, ,

torvalds/linux

news image

Overview ======== Transport Layer Security (TLS) is a Upper Layer Protocol (ULP) that runs over TCP. TLS offers end-to-end info integrity and confidentiality. User interface ============== Setting up a TLS connection ————————- First assemble a new TCP socket and attach the TLS ULP. sock = socket(AF_INET, SOCK_STREAM, zero); setsockopt(sock, SOL_TCP, TCP_ULP, “tls”, sizeof(“tls”)); Setting the TLS ULP permits us to attach/accumulate TLS socket alternate solutions. Currently easiest the symmetric encryption is handled within the kernel. After the TLS handshake is complete, now we fetch the entire parameters required to circulate the info-path to the kernel. There is a separate socket risk for animated the transmit and the receive into the kernel. /* From linux/tls.h */ struct tls_crypto_info { unsigned rapid model; unsigned rapid cipher_type; }; struct tls12_crypto_info_aes_gcm_128 { struct tls_crypto_info info; unsigned char iv[TLS_CIPHER_AES_GCM_128_IV_SIZE]; unsigned char key[TLS_CIPHER_AES_GCM_128_KEY_SIZE]; unsigned char salt[TLS_CIPHER_AES_GCM_128_SALT_SIZE]; unsigned char rec_seq[TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE]; }; struct tls12_crypto_info_aes_gcm_128 crypto_info; crypto_info.info.model = TLS_1_2_VERSION; crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128; memcpy(crypto_info.iv, iv_write, TLS_CIPHER_AES_GCM_128_IV_SIZE); memcpy(crypto_info.rec_seq, seq_number_write, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); memcpy(crypto_info.key, cipher_key_write, TLS_CIPHER_AES_GCM_128_KEY_SIZE); memcpy(crypto_info.salt, implicit_iv_write, TLS_CIPHER_AES_GCM_128_SALT_SIZE); setsockopt(sock, SOL_TLS, TLS_TX, &crypto_info, sizeof(crypto_info)); Sending TLS application info —————————- After setting the TLS_TX socket risk all application info despatched over this socket is encrypted the usage of TLS and the parameters supplied within the socket risk. As an instance, we can ship an encrypted hey world document as follows: const char *msg = “hey worldn”; ship(sock, msg, strlen(msg)); ship() info is at once encrypted from the userspace buffer supplied to the encrypted kernel ship buffer if that it’s doubtless you’ll ponder of. The sendfile system call will ship the file’s info over TLS info of most length (2^14). file = launch(filename, O_RDONLY); fstat(file, &stat); sendfile(sock, file, &offset, stat.st_size); TLS info are created and despatched after every ship() call, except MSG_MORE is passed. MSG_MORE will prolong advent of a document till MSG_MORE is no longer passed, or some of the document size is reached. The kernel will must allocate a buffer for the encrypted info. This buffer is disbursed on the time ship() is named, such that either the entire ship() call will return -ENOMEM (or block ready for memory), or the encryption will continually be triumphant. If ship() returns -ENOMEM and a few info changed into once left on the socket buffer from a earlier call the usage of MSG_MORE, the MSG_MORE info is left on the socket buffer. Ship TLS control messages ————————- Diversified than application info, TLS has control messages equivalent to alert messages (document form 21) and handshake messages (document form 22), etc. These messages could perhaps also fair also be despatched over the socket by providing the TLS document form via a CMSG. As an instance the following characteristic sends @info of @length bytes the usage of a document of form @record_type. /* ship TLS control message the usage of record_type */ static int klts_send_ctrl_message(int sock, unsigned char record_type, void *info, size_t length) { struct msghdr msg = {zero}; int cmsg_len = sizeof(record_type); struct cmsghdr *cmsg; char buf[CMSG_SPACE(cmsg_len)]; struct iovec msg_iov; /* Vector of info to ship/receive into. */ msg.msg_control = buf; msg.msg_controllen = sizeof(buf); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_TLS; cmsg->cmsg_type = TLS_SET_RECORD_TYPE; cmsg->cmsg_len = CMSG_LEN(cmsg_len); *CMSG_DATA(cmsg) = record_type; msg.msg_controllen = cmsg->cmsg_len; msg_iov.iov_base = info; msg_iov.iov_len = length; msg.msg_iov = &msg_iov; msg.msg_iovlen = 1; return sendmsg(sock, &msg, zero); } Control message info need to soundless be supplied unencrypted, and will most likely be encrypted by the kernel. Integrating in to userspace TLS library ————————————— At a excessive diploma, the kernel TLS ULP is a replacement for the document layer of a userspace TLS library. A patchset to OpenSSL to exhaust ktls as the document layer is right here: https://github.com/Mellanox/tls-openssl An instance of calling ship at once after a handshake the usage of gnutls. Since it would not put into effect a fleshy document layer, control messages are no longer supported: https://github.com/Mellanox/tls-af_ktls_tool

Learn More

What do you think?

0 points
Upvote Downvote

Total votes: 0

Upvotes: 0

Upvotes percentage: 0.000000%

Downvotes: 0

Downvotes percentage: 0.000000%