Allow enabling KTLS with config file
Resolves: #2042009 Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
parent
a7f3c0212c
commit
9c2a8c7a27
124
gnutls-3.7.6-ktls-disable-by-default.patch
Normal file
124
gnutls-3.7.6-ktls-disable-by-default.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?=
|
||||||
|
<krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Tue, 14 Jun 2022 16:16:11 +0200
|
||||||
|
Subject: [PATCH] KTLS: disable by default enable by config
|
||||||
|
|
||||||
|
KTLS will be disabled by default when build with `--enable-ktls` to
|
||||||
|
enable it, use config file option `ktls = true` in [global] section.
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
doc/cha-config.texi | 18 ++++++++----------
|
||||||
|
lib/gnutls_int.h | 2 +-
|
||||||
|
lib/handshake.c | 2 +-
|
||||||
|
lib/priority.c | 12 ++++++------
|
||||||
|
4 files changed, 16 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
|
||||||
|
index e550f2e4b1..eaab7fd799 100644
|
||||||
|
--- a/doc/cha-config.texi
|
||||||
|
+++ b/doc/cha-config.texi
|
||||||
|
@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
|
||||||
|
* Querying for disabled algorithms and protocols::
|
||||||
|
* Overriding the parameter verification profile::
|
||||||
|
* Overriding the default priority string::
|
||||||
|
-* Disabling system/acceleration protocols::
|
||||||
|
+* Enabling/Disabling system/acceleration protocols::
|
||||||
|
@end menu
|
||||||
|
|
||||||
|
@node Application-specific priority strings
|
||||||
|
@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
|
||||||
|
@end example
|
||||||
|
|
||||||
|
|
||||||
|
-@node Disabling system/acceleration protocols
|
||||||
|
-@section Disabling system/acceleration protocols
|
||||||
|
-When system/acceleration protocol is enabled during build, it is usually
|
||||||
|
-enabled by default. The following options can overwrite this behavior
|
||||||
|
-system-wide.
|
||||||
|
+@node Enabling/Disabling system/acceleration protocols
|
||||||
|
+@section Enabling/Disabling system/acceleration protocols
|
||||||
|
+The following options can overwrite default behavior of protocols system-wide.
|
||||||
|
@example
|
||||||
|
[global]
|
||||||
|
-ktls = false
|
||||||
|
+ktls = true
|
||||||
|
|
||||||
|
@end example
|
||||||
|
-@subsection Disabling KTLS
|
||||||
|
-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default.
|
||||||
|
-This can be overwritten by setting @code{ktls = false} in @code{[global]} section.
|
||||||
|
+@subsection Enabling KTLS
|
||||||
|
+When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default.
|
||||||
|
+This can be enabled by setting @code{ktls = true} in @code{[global]} section.
