162306a36Sopenharmony_ci.. SPDX-License-Identifier: GPL-2.0 262306a36Sopenharmony_ci 362306a36Sopenharmony_ci======================= 462306a36Sopenharmony_ciIn-Kernel TLS Handshake 562306a36Sopenharmony_ci======================= 662306a36Sopenharmony_ci 762306a36Sopenharmony_ciOverview 862306a36Sopenharmony_ci======== 962306a36Sopenharmony_ci 1062306a36Sopenharmony_ciTransport Layer Security (TLS) is a Upper Layer Protocol (ULP) that runs 1162306a36Sopenharmony_ciover TCP. TLS provides end-to-end data integrity and confidentiality in 1262306a36Sopenharmony_ciaddition to peer authentication. 1362306a36Sopenharmony_ci 1462306a36Sopenharmony_ciThe kernel's kTLS implementation handles the TLS record subprotocol, but 1562306a36Sopenharmony_cidoes not handle the TLS handshake subprotocol which is used to establish 1662306a36Sopenharmony_cia TLS session. Kernel consumers can use the API described here to 1762306a36Sopenharmony_cirequest TLS session establishment. 1862306a36Sopenharmony_ci 1962306a36Sopenharmony_ciThere are several possible ways to provide a handshake service in the 2062306a36Sopenharmony_cikernel. The API described here is designed to hide the details of those 2162306a36Sopenharmony_ciimplementations so that in-kernel TLS consumers do not need to be 2262306a36Sopenharmony_ciaware of how the handshake gets done. 2362306a36Sopenharmony_ci 2462306a36Sopenharmony_ci 2562306a36Sopenharmony_ciUser handshake agent 2662306a36Sopenharmony_ci==================== 2762306a36Sopenharmony_ci 2862306a36Sopenharmony_ciAs of this writing, there is no TLS handshake implementation in the 2962306a36Sopenharmony_ciLinux kernel. To provide a handshake service, a handshake agent 3062306a36Sopenharmony_ci(typically in user space) is started in each network namespace where a 3162306a36Sopenharmony_cikernel consumer might require a TLS handshake. Handshake agents listen 3262306a36Sopenharmony_cifor events sent from the kernel that indicate a handshake request is 3362306a36Sopenharmony_ciwaiting. 3462306a36Sopenharmony_ci 3562306a36Sopenharmony_ciAn open socket is passed to a handshake agent via a netlink operation, 3662306a36Sopenharmony_ciwhich creates a socket descriptor in the agent's file descriptor table. 3762306a36Sopenharmony_ciIf the handshake completes successfully, the handshake agent promotes 3862306a36Sopenharmony_cithe socket to use the TLS ULP and sets the session information using the 3962306a36Sopenharmony_ciSOL_TLS socket options. The handshake agent returns the socket to the 4062306a36Sopenharmony_cikernel via a second netlink operation. 4162306a36Sopenharmony_ci 4262306a36Sopenharmony_ci 4362306a36Sopenharmony_ciKernel Handshake API 4462306a36Sopenharmony_ci==================== 4562306a36Sopenharmony_ci 4662306a36Sopenharmony_ciA kernel TLS consumer initiates a client-side TLS handshake on an open 4762306a36Sopenharmony_cisocket by invoking one of the tls_client_hello() functions. First, it 4862306a36Sopenharmony_cifills in a structure that contains the parameters of the request: 4962306a36Sopenharmony_ci 5062306a36Sopenharmony_ci.. code-block:: c 5162306a36Sopenharmony_ci 5262306a36Sopenharmony_ci struct tls_handshake_args { 5362306a36Sopenharmony_ci struct socket *ta_sock; 5462306a36Sopenharmony_ci tls_done_func_t ta_done; 5562306a36Sopenharmony_ci void *ta_data; 5662306a36Sopenharmony_ci const char *ta_peername; 5762306a36Sopenharmony_ci unsigned int ta_timeout_ms; 5862306a36Sopenharmony_ci