From: Hannes Reinecke <hare@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: kernel-tls-handshake@lists.linux.dev, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 4/4] tls_handshake: add 'keyring' argument to server hello
Date: Fri, 17 Feb 2023 12:31:45 +0100 [thread overview]
Message-ID: <20230217113145.18916-5-hare@suse.de> (raw)
In-Reply-To: <20230217113145.18916-1-hare@suse.de>
For ServerHello the TLS handshake has to validate the username/identity
with the keys stored on the server, but these might be stored on a
separate keyring. So add an argument 'keyring' to the server hello
functions to transport this information to the userspace daemon.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
include/net/tls.h | 4 ++--
net/tls/tls_handshake.c | 10 ++++++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/net/tls.h b/include/net/tls.h
index be65cbf72f8a..2d33e883f7d0 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -542,9 +542,9 @@ int tls_client_hello_psk(struct socket *sock, tls_done_func_t done,
key_serial_t peerid, unsigned int timeout);
int tls_server_hello_x509(struct socket *sock, tls_done_func_t done,
void *data, const char *priorities,
- unsigned int timeout);
+ unsigned int timeout, key_serial_t keyring);
int tls_server_hello_psk(struct socket *sock, tls_done_func_t done,
void *data, const char *priorities,
- unsigned int timeout);
+ unsigned int timeout, key_serial_t keyring);
#endif /* _TLS_OFFLOAD_H */
diff --git a/net/tls/tls_handshake.c b/net/tls/tls_handshake.c
index 93bb3deaf2fb..7fa2baa323e4 100644
--- a/net/tls/tls_handshake.c
+++ b/net/tls/tls_handshake.c
@@ -383,6 +383,7 @@ EXPORT_SYMBOL(tls_client_hello_psk);
* @data: token to pass back to @done
* @priorities: GnuTLS TLS priorities string
* @timeout: TLS handshake timeout (in seconds)
+ * @keyring: keyring with the keys to be accepted
*
* Return values:
* %0: Handshake request enqueue; ->done will be called when complete
@@ -391,7 +392,7 @@ EXPORT_SYMBOL(tls_client_hello_psk);
*/
int tls_server_hello_x509(struct socket *sock, tls_done_func_t done,
void *data, const char *priorities,
- unsigned int timeout)
+ unsigned int timeout, key_serial_t keyring)
{
struct tls_handshake_req *treq;
struct handshake_req *req;
@@ -413,6 +414,8 @@ int tls_server_hello_x509(struct socket *sock, tls_done_func_t done,
treq->th_auth_type = HANDSHAKE_GENL_TLS_AUTH_X509;
if (timeout)
treq->th_timeout = timeout;
+ if (keyring)
+ treq->th_keyring = keyring;
return handshake_req_submit(req, flags);
}
@@ -425,6 +428,7 @@ EXPORT_SYMBOL(tls_server_hello_x509);
* @data: token to pass back to @done
* @priorities: GnuTLS TLS priorities string
* @timeout: TLS handshake timeout (in seconds)
+ * @keyring: keyring with the keys to be accepted
*
* Return values:
* %0: Handshake request enqueue; ->done will be called when complete
@@ -433,7 +437,7 @@ EXPORT_SYMBOL(tls_server_hello_x509);
*/
int tls_server_hello_psk(struct socket *sock, tls_done_func_t done,
void *data, const char *priorities,
- unsigned int timeout)
+ unsigned int timeout, key_serial_t keyring)
{
struct tls_handshake_req *treq;
struct handshake_req *req;
@@ -455,6 +459,8 @@ int tls_server_hello_psk(struct socket *sock, tls_done_func_t done,
treq->th_auth_type = HANDSHAKE_GENL_TLS_AUTH_PSK;
if (timeout)
treq->th_timeout = timeout;
+ if (keyring)
+ treq->th_keyring = keyring;
return handshake_req_submit(req, flags);
}
--
2.35.3
next prev parent reply other threads:[~2023-02-17 11:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-17 11:31 [PATCH 0/4] tls-handshake: server-side support Hannes Reinecke
2023-02-17 11:31 ` [PATCH 1/4] tls-handshake: add 'timeout' netlink attribute Hannes Reinecke
2023-02-17 11:58 ` Chuck Lever III
2023-02-17 12:17 ` Hannes Reinecke
2023-02-17 12:26 ` Chuck Lever III
2023-02-17 12:36 ` Hannes Reinecke
2023-02-17 12:38 ` Chuck Lever III
2023-02-17 11:31 ` [PATCH 2/4] tls-handshake: add 'keyring' " Hannes Reinecke
2023-02-17 12:00 ` Chuck Lever III
2023-02-17 12:24 ` Hannes Reinecke
2023-02-17 12:32 ` Chuck Lever III
2023-02-17 12:48 ` Hannes Reinecke
2023-02-17 12:56 ` Chuck Lever III
2023-02-17 11:31 ` [PATCH 3/4] net/tls_handshake: split tls_server_hello() Hannes Reinecke
2023-02-17 11:31 ` Hannes Reinecke [this message]
2023-02-17 11:56 ` [PATCH 0/4] tls-handshake: server-side support Chuck Lever III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230217113145.18916-5-hare@suse.de \
--to=hare@suse.de \
--cc=chuck.lever@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox