From: Scott Mayhew <smayhew@redhat.com>
To: cel@kernel.org, sagi@grimberg.me
Cc: linux-nfs@vger.kernel.org, kernel-tls-handshake@lists.linux.dev
Subject: [PATCH] tlshd: fix keyring cert retrieval
Date: Fri, 1 May 2026 15:58:56 -0400 [thread overview]
Message-ID: <20260501195856.1126025-1-smayhew@redhat.com> (raw)
In-Reply-To: <92a53963-1e4b-42eb-af81-6be9f63f9e43@app.fastmail.com>
The code that gets certs from keyrings currently only gets RSA certs, so
we need to zero out the PQ certs length fields when a keyring is used.
Otherwise the retrieval callback will look in the wrong offset in the
tlshd_certs list.
Reported-by: Sagi Grimberg <sagi@grimberg.me>
Fixes: facd084 ("tlshd: Client-side dual certificate support")
Fixes: 14f5349 ("tlshd: Server-side dual certificate support")
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
src/tlshd/client.c | 4 +++-
src/tlshd/server.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 2664ffb..f291ee5 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -195,9 +195,11 @@ static gnutls_pk_algorithm_t tlshd_pq_pkalg = GNUTLS_PK_UNKNOWN;
*/
static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms)
{
- if (parms->x509_cert != TLS_NO_CERT)
+ if (parms->x509_cert != TLS_NO_CERT) {
+ tlshd_pq_certs_len = 0;
return tlshd_keyring_get_certs(parms->x509_cert, tlshd_certs,
&tlshd_certs_len);
+ }
return tlshd_config_get_certs(PEER_TYPE_CLIENT, tlshd_certs,
&tlshd_pq_certs_len, &tlshd_certs_len,
&tlshd_pq_pkalg);
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 8e0f192..e8fe5c8 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -92,10 +92,12 @@ static gnutls_pk_algorithm_t tlshd_server_pq_pkalg = GNUTLS_PK_UNKNOWN;
*/
static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms)
{
- if (parms->x509_cert != TLS_NO_CERT)
+ if (parms->x509_cert != TLS_NO_CERT) {
+ tlshd_server_pq_certs_len = 0;
return tlshd_keyring_get_certs(parms->x509_cert,
tlshd_server_certs,
&tlshd_server_certs_len);
+ }
return tlshd_config_get_certs(PEER_TYPE_SERVER, tlshd_server_certs,
&tlshd_server_pq_certs_len,
&tlshd_server_certs_len,
--
2.54.0
next prev parent reply other threads:[~2026-05-01 19:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 13:32 Breakage in ktls-utils with nfs keyring? Sagi Grimberg
2026-04-30 13:38 ` Chuck Lever
2026-05-01 19:58 ` Scott Mayhew [this message]
2026-05-03 7:30 ` [PATCH] tlshd: fix keyring cert retrieval Sagi Grimberg
2026-05-01 20:19 ` Breakage in ktls-utils with nfs keyring? Scott Mayhew
2026-05-02 3:08 ` Chuck Lever
2026-05-03 7:48 ` Sagi Grimberg
2026-05-03 19:11 ` Chuck Lever
2026-05-03 20:37 ` Sagi Grimberg
2026-05-04 6:44 ` Chuck Lever
2026-05-04 8:02 ` Sagi Grimberg
2026-05-04 8:21 ` Hannes Reinecke
2026-05-05 8:15 ` Chuck Lever
2026-05-05 8:32 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260501195856.1126025-1-smayhew@redhat.com \
--to=smayhew@redhat.com \
--cc=cel@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=linux-nfs@vger.kernel.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox