All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sabrina Dubroca <sd@queasysnail.net>
To: netdev@vger.kernel.org
Cc: Sabrina Dubroca <sd@queasysnail.net>,
	Vadim Fedorenko <vfedorenko@novek.ru>,
	Frantisek Krenzelok <fkrenzel@redhat.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Kuniyuki Iwashima <kuniyu@amazon.com>,
	Apoorv Kothari <apoorvko@amazon.com>,
	Boris Pismenny <borisp@nvidia.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Shuah Khan <shuah@kernel.org>,
	linux-kselftest@vger.kernel.org, Gal Pressman <gal@nvidia.com>,
	Marcel Holtmann <marcel@holtmann.org>,
	Jonathan Corbet <corbet@lwn.net>,
	linux-doc@vger.kernel.org
Subject: [PATCH net-next v3 4/6] docs: tls: document TLS1.3 key updates
Date: Wed,  9 Aug 2023 14:58:53 +0200	[thread overview]
Message-ID: <9916d6a35c659d639f6f52488ceea227a523ab63.1691584074.git.sd@queasysnail.net> (raw)
In-Reply-To: <cover.1691584074.git.sd@queasysnail.net>

v3: added following Jakub's comment

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
 Documentation/networking/tls.rst | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst
index 658ed3a71e1b..ea6a22eafe2b 100644
--- a/Documentation/networking/tls.rst
+++ b/Documentation/networking/tls.rst
@@ -200,6 +200,27 @@ received without a cmsg buffer set.
 
 recv will never return data from mixed types of TLS records.
 
+TLS 1.3 Key Updates
+-------------------
+
+In TLS 1.3, KeyUpdate handshake messages signal that the sender is
+updating its TX key. Any message sent after a KeyUpdate will be
+encrypted using the new key. The userspace library can pass the new
+key to the kernel using the TLS_TX and TLS_RX socket options, as for
+the initial keys. TLS version and cipher cannot be changed.
+
+To prevent attempting to decrypt incoming records using the wrong key,
+decryption will be paused when a KeyUpdate message is received by the
+kernel, until the new key has been provided using the TLS_RX socket
+option. Any read occurring after the KeyUpdate has been read and
+before the new key is provided will fail with EKEYEXPIRED. Poll()'ing
+the socket will also sleep until the new key is provided. There is no
+pausing on the transmit side.
+
+Userspace should make sure that the crypto_info provided has been set
+properly. In particular, the kernel will not check for key/nonce
+reuse.
+
 Integrating in to userspace TLS library
 ---------------------------------------
 
-- 
2.40.1


  parent reply	other threads:[~2023-08-09 12:59 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-09 12:58 [PATCH net-next v3 0/6] tls: implement key updates for TLS1.3 Sabrina Dubroca
2023-08-09 12:58 ` [PATCH net-next v3 1/6] tls: remove tls_context argument from tls_set_sw_offload Sabrina Dubroca
2023-08-10 17:42   ` Simon Horman
2023-08-09 12:58 ` [PATCH net-next v3 2/6] tls: block decryption when a rekey is pending Sabrina Dubroca
2023-08-10 17:44   ` Simon Horman
2023-08-12  1:37   ` Jakub Kicinski
2023-08-09 12:58 ` [PATCH net-next v3 3/6] tls: implement rekey for TLS1.3 Sabrina Dubroca
2023-08-10 17:56   ` Simon Horman
2023-08-12  1:43   ` Jakub Kicinski
2023-08-14 15:06     ` Sabrina Dubroca
2023-08-14 15:21       ` Jakub Kicinski
2023-08-14 15:46         ` Sabrina Dubroca
2023-08-09 12:58 ` Sabrina Dubroca [this message]
2023-08-09 12:58 ` [PATCH net-next v3 5/6] selftests: tls: add key_generation argument to tls_crypto_info_init Sabrina Dubroca
2023-08-09 12:58 ` [PATCH net-next v3 6/6] selftests: tls: add rekey tests Sabrina Dubroca
2023-08-10 17:58   ` Simon Horman
2023-08-14 15:09     ` Sabrina Dubroca

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9916d6a35c659d639f6f52488ceea227a523ab63.1691584074.git.sd@queasysnail.net \
    --to=sd@queasysnail.net \
    --cc=apoorvko@amazon.com \
    --cc=borisp@nvidia.com \
    --cc=corbet@lwn.net \
    --cc=fkrenzel@redhat.com \
    --cc=gal@nvidia.com \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=kuniyu@amazon.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=netdev@vger.kernel.org \
    --cc=shuah@kernel.org \
    --cc=vfedorenko@novek.ru \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.