Re: Security enhancement proposal for kernel TLS

2018-08-03 Thread Dave Watson
On 08/02/18 05:23 PM, Vakul Garg wrote: > > I agree that Boris' patch does what you say it does - it sets keys > > immediately > > after CCS instead of after FINISHED message. I disagree that the kernel tls > > implementation currently requires that specific ordering, nor do I think > > that it

RE: Security enhancement proposal for kernel TLS

2018-08-02 Thread Vakul Garg
> -Original Message- > From: Dave Watson [mailto:davejwat...@fb.com] > Sent: Thursday, August 2, 2018 2:17 AM > To: Vakul Garg > Cc: netdev@vger.kernel.org; Peter Doliwa ; Boris > Pismenny > Subject: Re: Security enhancement proposal for kernel TLS > >

Re: Security enhancement proposal for kernel TLS

2018-08-01 Thread Dave Watson
On 07/31/18 10:45 AM, Vakul Garg wrote: > > > IIUC, with the upstream implementation of tls record layer in kernel, > > > the decryption of tls FINISHED message happens in kernel. Therefore > > > the keys are already being sent to kernel tls socket before handshake is > > completed. > > > > This i

RE: Security enhancement proposal for kernel TLS

2018-07-31 Thread Vakul Garg
> -Original Message- > From: Dave Watson [mailto:davejwat...@fb.com] > Sent: Tuesday, July 31, 2018 2:46 AM > To: Vakul Garg > Cc: netdev@vger.kernel.org; Peter Doliwa ; Boris > Pismenny > Subject: Re: Security enhancement proposal for kernel TLS > > On 07

Re: Security enhancement proposal for kernel TLS

2018-07-30 Thread Dave Watson
On 07/30/18 06:31 AM, Vakul Garg wrote: > > It's not entirely clear how your TLS handshake daemon works - Why is > > it necessary to set the keys in the kernel tls socket before the handshake > > is > > completed? > > IIUC, with the upstream implementation of tls record layer in kernel, the >

RE: Security enhancement proposal for kernel TLS

2018-07-29 Thread Vakul Garg
Sorry for a delayed response. Kindly see inline. > -Original Message- > From: Dave Watson [mailto:davejwat...@fb.com] > Sent: Wednesday, July 25, 2018 9:30 PM > To: Vakul Garg > Cc: netdev@vger.kernel.org; Peter Doliwa ; Boris > Pismenny > Subject: Re: Security enh

Re: Security enhancement proposal for kernel TLS

2018-07-25 Thread Dave Watson
You would probably get more responses if you cc the relevant people. Comments inline On 07/22/18 12:49 PM, Vakul Garg wrote: > The kernel based TLS record layer allows the user space world to use a > decoupled TLS implementation. > The applications need not be linked with TLS stack. > The TLS ha

Security enhancement proposal for kernel TLS

2018-07-22 Thread Vakul Garg
Hi The kernel based TLS record layer allows the user space world to use a decoupled TLS implementation. The applications need not be linked with TLS stack. The TLS handshake can be done by a TLS daemon on the behalf of applications. Presently, as soon as the handshake process derives keys, it p