Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 75230ee03b | |||
| 3a6cd9870d |
43
SOURCES/ktls-utils-0.11-nvme-default-keyring.patch
Normal file
43
SOURCES/ktls-utils-0.11-nvme-default-keyring.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 311d9438b984e3b2a36bd88fb3ab8c87c38701fa Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Wagner <wagi@monom.org>
|
||||
Date: Thu, 24 Oct 2024 13:15:44 +0200
|
||||
Subject: [PATCH] tlshd: always link .nvme default keyring into the session
|
||||
|
||||
A common use case for tlshd is to authenticate TLS sessions for the nvme
|
||||
subsystem. Currently, the user has to explicitly list a keyring (even
|
||||
the defautl one) in the configuration file so that tlshd running
|
||||
as daemon (started via systemd) to find any key.
|
||||
|
||||
Thus always link the default .nvme keyring into the current session,
|
||||
which makes the daemon work out of the box for default configurations.
|
||||
|
||||
Signed-off-by: Daniel Wagner <wagi@monom.org>
|
||||
---
|
||||
src/tlshd/config.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
|
||||
index fae83b3..8becbe0 100644
|
||||
--- a/src/tlshd/config.c
|
||||
+++ b/src/tlshd/config.c
|
||||
@@ -91,10 +91,17 @@ bool tlshd_config_init(const gchar *pathname)
|
||||
"keyrings", &length, NULL);
|
||||
if (keyrings) {
|
||||
for (i = 0; i < length; i++) {
|
||||
+ if (!strcmp(keyrings[i], ".nvme"))
|
||||
+ continue;
|
||||
tlshd_keyring_link_session(keyrings[i]);
|
||||
}
|
||||
g_strfreev(keyrings);
|
||||
}
|
||||
+ /*
|
||||
+ * Always link the default nvme subsystem keyring into the
|
||||
+ * session.
|
||||
+ */
|
||||
+ tlshd_keyring_link_session(".nvme");
|
||||
|
||||
return true;
|
||||
}
|
||||
--
|
||||
2.47.1
|
||||
|
||||
@ -0,0 +1,48 @@
|
||||
From b010190cfed2d9bbd943b3343fdbaeb66efff8e8 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Coddington <bcodding@redhat.com>
|
||||
Date: Tue, 11 Feb 2025 11:52:15 -0500
|
||||
Subject: [PATCH] tlshd: Pass ETIMEDOUT from gnutls to kernel
|
||||
|
||||
We've had some QE work that's created a condition (some types of connection
|
||||
instability) where the handshake attempt has timed out. When this happens,
|
||||
tlshd sends EACESS back to the kernel. However, the kernel may not be
|
||||
expecting this error in the context of some NFS operations, for example:
|
||||
writeback. It can handle ETIMEDOUT, and we would like the kernel to
|
||||
perform its normal hard/soft retry routines for this case to re-connect to
|
||||
the server.
|
||||
|
||||
Add an error switch that clearly denotes the error paths we'd like
|
||||
to send back to the kernel. For SUNRPC, there are other insteresting
|
||||
errors that might be included (see call_conenct_status() in
|
||||
net/sunrpc/clnt.c), but are ommitted here because we don't have evidence of
|
||||
them in the wild
|
||||
|
||||
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
|
||||
---
|
||||
src/tlshd/handshake.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
|
||||
index 9bcfc2b..8240b10 100644
|
||||
--- a/src/tlshd/handshake.c
|
||||
+++ b/src/tlshd/handshake.c
|
||||
@@ -94,10 +94,14 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
|
||||
case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
|
||||
tlshd_log_cert_verification_error(session);
|
||||
break;
|
||||
- default:
|
||||
+ case -ETIMEDOUT:
|
||||
tlshd_log_gnutls_error(ret);
|
||||
+ parms->session_status = -ret;
|
||||
+ break;
|
||||
+ default:
|
||||
+ tlshd_log_notice("tlshd_start_tls_handshake unhandled error %d, returning EACCES\n", ret);
|
||||
+ parms->session_status = EACCES;
|
||||
}
|
||||
- parms->session_status = EACCES;
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: ktls-utils
|
||||
Version: %{baseversion}
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: TLS handshake agent for kernel sockets
|
||||
|
||||
%forgemeta
|
||||
@ -14,6 +14,12 @@ URL: %{forgeurl}
|
||||
# FIXME: is this a bug in the tagging scheme or forgesource macro?
|
||||
Source0: %{forgeurl}/releases/download/%{name}-%{baseversion}/%{name}-%{baseversion}.tar.gz
|
||||
|
||||
#
|
||||
# RHEL-9.6
|
||||
#
|
||||
Patch001: ktls-utils-0.11-nvme-default-keyring.patch
|
||||
Patch002: ktls-utils-0.11-tlshd-Pass-ETIMEDOUT-from-gnutls-to-kernel.patch
|
||||
|
||||
BuildRequires: bash systemd-rpm-macros
|
||||
BuildRequires: gcc make coreutils
|
||||
BuildRequires: pkgconfig(gnutls) >= 3.3.0
|
||||
@ -66,7 +72,16 @@ standard kTLS socket options.
|
||||
%systemd_postun_with_restart tlshd.service
|
||||
|
||||
%changelog
|
||||
* Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-1
|
||||
* Mon Mar 03 2025 Scott Mayhew <smayhew@redhat.com> 0.11-3
|
||||
- tlshd: Pass ETIMEDOUT from gnutls to kernel
|
||||
|
||||
* Wed Feb 12 2025 Scott Mayhew <smayhew@redhat.com> 0.11-2
|
||||
- Bump release to satisfy the errata automation
|
||||
|
||||
* Tue Feb 04 2025 Steve Dickson <steved@redhat.com> 0.11-1
|
||||
- tlshd: link .nvme default keyring into the session (RHEL-71505)
|
||||
|
||||
* Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-0
|
||||
- Release ktls-utils 0.11 (RHEL-39442)
|
||||
|
||||
* Thu Feb 29 2024 Steve Dickson <steved@redhat.com> 0.10-0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user