Allow enabling KTLS with config file
Resolves: #2042009 Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno
parent
a7f3c0212c
commit
9c2a8c7a27
|
|
@ -0,0 +1,124 @@
|
|||
From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?=
|
||||
<krenzelok.frantisek@gmail.com>
|
||||
Date: Tue, 14 Jun 2022 16:16:11 +0200
|
||||
Subject: [PATCH] KTLS: disable by default enable by config
|
||||
|
||||
KTLS will be disabled by default when build with `--enable-ktls` to
|
||||
enable it, use config file option `ktls = true` in [global] section.
|
||||
|
||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||
---
|
||||
doc/cha-config.texi | 18 ++++++++----------
|
||||
lib/gnutls_int.h | 2 +-
|
||||
lib/handshake.c | 2 +-
|
||||
lib/priority.c | 12 ++++++------
|
||||
4 files changed, 16 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
|
||||
index e550f2e4b1..eaab7fd799 100644
|
||||
--- a/doc/cha-config.texi
|
||||
+++ b/doc/cha-config.texi
|
||||
@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
|
||||
* Querying for disabled algorithms and protocols::
|
||||
* Overriding the parameter verification profile::
|
||||
* Overriding the default priority string::
|
||||
-* Disabling system/acceleration protocols::
|
||||
+* Enabling/Disabling system/acceleration protocols::
|
||||
@end menu
|
||||
|
||||
@node Application-specific priority strings
|
||||
@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
|
||||
@end example
|
||||
|
||||
|
||||
-@node Disabling system/acceleration protocols
|
||||
-@section Disabling system/acceleration protocols
|
||||
-When system/acceleration protocol is enabled during build, it is usually
|
||||
-enabled by default. The following options can overwrite this behavior
|
||||
-system-wide.
|
||||
+@node Enabling/Disabling system/acceleration protocols
|
||||
+@section Enabling/Disabling system/acceleration protocols
|
||||
+The following options can overwrite default behavior of protocols system-wide.
|
||||
@example
|
||||
[global]
|
||||
-ktls = false
|
||||
+ktls = true
|
||||
|
||||
@end example
|
||||
-@subsection Disabling KTLS
|
||||
-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default.
|
||||
-This can be overwritten by setting @code{ktls = false} in @code{[global]} section.
|
||||
+@subsection Enabling KTLS
|
||||
+When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default.
|
||||
+This can be enabled by setting @code{ktls = true} in @code{[global]} section.
|
||||
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
||||
index 872188696b..8c7bdaa1db 100644
|
||||
--- a/lib/gnutls_int.h
|
||||
+++ b/lib/gnutls_int.h
|
||||
@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session,
|
||||
|
||||
extern unsigned int _gnutls_global_version;
|
||||
|
||||
-bool _gnutls_config_is_ktls_disabled(void);
|
||||
+bool _gnutls_config_is_ktls_enabled(void);
|
||||
|
||||
#endif /* GNUTLS_LIB_GNUTLS_INT_H */
|
||||
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||
index f3edbbdacb..4dd457bf22 100644
|
||||
--- a/lib/handshake.c
|
||||
+++ b/lib/handshake.c
|
||||
@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session)
|
||||
|
||||
session->internals.ktls_enabled = 0;
|
||||
#ifdef ENABLE_KTLS
|
||||
- if (_gnutls_config_is_ktls_disabled() == false)
|
||||
+ if (_gnutls_config_is_ktls_enabled() == true)
|
||||
_gnutls_ktls_enable(session);
|
||||
#endif
|
||||
|
||||
diff --git a/lib/priority.c b/lib/priority.c
|
||||
index 7279c03c88..d163d8169f 100644
|
||||
--- a/lib/priority.c
|
||||
+++ b/lib/priority.c
|
||||
@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c)
|
||||
|
||||
struct cfg {
|
||||
bool allowlisting;
|
||||
- bool ktls_disabled;
|
||||
+ bool ktls_enabled;
|
||||
|
||||
name_val_array_t priority_strings;
|
||||
char *priority_string;
|
||||
@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
