162306a36Sopenharmony_ci.. SPDX-License-Identifier: GPL-2.0
262306a36Sopenharmony_ci
362306a36Sopenharmony_ci=======================
462306a36Sopenharmony_ciIn-Kernel TLS Handshake
562306a36Sopenharmony_ci=======================
662306a36Sopenharmony_ci
762306a36Sopenharmony_ciOverview
862306a36Sopenharmony_ci========
962306a36Sopenharmony_ci
1062306a36Sopenharmony_ciTransport Layer Security (TLS) is a Upper Layer Protocol (ULP) that runs
1162306a36Sopenharmony_ciover TCP. TLS provides end-to-end data integrity and confidentiality in
1262306a36Sopenharmony_ciaddition to peer authentication.
1362306a36Sopenharmony_ci
1462306a36Sopenharmony_ciThe kernel's kTLS implementation handles the TLS record subprotocol, but
1562306a36Sopenharmony_cidoes not handle the TLS handshake subprotocol which is used to establish
1662306a36Sopenharmony_cia TLS session. Kernel consumers can use the API described here to
1762306a36Sopenharmony_cirequest TLS session establishment.
1862306a36Sopenharmony_ci
1962306a36Sopenharmony_ciThere are several possible ways to provide a handshake service in the
2062306a36Sopenharmony_cikernel. The API described here is designed to hide the details of those
2162306a36Sopenharmony_ciimplementations so that in-kernel TLS consumers do not need to be
2262306a36Sopenharmony_ciaware of how the handshake gets done.
2362306a36Sopenharmony_ci
2462306a36Sopenharmony_ci
2562306a36Sopenharmony_ciUser handshake agent
2662306a36Sopenharmony_ci====================
2762306a36Sopenharmony_ci
2862306a36Sopenharmony_ciAs of this writing, there is no TLS handshake implementation in the
2962306a36Sopenharmony_ciLinux kernel. To provide a handshake service, a handshake agent
3062306a36Sopenharmony_ci(typically in user space) is started in each network namespace where a
3162306a36Sopenharmony_cikernel consumer might require a TLS handshake. Handshake agents listen
3262306a36Sopenharmony_cifor events sent from the kernel that indicate a handshake request is
3362306a36Sopenharmony_ciwaiting.
3462306a36Sopenharmony_ci
3562306a36Sopenharmony_ciAn open socket is passed to a handshake agent via a netlink operation,
3662306a36Sopenharmony_ciwhich creates a socket descriptor in the agent's file descriptor table.
3762306a36Sopenharmony_ciIf the handshake completes successfully, the handshake agent promotes
3862306a36Sopenharmony_cithe socket to use the TLS ULP and sets the session information using the
3962306a36Sopenharmony_ciSOL_TLS socket options. The handshake agent returns the socket to the
4062306a36Sopenharmony_cikernel via a second netlink operation.
4162306a36Sopenharmony_ci
4262306a36Sopenharmony_ci
4362306a36Sopenharmony_ciKernel Handshake API
4462306a36Sopenharmony_ci====================
4562306a36Sopenharmony_ci
4662306a36Sopenharmony_ciA kernel TLS consumer initiates a client-side TLS handshake on an open
4762306a36Sopenharmony_cisocket by invoking one of the tls_client_hello() functions. First, it
4862306a36Sopenharmony_cifills in a structure that contains the parameters of the request:
4962306a36Sopenharmony_ci
5062306a36Sopenharmony_ci.. code-block:: c
5162306a36Sopenharmony_ci
5262306a36Sopenharmony_ci  struct tls_handshake_args {
5362306a36Sopenharmony_ci        struct socket   *ta_sock;
5462306a36Sopenharmony_ci        tls_done_func_t ta_done;
5562306a36Sopenharmony_ci        void            *ta_data;
5662306a36Sopenharmony_ci        const char      *ta_peername;
5762306a36Sopenharmony_ci        unsigned int    ta_timeout_ms;
5862306a36Sopenharmony_ci        key_serial_t    ta_keyring;
5962306a36Sopenharmony_ci        key_serial_t    ta_my_cert;
6062306a36Sopenharmony_ci        key_serial_t    ta_my_privkey;
6162306a36Sopenharmony_ci        unsigned int    ta_num_peerids;
6262306a36Sopenharmony_ci        key_serial_t    ta_my_peerids[5];
6362306a36Sopenharmony_ci  };
6462306a36Sopenharmony_ci
6562306a36Sopenharmony_ciThe @ta_sock field references an open and connected socket. The consumer
6662306a36Sopenharmony_cimust hold a reference on the socket to prevent it from being destroyed
6762306a36Sopenharmony_ciwhile the handshake is in progress. The consumer must also have
6862306a36Sopenharmony_ciinstantiated a struct file in sock->file.
