6ee261a0e00d85dfed6cf0170757f3d..3dcf8ee60fea21a57a9d10ab43af9ca623d003ab 100644 (file)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1314,6 +1314,10 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
        int ret = 0;
        long timeo;
 
+       /* a rekey is pending, let userspace deal with it */
+       if (unlikely(ctx->key_update_pending))
+               return -EKEYEXPIRED;
+
        timeo = sock_rcvtimeo(sk, nonblock);
 
        while (!tls_strp_msg_ready(ctx)) {
@@ -1720,6 +1724,34 @@ tls_decrypt_device(struct sock *sk, struct msghdr *msg,
        return 1;
 }
 
+static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb)
+{
+       const struct strp_msg *rxm = strp_msg(skb);
+       const struct tls_msg *tlm = tls_msg(skb);
+       char hs_type;
+       int err;
+
+       if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
+               return 0;
+
+       if (rxm->full_len < 1)
+               return 0;
+
+       err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
+       if (err < 0) {
+               DEBUG_NET_WARN_ON_ONCE(1);
+               return err;
+       }
+
+       if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
+               struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
+
+               WRITE_ONCE(rx_ctx->key_update_pending, true);
+       }
+
+       return 0;
+}
+
 static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
                             struct tls_decrypt_arg *darg)
 {
@@ -1739,7 +1771,7 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
        rxm->full_len -= prot->overhead_size;
        tls_advance_record_sn(sk, prot, &tls_ctx->rx);
 
-       return 0;
+       return tls_check_pending_rekey(tls_ctx, darg->skb);
 }
 
 int decrypt_skb(struct sock *sk, struct scatterlist *sgout)
@@ -2719,6 +2751,7 @@ int tls_set_sw_offload(struct sock *sk, int tx)
                crypto_info = &ctx->crypto_recv.info;
                cctx = &ctx->rx;
                aead = &sw_ctx_rx->aead_recv;
+               sw_ctx_rx->key_update_pending = false;
        }
 
        cipher_desc = get_cipher_desc(crypto_info->cipher_type);