|
||||
src->default_priority_string = NULL;
|
||||
|
||||
dst->allowlisting = src->allowlisting;
|
||||
- dst->ktls_disabled = src->ktls_disabled;
|
||||
+ dst->ktls_enabled = src->ktls_enabled;
|
||||
memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
|
||||
memcpy(dst->macs, src->macs, sizeof(src->macs));
|
||||
memcpy(dst->groups, src->groups, sizeof(src->groups));
|
||||
@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
|
||||
}
|
||||
} else if (c_strcasecmp(name, "ktls") == 0) {
|
||||
p = clear_spaces(value, str);
|
||||
- if (c_strcasecmp(p, "false") == 0) {
|
||||
- cfg->ktls_disabled = true;
|
||||
+ if (c_strcasecmp(p, "true") == 0) {
|
||||
+ cfg->ktls_enabled = true;
|
||||
} else {
|
||||
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
|
||||
p);
|
||||
@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-bool _gnutls_config_is_ktls_disabled(void){
|
||||
- return system_wide_config.ktls_disabled;
|
||||
+bool _gnutls_config_is_ktls_enabled(void){
|
||||
+ return system_wide_config.ktls_enabled;
|
||||
}
|
||||
--
|
||||
2.36.1
|
||||
|
||||
|
|
@ -0,0 +1,230 @@
|
|||
From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Tue, 28 Jun 2022 09:37:22 +0900
|
||||
Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
tests/Makefile.am | 9 +++++----
|
||||
tests/gnutls_ktls.c | 4 ++--
|
||||
tests/ktls.sh | 46 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 53 insertions(+), 6 deletions(-)
|
||||
create mode 100755 tests/ktls.sh
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 4deeb6462b..cba67e8db8 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself \
|
||||
resume-with-record-size-limit
|
||||
endif
|
||||
|
||||
-if ENABLE_KTLS
|
||||
-ctests += gnutls_ktls
|
||||
-endif
|
||||
-
|
||||
ctests += record-sendfile
|
||||
|
||||
gc_CPPFLAGS = $(AM_CPPFLAGS) \
|
||||
@@ -500,6 +496,11 @@ if ENABLE_TPM2
|
||||
dist_check_SCRIPTS += tpm2.sh
|
||||
endif
|
||||
|
||||
+if ENABLE_KTLS
|
||||
+indirect_tests += gnutls_ktls
|
||||
+dist_check_SCRIPTS += ktls.sh
|
||||
+endif
|
||||
+
|
||||
if !WINDOWS
|
||||
|
||||
#
|
||||
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
|
||||
index 3966e2b10a..8f9c5fa36e 100644
|
||||
--- a/tests/gnutls_ktls.c
|
||||
+++ b/tests/gnutls_ktls.c
|
||||
@@ -84,7 +84,7 @@ static void client(int fd, const char *prio)
|
||||
|
||||
ret = gnutls_transport_is_ktls_enabled(session);
|
||||
if (!(ret & GNUTLS_KTLS_RECV)){
|
||||
- fail("client: KTLS was not properly inicialized\n");
|
||||
+ fail("client: KTLS was not properly initialized\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
@@ -208,7 +208,7 @@ static void server(int fd, const char *prio)
|
||||
|
||||
ret = gnutls_transport_is_ktls_enabled(session);
|
||||
if (!(ret & GNUTLS_KTLS_SEND)){
|
||||
- fail("server: KTLS was not properly inicialized\n");
|
||||
+ fail("server: KTLS was not properly initialized\n");
|
||||
goto end;
|
||||
}
|
||||
do {
|
||||
diff --git a/tests/ktls.sh b/tests/ktls.sh
|
||||
new file mode 100755
|
||||
index 0000000000..ba52bd5775
|
||||
--- /dev/null
|
||||
+++ b/tests/ktls.sh
|
||||
@@ -0,0 +1,46 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2022 Red Hat, Inc.
|
||||
+#
|
||||
+# Author: Daiki Ueno
|
||||
+#
|
||||
+# This file is part of GnuTLS.
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+: ${builddir=.}
|
||||
+
|
||||
+. "$srcdir/scripts/common.sh"
|
||||
+
|
||||
+if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then
|
||||
+ exit 77
|
||||
+fi
|
||||
+
|
||||
+testdir=`create_testdir ktls`
|
||||
+
|
||||
+cfg="$testdir/config"
|
||||
+
|
||||
+cat <<EOF > "$cfg"
|
||||
+[global]
|
||||
+ktls = true
|
||||
+EOF
|
||||
+
|
||||
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
|
||||
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
|
||||
+"$builddir/gnutls_ktls" "$@"
|
||||
+rc=$?
|
||||
+
|
||||
+rm -rf "$testdir"
|
||||
+exit $rc
|
||||
--
|
||||
2.36.1
|
||||
|
||||
|
||||
From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Tue, 28 Jun 2022 10:23:33 +0900
|
||||
Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in
|
||||
gnutls_handshake
|
||||
|
||||
As gnutls_handshake can be repeatedly called upon non-blocking setup,
|
||||
we shouldn't try to call setsockopt for KTLS upon every call.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/handshake.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||
index 4dd457bf22..3886306eb4 100644
|
||||
--- a/lib/handshake.c
|
||||
+++ b/lib/handshake.c
|
||||
@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session)
|
||||
const version_entry_st *vers = get_version(session);
|
||||
int ret;
|
||||
|
||||
- session->internals.ktls_enabled = 0;
|
||||
-#ifdef ENABLE_KTLS
|
||||
- if (_gnutls_config_is_ktls_enabled() == true)
|
||||
- _gnutls_ktls_enable(session);
|
||||
-#endif
|
||||
-
|
||||
if (unlikely(session->internals.initial_negotiation_completed)) {
|
||||
if (vers->tls13_sem) {
|
||||
if (session->security_parameters.entity == GNUTLS_CLIENT) {
|
||||
@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session)
|
||||
end->tv_nsec =
|
||||
(start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
|
||||
}
|
||||
+
|
||||
+#ifdef ENABLE_KTLS
|
||||
+ if (_gnutls_config_is_ktls_enabled()) {
|
||||
+ _gnutls_ktls_enable(session);
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
if (session->internals.recv_state == RECV_STATE_FALSE_START) {
|
||||
--
|
||||
2.36.1
|
||||
|
||||
|
||||
From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <ueno@gnu.org>
|
||||
Date: Tue, 28 Jun 2022 10:53:55 +0900
|
||||
Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND
|
||||
calculation
|
||||
|
||||
Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the
|
||||
same socket is used for both sending and receiving, GNUTLS_KTLS_SEND
|
||||
was unconditionally set. This fixes the conditions and also adds more
|
||||
logging.
|
||||
|
||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||
---
|
||||
lib/system/ktls.c | 21 ++++++++++++++++-----
|
||||
1 file changed, 16 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||
index b9f7a73fb5..ddf27fac76 100644
|
||||
--- a/lib/system/ktls.c
|
||||
+++ b/lib/system/ktls.c
|
||||
@@ -47,7 +47,7 @@
|
||||
gnutls_transport_ktls_enable_flags_t
|
||||
gnutls_transport_is_ktls_enabled(gnutls_session_t session){
|
||||
if (unlikely(!session->internals.initial_negotiation_completed)){
|
||||
- _gnutls_debug_log("Initial negotiation is not yet complete");
|
||||
+ _gnutls_debug_log("Initial negotiation is not yet complete\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
|
||||
void _gnutls_ktls_enable(gnutls_session_t session)
|
||||
{
|
||||
int sockin, sockout;
|
||||
+
|
||||
gnutls_transport_get_int2(session, &sockin, &sockout);
|
||||
|
||||
- if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
|
||||
+ if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
|
||||
session->internals.ktls_enabled |= GNUTLS_KTLS_RECV;
|
||||
+ if (sockin == sockout) {
|
||||
+ session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||
+ }
|
||||
+ } else {
|
||||
+ _gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n",
|
||||
+ errno);
|
||||
+ }
|
||||
|
||||
if (sockin != sockout) {
|
||||
- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
|
||||
+ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
|
||||
session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||
- } else
|
||||
- session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||
+ } else {
|
||||
+ _gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n",
|
||||
+ errno);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||
--
|
||||
2.36.1
|
||||
|
||||
|
|
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
|
|||
}
|
||||
|
||||
Version: 3.7.6
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
# not upstreamed
|
||||
Patch: gnutls-3.6.7-no-now-guile.patch
|
||||
Patch: gnutls-3.2.7-rpath.patch
|
||||
|
|
@ -22,6 +22,8 @@ Patch: gnutls-3.7.2-no-explicit-init.patch
|
|||
|
||||
# upstreamed
|
||||
Patch: gnutls-3.7.6-fips-run-selftests.patch
|
||||
Patch: gnutls-3.7.6-ktls-disable-by-default.patch
|
||||
Patch: gnutls-3.7.6-ktls-fixes.patch
|
||||
|
||||
# not upstreamed
|
||||
Patch: gnutls-3.7.3-disable-config-reload.patch
|
||||
|
|
@ -241,6 +243,7 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
|
|||
%else
|
||||
--without-tpm2 \
|
||||
%endif
|
||||
--enable-ktls \
|
||||
--htmldir=%{_docdir}/manual \
|
||||
%if %{with guile}
|
||||
--enable-guile \
|
||||
|
|
@ -356,6 +359,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jul 19 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-2
|
||||
- Allow enabling KTLS with config file (#2042009)
|
||||
|
||||
* Fri Jul 1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
|
||||
- Update to gnutls 3.7.6 (#2097327)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue