From: Sabrina Dubroca <sd@queasysnail.net>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Ilya Lesokhin <ilyal@mellanox.com>,
Dave Watson <davejwatson@fb.com>,
netdev@vger.kernel.org
Subject: Re: Setting TLS_RX and TLS_TX crypto info more than once?
Date: Tue, 24 Jan 2023 23:29:35 +0100 [thread overview]
Message-ID: <Y9Bbz60sAwkmrsrt@hog> (raw)
In-Reply-To: <A07B819E-A406-457A-B7DB-8926DCEBADCD@holtmann.org>
Hi Marcel,
2023-01-24, 18:48:56 +0100, Marcel Holtmann wrote:
> Hi Ilya,
>
> in commit 196c31b4b5447 you limited setsockopt for TLS_RX and TLS_TX
> crypto info to just one time.
Looking at commit 196c31b4b5447, that check was already there, it only
got moved.
>
> + crypto_info = &ctx->crypto_send;
> + /* Currently we don't support set crypto info more than one time */
> + if (TLS_CRYPTO_INFO_READY(crypto_info))
> + goto out;
>
> This is a bit unfortunate for TLS 1.3 where the majority of the TLS
> handshake is actually encrypted with handshake traffic secrets and
> only after a successful handshake, the application traffic secrets
> are applied.
>
> I am hitting this issue since I am just sending ClientHello and only
> reading ServerHello and then switching on TLS_RX right away to receive
> the rest of the handshake via TLS_GET_RECORD_TYPE. This works pretty
> nicely in my code.
>
> Since this limitation wasn’t there in the first place, can we get it
> removed again and allow setting the crypto info more than once? At
> least updating the key material (the cipher obviously has to match).
>
> I think this is also needed when having to do any re-keying since I
> have seen patches for that, but it seems they never got applied.
The patches are still under discussion (I only posted them a week ago
so "never got applied" seems a bit harsh):
https://lore.kernel.org/all/cover.1673952268.git.sd@queasysnail.net/T/#u
--
Sabrina
next prev parent reply other threads:[~2023-01-24 22:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-24 17:48 Setting TLS_RX and TLS_TX crypto info more than once? Marcel Holtmann
2023-01-24 22:29 ` Sabrina Dubroca [this message]
2023-01-25 10:24 ` Marcel Holtmann
2023-01-25 18:22 ` Jakub Kicinski
2023-01-26 8:34 ` Boris Pismenny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9Bbz60sAwkmrsrt@hog \
--to=sd@queasysnail.net \
--cc=davejwatson@fb.com \
--cc=ilyal@mellanox.com \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).