[PATCH RFC 0/3] Another crack at a handshake upcall mechanism
From: Chuck Lever <chuck.lever@oracle.com>
Date: 2023-01-17 21:46:32
Hello Jakub-

I've addressed the thing you liked least about last year's handshake upcall attempt: gathering the handshake parameters from socket options. That is now done instead via a generic netlink service. I'm a rank netlink amateur, so any guidance there is helpful.

Probably the next step is to divorce AF_TLSH from net/tls and make it general so that other security protocols can make use of it.

A sample user space handshake daemon is available here:

  https://github.com/oracle/ktls-utils

The "main" branch has patches that add a netlink client to replace the use of getsockopt(3).

---

Chuck Lever (3):
      net/tls: Add an AF_TLSH address family
      net/tls: Add support for PF_TLSH (a TLS handshake listener)
      net/tls: Create a fixed TLS handshake API

 Documentation/networking/index.rst                 |    1 +
 .../networking/tls-in-kernel-handshake.rst         |  123 ++
 include/linux/socket.h                             |    4 +-
 include/net/sock.h                                 |    3 +
 include/net/tls.h                                  |   12 +
 include/net/tlsh.h                                 |   25 +
 include/uapi/linux/tls.h                           |   43 +
 net/core/sock.c                                    |    4 +-
 net/socket.c                                       |    1 +
 net/tls/Makefile                                   |    3 +-
 net/tls/af_tlsh.c                                  | 1266 +++++++++++++++++
 net/tls/tls.h                                      |   15 +
 net/tls/tls_handshake.c                            |   89 ++
 net/tls/tls_main.c                                 |   19 +-
 net/tls/trace.c                                    |    3 +
 net/tls/trace.h                                    |  341 +++++
 security/selinux/hooks.c                           |    4 +-
 security/selinux/include/classmap.h                |    4 +-
 .../perf/trace/beauty/include/linux/socket.h       |    4 +-
 19 files changed, 1957 insertions(+), 7 deletions(-)
 create mode 100644 Documentation/networking/tls-in-kernel-handshake.rst
 create mode 100644 include/net/tlsh.h
 create mode 100644 net/tls/af_tlsh.c
 create mode 100644 net/tls/tls_handshake.c

--
Chuck Lever