diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2023-05-11 18:49:50 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2023-05-25 08:05:24 +0300 |
| commit | 26fb5480a27d34975cc2b680b77af189620dd740 (patch) | |
| tree | 6e14b559ee327c9fde86287f3ba99f47731308dc /include | |
| parent | 1ce77c998f0415d7d9d91cb9bd7665e25c8f75f1 (diff) | |
| download | linux-26fb5480a27d34975cc2b680b77af189620dd740.tar.xz | |
net/handshake: Enable the SNI extension to work properly
Enable the upper layer protocol to specify the SNI peername. This
avoids the need for tlshd to use a DNS lookup, which can return a
hostname that doesn't match the incoming certificate's SubjectName.
Fixes: 2fd5532044a8 ("net/handshake: Add a kernel API for requesting a TLSv1.3 handshake")
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/handshake.h | 1 | ||||
| -rw-r--r-- | include/uapi/linux/handshake.h | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/include/net/handshake.h b/include/net/handshake.h index 3352b1ab43b3..2e26e436e85f 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -24,6 +24,7 @@ struct tls_handshake_args { struct socket *ta_sock; tls_done_func_t ta_done; void *ta_data; + const char *ta_peername; unsigned int ta_timeout_ms; key_serial_t ta_keyring; key_serial_t ta_my_cert; diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 1de4d0b95325..3d7ea58778c9 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -44,6 +44,7 @@ enum { HANDSHAKE_A_ACCEPT_AUTH_MODE, HANDSHAKE_A_ACCEPT_PEER_IDENTITY, HANDSHAKE_A_ACCEPT_CERTIFICATE, + HANDSHAKE_A_ACCEPT_PEERNAME, __HANDSHAKE_A_ACCEPT_MAX, HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1) |