net/handshake: Enable the SNI extension to work properly

Enable the upper layer protocol to specify the SNI peername. This avoids the need for tlshd to use a DNS lookup, which can return a hostname that doesn't match the incoming certificate's SubjectName. Fixes: 2fd5532044a8 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake") Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Chuck Lever <chuck.lever@oracle.com> 2023-05-11 11:49:50 -0400
committer: Jakub Kicinski <kuba@kernel.org> 2023-05-24 22:05:24 -0700
commit: 26fb5480a27d34975cc2b680b77af189620dd740 (patch)
tree: 6e14b559ee327c9fde86287f3ba99f47731308dc /include
parent: 1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/include/net/handshake.h b/include/net/handshake.h
index 3352b1ab43b3..2e26e436e85f 100644
--- a/include/net/handshake.h
+++ b/include/net/handshake.h
@@ -24,6 +24,7 @@ struct tls_handshake_args {
 	struct socket		*ta_sock;
 	tls_done_func_t		ta_done;
 	void			*ta_data;
+	const char		*ta_peername;
 	unsigned int		ta_timeout_ms;
 	key_serial_t		ta_keyring;
 	key_serial_t		ta_my_cert;
diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h
index 1de4d0b95325..3d7ea58778c9 100644
--- a/include/uapi/linux/handshake.h
+++ b/include/uapi/linux/handshake.h
@@ -44,6 +44,7 @@ enum {
 	HANDSHAKE_A_ACCEPT_AUTH_MODE,
 	HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
 	HANDSHAKE_A_ACCEPT_CERTIFICATE,
+	HANDSHAKE_A_ACCEPT_PEERNAME,
 
 	__HANDSHAKE_A_ACCEPT_MAX,
 	HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)
author	Chuck Lever <chuck.lever@oracle.com>	2023-05-11 11:49:50 -0400
committer	Jakub Kicinski <kuba@kernel.org>	2023-05-24 22:05:24 -0700
commit	26fb5480a27d34975cc2b680b77af189620dd740 (patch)
tree	6e14b559ee327c9fde86287f3ba99f47731308dc /include
parent	1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1 (diff)