Commit eefca7ec authored by Chuck Lever's avatar Chuck Lever Committed by David S. Miller

net/handshake: Enable the SNI extension to work properly

Enable the upper layer protocol to specify the SNI peername. This
avoids the need for tlshd to use a DNS lookup, which can return a
hostname that doesn't match the incoming certificate's SubjectName.

Fixes: 2fd55320 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake")
Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f921bd41
...@@ -68,6 +68,9 @@ attribute-sets: ...@@ -68,6 +68,9 @@ attribute-sets:
type: nest type: nest
nested-attributes: x509 nested-attributes: x509
multi-attr: true multi-attr: true
-
name: peername
type: string
- -
name: done name: done
attributes: attributes:
...@@ -105,6 +108,7 @@ operations: ...@@ -105,6 +108,7 @@ operations:
- auth-mode - auth-mode
- peer-identity - peer-identity
- certificate - certificate
- peername
- -
name: done name: done
doc: Handler reports handshake completion doc: Handler reports handshake completion
......
...@@ -53,6 +53,7 @@ fills in a structure that contains the parameters of the request: ...@@ -53,6 +53,7 @@ fills in a structure that contains the parameters of the request:
struct socket *ta_sock; struct socket *ta_sock;
tls_done_func_t ta_done; tls_done_func_t ta_done;
void *ta_data; void *ta_data;
const char *ta_peername;
unsigned int ta_timeout_ms; unsigned int ta_timeout_ms;
key_serial_t ta_keyring; key_serial_t ta_keyring;
key_serial_t ta_my_cert; key_serial_t ta_my_cert;
...@@ -71,6 +72,10 @@ instantiated a struct file in sock->file. ...@@ -71,6 +72,10 @@ instantiated a struct file in sock->file.
has completed. Further explanation of this function is in the "Handshake has completed. Further explanation of this function is in the "Handshake
Completion" sesction below. Completion" sesction below.
The consumer can provide a NUL-terminated hostname in the @ta_peername
field that is sent as part of ClientHello. If no peername is provided,
the DNS hostname associated with the server's IP address is used instead.
The consumer can fill in the @ta_timeout_ms field to force the servicing The consumer can fill in the @ta_timeout_ms field to force the servicing
handshake agent to exit after a number of milliseconds. This enables the handshake agent to exit after a number of milliseconds. This enables the
socket to be fully closed once both the kernel and the handshake agent socket to be fully closed once both the kernel and the handshake agent
......
...@@ -24,6 +24,7 @@ struct tls_handshake_args { ...@@ -24,6 +24,7 @@ struct tls_handshake_args {
struct socket *ta_sock; struct socket *ta_sock;
tls_done_func_t ta_done; tls_done_func_t ta_done;
void *ta_data; void *ta_data;
const char *ta_peername;
unsigned int ta_timeout_ms; unsigned int ta_timeout_ms;
key_serial_t ta_keyring; key_serial_t ta_keyring;
key_serial_t ta_my_cert; key_serial_t ta_my_cert;
......
...@@ -44,6 +44,7 @@ enum { ...@@ -44,6 +44,7 @@ enum {
HANDSHAKE_A_ACCEPT_AUTH_MODE, HANDSHAKE_A_ACCEPT_AUTH_MODE,
HANDSHAKE_A_ACCEPT_PEER_IDENTITY, HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
HANDSHAKE_A_ACCEPT_CERTIFICATE, HANDSHAKE_A_ACCEPT_CERTIFICATE,
HANDSHAKE_A_ACCEPT_PEERNAME,
__HANDSHAKE_A_ACCEPT_MAX, __HANDSHAKE_A_ACCEPT_MAX,
HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1) HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)
......
...@@ -31,6 +31,7 @@ struct tls_handshake_req { ...@@ -31,6 +31,7 @@ struct tls_handshake_req {
int th_type; int th_type;
unsigned int th_timeout_ms; unsigned int th_timeout_ms;
int th_auth_mode; int th_auth_mode;
const char *th_peername;
key_serial_t th_keyring; key_serial_t th_keyring;
key_serial_t th_certificate; key_serial_t th_certificate;
key_serial_t th_privkey; key_serial_t th_privkey;
...@@ -48,6 +49,7 @@ tls_handshake_req_init(struct handshake_req *req, ...@@ -48,6 +49,7 @@ tls_handshake_req_init(struct handshake_req *req,
treq->th_timeout_ms = args->ta_timeout_ms; treq->th_timeout_ms = args->ta_timeout_ms;
treq->th_consumer_done = args->ta_done; treq->th_consumer_done = args->ta_done;
treq->th_consumer_data = args->ta_data; treq->th_consumer_data = args->ta_data;
treq->th_peername = args->ta_peername;
treq->th_keyring = args->ta_keyring; treq->th_keyring = args->ta_keyring;
treq->th_num_peerids = 0; treq->th_num_peerids = 0;
treq->th_certificate = TLS_NO_CERT; treq->th_certificate = TLS_NO_CERT;
...@@ -214,6 +216,12 @@ static int tls_handshake_accept(struct handshake_req *req, ...@@ -214,6 +216,12 @@ static int tls_handshake_accept(struct handshake_req *req,
ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_MESSAGE_TYPE, treq->th_type); ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_MESSAGE_TYPE, treq->th_type);
if (ret < 0) if (ret < 0)
goto out_cancel; goto out_cancel;
if (treq->th_peername) {
ret = nla_put_string(msg, HANDSHAKE_A_ACCEPT_PEERNAME,
treq->th_peername);
if (ret < 0)
goto out_cancel;
}
if (treq->th_timeout_ms) { if (treq->th_timeout_ms) {
ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_TIMEOUT, treq->th_timeout_ms); ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_TIMEOUT, treq->th_timeout_ms);
if (ret < 0) if (ret < 0)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment