Re: Setting TLS_RX and TLS_TX crypto info more than once?

[Sabrina Dubroca <sd@queasysnail.net>]

Hi Marcel,

2023-01-24, 18:48:56 +0100, Marcel Holtmann wrote:
> Hi Ilya,
> 
> in commit 196c31b4b5447 you limited setsockopt for TLS_RX and TLS_TX
> crypto info to just one time.

Looking at commit 196c31b4b5447, that check was already there, it only
got moved.

> 
> +       crypto_info = &ctx->crypto_send;
> +       /* Currently we don't support set crypto info more than one time */
> +       if (TLS_CRYPTO_INFO_READY(crypto_info))
> +               goto out;
> 
> This is a bit unfortunate for TLS 1.3 where the majority of the TLS
> handshake is actually encrypted with handshake traffic secrets and
> only after a successful handshake, the application traffic secrets
> are applied.
> 
> I am hitting this issue since I am just sending ClientHello and only
> reading ServerHello and then switching on TLS_RX right away to receive
> the rest of the handshake via TLS_GET_RECORD_TYPE. This works pretty
> nicely in my code.
> 
> Since this limitation wasn’t there in the first place, can we get it
> removed again and allow setting the crypto info more than once? At
> least updating the key material (the cipher obviously has to match).
> 
> I think this is also needed when having to do any re-keying since I
> have seen patches for that, but it seems they never got applied.

The patches are still under discussion (I only posted them a week ago
so "never got applied" seems a bit harsh):
https://lore.kernel.org/all/cover.1673952268.git.sd@queasysnail.net/T/#u

-- 
Sabrina