6962306a36Sopenharmony_ci
7062306a36Sopenharmony_ci
7162306a36Sopenharmony_ci@ta_done contains a callback function that is invoked when the handshake
7262306a36Sopenharmony_cihas completed. Further explanation of this function is in the "Handshake
7362306a36Sopenharmony_ciCompletion" sesction below.
7462306a36Sopenharmony_ci
7562306a36Sopenharmony_ciThe consumer can provide a NUL-terminated hostname in the @ta_peername
7662306a36Sopenharmony_cifield that is sent as part of ClientHello. If no peername is provided,
7762306a36Sopenharmony_cithe DNS hostname associated with the server's IP address is used instead.
7862306a36Sopenharmony_ci
7962306a36Sopenharmony_ciThe consumer can fill in the @ta_timeout_ms field to force the servicing
8062306a36Sopenharmony_cihandshake agent to exit after a number of milliseconds. This enables the
8162306a36Sopenharmony_cisocket to be fully closed once both the kernel and the handshake agent
8262306a36Sopenharmony_cihave closed their endpoints.
8362306a36Sopenharmony_ci
8462306a36Sopenharmony_ciAuthentication material such as x.509 certificates, private certificate
8562306a36Sopenharmony_cikeys, and pre-shared keys are provided to the handshake agent in keys
8662306a36Sopenharmony_cithat are instantiated by the consumer before making the handshake
8762306a36Sopenharmony_cirequest. The consumer can provide a private keyring that is linked into
8862306a36Sopenharmony_cithe handshake agent's process keyring in the @ta_keyring field to prevent
8962306a36Sopenharmony_ciaccess of those keys by other subsystems.
9062306a36Sopenharmony_ci
9162306a36Sopenharmony_ciTo request an x.509-authenticated TLS session, the consumer fills in
9262306a36Sopenharmony_cithe @ta_my_cert and @ta_my_privkey fields with the serial numbers of
9362306a36Sopenharmony_cikeys containing an x.509 certificate and the private key for that
9462306a36Sopenharmony_cicertificate. Then, it invokes this function:
9562306a36Sopenharmony_ci
9662306a36Sopenharmony_ci.. code-block:: c
9762306a36Sopenharmony_ci
9862306a36Sopenharmony_ci  ret = tls_client_hello_x509(args, gfp_flags);
9962306a36Sopenharmony_ci
10062306a36Sopenharmony_ciThe function returns zero when the handshake request is under way. A
10162306a36Sopenharmony_cizero return guarantees the callback function @ta_done will be invoked
10262306a36Sopenharmony_cifor this socket. The function returns a negative errno if the handshake
10362306a36Sopenharmony_cicould not be started. A negative errno guarantees the callback function
10462306a36Sopenharmony_ci@ta_done will not be invoked on this socket.
10562306a36Sopenharmony_ci
10662306a36Sopenharmony_ci
10762306a36Sopenharmony_ciTo initiate a client-side TLS handshake with a pre-shared key, use:
10862306a36Sopenharmony_ci
10962306a36Sopenharmony_ci.. code-block:: c
11062306a36Sopenharmony_ci
11162306a36Sopenharmony_ci  ret = tls_client_hello_psk(args, gfp_flags);
11262306a36Sopenharmony_ci
11362306a36Sopenharmony_ciHowever, in this case, the consumer fills in the @ta_my_peerids array
11462306a36Sopenharmony_ciwith serial numbers of keys containing the peer identities it wishes
11562306a36Sopenharmony_cito offer, and the @ta_num_peerids field with the number of array
11662306a36Sopenharmony_cientries it has filled in. The other fields are filled in as above.
11762306a36Sopenharmony_ci
11862306a36Sopenharmony_ci
11962306a36Sopenharmony_ciTo initiate an anonymous client-side TLS handshake use:
12062306a36Sopenharmony_ci
12162306a36Sopenharmony_ci.. code-block:: c
12262306a36Sopenharmony_ci
12362306a36Sopenharmony_ci  ret = tls_client_hello_anon(args, gfp_flags);
12462306a36Sopenharmony_ci
12562306a36Sopenharmony_ciThe handshake agent presents no peer identity information to the remote
12662306a36Sopenharmony_ciduring this type of handshake. Only server authentication (ie the client
12762306a36Sopenharmony_civerifies the server's identity) is performed during the handshake. Thus
12862306a36Sopenharmony_cithe established session uses encryption only.
12962306a36Sopenharmony_ci
13062306a36Sopenharmony_ci
13162306a36Sopenharmony_ciConsumers that are in-kernel servers use:
13262306a36Sopenharmony_ci
13362306a36Sopenharmony_ci.. code-block:: c
13462306a36Sopenharmony_ci
13562306a36Sopenharmony_ci  ret = tls_server_hello_x509(args, gfp_flags);
13662306a36Sopenharmony_ci
13762306a36Sopenharmony_cior
13862306a36Sopenharmony_ci
13962306a36Sopenharmony_ci.. code-block:: c
14062306a36Sopenharmony_ci
14162306a36Sopenharmony_ci  ret = tls_server_hello_psk(args, gfp_flags);
14262306a36Sopenharmony_ci
14362306a36Sopenharmony_ciThe argument structure is filled in as above.
14462306a36Sopenharmony_ci
14562306a36Sopenharmony_ci
14662306a36Sopenharmony_ciIf the consumer needs to cancel the handshake request, say, due to a ^C
14762306a36Sopenharmony_cior other exigent event, the consumer can invoke:
14862306a36Sopenharmony_ci
14962306a36Sopenharmony_ci.. code-block:: c
15062306a36Sopenharmony_ci
15162306a36Sopenharmony_ci  bool tls_handshake_cancel(sock);
15262306a36Sopenharmony_ci
15362306a36Sopenharmony_ciThis function returns true if the handshake request associated with
15462306a36Sopenharmony_ci@sock has been canceled. The consumer's handshake completion callback
15562306a36Sopenharmony_ciwill not be invoked. If this function returns false, then the consumer's
15662306a36Sopenharmony_cicompletion callback has already been invoked.
15762306a36Sopenharmony_ci
15862306a36Sopenharmony_ci
15962306a36Sopenharmony_ciHandshake Completion
16062306a36Sopenharmony_ci====================
16162306a36Sopenharmony_ci
16262306a36Sopenharmony_ciWhen the handshake agent has completed processing, it notifies the
16362306a36Sopenharmony_cikernel that the socket may be used by the consumer again. At this point,
16462306a36Sopenharmony_cithe consumer's handshake completion callback, provided in the @ta_done
16562306a36Sopenharmony_cifield in the tls_handshake_args structure, is invoked.
16662306a36Sopenharmony_ci
16762306a36Sopenharmony_ciThe synopsis of this function is:
16862306a36Sopenharmony_ci
16962306a36Sopenharmony_ci.. code-block:: c
17062306a36Sopenharmony_ci
17162306a36Sopenharmony_ci  typedef void	(*tls_done_func_t)(void *data, int status,
17262306a36Sopenharmony_ci                                   key_serial_t peerid);
17362306a36Sopenharmony_ci
17462306a36Sopenharmony_ciThe consumer provides a cookie in the @ta_data field of the
17562306a36Sopenharmony_citls_handshake_args structure that is returned in the @data parameter of
17662306a36Sopenharmony_cithis callback. The consumer uses the cookie to match the callback to the
17762306a36Sopenharmony_cithread waiting for the handshake to complete.
17862306a36Sopenharmony_ci
17962306a36Sopenharmony_ciThe success status of the handshake is returned via the @status
18062306a36Sopenharmony_ciparameter:
18162306a36Sopenharmony_ci
18262306a36Sopenharmony_ci+------------+----------------------------------------------+
18362306a36Sopenharmony_ci|  status    |  meaning                                     |
18462306a36Sopenharmony_ci+============+==============================================+
18562306a36Sopenharmony_ci|  0         |  TLS session established successfully        |
18662306a36Sopenharmony_ci+------------+----------------------------------------------+
18762306a36Sopenharmony_ci|  -EACCESS  |  Remote peer rejected the handshake or       |
18862306a36Sopenharmony_ci|            |  authentication failed                       |
18962306a36Sopenharmony_ci+------------+----------------------------------------------+
19062306a36Sopenharmony_ci|  -ENOMEM   |  Temporary resource allocation failure       |
19162306a36Sopenharmony_ci+------------+----------------------------------------------+
19262306a36Sopenharmony_ci|  -EINVAL   |  Consumer provided an invalid argument       |
19362306a36Sopenharmony_ci+------------+----------------------------------------------+
19462306a36Sopenharmony_ci|  -ENOKEY   |  Missing authentication material             |
19562306a36Sopenharmony_ci+------------+----------------------------------------------+
19662306a36Sopenharmony_ci|  -EIO      |  An unexpected fault occurred                |
19762306a36Sopenharmony_ci+------------+----------------------------------------------+
19862306a36Sopenharmony_ci
19962306a36Sopenharmony_ciThe @peerid parameter contains the serial number of a key containing the
20062306a36Sopenharmony_ciremote peer's identity or the value TLS_NO_PEERID if the session is not
20162306a36Sopenharmony_ciauthenticated.
20262306a36Sopenharmony_ci
20362306a36Sopenharmony_ciA best practice is to close and destroy the socket immediately if the
20462306a36Sopenharmony_cihandshake failed.
20562306a36Sopenharmony_ci
20662306a36Sopenharmony_ci
20762306a36Sopenharmony_ciOther considerations
20862306a36Sopenharmony_ci--------------------
20962306a36Sopenharmony_ci
21062306a36Sopenharmony_ciWhile a handshake is under way, the kernel consumer must alter the
21162306a36Sopenharmony_cisocket's sk_data_ready callback function to ignore all incoming data.
21262306a36Sopenharmony_ciOnce the handshake completion callback function has been invoked, normal
21362306a36Sopenharmony_cireceive operation can be resumed.
21462306a36Sopenharmony_ci
21562306a36Sopenharmony_ciOnce a TLS session is established, the consumer must provide a buffer
21662306a36Sopenharmony_cifor and then examine the control message (CMSG) that is part of every
21762306a36Sopenharmony_cisubsequent sock_recvmsg(). Each control message indicates whether the
21862306a36Sopenharmony_cireceived message data is TLS record data or session metadata.
21962306a36Sopenharmony_ci
22062306a36Sopenharmony_ciSee tls.rst for details on how a kTLS consumer recognizes incoming
22162306a36Sopenharmony_ci(decrypted) application data, alerts, and handshake packets once the
22262306a36Sopenharmony_cisocket has been promoted to use the TLS ULP.
223