linux/include/net/handshake.h

/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Generic netlink HANDSHAKE service.
 *
 * Author: Chuck Lever <chuck.lever@oracle.com>
 *
 * Copyright (c) 2023, Oracle and/or its affiliates.
 */

#ifndef _NET_HANDSHAKE_H
#define _NET_HANDSHAKE_H

enum {
	TLS_NO_KEYRING = 0,
	TLS_NO_PEERID = 0,
	TLS_NO_CERT = 0,
	TLS_NO_PRIVKEY = 0,
};

typedef void	(*tls_done_func_t)(void *data, int status,
				   key_serial_t peerid);

struct tls_handshake_args {
	struct socket		*ta_sock;
	tls_done_func_t		ta_done;
	void			*ta_data;
	const char		*ta_peername;
	unsigned int		ta_timeout_ms;
	key_serial_t		ta_keyring;
	key_serial_t		ta_my_cert;
	key_serial_t		ta_my_privkey;
	unsigned int		ta_num_peerids;
	key_serial_t		ta_my_peerids[5];
};

int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t flags);
int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t flags);
int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flags);
int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t flags);
int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags);

bool tls_handshake_cancel(struct sock *sk);
void tls_handshake_close(struct socket *sock);

u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg);
void tls_alert_recv(const struct sock *sk, const struct msghdr *msg,
		    u8 *level, u8 *description);

#endif /* _NET_HANDSHAKE_H */
net/handshake: Add a kernel API for requesting a TLSv1.3 handshake To enable kernel consumers of TLS to request a TLS handshake, add support to net/handshake/ to request a handshake upcall. This patch also acts as a template for adding handshake upcall support for other kernel transport layer security providers. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-04-17 10:32:33 -04:00			`/* SPDX-License-Identifier: GPL-2.0-only */`
			`/*`
			`* Generic netlink HANDSHAKE service.`
			`*`
			`* Author: Chuck Lever <chuck.lever@oracle.com>`
			`*`
			`* Copyright (c) 2023, Oracle and/or its affiliates.`
			`*/`

			`#ifndef _NET_HANDSHAKE_H`
			`#define _NET_HANDSHAKE_H`

			`enum {`
			`TLS_NO_KEYRING = 0,`
			`TLS_NO_PEERID = 0,`
			`TLS_NO_CERT = 0,`
			`TLS_NO_PRIVKEY = 0,`
			`};`

			`typedef void (tls_done_func_t)(void data, int status,`
			`key_serial_t peerid);`

			`struct tls_handshake_args {`
			`struct socket *ta_sock;`
			`tls_done_func_t ta_done;`
			`void *ta_data;`
net/handshake: Enable the SNI extension to work properly Enable the upper layer protocol to specify the SNI peername. This avoids the need for tlshd to use a DNS lookup, which can return a hostname that doesn't match the incoming certificate's SubjectName. Fixes: 2fd5532044a8 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake") Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-05-11 11:49:50 -04:00			`const char *ta_peername;`
net/handshake: Add a kernel API for requesting a TLSv1.3 handshake To enable kernel consumers of TLS to request a TLS handshake, add support to net/handshake/ to request a handshake upcall. This patch also acts as a template for adding handshake upcall support for other kernel transport layer security providers. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-04-17 10:32:33 -04:00			`unsigned int ta_timeout_ms;`
			`key_serial_t ta_keyring;`
			`key_serial_t ta_my_cert;`
			`key_serial_t ta_my_privkey;`
			`unsigned int ta_num_peerids;`
			`key_serial_t ta_my_peerids[5];`
			`};`

			`int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t flags);`
			`int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t flags);`
			`int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flags);`
			`int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t flags);`
			`int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flags);`

			`bool tls_handshake_cancel(struct sock *sk);`
net/handshake: Add API for sending TLS Closure alerts This helper sends an alert only if a TLS session was established. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Link: https://lore.kernel.org/r/169047936730.5241.618595693821012638.stgit@oracle-102.nfsv4bat.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-07-27 13:36:17 -04:00			`void tls_handshake_close(struct socket *sock);`
net/handshake: Add a kernel API for requesting a TLSv1.3 handshake To enable kernel consumers of TLS to request a TLS handshake, add support to net/handshake/ to request a handshake upcall. This patch also acts as a template for adding handshake upcall support for other kernel transport layer security providers. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-04-17 10:32:33 -04:00
net/handshake: Add helpers for parsing incoming TLS Alerts Kernel TLS consumers can replace common TLS Alert parsing code with these helpers. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Link: https://lore.kernel.org/r/169047942074.5241.13791647439480672048.stgit@oracle-102.nfsv4bat.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-07-27 13:37:10 -04:00			`u8 tls_get_record_type(const struct sock sk, const struct cmsghdr msg);`
			`void tls_alert_recv(const struct sock sk, const struct msghdr msg,`
			`u8 level, u8 description);`

net/handshake: Add a kernel API for requesting a TLSv1.3 handshake To enable kernel consumers of TLS to request a TLS handshake, add support to net/handshake/ to request a handshake upcall. This patch also acts as a template for adding handshake upcall support for other kernel transport layer security providers. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-04-17 10:32:33 -04:00			`#endif /* _NET_HANDSHAKE_H */`