
Commit 26fb548

chuckleverkuba-moo
authored andcommitted
net/handshake: Enable the SNI extension to work properly
Enable the upper layer protocol to specify the SNI peername. This avoids the need for tlshd to use a DNS lookup, which can return a hostname that doesn't match the incoming certificate's SubjectName. Fixes: 2fd5532 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake") Reviewed-by: Simon Horman <[email protected]> Signed-off-by: Chuck Lever <[email protected]> Signed-off-by: Jakub Kicinski <[email protected]>
1 parent 1ce77c9 commit 26fb548


5 files changed

+19
-0
lines changed


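--- a/Documentation/netlink/specs/handshake.yaml
+++ b/Documentation/netlink/specs/handshake.yaml
@@ -68,6 +68,9 @@ attribute-sets:
 type: nest
 nested-attributes: x509
 multi-attr: true
+-
+name: peername
+type: string
 -
 name: done
 attributes:
@@ -105,6 +108,7 @@ operations:
 - auth-mode
 - peer-identity
 - certificate
+- peername
 -
 name: done
 doc: Handler reports handshake completion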

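--- a/Documentation/networking/tls-handshake.rst
+++ b/Documentation/networking/tls-handshake.rst
@@ -53,6 +53,7 @@ fills in a structure that contains the parameters of the request:
 struct socket *ta_sock;
 tls_done_func_t ta_done;
 void *ta_data;
+const char *ta_peername;
 unsigned int ta_timeout_ms;
 key_serial_t ta_keyring;
 key_serial_t ta_my_cert;
@@ -71,6 +72,10 @@ instantiated a struct file in sock->file.
 has completed. Further explanation of this function is in the "Handshake
 Completion" sesction below.
 
+The consumer can provide a NUL-terminated hostname in the @ta_peername
+field that is sent as part of ClientHello. If no peername is provided,
+the DNS hostname associated with the server's IP address is used instead.
+
 The consumer can fill in the @ta_timeout_ms field to force the servicing
 handshake agent to exit after a number of milliseconds. This enables the
 socket to be fully closed once both the kernel and the handshake agent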

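--- a/include/net/handshake.h
+++ b/include/net/handshake.h
@@ -24,6 +24,7 @@ struct tls_handshake_args {
 struct socket *ta_sock;
 tls_done_func_t ta_done;
 void *ta_data;
+const char *ta_peername;
 unsigned int ta_timeout_ms;
 key_serial_t ta_keyring;
 key_serial_t ta_my_cert;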
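Review bot: The new `ta_peername` field says nothing about ownership or lifetime, yet net/handshake/tlshd.c in this same commit stores the pointer as-is (`treq->th_peername = args->ta_peername;`) and only dereferences it later, inside tls_handshake_accept when the daemon's ACCEPT arrives, so the pointee must stay valid and NUL-terminated well after the call that filled in the args. A caller that points this at a stack buffer or a string it frees once the request is queued would hand tlshd freed memory. Suggest documenting it on the field: `const char *ta_peername; /* NUL-terminated SNI hostname; not copied, must outlive the request */`. The struct definition continues outside the hunk.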

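--- a/include/uapi/linux/handshake.h
+++ b/include/uapi/linux/handshake.h
@@ -44,6 +44,7 @@ enum {
 HANDSHAKE_A_ACCEPT_AUTH_MODE,
 HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
 HANDSHAKE_A_ACCEPT_CERTIFICATE,
+HANDSHAKE_A_ACCEPT_PEERNAME,
 
 __HANDSHAKE_A_ACCEPT_MAX,
 HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)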

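--- a/net/handshake/tlshd.c
+++ b/net/handshake/tlshd.c
@@ -31,6 +31,7 @@ struct tls_handshake_req {
 int th_type;
 unsigned int th_timeout_ms;
 int th_auth_mode;
+const char *th_peername;
 key_serial_t th_keyring;
 key_serial_t th_certificate;
 key_serial_t th_privkey;
@@ -48,6 +49,7 @@ tls_handshake_req_init(struct handshake_req *req,
 treq->th_timeout_ms = args->ta_timeout_ms;
 treq->th_consumer_done = args->ta_done;
 treq->th_consumer_data = args->ta_data;
+treq->th_peername = args->ta_peername;
 treq->th_keyring = args->ta_keyring;
 treq->th_num_peerids = 0;
 treq->th_certificate = TLS_NO_CERT;
@@ -214,6 +216,12 @@ static int tls_handshake_accept(struct handshake_req *req,
 ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_MESSAGE_TYPE, treq->th_type);
 if (ret < 0)
 goto out_cancel;
+if (treq->th_peername) {
+ret = nla_put_string(msg, HANDSHAKE_A_ACCEPT_PEERNAME,
+treq->th_peername);
+if (ret < 0)
+goto out_cancel;
+}
 if (treq->th_timeout_ms) {
 ret = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_TIMEOUT, treq->th_timeout_ms);
 if (ret < 0)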
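Review bot: The request keeps only a borrowed pointer in `treq->th_peername = args->ta_peername;` and `nla_put_string()` walks it with strlen() much later, from tls_handshake_accept, so the request's lifetime is now coupled to a consumer-owned string with no copy and no check that it is NUL-terminated. Taking a private copy at init would remove that coupling, e.g. `treq->th_peername = args->ta_peername ? kstrdup_const(args->ta_peername, GFP_KERNEL) : NULL;` paired with a `kfree_const(treq->th_peername);` in the request's teardown path (presumably tls_handshake_req_destroy or similar, not visible in this hunk), and a NULL-copy failure returned as -ENOMEM. Separately, since this name is what tlshd will send as SNI and, per the commit message, match against the server certificate, it must originate from the consumer's configured target and never from anything learned from the remote peer; a one-line comment at the assignment saying so would help the next caller. tls_handshake_accept's body begins and ends outside the hunk.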
