Re: [PATCH v4 4/7] net/handshake: Support KeyUpdate message types
From: Alistair Francis <hidden>
Date: 2025-10-22 23:48:04
Also in:
linux-doc, linux-nfs, linux-nvme, lkml
On Wed, Oct 22, 2025 at 5:03 PM Hannes Reinecke [off-list ref] wrote:
On 10/22/25 06:40, Alistair Francis wrote:quoted
On Tue, Oct 21, 2025 at 1:19 PM Alistair Francis [off-list ref] wrote:quoted
On Mon, Oct 20, 2025 at 4:09 PM Hannes Reinecke [off-list ref] wrote:quoted
On 10/17/25 06:23, alistair23@gmail.com wrote:quoted
From: Alistair Francis <redacted>[ .. ]>>>> @@ -372,6 +384,44 @@ int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flags)quoted
quoted
quoted
quoted
} EXPORT_SYMBOL(tls_client_hello_psk); +/** + * tls_client_keyupdate_psk - request a PSK-based TLS handshake on a socket + * @args: socket and handshake parameters for this request + * @flags: memory allocation control flags + * @keyupdate: specifies the type of KeyUpdate operation + * + * Return values: + * %0: Handshake request enqueue; ->done will be called when complete + * %-EINVAL: Wrong number of local peer IDs + * %-ESRCH: No user agent is available + * %-ENOMEM: Memory allocation failed + */ +int tls_client_keyupdate_psk(const struct tls_handshake_args *args, gfp_t flags, + handshake_key_update_type keyupdate) +{ + struct tls_handshake_req *treq; + struct handshake_req *req; + unsigned int i; + + if (!args->ta_num_peerids || + args->ta_num_peerids > ARRAY_SIZE(treq->th_peerid)) + return -EINVAL; + + req = handshake_req_alloc(&tls_handshake_proto, flags); + if (!req) + return -ENOMEM; + treq = tls_handshake_req_init(req, args); + treq->th_type = HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE; + treq->th_key_update_request = keyupdate; + treq->th_auth_mode = HANDSHAKE_AUTH_PSK; + treq->th_num_peerids = args->ta_num_peerids; + for (i = 0; i < args->ta_num_peerids; i++) + treq->th_peerid[i] = args->ta_my_peerids[i];Hmm? Do we use the 'peerids'?We don't, this is just copied from the tls_client_hello_psk()/tls_server_hello_psk() to provide the same information to keep things more consistent. I can remove setting theseActually, ktls-utils (tlshd) expects these to be set, so I think we should leave them as isCan't we rather fix up tlshd? It feels really pointless, erroring out on values which are completely irrelevant for the operation...
It's not that simple. For example when we call "done" for a handshake or KeyUpdate we call tls_handshake_done() in the kernel, which calls tls_handshake_remote_peerids(). So the kernel expects the remote peerids to be set. I think there's a lot of value in re-using the existing flows (as a KeyUpdate is similar to a handshake), but the existing flows expect remote peerids to be set. We could duplicate everything just to remove that requirement, but I don't think that's the right approach. Alistair
Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich