authorJakub Kicinski <kuba@kernel.org>2023-04-19 18:48:50 -0700
committerJakub Kicinski <kuba@kernel.org>2023-04-19 18:48:50 -0700
commita5962e0a8b7b0da2350b4baeefaf7dfa3377bc89 (patch)
tree3b7255875d4f657e0cf0e3087ecab918f3d01ba3 /include/net
parentf1836a424518a09b17ee2b69e81e9477321a0aff (diff)
parent88232ec1ec5ecf4aa5de439cff3d5e2b7adcac93 (diff)
Merge branch 'another-crack-at-a-handshake-upcall-mechanism'
Chuck Lever says: ==================== Another crack at a handshake upcall mechanism Here is v10 of a series to add generic support for transport layer security handshake on behalf of kernel socket consumers (user space consumers use a security library directly, of course). A summary of the purpose of these patches is archived here: https://lore.kernel.org/netdev/1DE06BB1-6BA9-4DB4-B2AA-07DE532963D6@oracle.com/ The first patch in the series applies to the top-level .gitignore file to address the build warnings reported a few days ago. I intend to submit that separately. I'd like you to consider taking the rest of this series for v6.4. The full patch set to support SunRPC with TLSv1.3 is available in the topic-rpc-with-tls-upcall branch here, based on net-next/main: https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git This patch set includes support for in-transit confidentiality and peer authentication for both the Linux NFS client and server. A user space handshake agent for TLSv1.3 to go along with the kernel patches is available in the "main" branch here: https://github.com/oracle/ktls-utils ==================== Link: https://lore.kernel.org/r/168174169259.9520.1911007910797225963.stgit@91.116.238.104.host.secureserver.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/handshake.h43
1 files changed, 43 insertions, 0 deletions
diff --git a/include/net/handshake.h b/include/net/handshake.h
new file mode 100644
index 000000000000..3352b1ab43b3
--- /dev/null
+++ b/include/net/handshake.h
@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Generic netlink HANDSHAKE service.
+ *
+ * Author: Chuck Lever <chuck.lever@oracle.com>
+ *
+ * Copyright (c) 2023, Oracle and/or its affiliates.
+ */
+
+#ifndef _NET_HANDSHAKE_H
+#define _NET_HANDSHAKE_H
+
+enum {
+ TLS_NO_KEYRING = 0,
+ TLS_NO_PEERID = 0,
+ TLS_NO_CERT = 0,
+ TLS_NO_PRIVKEY = 0,
+};
+
+typedef void (*tls_done_func_t)(void *data, int status,
+ key_serial_t peerid);
+
+struct tls_handshake_args {
+ struct socket *ta_sock;
+ tls_done_func_t ta_done;
+ void *ta_data;
+ unsigned int ta_timeout_ms;
+ key_serial_t ta_keyring;
+ key_serial_t ta_my_cert;
+ key_serial_t ta_my_privkey;
+ unsigned int ta_num_peerids;
+ key_serial_t ta_my_peerids[5];
+};
+
+int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t flags);
+int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t flags);
+int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flags);
+int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t flags);
+int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags);
+
+bool tls_handshake_cancel(struct sock *sk);
+
+#endif /* _NET_HANDSHAKE_H */
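Review bot: The header is not self-contained: key_serial_t, gfp_t, bool, struct socket and struct sock are all used without an include or forward declaration, so it only compiles when the includer has already pulled those in; adding `#include <linux/key.h>` (which supplies key_serial_t and linux/types.h for gfp_t and bool) plus `struct socket;` and `struct sock;` above the enum would fix that. The `5` in `key_serial_t ta_my_peerids[5]` is a bound that callers must respect through ta_num_peerids yet nothing names it; a named constant for the array size, with a comment on ta_num_peerids that it must not exceed that size, would let callers and the implementation check the limit instead of relying on the literal. The four zero-valued enum members are sentinels for "no key", which is worth saying in a one-line comment on the enum since key_serial_t 0 is otherwise unexplained here. struct tls_handshake_args and the tls_*_hello_* prototypes would also benefit from kernel-doc stating which fields each variant requires and who owns ta_sock while the handshake is in flight.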