|
||||||
|
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
|
||||||
|
index 872188696b..8c7bdaa1db 100644
|
||||||
|
--- a/lib/gnutls_int.h
|
||||||
|
+++ b/lib/gnutls_int.h
|
||||||
|
@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session,
|
||||||
|
|
||||||
|
extern unsigned int _gnutls_global_version;
|
||||||
|
|
||||||
|
-bool _gnutls_config_is_ktls_disabled(void);
|
||||||
|
+bool _gnutls_config_is_ktls_enabled(void);
|
||||||
|
|
||||||
|
#endif /* GNUTLS_LIB_GNUTLS_INT_H */
|
||||||
|
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||||
|
index f3edbbdacb..4dd457bf22 100644
|
||||||
|
--- a/lib/handshake.c
|
||||||
|
+++ b/lib/handshake.c
|
||||||
|
@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session)
|
||||||
|
|
||||||
|
session->internals.ktls_enabled = 0;
|
||||||
|
#ifdef ENABLE_KTLS
|
||||||
|
- if (_gnutls_config_is_ktls_disabled() == false)
|
||||||
|
+ if (_gnutls_config_is_ktls_enabled() == true)
|
||||||
|
_gnutls_ktls_enable(session);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/lib/priority.c b/lib/priority.c
|
||||||
|
index 7279c03c88..d163d8169f 100644
|
||||||
|
--- a/lib/priority.c
|
||||||
|
+++ b/lib/priority.c
|
||||||
|
@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c)
|
||||||
|
|
||||||
|
struct cfg {
|
||||||
|
bool allowlisting;
|
||||||
|
- bool ktls_disabled;
|
||||||
|
+ bool ktls_enabled;
|
||||||
|
|
||||||
|
name_val_array_t priority_strings;
|
||||||
|
char *priority_string;
|
||||||
|
@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
|
||||||
|
src->default_priority_string = NULL;
|
||||||
|
|
||||||
|
dst->allowlisting = src->allowlisting;
|
||||||
|
- dst->ktls_disabled = src->ktls_disabled;
|
||||||
|
+ dst->ktls_enabled = src->ktls_enabled;
|
||||||
|
memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
|
||||||
|
memcpy(dst->macs, src->macs, sizeof(src->macs));
|
||||||
|
memcpy(dst->groups, src->groups, sizeof(src->groups));
|
||||||
|
@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
|
||||||
|
}
|
||||||
|
} else if (c_strcasecmp(name, "ktls") == 0) {
|
||||||
|
p = clear_spaces(value, str);
|
||||||
|
- if (c_strcasecmp(p, "false") == 0) {
|
||||||
|
- cfg->ktls_disabled = true;
|
||||||
|
+ if (c_strcasecmp(p, "true") == 0) {
|
||||||
|
+ cfg->ktls_enabled = true;
|
||||||
|
} else {
|
||||||
|
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
|
||||||
|
p);
|
||||||
|
@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
-bool _gnutls_config_is_ktls_disabled(void){
|
||||||
|
- return system_wide_config.ktls_disabled;
|
||||||
|
+bool _gnutls_config_is_ktls_enabled(void){
|
||||||
|
+ return system_wide_config.ktls_enabled;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
230
gnutls-3.7.6-ktls-fixes.patch
Normal file
230
gnutls-3.7.6-ktls-fixes.patch
Normal file
@ -0,0 +1,230 @@
|
|||||||
|
From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Tue, 28 Jun 2022 09:37:22 +0900
|
||||||
|
Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
tests/Makefile.am | 9 +++++----
|
||||||
|
tests/gnutls_ktls.c | 4 ++--
|
||||||
|
tests/ktls.sh | 46 +++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 53 insertions(+), 6 deletions(-)
|
||||||
|
create mode 100755 tests/ktls.sh
|
||||||
|
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index 4deeb6462b..cba67e8db8 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself \
|
||||||
|
resume-with-record-size-limit
|
||||||
|
endif
|
||||||
|
|
||||||
|
-if ENABLE_KTLS
|
||||||
|
-ctests += gnutls_ktls
|
||||||
|
-endif
|
||||||
|
-
|
||||||
|
ctests += record-sendfile
|
||||||
|
|
||||||
|
gc_CPPFLAGS = $(AM_CPPFLAGS) \
|
||||||
|
@@ -500,6 +496,11 @@ if ENABLE_TPM2
|
||||||
|
dist_check_SCRIPTS += tpm2.sh
|
||||||
|
endif
|
||||||
|
|
||||||
|
+if ENABLE_KTLS
|
||||||
|
+indirect_tests += gnutls_ktls
|
||||||
|
+dist_check_SCRIPTS += ktls.sh
|
||||||
|
+endif
|
||||||
|
+
|
||||||
|
if !WINDOWS
|
||||||
|
|
||||||
|
#
|
||||||
|
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
|
||||||
|
index 3966e2b10a..8f9c5fa36e 100644
|
||||||
|
--- a/tests/gnutls_ktls.c
|
||||||
|
+++ b/tests/gnutls_ktls.c
|
||||||
|
@@ -84,7 +84,7 @@ static void client(int fd, const char *prio)
|
||||||
|
|
||||||
|
ret = gnutls_transport_is_ktls_enabled(session);
|
||||||
|
if (!(ret & GNUTLS_KTLS_RECV)){
|
||||||
|
- fail("client: KTLS was not properly inicialized\n");
|
||||||
|
+ fail("client: KTLS was not properly initialized\n");
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -208,7 +208,7 @@ static void server(int fd, const char *prio)
|
||||||
|
|
||||||
|
ret = gnutls_transport_is_ktls_enabled(session);
|
||||||
|
if (!(ret & GNUTLS_KTLS_SEND)){
|
||||||
|
- fail("server: KTLS was not properly inicialized\n");
|
||||||
|
+ fail("server: KTLS was not properly initialized\n");
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
do {
|
||||||
|
diff --git a/tests/ktls.sh b/tests/ktls.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000000..ba52bd5775
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/ktls.sh
|
||||||
|
@@ -0,0 +1,46 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+
|
||||||
|
+# Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+#
|
||||||
|
+# Author: Daiki Ueno
|
||||||
|
+#
|
||||||
|
+# This file is part of GnuTLS.
|
||||||
|
+#
|
||||||
|
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||||
|
+# under the terms of the GNU General Public License as published by the
|
||||||
|
+# Free Software Foundation; either version 3 of the License, or (at
|
||||||
|
+# your option) any later version.
|
||||||
|
+#
|
||||||
|
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||||
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+# General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||||
|
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
+
|
||||||
|
+: ${builddir=.}
|
||||||
|
+
|
||||||
|
+. "$srcdir/scripts/common.sh"
|
||||||
|
+
|
||||||
|
+if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then
|
||||||
|
+ exit 77
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+testdir=`create_testdir ktls`
|
||||||
|
+
|
||||||
|
+cfg="$testdir/config"
|
||||||
|
+
|
||||||
|
+cat <<EOF > "$cfg"
|
||||||
|
+[global]
|
||||||
|
+ktls = true
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
|
||||||
|
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
|
||||||
|
+"$builddir/gnutls_ktls" "$@"
|
||||||
|
+rc=$?
|
||||||
|
+
|
||||||
|
+rm -rf "$testdir"
|
||||||
|
+exit $rc
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
||||||
|
|
||||||
|
From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Tue, 28 Jun 2022 10:23:33 +0900
|
||||||
|
Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in
|
||||||
|
gnutls_handshake
|
||||||
|
|
||||||
|
As gnutls_handshake can be repeatedly called upon non-blocking setup,
|
||||||
|
we shouldn't try to call setsockopt for KTLS upon every call.
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/handshake.c | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||||
|
index 4dd457bf22..3886306eb4 100644
|
||||||
|
--- a/lib/handshake.c
|
||||||
|
+++ b/lib/handshake.c
|
||||||
|
@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session)
|
||||||
|
const version_entry_st *vers = get_version(session);
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
- session->internals.ktls_enabled = 0;
|
||||||
|
-#ifdef ENABLE_KTLS
|
||||||
|
- if (_gnutls_config_is_ktls_enabled() == true)
|
||||||
|
- _gnutls_ktls_enable(session);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
if (unlikely(session->internals.initial_negotiation_completed)) {
|
||||||
|
if (vers->tls13_sem) {
|
||||||
|
if (session->security_parameters.entity == GNUTLS_CLIENT) {
|
||||||
|
@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session)
|
||||||
|
end->tv_nsec =
|
||||||
|
(start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+#ifdef ENABLE_KTLS
|
||||||
|
+ if (_gnutls_config_is_ktls_enabled()) {
|
||||||
|
+ _gnutls_ktls_enable(session);
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
if (session->internals.recv_state == RECV_STATE_FALSE_START) {
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
||||||
|
|
||||||
|
From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Tue, 28 Jun 2022 10:53:55 +0900
|
||||||
|
Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND
|
||||||
|
calculation
|
||||||
|
|
||||||
|
Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the
|
||||||
|
same socket is used for both sending and receiving, GNUTLS_KTLS_SEND
|
||||||
|
was unconditionally set. This fixes the conditions and also adds more
|
||||||
|
logging.
