import CS ktls-utils-0.11-3.el9_6

import CS ktls-utils-0.11-2.el9
2025-03-31 09:47:04 +00:00 · 2025-03-11 07:33:36 +00:00
4 changed files with 108 additions and 2 deletions
--- a/.ktls-utils.metadata
+++ b/.ktls-utils.metadata
--- a/SOURCES/ktls-utils-0.11-nvme-default-keyring.patch
+++ b/SOURCES/ktls-utils-0.11-nvme-default-keyring.patch
@ -0,0 +1,43 @@
 From 311d9438b984e3b2a36bd88fb3ab8c87c38701fa Mon Sep 17 00:00:00 2001
 From: Daniel Wagner <wagi@monom.org>
 Date: Thu, 24 Oct 2024 13:15:44 +0200
 Subject: [PATCH] tlshd: always link .nvme default keyring into the session
 A common use case for tlshd is to authenticate TLS sessions for the nvme
 subsystem. Currently, the user has to explicitly list a keyring (even
 the defautl one) in the configuration file so that tlshd running
 as daemon (started via systemd) to find any key.
 Thus always link the default .nvme keyring into the current session,
 which makes the daemon work out of the box for default configurations.
 Signed-off-by: Daniel Wagner <wagi@monom.org>
 ---
 src/tlshd/config.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/src/tlshd/config.c b/src/tlshd/config.c
 index fae83b3..8becbe0 100644
 --- a/src/tlshd/config.c
 +++ b/src/tlshd/config.c
@@ -91,10 +91,17 @@ bool tlshd_config_init(const gchar *pathname)
 					      "keyrings", &length, NULL);
 	if (keyrings) {
 		for (i = 0; i < length; i++) {
 +			if (!strcmp(keyrings[i], ".nvme"))
 +				continue;
 			tlshd_keyring_link_session(keyrings[i]);
 		}
 		g_strfreev(keyrings);
 	}
 +	/*
 +	 * Always link the default nvme subsystem keyring into the
 +	 * session.
 +	 */
 +	tlshd_keyring_link_session(".nvme");
 	return true;
 }
 -- 
 2.47.1
--- a/SOURCES/ktls-utils-0.11-tlshd-Pass-ETIMEDOUT-from-gnutls-to-kernel.patch
+++ b/SOURCES/ktls-utils-0.11-tlshd-Pass-ETIMEDOUT-from-gnutls-to-kernel.patch
@ -0,0 +1,48 @@
 From b010190cfed2d9bbd943b3343fdbaeb66efff8e8 Mon Sep 17 00:00:00 2001
 From: Benjamin Coddington <bcodding@redhat.com>
 Date: Tue, 11 Feb 2025 11:52:15 -0500
 Subject: [PATCH] tlshd: Pass ETIMEDOUT from gnutls to kernel
 We've had some QE work that's created a condition (some types of connection
 instability) where the handshake attempt has timed out.  When this happens,
 tlshd sends EACESS back to the kernel.  However, the kernel may not be
 expecting this error in the context of some NFS operations, for example:
 writeback.  It can handle ETIMEDOUT, and we would like the kernel to
 perform its normal hard/soft retry routines for this case to re-connect to
 the server.
 Add an error switch that clearly denotes the error paths we'd like
 to send back to the kernel.  For SUNRPC, there are other insteresting
 errors that might be included (see call_conenct_status() in
 net/sunrpc/clnt.c), but are ommitted here because we don't have evidence of
 them in the wild
 Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
 ---
 src/tlshd/handshake.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
 index 9bcfc2b..8240b10 100644
 --- a/src/tlshd/handshake.c
 +++ b/src/tlshd/handshake.c
@@ -94,10 +94,14 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
 		case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
 			tlshd_log_cert_verification_error(session);
 			break;
 -		default:
 +		case -ETIMEDOUT:
 			tlshd_log_gnutls_error(ret);
 +			parms->session_status = -ret;
 +			break;
 +		default:
 +			tlshd_log_notice("tlshd_start_tls_handshake unhandled error %d, returning EACCES\n", ret);
 +			parms->session_status = EACCES;
 		}
 -		parms->session_status = EACCES;
 		return;
 	}
 -- 
 2.48.1
--- a/SPECS/ktls-utils.spec
+++ b/SPECS/ktls-utils.spec
@ -3,7 +3,7 @@
 Name:           ktls-utils
 Version:        %{baseversion}
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        TLS handshake agent for kernel sockets
 %forgemeta
@ -14,6 +14,12 @@ URL:            %{forgeurl}
 # FIXME: is this a bug in the tagging scheme or forgesource macro?
 Source0:        %{forgeurl}/releases/download/%{name}-%{baseversion}/%{name}-%{baseversion}.tar.gz
 #
 # RHEL-9.6
 #
 Patch001: ktls-utils-0.11-nvme-default-keyring.patch
 Patch002: ktls-utils-0.11-tlshd-Pass-ETIMEDOUT-from-gnutls-to-kernel.patch
 BuildRequires:  bash systemd-rpm-macros
 BuildRequires:  gcc make coreutils
 BuildRequires:  pkgconfig(gnutls) >= 3.3.0
@ -66,7 +72,16 @@ standard kTLS socket options.
 %systemd_postun_with_restart tlshd.service
 %changelog
-* Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-1
+* Mon Mar 03 2025 Scott Mayhew <smayhew@redhat.com> 0.11-3
 - tlshd: Pass ETIMEDOUT from gnutls to kernel
 * Wed Feb 12 2025 Scott Mayhew <smayhew@redhat.com> 0.11-2
 - Bump release to satisfy the errata automation
 * Tue Feb 04 2025 Steve Dickson <steved@redhat.com> 0.11-1
 - tlshd: link .nvme default keyring into the session (RHEL-71505)
 * Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-0
 - Release ktls-utils 0.11 (RHEL-39442)
 * Thu Feb 29 2024 Steve Dickson <steved@redhat.com> 0.10-0
Author	SHA1	Message	Date
eabdullin	75230ee03b	import CS ktls-utils-0.11-3.el9_6	2025-03-31 09:47:04 +00:00
eabdullin	3a6cd9870d	import CS ktls-utils-0.11-2.el9	2025-03-11 07:33:36 +00:00