From: Dave Watson <davejwatson@fb.com>
To: "David S. Miller" <davem@davemloft.net>,
Tom Herbert <tom@quantonium.net>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
<herbert@gondor.apana.org.au>, <linux-crypto@vger.kernel.org>,
<netdev@vger.kernel.org>, <ilyal@mellanox.com>,
<borisp@mellanox.com>
Cc: Atul Gupta <atul.gupta@chelsio.com>,
Vakul Garg <vakul.garg@nxp.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
Steffen Klassert <steffen.klassert@secunet.com>,
John Fastabend <john.fastabend@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH RFC 5/5] tls: Add receive path documentation
Date: Thu, 8 Mar 2018 08:50:52 -0800 [thread overview]
Message-ID: <20180308165052.GA19621@davejwatson-mba> (raw)
In-Reply-To: <cover.1520527306.git.davejwatson@fb.com>
Add documentation on rx path setup and cmsg interface.
Signed-off-by: Dave Watson <davejwatson@fb.com>
---
Documentation/networking/tls.txt | 59 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 57 insertions(+), 2 deletions(-)
diff --git a/Documentation/networking/tls.txt b/Documentation/networking/tls.txt
index 77ed006..d341016 100644
--- a/Documentation/networking/tls.txt
+++ b/Documentation/networking/tls.txt
@@ -48,6 +48,9 @@ the transmit and the receive into the kernel.
setsockopt(sock, SOL_TLS, TLS_TX, &crypto_info, sizeof(crypto_info));
+Transmit and receive are set separately, but the setup is the same, using either
+TLS_TX or TLS_RX.
+
Sending TLS application data
----------------------------
@@ -79,6 +82,21 @@ for memory), or the encryption will always succeed. If send() returns
-ENOMEM and some data was left on the socket buffer from a previous
call using MSG_MORE, the MSG_MORE data is left on the socket buffer.
+Receiving TLS application data
+------------------------------
+
+After setting the TLS_RX socket option, all recv family socket calls
+are decrypted using TLS parameters provided. A full TLS record must
+be received before decryption can happen.
+
+ char buffer[16384];
+ recv(sock, buffer, 16384);
+
+Received data is decrypted directly in to the user buffer if it is
+large enough, and no additional allocations occur. If the userspace
+buffer is too small, data is decrypted in the kernel and copied to
+userspace.
+
Send TLS control messages
-------------------------
@@ -118,6 +136,43 @@ using a record of type @record_type.
Control message data should be provided unencrypted, and will be
encrypted by the kernel.
+Receiving TLS control messages
+------------------------------
+
+TLS control messages are passed in the userspace buffer, with message
+type passed via cmsg. If no cmsg buffer is provided, an error is
+returned if a control message is received. Data messages may be
+received without a cmsg buffer set.
+
+ char buffer[16384];
+ char cmsg[CMSG_SPACE(sizeof(unsigned char))];
+ struct msghdr msg = {0};
+ msg.msg_control = cmsg;
+ msg.msg_controllen = sizeof(cmsg);
+
+ struct iovec msg_iov;
+ msg_iov.iov_base = buffer;
+ msg_iov.iov_len = 16384;
+
+ msg.msg_iov = &msg_iov;
+ msg.msg_iovlen = 1;
+
+ int ret = recvmsg(sock, &msg, 0 /* flags */);
+
+ struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+ if (cmsg->cmsg_level == SOL_TLS &&
+ cmsg->cmsg_type == TLS_GET_RECORD_TYPE) {
+ int record_type = *((unsigned char *)CMSG_DATA(cmsg));
+ // Do something with record_type, and control message data in
+ // buffer.
+ //
+ // Note that record_type may be == to application data (23).
+ } else {
+ // Buffer contains application data.
+ }
+
+recv will never return data from mixed types of TLS records.
+
Integrating in to userspace TLS library
---------------------------------------
@@ -126,10 +181,10 @@ layer of a userspace TLS library.
A patchset to OpenSSL to use ktls as the record layer is here:
-https://github.com/Mellanox/tls-openssl
+https://github.com/Mellanox/openssl/commits/tls_rx
An example of calling send directly after a handshake using
gnutls. Since it doesn't implement a full record layer, control
messages are not supported:
-https://github.com/Mellanox/tls-af_ktls_tool
+https://github.com/ktls/af_ktls-tool/commits/RX
--
2.9.5
prev parent reply other threads:[~2018-03-08 16:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1520527306.git.davejwatson@fb.com>
2018-03-08 16:50 ` [PATCH RFC 1/5] tls: Generalize zerocopy_from_iter Dave Watson
2018-03-08 16:50 ` [PATCH RFC 2/5] tls: Move cipher info to a separate struct Dave Watson
2018-03-08 16:50 ` [PATCH RFC 3/5] tls: Pass error code explicitly to tls_err_abort Dave Watson
2018-03-08 16:50 ` [PATCH RFC 4/5] tls: RX path for ktls Dave Watson
2018-03-08 19:48 ` Boris Pismenny
2018-03-08 22:22 ` Dave Watson
2018-03-08 16:50 ` Dave Watson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180308165052.GA19621@davejwatson-mba \
--to=davejwatson@fb.com \
--cc=alexei.starovoitov@gmail.com \
--cc=atul.gupta@chelsio.com \
--cc=borisp@mellanox.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=herbert@gondor.apana.org.au \
--cc=ilyal@mellanox.com \
--cc=john.fastabend@gmail.com \
--cc=linux-crypto@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=tom@quantonium.net \
--cc=vakul.garg@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).