Commit 1de5900c authored by Jakub Kicinski

Merge branch 'bug-fixes-for-net-handshake'

Chuck Lever says:

====================
Bug fixes for net/handshake

Paolo observed that there is a possible leak of sock->file. I
haven't looked into that yet, but it seems to be separate from
the fixes in this series, so no need to hold these up.
====================

The submission mentions net-next but it means netdev (perhaps
merge window left over when trees are converged). In any case,
it should have gone into net, but was instead applied to net-next
as commit deb2e484 ("Merge branch 'net-handshake-fixes'").
These are fixes tho, and Chuck needs them to make progress with
the client so double-merging them into net... it is what it is :(

Link: https://lore.kernel.org/r/168381978252.84244.1933636428135211300.stgit@91.116.238.104.host.secureserver.net


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 0c615f1c 26fb5480
+4 −0
@@ -68,6 +68,9 @@ attribute-sets:
        type: nest
        nested-attributes: x509
        multi-attr: true
      -
        name: peername
        type: string
  -
    name: done
    attributes:
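Review bot: `peername` is added to the accept attribute set as a bare `type: string` with no length bound, yet the documentation in this same series describes it as a NUL-terminated hostname that is sent in the ClientHello. A maximum length in the spec (DNS names are bounded) would let the generated header, the policy and the docs agree on what a caller may pass. None of the attributes visible in this hunk carry a `doc:` line; at minimum a one-line `doc:` for `peername` saying it is the server name the agent should verify the certificate against would make the field's purpose clear to user-space implementers.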
@@ -105,6 +108,7 @@ operations:
            - auth-mode
            - peer-identity
            - certificate
            - peername
    -
      name: done
      doc: Handler reports handshake completion
+5 −0
@@ -53,6 +53,7 @@ fills in a structure that contains the parameters of the request:
        struct socket   *ta_sock;
        tls_done_func_t ta_done;
        void            *ta_data;
        const char      *ta_peername;
        unsigned int    ta_timeout_ms;
        key_serial_t    ta_keyring;
        key_serial_t    ta_my_cert;
@@ -71,6 +72,10 @@ instantiated a struct file in sock->file.
has completed. Further explanation of this function is in the "Handshake
Completion" sesction below.

The consumer can provide a NUL-terminated hostname in the @ta_peername
field that is sent as part of ClientHello. If no peername is provided,
the DNS hostname associated with the server's IP address is used instead.

The consumer can fill in the @ta_timeout_ms field to force the servicing
handshake agent to exit after a number of milliseconds. This enables the
socket to be fully closed once both the kernel and the handshake agent
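Review bot: the fallback in the added paragraph, using "the DNS hostname associated with the server's IP address" when no peername is supplied, needs a caveat: a name obtained by reverse lookup of the peer address is controlled by whoever controls that reverse zone, so it is not a trustworthy identity to verify a certificate against. The text should state which side (kernel or user-space handshake agent) performs that lookup and advise consumers that rely on peer identity to always fill in @ta_peername explicitly. The unchanged context line still reads `Completion" sesction` (typo for "section"); worth fixing while this paragraph is being touched.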
+1 −0
@@ -24,6 +24,7 @@ struct tls_handshake_args {
	struct socket		*ta_sock;
	tls_done_func_t		ta_done;
	void			*ta_data;
	const char		*ta_peername;
	unsigned int		ta_timeout_ms;
	key_serial_t		ta_keyring;
	key_serial_t		ta_my_cert;
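Review bot: `ta_peername` is a `const char *` placed in the caller-supplied args, but nothing in the header states who owns the string or how long it must remain valid. If the handshake code copies it when the request is created, say so in the kernel-doc for struct tls_handshake_args; if it keeps the pointer until ta_done fires, the doc should require the caller to keep the buffer alive for that whole period, otherwise a consumer pointing at a stack buffer or a name freed early hands a dangling pointer to the netlink reply path.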
+1 −0
@@ -44,6 +44,7 @@ enum {
	HANDSHAKE_A_ACCEPT_AUTH_MODE,
	HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
	HANDSHAKE_A_ACCEPT_CERTIFICATE,
	HANDSHAKE_A_ACCEPT_PEERNAME,

	__HANDSHAKE_A_ACCEPT_MAX,
	HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)
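Review bot: HANDSHAKE_A_ACCEPT_PEERNAME is inserted immediately before __HANDSHAKE_A_ACCEPT_MAX, so the existing attribute values are unchanged and the uAPI stays backward compatible. This header is generated from the YAML spec changed in the first hunk of this merge; please confirm it was regenerated rather than hand-edited so the two stay in sync the next time the spec is touched.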
+1 −0
@@ -31,6 +31,7 @@ struct handshake_req {
	struct list_head		hr_list;
	struct rhash_head		hr_rhash;
	unsigned long			hr_flags;
	struct file			*hr_file;
	const struct handshake_proto	*hr_proto;
	struct sock			*hr_sk;
	void				(*hr_odestruct)(struct sock *sk);
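Review bot: adding `struct file *hr_file` to struct handshake_req means the request now pins a file reference for its whole lifetime, and the merge description itself mentions a possible leak of sock->file. Every path that frees a request (completion, cancel, timeout, and socket close before the agent answers) should be checked to put hr_file exactly once. A short comment on the field naming the function that takes the reference and the one that drops it would make that invariant auditable.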