key_serial_t ta_keyring; 5962306a36Sopenharmony_ci key_serial_t ta_my_cert; 6062306a36Sopenharmony_ci key_serial_t ta_my_privkey; 6162306a36Sopenharmony_ci unsigned int ta_num_peerids; 6262306a36Sopenharmony_ci key_serial_t ta_my_peerids[5]; 6362306a36Sopenharmony_ci }; 6462306a36Sopenharmony_ci 6562306a36Sopenharmony_ciThe @ta_sock field references an open and connected socket. The consumer 6662306a36Sopenharmony_cimust hold a reference on the socket to prevent it from being destroyed 6762306a36Sopenharmony_ciwhile the handshake is in progress. The consumer must also have 6862306a36Sopenharmony_ciinstantiated a struct file in sock->file. 6962306a36Sopenharmony_ci 7062306a36Sopenharmony_ci 7162306a36Sopenharmony_ci@ta_done contains a callback function that is invoked when the handshake 7262306a36Sopenharmony_cihas completed. Further explanation of this function is in the "Handshake 7362306a36Sopenharmony_ciCompletion" sesction below. 7462306a36Sopenharmony_ci 7562306a36Sopenharmony_ciThe consumer can provide a NUL-terminated hostname in the @ta_peername 7662306a36Sopenharmony_cifield that is sent as part of ClientHello. If no peername is provided, 7762306a36Sopenharmony_cithe DNS hostname associated with the server's IP address is used instead. 7862306a36Sopenharmony_ci 7962306a36Sopenharmony_ciThe consumer can fill in the @ta_timeout_ms field to force the servicing 8062306a36Sopenharmony_cihandshake agent to exit after a number of milliseconds. This enables the 8162306a36Sopenharmony_cisocket to be fully closed once both the kernel and the handshake agent 8262306a36Sopenharmony_cihave closed their endpoints. 8362306a36Sopenharmony_ci 8462306a36Sopenharmony_ciAuthentication material such as x.509 certificates, private certificate 8562306a36Sopenharmony_cikeys, and pre-shared keys are provided to the handshake agent in keys 8662306a36Sopenharmony_cithat are instantiated by the consumer before making the handshake 8762306a36Sopenharmony_cirequest. The consumer can provide a private keyring that is linked into 8862306a36Sopenharmony_cithe handshake agent's process keyring in the @ta_keyring field to prevent 8962306a36Sopenharmony_ciaccess of those keys by other subsystems. 9062306a36Sopenharmony_ci 9162306a36Sopenharmony_ciTo request an x.509-authenticated TLS session, the consumer fills in 9262306a36Sopenharmony_cithe @ta_my_cert and @ta_my_privkey fields with the serial numbers of 9362306a36Sopenharmony_cikeys containing an x.509 certificate and the private key for that 9462306a36Sopenharmony_cicertificate. Then, it invokes this function: 9562306a36Sopenharmony_ci 9662306a36Sopenharmony_ci.. code-block:: c 9762306a36Sopenharmony_ci 9862306a36Sopenharmony_ci ret = tls_client_hello_x509(args, gfp_flags); 9962306a36Sopenharmony_ci 10062306a36Sopenharmony_ciThe function returns zero when the handshake request is under way. A 10162306a36Sopenharmony_cizero return guarantees the callback function @ta_done will be invoked 10262306a36Sopenharmony_cifor this socket. The function returns a negative errno if the handshake 10362306a36Sopenharmony_cicould not be started. A negative errno guarantees the callback function 10462306a36Sopenharmony_ci@ta_done will not be invoked on this socket. 10562306a36Sopenharmony_ci 10662306a36Sopenharmony_ci 10762306a36Sopenharmony_ciTo initiate a client-side TLS handshake with a pre-shared key, use: 10862306a36Sopenharmony_ci 10962306a36Sopenharmony_ci.. code-block:: c 11062306a36Sopenharmony_ci 11162306a36Sopenharmony_ci ret = tls_client_hello_psk(args, gfp_flags); 11262306a36Sopenharmony_ci 11362306a36Sopenharmony_ciHowever, in this case, the consumer fills in the @ta_my_peerids array 11462306a36Sopenharmony_ciwith serial numbers of keys containing the peer identities it wishes 11562306a36Sopenharmony_cito offer, and the @ta_num_peerids field with the number of array 11662306a36Sopenharmony_cientries it has filled in. The other fields are filled in as above. 11762306a36Sopenharmony_ci 11862306a36Sopenharmony_ci 11962306a36Sopenharmony_ciTo initiate an anonymous client-side TLS handshake use: 12062306a36Sopenharmony_ci 12162306a36Sopenharmony_ci.. code-block:: c 12262306a36Sopenharmony_ci 12362306a36Sopenharmony_ci ret = tls_client_hello_anon(args, gfp_flags); 12462306a36Sopenharmony_ci 12562306a36Sopenharmony_ciThe handshake agent presents no peer identity information to the remote 12662306a36Sopenharmony_ciduring this type of handshake. Only server authentication (ie the client 12762306a36Sopenharmony_civerifies the server's identity) is performed during the handshake. Thus 12862306a36Sopenharmony_cithe established session uses encryption only. 12962306a36Sopenharmony_ci 13062306a36Sopenharmony_ci 13162306a36Sopenharmony_ciConsumers that are in-kernel servers use: 13262306a36Sopenharmony_ci 13362306a36Sopenharmony_ci.. code-block:: c 13462306a36Sopenharmony_ci 13562306a36Sopenharmony_ci ret = tls_server_hello_x509(args, gfp_flags); 13662306a36Sopenharmony_ci 13762306a36Sopenharmony_cior 13862306a36Sopenharmony_ci 13962306a36Sopenharmony_ci.. code-block:: c 14062306a36Sopenharmony_ci 14162306a36Sopenharmony_ci ret = tls_server_hello_psk(args, gfp_flags); 14262306a36Sopenharmony_ci 14362306a36Sopenharmony_ciThe argument structure is filled in as above. 14462306a36Sopenharmony_ci 14562306a36Sopenharmony_ci 14662306a36Sopenharmony_ciIf the consumer needs to cancel the handshake request, say, due to a ^C 14762306a36Sopenharmony_cior other exigent event, the consumer can invoke: 14862306a36Sopenharmony_ci 14962306a36Sopenharmony_ci.. code-block:: c 15062306a36Sopenharmony_ci 15162306a36Sopenharmony_ci bool tls_handshake_cancel(sock); 15262306a36Sopenharmony_ci 15362306a36Sopenharmony_ciThis function returns true if the handshake request associated with 15462306a36Sopenharmony_ci@sock has been canceled. The consumer's handshake completion callback 15562306a36Sopenharmony_ciwill not be invoked. If this function returns false, then the consumer's 15662306a36Sopenharmony_cicompletion callback has already been invoked. 15762306a36Sopenharmony_ci 15862306a36Sopenharmony_ci 15962306a36Sopenharmony_ciHandshake Completion 16062306a36Sopenharmony_ci==================== 16162306a36Sopenharmony_ci 16262306a36Sopenharmony_ciWhen the handshake agent has completed processing, it notifies the 16362306a36Sopenharmony_cikernel that the socket may be used by the consumer again. At this point, 16462306a36Sopenharmony_cithe consumer's handshake completion callback, provided in the @ta_done 16562306a36Sopenharmony_cifield in the tls_handshake_args structure, is invoked. 16662306a36Sopenharmony_ci 16762306a36Sopenharmony_ciThe synopsis of this function is: 16862306a36Sopenharmony_ci 16962306a36Sopenharmony_ci.. code-block:: c 17062306a36Sopenharmony_ci 17162306a36Sopenharmony_ci typedef void (*tls_done_func_t)(void *data, int status, 17262306a36Sopenharmony_ci key_serial_t peerid); 17362306a36Sopenharmony_ci 17462306a36Sopenharmony_ciThe consumer provides a cookie in the @ta_data field of the 17562306a36Sopenharmony_citls_handshake_args structure that is returned in the @data parameter of 17662306a36Sopenharmony_cithis callback. The consumer uses the cookie to match the callback to the 17762306a36Sopenharmony_cithread waiting for the handshake to complete. 17862306a36Sopenharmony_ci 17962306a36Sopenharmony_ciThe success status of the handshake is returned via the @status 18062306a36Sopenharmony_ciparameter: 18162306a36Sopenharmony_ci 18262306a36Sopenharmony_ci+------------+----------------------------------------------+ 18362306a36Sopenharmony_ci| status | meaning | 18462306a36Sopenharmony_ci+============+==============================================+ 18562306a36Sopenharmony_ci| 0 | TLS session established successfully | 18662306a36Sopenharmony_ci+------------+----------------------------------------------+ 18762306a36Sopenharmony_ci| -EACCESS | Remote peer rejected the handshake or | 18862306a36Sopenharmony_ci| | authentication failed | 18962306a36Sopenharmony_ci+------------+----------------------------------------------+ 19062306a36Sopenharmony_ci| -ENOMEM | Temporary resource allocation failure | 19162306a36Sopenharmony_ci+------------+----------------------------------------------+ 19262306a36Sopenharmony_ci| -EINVAL | Consumer provided an invalid argument | 19362306a36Sopenharmony_ci+------------+----------------------------------------------+ 19462306a36Sopenharmony_ci| -ENOKEY | Missing authentication material | 19562306a36Sopenharmony_ci+------------+----------------------------------------------+ 19662306a36Sopenharmony_ci| -EIO | An unexpected fault occurred | 19762306a36Sopenharmony_ci+------------+----------------------------------------------+ 19862306a36Sopenharmony_ci 19962306a36Sopenharmony_ciThe @peerid parameter contains the serial number of a key containing the 20062306a36Sopenharmony_ciremote peer's identity or the value TLS_NO_PEERID if the session is not 20162306a36Sopenharmony_ciauthenticated. 20262306a36Sopenharmony_ci 20362306a36Sopenharmony_ciA best practice is to close and destroy the socket immediately if the 20462306a36Sopenharmony_cihandshake failed. 20562306a36Sopenharmony_ci 20662306a36Sopenharmony_ci 20762306a36Sopenharmony_ciOther considerations 20862306a36Sopenharmony_ci-------------------- 20962306a36Sopenharmony_ci 21062306a36Sopenharmony_ciWhile a handshake is under way, the kernel consumer must alter the 21162306a36Sopenharmony_cisocket's sk_data_ready callback function to ignore all incoming data. 21262306a36Sopenharmony_ciOnce the handshake completion callback function has been invoked, normal 21362306a36Sopenharmony_cireceive operation can be resumed. 21462306a36Sopenharmony_ci 21562306a36Sopenharmony_ciOnce a TLS session is established, the consumer must provide a buffer 21662306a36Sopenharmony_cifor and then examine the control message (CMSG) that is part of every 21762306a36Sopenharmony_cisubsequent sock_recvmsg(). Each control message indicates whether the 21862306a36Sopenharmony_cireceived message data is TLS record data or session metadata. 21962306a36Sopenharmony_ci 22062306a36Sopenharmony_ciSee tls.rst for details on how a kTLS consumer recognizes incoming 22162306a36Sopenharmony_ci(decrypted) application data, alerts, and handshake packets once the 22262306a36Sopenharmony_cisocket has been promoted to use the TLS ULP. 223