Re: [PATCH net-next v4 1/6] tls: block decryption when a rekey is pending

[Sabrina Dubroca <sd@queasysnail.net>]

2024-12-03, 19:47:01 -0800, Jakub Kicinski wrote:
> On Thu, 14 Nov 2024 16:50:48 +0100 Sabrina Dubroca wrote:
> > +static int tls_check_pending_rekey(struct tls_context *ctx, struct sk_buff *skb)
> > +{
> > +	const struct tls_msg *tlm = tls_msg(skb);
> > +	const struct strp_msg *rxm = strp_msg(skb);
> > +	char hs_type;
> > +	int err;
> > +
> > +	if (likely(tlm->control != TLS_RECORD_TYPE_HANDSHAKE))
> > +		return 0;
> > +
> > +	if (rxm->full_len < 1)
> > +		return -EINVAL;
> > +
> > +	err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > +	if (err < 0)
> > +		return err;
> > +
> > +	if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {
> > +		struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > +		WRITE_ONCE(rx_ctx->key_update_pending, true);
> > +	}
> > +
> > +	return 0;
> > +}
> > +
> >  static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> >  			     struct tls_decrypt_arg *darg)
> >  {
> > @@ -1739,6 +1769,10 @@ static int tls_rx_one_record(struct sock *sk, struct msghdr *msg,
> >  	rxm->full_len -= prot->overhead_size;
> >  	tls_advance_record_sn(sk, prot, &tls_ctx->rx);
> >  
> > +	err = tls_check_pending_rekey(tls_ctx, darg->skb);
> > +	if (err < 0)
> > +		return err;
> 
> Sorry if I already asked this, is this 100% safe to error out from here
> after we decrypted the record? Normally once we successfully decrypted
> and pulled the message header / trailer we always call tls_rx_rec_done()

This is the same thing tls_rx_one_record does when tls_decrypt_sw
fails. Return <0 immediately, let the caller deal with the fallout. In
the case where tls_padding_length fails, tls_decrypt_sw has an extra
consume_skb though.

Returning an error here will make tls_rx_one_record() also return an
error, and when that happens we always call tls_err_abort(). It's a
big hammer, but it should be safe.

> The only reason the check_pending_rekey() can fail is if the message is
> mis-formatted, I wonder if we are better off ignoring mis-formatted
> rekeys? User space will see them and break the connection, anyway.
> Alternatively - we could add a selftest for this.


Going back to tls_check_pending_rekey():

> > +	if (rxm->full_len < 1)
> > +		return -EINVAL;

There's no real reason to fail here, we should probably just ignore
it. It's not a rekey, and it's not a valid handshake message, but one
could say that's not the kernel's problem. I'll make that return 0
unless you want to keep -EINVAL.

Hard to write a selftest for because we'd have to do a sendmsg with
len=0, or do the crypto in the selftest.

> > +	err = skb_copy_bits(skb, rxm->offset, &hs_type, 1);
> > +	if (err < 0)
> > +		return err;

This probably means that the skb we got from the parser was broken. If
we can't read 1B with full_len >= 1, something's wrong. Maybe worth a
DEBUG_NET_WARN_ON_ONCE?

> > +	if (hs_type == TLS_HANDSHAKE_KEYUPDATE) {

Here I don't actually check if it's a correct KeyUpdate message [1],
we pause decryption and let userspace decide what to do (probably
break the connection as you said).

[1] https://datatracker.ietf.org/doc/html/rfc8446#page-25
    https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3

> > +		struct tls_sw_context_rx *rx_ctx = ctx->priv_ctx_rx;
> > +
> > +		WRITE_ONCE(rx_ctx->key_update_pending, true);
> > +	}
> > +
> > +	return 0;
> > +}

-- 
Sabrina