@ -1 +0,0 @@
|
||||
1
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
@ -1,4 +1 @@
|
||||
x86_64
|
||||
Makefile
|
||||
ktls-utils-0.11/
|
||||
/ktls-utils-0.11.tar.gz
|
||||
SOURCES/ktls-utils-0.11.tar.gz
|
||||
|
||||
1
.ktls-utils.metadta
Normal file
1
.ktls-utils.metadta
Normal file
@ -0,0 +1 @@
|
||||
9dae5134b7af7ebb14e518f9f4013a92bb44165e SOURCES/ktls-utils-0.11.tar.gz
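Review bot: The new lookaside pin for SOURCES/ktls-utils-0.11.tar.gz is a 40-hex SHA-1, whereas the `sources` file it supersedes (deleted further down this page) pinned the same tarball with SHA-512; the `.metadata` format fixes the digest type, so the remaining safeguard is confirming both digests were taken over the same bytes — fetch the tarball by this SHA-1 and check its `sha512sum` against `8c3573fd…466466dea57` before building from it. The file header on this page reads `.ktls-utils.metadta`; if that is the real filename rather than a rendering artifact, the dist-git tooling looks for `.ktls-utils.metadata` and will not find the source pin under this name.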
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: ktls-utils
|
||||
Version: %{baseversion}
|
||||
Release: 3%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: TLS handshake agent for kernel sockets
|
||||
|
||||
%forgemeta
|
||||
@ -14,12 +14,6 @@ URL: %{forgeurl}
|
||||
# FIXME: is this a bug in the tagging scheme or forgesource macro?
|
||||
Source0: %{forgeurl}/releases/download/%{name}-%{baseversion}/%{name}-%{baseversion}.tar.gz
|
||||
|
||||
#
|
||||
# RHEL-9.6
|
||||
#
|
||||
Patch001: ktls-utils-0.11-nvme-default-keyring.patch
|
||||
Patch002: ktls-utils-0.11-tlshd-Pass-ETIMEDOUT-from-gnutls-to-kernel.patch
|
||||
|
||||
BuildRequires: bash systemd-rpm-macros
|
||||
BuildRequires: gcc make coreutils
|
||||
BuildRequires: pkgconfig(gnutls) >= 3.3.0
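Review bot: The new side carries no `Patch001:`/`Patch002:` lines, so the c9 build of 0.11 ships without the `.nvme` default-keyring link (RHEL-71505) and without the handshake fix that reports a timed-out handshake to the kernel as ETIMEDOUT instead of EACCES, both of which the c9s side applies in its `RHEL-9.6` block and both of whose patch files are deleted further down this page. If c9 is meant to converge with c9s, the two `Patch00N:` lines and their files need to come across together with the Release reset to `1%{?dist}`; if this compare intentionally shows the older branch, the absence of the timeout fix is worth recording in the changelog so the EACCES-on-timeout behavior is not rediscovered in the field. The `# FIXME` on the Source0 line is unchanged context and remains unresolved on both sides.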
|
||||
@ -72,16 +66,7 @@ standard kTLS socket options.
|
||||
%systemd_postun_with_restart tlshd.service
|
||||
|
||||
%changelog
|
||||
* Mon Mar 03 2025 Scott Mayhew <smayhew@redhat.com> 0.11-3
|
||||
- tlshd: Pass ETIMEDOUT from gnutls to kernel
|
||||
|
||||
* Wed Feb 12 2025 Scott Mayhew <smayhew@redhat.com> 0.11-2
|
||||
- Bump release to satisfy the errata automation
|
||||
|
||||
* Tue Feb 04 2025 Steve Dickson <steved@redhat.com> 0.11-1
|
||||
- tlshd: link .nvme default keyring into the session (RHEL-71505)
|
||||
|
||||
* Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-0
|
||||
* Mon Jun 17 2024 Steve Dickson <steved@redhat.com> 0.11-1
|
||||
- Release ktls-utils 0.11 (RHEL-39442)
|
||||
|
||||
* Thu Feb 29 2024 Steve Dickson <steved@redhat.com> 0.10-0
|
||||
@ -1,6 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||
@ -1,43 +0,0 @@
|
||||
From 311d9438b984e3b2a36bd88fb3ab8c87c38701fa Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Wagner <wagi@monom.org>
|
||||
Date: Thu, 24 Oct 2024 13:15:44 +0200
|
||||
Subject: [PATCH] tlshd: always link .nvme default keyring into the session
|
||||
|
||||
A common use case for tlshd is to authenticate TLS sessions for the nvme
|
||||
subsystem. Currently, the user has to explicitly list a keyring (even
|
||||
the defautl one) in the configuration file so that tlshd running
|
||||
as daemon (started via systemd) to find any key.
|
||||
|
||||
Thus always link the default .nvme keyring into the current session,
|
||||
which makes the daemon work out of the box for default configurations.
|
||||
|
||||
Signed-off-by: Daniel Wagner <wagi@monom.org>
|
||||
---
|
||||
src/tlshd/config.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
|
||||
index fae83b3..8becbe0 100644
|
||||
--- a/src/tlshd/config.c
|
||||
+++ b/src/tlshd/config.c
|
||||
@@ -91,10 +91,17 @@ bool tlshd_config_init(const gchar *pathname)
|
||||
"keyrings", &length, NULL);
|
||||
if (keyrings) {
|
||||
for (i = 0; i < length; i++) {
|
||||
+ if (!strcmp(keyrings[i], ".nvme"))
|
||||
+ continue;
|
||||
tlshd_keyring_link_session(keyrings[i]);
|
||||
}
|
||||
g_strfreev(keyrings);
|
||||
}
|
||||
+ /*
|
||||
+ * Always link the default nvme subsystem keyring into the
|
||||
+ * session.
|
||||
+ */
|
||||
+ tlshd_keyring_link_session(".nvme");
|
||||
|
||||
return true;
|
||||
}
|
||||
--
|
||||
2.47.1
|
||||
|
||||
@ -1,48 +0,0 @@
|
||||
From b010190cfed2d9bbd943b3343fdbaeb66efff8e8 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Coddington <bcodding@redhat.com>
|
||||
Date: Tue, 11 Feb 2025 11:52:15 -0500
|
||||
Subject: [PATCH] tlshd: Pass ETIMEDOUT from gnutls to kernel
|
||||
|
||||
We've had some QE work that's created a condition (some types of connection
|
||||
instability) where the handshake attempt has timed out. When this happens,
|
||||
tlshd sends EACESS back to the kernel. However, the kernel may not be
|
||||
expecting this error in the context of some NFS operations, for example:
|
||||
writeback. It can handle ETIMEDOUT, and we would like the kernel to
|
||||
perform its normal hard/soft retry routines for this case to re-connect to
|
||||
the server.
|
||||
|
||||
Add an error switch that clearly denotes the error paths we'd like
|
||||
to send back to the kernel. For SUNRPC, there are other insteresting
|
||||
errors that might be included (see call_conenct_status() in
|
||||
net/sunrpc/clnt.c), but are ommitted here because we don't have evidence of
|
||||
them in the wild
|
||||
|
||||
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
|
||||
---
|
||||
src/tlshd/handshake.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c
|
||||
index 9bcfc2b..8240b10 100644
|
||||
--- a/src/tlshd/handshake.c
|
||||
+++ b/src/tlshd/handshake.c
|
||||
@@ -94,10 +94,14 @@ void tlshd_start_tls_handshake(gnutls_session_t session,
|
||||
case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
|
||||
tlshd_log_cert_verification_error(session);
|
||||
break;
|
||||
- default:
|
||||
+ case -ETIMEDOUT:
|
||||
tlshd_log_gnutls_error(ret);
|
||||
+ parms->session_status = -ret;
|
||||
+ break;
|
||||
+ default:
|
||||
+ tlshd_log_notice("tlshd_start_tls_handshake unhandled error %d, returning EACCES\n", ret);
|
||||
+ parms->session_status = EACCES;
|
||||
}
|
||||
- parms->session_status = EACCES;
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -1,12 +0,0 @@
|
||||
summary:
|
||||
Basic sanity test for ktls-utils
|
||||
discover:
|
||||
how: fmf
|
||||
prepare:
|
||||
how: install
|
||||
package:
|
||||
- ktls-utils
|
||||
- nfs-utils
|
||||
- openssl
|
||||
execute:
|
||||
how: tmt
|
||||
1
sources
1
sources
@ -1 +0,0 @@
|
||||
SHA512 (ktls-utils-0.11.tar.gz) = 8c3573fd839fa56db6f3b37b0a9a40668f0f3c73291635a1fa4d28659f5bac81702ce2aee86104769dda0617314271cbc117a0a70bcfb1a4697ae366466dea57
|
||||
@ -1,2 +0,0 @@
|
||||
summary: Basic sanity test for ktls-utils
|
||||
test: ./test.sh
|
||||
@ -1,99 +0,0 @@
|
||||
#!/bin/bash
|
||||
MYOLDHOSTNAME=$(hostnamectl hostname --static)
|
||||
MYHOSTNAME=nfs.ktls-utils.test
|
||||
MYIP=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
|
||||
|
||||
echo "Setup..."
|
||||
hostnamectl hostname --static "$MYHOSTNAME"
|
||||
cp /etc/tlshd.conf /etc/tlshd.conf.bak
|
||||
openssl req -x509 -newkey rsa:4096 -subj "/CN=ktls-utils smoketest CA" -days 365 -noenc -out ca-cert.pem -keyout ca-cert.key >/dev/null 2>&1
|
||||
openssl req -x509 -newkey rsa:4096 -subj "/CN=${MYHOSTNAME}" -addext "subjectAltName=DNS:${MYHOSTNAME},IP:${MYIP}" -days 365 -noenc -CA ca-cert.pem -CAkey ca-cert.key -extensions usr_cert -out ktls.pem -keyout ktls.key >/dev/null 2>&1
|
||||
cp ca-cert.pem /etc/pki/tls/certs
|
||||
cp ktls.pem /etc/pki/tls/certs
|
||||
cp ktls.key /etc/pki/tls/private
|
||||
|
||||
cat <<EOF >/etc/tlshd.conf
|
||||
[debug]
|
||||
loglevel=0
|
||||
tls=0
|
||||
nl=0
|
||||
|
||||
[authenticate]
|
||||
#keyrings= <keyring>;<keyring>;<keyring>
|
||||
|
||||
[authenticate.client]
|
||||
x509.truststore=/etc/pki/tls/certs/ca-cert.pem
|
||||
x509.certificate=/etc/pki/tls/certs/ktls.pem
|
||||
x509.private_key=/etc/pki/tls/private/ktls.key
|
||||
|
||||
[authenticate.server]
|
||||
x509.truststore=/etc/pki/tls/certs/ca-cert.pem
|
||||
x509.certificate=/etc/pki/tls/certs/ktls.pem
|
||||
x509.private_key=/etc/pki/tls/private/ktls.key
|
||||
EOF
|
||||
|
||||
systemctl start tlshd
|
||||
systemctl start nfs-server
|
||||
mkdir /export
|
||||
exportfs -o rw,insecure,no_root_squash,xprtsec=tls:mtls *:/export
|
||||
|
||||
# mount by hostname
|
||||
echo "Try to mount $MYHOSTNAME:/export without xprtsec=tls"
|
||||
mount -o v4.2 $MYHOSTNAME:/export /mnt
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Mounted $MYHOSTNAME:/export without xprtsec=tls!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Try to mount $MYHOSTNAME:/export with xprtsec=tls"
|
||||
mount -o v4.2,xprtsec=tls $MYHOSTNAME:/export /mnt
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Failed to mount $MYHOSTNAME:/export with xprtsec=tls!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep "xprtsec=tls" /proc/mounts; then
|
||||
echo "Failed to find xprtsec=tls in /proc/mounts"
|
||||
exit 1
|
||||
fi
|
||||
umount /mnt
|
||||
|
||||
# mount by ip address
|
||||
echo "Try to mount $MYIP:/export without xprtsec=tls"
|
||||
mount -o v4.2 $MYIP:/export /mnt
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Mounted $MYIP:/export without xprtsec=tls!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Try to mount $MYIP:/export with xprtsec=tls"
|
||||
mount -o v4.2,xprtsec=tls $MYIP:/export /mnt
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Failed to mount $MYIP:/export with xprtsec=tls!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep "xprtsec=tls" /proc/mounts; then
|
||||
echo "Failed to find xprtsec=tls in /proc/mounts"
|
||||
exit 1
|
||||
fi
|
||||
umount /mnt
|
||||
|
||||
echo "Success!"
|
||||
|
||||
echo "Cleanup..."
|
||||
hostnamectl hostname --static "$MYOLDHOSTNAME"
|
||||
exportfs -ua
|
||||
systemctl stop nfs-server
|
||||
rmdir /export
|
||||
systemctl stop tlshd
|
||||
cp /etc/tlshd.conf.bak /etc/tlshd.conf
|
||||
rm -f /etc/pki/tls/certs/ca-cert.pem
|
||||
rm -f /etc/pki/tls/certs/ktls.pem
|
||||
rm -f /etc/pki/tls/private/ktls.key
|
||||
rm -f ca-cert.pem
|
||||
rm -f ca-cert.key
|
||||
rm -f ktls.pem
|
||||
rm -f ktls.key
|
||||
|
||||
exit 0
|
||||