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/system/ktls.c | 21 ++++++++++++++++-----
|
||||||
|
1 file changed, 16 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index b9f7a73fb5..ddf27fac76 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -47,7 +47,7 @@
|
||||||
|
gnutls_transport_ktls_enable_flags_t
|
||||||
|
gnutls_transport_is_ktls_enabled(gnutls_session_t session){
|
||||||
|
if (unlikely(!session->internals.initial_negotiation_completed)){
|
||||||
|
- _gnutls_debug_log("Initial negotiation is not yet complete");
|
||||||
|
+ _gnutls_debug_log("Initial negotiation is not yet complete\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
|
||||||
|
void _gnutls_ktls_enable(gnutls_session_t session)
|
||||||
|
{
|
||||||
|
int sockin, sockout;
|
||||||
|
+
|
||||||
|
gnutls_transport_get_int2(session, &sockin, &sockout);
|
||||||
|
|
||||||
|
- if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
|
||||||
|
+ if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
|
||||||
|
session->internals.ktls_enabled |= GNUTLS_KTLS_RECV;
|
||||||
|
+ if (sockin == sockout) {
|
||||||
|
+ session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ _gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n",
|
||||||
|
+ errno);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (sockin != sockout) {
|
||||||
|
- if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
|
||||||
|
+ if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
|
||||||
|
session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||||
|
- } else
|
||||||
|
- session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
|
||||||
|
+ } else {
|
||||||
|
+ _gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n",
|
||||||
|
+ errno);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
|
|||||||
}
|
}
|
||||||
|
|
||||||
Version: 3.7.6
|
Version: 3.7.6
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
# not upstreamed
|
# not upstreamed
|
||||||
Patch: gnutls-3.6.7-no-now-guile.patch
|
Patch: gnutls-3.6.7-no-now-guile.patch
|
||||||
Patch: gnutls-3.2.7-rpath.patch
|
Patch: gnutls-3.2.7-rpath.patch
|
||||||
@ -22,6 +22,8 @@ Patch: gnutls-3.7.2-no-explicit-init.patch
|
|||||||
|
|
||||||
# upstreamed
|
# upstreamed
|
||||||
Patch: gnutls-3.7.6-fips-run-selftests.patch
|
Patch: gnutls-3.7.6-fips-run-selftests.patch
|
||||||
|
Patch: gnutls-3.7.6-ktls-disable-by-default.patch
|
||||||
|
Patch: gnutls-3.7.6-ktls-fixes.patch
|
||||||
|
|
||||||
# not upstreamed
|
# not upstreamed
|
||||||
Patch: gnutls-3.7.3-disable-config-reload.patch
|
Patch: gnutls-3.7.3-disable-config-reload.patch
|
||||||
@ -241,6 +243,7 @@ export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
|
|||||||
%else
|
%else
|
||||||
--without-tpm2 \
|
--without-tpm2 \
|
||||||
%endif
|
%endif
|
||||||
|
--enable-ktls \
|
||||||
--htmldir=%{_docdir}/manual \
|
--htmldir=%{_docdir}/manual \
|
||||||
%if %{with guile}
|
%if %{with guile}
|
||||||
--enable-guile \
|
--enable-guile \
|
||||||
@ -356,6 +359,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 19 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-2
|
||||||
|
- Allow enabling KTLS with config file (#2042009)
|
||||||
|
|
||||||
* Fri Jul 1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
|
* Fri Jul 1 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-1
|
||||||
- Update to gnutls 3.7.6 (#2097327)
|
- Update to gnutls 3.7.6 (#2097327)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user