[packit] 3.8.0 upstream release
Upstream tag: 3.8.0 Upstream commit: 516e466b Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
parent
9df43c9df7
commit
b08c1d3cb5
3
.gitignore
vendored
3
.gitignore
vendored
@ -141,3 +141,6 @@ gnutls-2.10.1-nosrp.tar.bz2
|
|||||||
/gnutls-3.7.6.tar.xz
|
/gnutls-3.7.6.tar.xz
|
||||||
/gnutls-3.7.7.tar.xz
|
/gnutls-3.7.7.tar.xz
|
||||||
/gnutls-3.7.8.tar.xz
|
/gnutls-3.7.8.tar.xz
|
||||||
|
/gnutls-3.8.0.tar.xz
|
||||||
|
/gnutls-3.8.0.tar.xz.sig
|
||||||
|
/gnutls-release-keyring.gpg
|
||||||
|
@ -15,7 +15,6 @@ actions:
|
|||||||
post-upstream-clone:
|
post-upstream-clone:
|
||||||
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec"
|
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls.spec"
|
||||||
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch"
|
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.2.7-rpath.patch"
|
||||||
- "wget https://src.fedoraproject.org/rpms/gnutls/raw/main/f/gnutls-3.6.7-no-now-guile.patch"
|
|
||||||
get-current-version:
|
get-current-version:
|
||||||
- "git describe --abbrev=0"
|
- "git describe --abbrev=0"
|
||||||
create-archive:
|
create-archive:
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
This repository is maintained by packit.
|
This repository is maintained by packit.
|
||||||
https://packit.dev/
|
https://packit.dev/
|
||||||
The file was generated using packit 0.60.0.
|
The file was generated using packit 0.67.0.
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
--- a/guile/src/Makefile.in 2019-03-27 11:51:55.984398001 +0100
|
|
||||||
+++ b/guile/src/Makefile.in 2019-03-27 11:52:27.259626076 +0100
|
|
||||||
@@ -1472,7 +1472,7 @@
|
|
||||||
# Use '-module' to build a "dlopenable module", in Libtool terms.
|
|
||||||
# Use '-undefined' to placate Libtool on Windows; see
|
|
||||||
# <https://lists.gnutls.org/pipermail/gnutls-devel/2014-December/007294.html>.
|
|
||||||
-guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined
|
|
||||||
+guile_gnutls_v_2_la_LDFLAGS = -module -no-undefined -Wl,-z,lazy
|
|
||||||
|
|
||||||
# Linking against GnuTLS.
|
|
||||||
GNUTLS_CORE_LIBS = $(top_builddir)/lib/libgnutls.la
|
|
@ -1,132 +0,0 @@
|
|||||||
From 7fa942e08e64b761b19753ae74503de43cc1ff91 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Thu, 6 Oct 2022 18:44:48 +0900
|
|
||||||
Subject: build: suppress GCC analyzer warnings
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
|
|
||||||
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
|
|
||||||
index 228d98468..f122049e1 100644
|
|
||||||
--- a/lib/auth/cert.c
|
|
||||||
+++ b/lib/auth/cert.c
|
|
||||||
@@ -1636,6 +1636,10 @@ _gnutls_select_server_cert(gnutls_session_t session, const gnutls_cipher_suite_e
|
|
||||||
if (session->internals.selected_cert_list_length == 0)
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
|
|
||||||
|
|
||||||
+ if (unlikely(session->internals.selected_cert_list == NULL)) {
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
_gnutls_debug_log("Selected (%s) cert\n",
|
|
||||||
gnutls_pk_get_name(session->internals.selected_cert_list[0].pubkey->params.algo));
|
|
||||||
}
|
|
||||||
diff --git a/lib/nettle/int/provable-prime.c b/lib/nettle/int/provable-prime.c
|
|
||||||
index 585cd031e..3a626a2c8 100644
|
|
||||||
--- a/lib/nettle/int/provable-prime.c
|
|
||||||
+++ b/lib/nettle/int/provable-prime.c
|
|
||||||
@@ -1173,7 +1173,7 @@ st_provable_prime(mpz_t p,
|
|
||||||
if (iterations > 0) {
|
|
||||||
storage_length = iterations * DIGEST_SIZE;
|
|
||||||
|
|
||||||
- storage = malloc(storage_length);
|
|
||||||
+ storage = gnutls_malloc(storage_length);
|
|
||||||
if (storage == NULL)
|
|
||||||
goto fail;
|
|
||||||
|
|
||||||
@@ -1307,7 +1307,7 @@ st_provable_prime(mpz_t p,
|
|
||||||
mpz_clear(t);
|
|
||||||
mpz_clear(tmp);
|
|
||||||
mpz_clear(c);
|
|
||||||
- free(pseed);
|
|
||||||
- free(storage);
|
|
||||||
+ gnutls_free(pseed);
|
|
||||||
+ gnutls_free(storage);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff --git a/lib/pk.c b/lib/pk.c
|
|
||||||
index c5600a32a..753cecd18 100644
|
|
||||||
--- a/lib/pk.c
|
|
||||||
+++ b/lib/pk.c
|
|
||||||
@@ -93,6 +93,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (r->data[0] >= 0x80) {
|
|
||||||
+ assert(tmp);
|
|
||||||
tmp[0] = 0;
|
|
||||||
memcpy(&tmp[1], r->data, r->size);
|
|
||||||
result = asn1_write_value(sig, "r", tmp, 1+r->size);
|
|
||||||
@@ -108,6 +109,7 @@ _gnutls_encode_ber_rs_raw(gnutls_datum_t * sig_value,
|
|
||||||
|
|
||||||
|
|
||||||
if (s->data[0] >= 0x80) {
|
|
||||||
+ assert(tmp);
|
|
||||||
tmp[0] = 0;
|
|
||||||
memcpy(&tmp[1], s->data, s->size);
|
|
||||||
result = asn1_write_value(sig, "s", tmp, 1+s->size);
|
|
||||||
@@ -598,6 +600,10 @@ encode_ber_digest_info(const mac_entry_st * e,
|
|
||||||
uint8_t *tmp_output;
|
|
||||||
int tmp_output_size;
|
|
||||||
|
|
||||||
+ if (unlikely(e == NULL)) {
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* prevent asn1_write_value() treating input as string */
|
|
||||||
if (digest->size == 0)
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
|
|
||||||
index 59eddcd2a..6f528a911 100644
|
|
||||||
--- a/lib/x509/pkcs7-crypt.c
|
|
||||||
+++ b/lib/x509/pkcs7-crypt.c
|
|
||||||
@@ -1211,6 +1211,10 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, asn1_node pkcs8_asn,
|
|
||||||
}
|
|
||||||
|
|
||||||
ce = cipher_to_entry(enc_params->cipher);
|
|
||||||
+ if (unlikely(ce == NULL)) {
|
|
||||||
+ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_CIPHER_TYPE);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
block_size = _gnutls_cipher_get_block_size(ce);
|
|
||||||
|
|
||||||
if (ce->type == CIPHER_BLOCK) {
|
|
||||||
diff --git a/src/tests.c b/src/tests.c
|
|
||||||
index 85c4b6699..8526b6943 100644
|
|
||||||
--- a/src/tests.c
|
|
||||||
+++ b/src/tests.c
|
|
||||||
@@ -1613,7 +1613,9 @@ test_code_t test_chain_order(gnutls_session_t session)
|
|
||||||
|
|
||||||
gnutls_free(t.data);
|
|
||||||
}
|
|
||||||
- *pos = 0;
|
|
||||||
+ if (pos) {
|
|
||||||
+ *pos = 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
t.size = p_size;
|
|
||||||
t.data = (void*)p;
|
|
||||||
diff --git a/src/tpmtool.c b/src/tpmtool.c
|
|
||||||
index 171b7fd41..1b230c2ff 100644
|
|
||||||
--- a/src/tpmtool.c
|
|
||||||
+++ b/src/tpmtool.c
|
|
||||||
@@ -263,15 +263,15 @@ static void tpm_generate(FILE * out, unsigned int key_type,
|
|
||||||
gnutls_datum_t privkey, pubkey;
|
|
||||||
|
|
||||||
if (!srk_well_known) {
|
|
||||||
- srk_pass = getpass("Enter SRK password: ");
|
|
||||||
- if (srk_pass != NULL)
|
|
||||||
- srk_pass = strdup(srk_pass);
|
|
||||||
+ char *pass = getpass("Enter SRK password: ");
|
|
||||||
+ if (pass != NULL)
|
|
||||||
+ srk_pass = strdup(pass);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(flags & GNUTLS_TPM_REGISTER_KEY)) {
|
|
||||||
- key_pass = getpass("Enter key password: ");
|
|
||||||
- if (key_pass != NULL)
|
|
||||||
- key_pass = strdup(key_pass);
|
|
||||||
+ char *pass = getpass("Enter key password: ");
|
|
||||||
+ if (pass != NULL)
|
|
||||||
+ key_pass = strdup(pass);
|
|
||||||
}
|
|
||||||
|
|
||||||
ret =
|
|
@ -1,273 +0,0 @@
|
|||||||
From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Thu, 1 Dec 2022 15:37:33 +0100
|
|
||||||
Subject: [PATCH 1/2] KTLS: add ciphersuites
|
|
||||||
|
|
||||||
* TLS_AES_128_CCM_SHA256
|
|
||||||
* TLS_CHACHA20_POLY1305_SHA256
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++--
|
|
||||||
1 file changed, 153 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
|
||||||
index 703775960..792d09ccf 100644
|
|
||||||
--- a/lib/system/ktls.c
|
|
||||||
+++ b/lib/system/ktls.c
|
|
||||||
@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
gnutls_datum_t mac_key;
|
|
||||||
gnutls_datum_t iv;
|
|
||||||
gnutls_datum_t cipher_key;
|
|
||||||
- unsigned char seq_number[8];
|
|
||||||
+ unsigned char seq_number[12];
|
|
||||||
int sockin, sockout;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
int version = gnutls_protocol_get_version(session);
|
|
||||||
if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) ||
|
|
||||||
(gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM &&
|
|
||||||
- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) {
|
|
||||||
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM &&
|
|
||||||
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM &&
|
|
||||||
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) {
|
|
||||||
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
case GNUTLS_CIPHER_AES_128_GCM:
|
|
||||||
{
|
|
||||||
struct tls12_crypto_info_aes_gcm_128 crypto_info;
|
|
||||||
- memset(&crypto_info, 0, sizeof(crypto_info));
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
|
|
||||||
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
|
|
||||||
assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE);
|
|
||||||
@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
case GNUTLS_CIPHER_AES_256_GCM:
|
|
||||||
{
|
|
||||||
struct tls12_crypto_info_aes_gcm_256 crypto_info;
|
|
||||||
- memset(&crypto_info, 0, sizeof(crypto_info));
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
|
|
||||||
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
|
||||||
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
|
|
||||||
@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
+ case GNUTLS_CIPHER_AES_128_CCM:
|
|
||||||
+ {
|
|
||||||
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
+
|
|
||||||
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
|
|
||||||
+ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ /* for TLS 1.2 IV is generated in kernel */
|
|
||||||
+ if (version == GNUTLS_TLS1_2) {
|
|
||||||
+ crypto_info.info.version = TLS_1_2_VERSION;
|
|
||||||
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+ } else {
|
|
||||||
+ crypto_info.info.version = TLS_1_3_VERSION;
|
|
||||||
+ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE
|
|
||||||
+ + TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+
|
|
||||||
+ memcpy(crypto_info.iv, iv.data +
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy(crypto_info.salt, iv.data,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
|
|
||||||
+ memcpy(crypto_info.rec_seq, seq_number,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
|
|
||||||
+ memcpy(crypto_info.key, cipher_key.data,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
|
|
||||||
+ &crypto_info, sizeof (crypto_info))) {
|
|
||||||
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
|
|
||||||
+ {
|
|
||||||
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
+
|
|
||||||
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
|
|
||||||
+ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ /* for TLS 1.2 IV is generated in kernel */
|
|
||||||
+ if (version == GNUTLS_TLS1_2) {
|
|
||||||
+ crypto_info.info.version = TLS_1_2_VERSION;
|
|
||||||
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+ } else {
|
|
||||||
+ crypto_info.info.version = TLS_1_3_VERSION;
|
|
||||||
+ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE
|
|
||||||
+ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+
|
|
||||||
+ memcpy(crypto_info.iv, iv.data +
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy(crypto_info.salt, iv.data,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
|
|
||||||
+ memcpy(crypto_info.rec_seq, seq_number,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
|
|
||||||
+ memcpy(crypto_info.key, cipher_key.data,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
|
|
||||||
+ &crypto_info, sizeof (crypto_info))) {
|
|
||||||
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
assert(0);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key,
|
|
||||||
@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
case GNUTLS_CIPHER_AES_128_GCM:
|
|
||||||
{
|
|
||||||
struct tls12_crypto_info_aes_gcm_128 crypto_info;
|
|
||||||
- memset(&crypto_info, 0, sizeof(crypto_info));
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
|
|
||||||
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
|
|
||||||
|
|
||||||
@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
case GNUTLS_CIPHER_AES_256_GCM:
|
|
||||||
{
|
|
||||||
struct tls12_crypto_info_aes_gcm_256 crypto_info;
|
|
||||||
- memset(&crypto_info, 0, sizeof(crypto_info));
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
|
|
||||||
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
|
||||||
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
|
|
||||||
@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
}
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
+ case GNUTLS_CIPHER_AES_128_CCM:
|
|
||||||
+ {
|
|
||||||
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
+
|
|
||||||
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
|
|
||||||
+ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ /* for TLS 1.2 IV is generated in kernel */
|
|
||||||
+ if (version == GNUTLS_TLS1_2) {
|
|
||||||
+ crypto_info.info.version = TLS_1_2_VERSION;
|
|
||||||
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+ } else {
|
|
||||||
+ crypto_info.info.version = TLS_1_3_VERSION;
|
|
||||||
+ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE +
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+
|
|
||||||
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy (crypto_info.salt, iv.data,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
|
|
||||||
+ memcpy (crypto_info.rec_seq, seq_number,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
|
|
||||||
+ memcpy (crypto_info.key, cipher_key.data,
|
|
||||||
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
|
|
||||||
+ &crypto_info, sizeof (crypto_info))) {
|
|
||||||
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
|
|
||||||
+ {
|
|
||||||
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
|
|
||||||
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
|
||||||
+
|
|
||||||
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
|
|
||||||
+ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ /* for TLS 1.2 IV is generated in kernel */
|
|
||||||
+ if (version == GNUTLS_TLS1_2) {
|
|
||||||
+ crypto_info.info.version = TLS_1_2_VERSION;
|
|
||||||
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+ } else {
|
|
||||||
+ crypto_info.info.version = TLS_1_3_VERSION;
|
|
||||||
+ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE +
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+
|
|
||||||
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy (crypto_info.salt, iv.data,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
|
|
||||||
+ memcpy (crypto_info.rec_seq, seq_number,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
|
|
||||||
+ memcpy (crypto_info.key, cipher_key.data,
|
|
||||||
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
|
||||||
+
|
|
||||||
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
|
|
||||||
+ &crypto_info, sizeof (crypto_info))) {
|
|
||||||
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
assert(0);
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
// set callback for sending handshake messages
|
|
||||||
gnutls_handshake_set_read_function(session,
|
|
||||||
_gnutls_ktls_send_handshake_msg);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Fri, 2 Dec 2022 11:07:48 +0100
|
|
||||||
Subject: [PATCH 2/2] KTLS: add ciphersuites (tests)
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
tests/gnutls_ktls.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
|
|
||||||
index 8f9c5fa36..919270778 100644
|
|
||||||
--- a/tests/gnutls_ktls.c
|
|
||||||
+++ b/tests/gnutls_ktls.c
|
|
||||||
@@ -350,8 +350,12 @@ void doit(void)
|
|
||||||
{
|
|
||||||
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM");
|
|
||||||
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM");
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM");
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305");
|
|
||||||
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
|
|
||||||
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM");
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305");
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* _WIN32 */
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,62 +0,0 @@
|
|||||||
From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Nov 2022 11:10:58 +0900
|
|
||||||
Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
src/common.c | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/common.c b/src/common.c
|
|
||||||
index 6d2056f95..20327b41c 100644
|
|
||||||
--- a/src/common.c
|
|
||||||
+++ b/src/common.c
|
|
||||||
@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
|
|
||||||
if (ret < 0) {
|
|
||||||
fprintf(stderr, "Encoding error: %s\n",
|
|
||||||
gnutls_strerror(ret));
|
|
||||||
- return;
|
|
||||||
+ goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_msg(out, "\n%s\n", (char*)pem.data);
|
|
||||||
@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
|
|
||||||
gnutls_free(pem.data);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ cleanup:
|
|
||||||
+ gnutls_pcert_deinit(&pk_cert);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* returns false (0) if not verified, or true (1) otherwise
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Nov 2022 11:14:53 +0900
|
|
||||||
Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
tests/resume-with-previous-stek.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
|
|
||||||
index 94f165627..98aba8d84 100644
|
|
||||||
--- a/tests/resume-with-previous-stek.c
|
|
||||||
+++ b/tests/resume-with-previous-stek.c
|
|
||||||
@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio)
|
|
||||||
|
|
||||||
gnutls_deinit(session);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ gnutls_free(session_data.data);
|
|
||||||
}
|
|
||||||
|
|
||||||
typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key,
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,957 +0,0 @@
|
|||||||
From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Tue, 2 Aug 2022 15:00:50 +0200
|
|
||||||
Subject: [PATCH 1/7] KTLS: set key on specific interfaces
|
|
||||||
|
|
||||||
It is now possible to set key on specific interface.
|
|
||||||
If interface given is not ktls enabled then it will be ignored.
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/handshake.c | 2 +-
|
|
||||||
lib/system/ktls.c | 12 +++++++-----
|
|
||||||
lib/system/ktls.h | 7 ++++++-
|
|
||||||
3 files changed, 14 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/handshake.c b/lib/handshake.c
|
|
||||||
index 21edc5ece..cb2bc3ae9 100644
|
|
||||||
--- a/lib/handshake.c
|
|
||||||
+++ b/lib/handshake.c
|
|
||||||
@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session)
|
|
||||||
|
|
||||||
#ifdef ENABLE_KTLS
|
|
||||||
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
|
||||||
- _gnutls_ktls_set_keys(session);
|
|
||||||
+ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
|
||||||
index ddf27fac7..70b9b9b3a 100644
|
|
||||||
--- a/lib/system/ktls.c
|
|
||||||
+++ b/lib/system/ktls.c
|
|
||||||
@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-int _gnutls_ktls_set_keys(gnutls_session_t session)
|
|
||||||
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in)
|
|
||||||
{
|
|
||||||
gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session);
|
|
||||||
gnutls_datum_t mac_key;
|
|
||||||
@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){
|
|
||||||
+ in &= session->internals.ktls_enabled;
|
|
||||||
+
|
|
||||||
+ if(in & GNUTLS_KTLS_RECV){
|
|
||||||
switch (cipher) {
|
|
||||||
case GNUTLS_CIPHER_AES_128_GCM:
|
|
||||||
{
|
|
||||||
@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){
|
|
||||||
+ if(in & GNUTLS_KTLS_SEND){
|
|
||||||
switch (cipher) {
|
|
||||||
case GNUTLS_CIPHER_AES_128_GCM:
|
|
||||||
{
|
|
||||||
@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- return 0;
|
|
||||||
+ return in;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
|
||||||
@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
|
|
||||||
void _gnutls_ktls_enable(gnutls_session_t session) {
|
|
||||||
}
|
|
||||||
|
|
||||||
-int _gnutls_ktls_set_keys(gnutls_session_t session) {
|
|
||||||
+int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) {
|
|
||||||
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
|
||||||
index 8a98a8eb8..c8059092d 100644
|
|
||||||
--- a/lib/system/ktls.h
|
|
||||||
+++ b/lib/system/ktls.h
|
|
||||||
@@ -4,14 +4,19 @@
|
|
||||||
#include "gnutls_int.h"
|
|
||||||
|
|
||||||
void _gnutls_ktls_enable(gnutls_session_t session);
|
|
||||||
-int _gnutls_ktls_set_keys(gnutls_session_t session);
|
|
||||||
+
|
|
||||||
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in);
|
|
||||||
+
|
|
||||||
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
|
||||||
off_t *offset, size_t count);
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
|
||||||
const void *data, size_t data_size);
|
|
||||||
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type,
|
|
||||||
void *data, size_t data_size);
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size);
|
|
||||||
#define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Tue, 2 Aug 2022 13:35:39 +0200
|
|
||||||
Subject: [PATCH 2/7] KTLS: set new keys for keyupdate
|
|
||||||
|
|
||||||
set new keys durring gnutls_session_key_update()
|
|
||||||
setting keys
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/tls13/key_update.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
|
||||||
index c6f6e0aa1..10c0a9110 100644
|
|
||||||
--- a/lib/tls13/key_update.c
|
|
||||||
+++ b/lib/tls13/key_update.c
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
#include "mem.h"
|
|
||||||
#include "mbuffers.h"
|
|
||||||
#include "secrets.h"
|
|
||||||
+#include "system/ktls.h"
|
|
||||||
|
|
||||||
#define KEY_UPDATES_WINDOW 1000
|
|
||||||
#define KEY_UPDATES_PER_WINDOW 8
|
|
||||||
@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
|
||||||
* write keys */
|
|
||||||
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
|
||||||
ret = _tls13_write_connection_state_init(session, stage);
|
|
||||||
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
|
||||||
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
|
||||||
} else {
|
|
||||||
ret = _tls13_connection_state_init(session, stage);
|
|
||||||
+
|
|
||||||
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
|
||||||
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
|
||||||
+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
|
||||||
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
|
||||||
+
|
|
||||||
}
|
|
||||||
if (ret < 0)
|
|
||||||
return gnutls_assert_val(ret);
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Wed, 3 Aug 2022 14:20:35 +0200
|
|
||||||
Subject: [PATCH 3/7] KTLS: send update key request
|
|
||||||
|
|
||||||
Set hanshake send function after interface initialization
|
|
||||||
TODO: handel setting function differently
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/record.c | 23 ++++++++++++++++-------
|
|
||||||
lib/system/ktls.c | 21 +++++++++++++++++++++
|
|
||||||
lib/system/ktls.h | 5 +++++
|
|
||||||
3 files changed, 42 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/record.c b/lib/record.c
|
|
||||||
index fd24acaf1..aad128e1f 100644
|
|
||||||
--- a/lib/record.c
|
|
||||||
+++ b/lib/record.c
|
|
||||||
@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data,
|
|
||||||
session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3;
|
|
||||||
FALLTHROUGH;
|
|
||||||
case RECORD_SEND_KEY_UPDATE_3:
|
|
||||||
- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
|
||||||
- -1, EPOCH_WRITE_CURRENT,
|
|
||||||
- session->internals.record_key_update_buffer.data,
|
|
||||||
- session->internals.record_key_update_buffer.length,
|
|
||||||
- MBUFFER_FLUSH);
|
|
||||||
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
|
||||||
+ return _gnutls_ktls_send(session,
|
|
||||||
+ session->internals.record_key_update_buffer.data,
|
|
||||||
+ session->internals.record_key_update_buffer.length);
|
|
||||||
+ } else {
|
|
||||||
+ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
|
||||||
+ -1, EPOCH_WRITE_CURRENT,
|
|
||||||
+ session->internals.record_key_update_buffer.data,
|
|
||||||
+ session->internals.record_key_update_buffer.length,
|
|
||||||
+ MBUFFER_FLUSH);
|
|
||||||
+ }
|
|
||||||
_gnutls_buffer_clear(&session->internals.record_key_update_buffer);
|
|
||||||
session->internals.rsend_state = RECORD_SEND_NORMAL;
|
|
||||||
if (ret < 0)
|
|
||||||
@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session,
|
|
||||||
return gnutls_assert_val(0);
|
|
||||||
|
|
||||||
/* When using this, the outgoing handshake messages should
|
|
||||||
- * also be handled manually */
|
|
||||||
- if (!session->internals.h_read_func)
|
|
||||||
+ * also be handled manually unless KTLS is enabled exclusively
|
|
||||||
+ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages
|
|
||||||
+ * are handled by GnuTLS.
|
|
||||||
+ */
|
|
||||||
+ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV))
|
|
||||||
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
|
||||||
|
|
||||||
if (session->internals.initial_negotiation_completed) {
|
|
||||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
|
||||||
index 70b9b9b3a..5da0a8069 100644
|
|
||||||
--- a/lib/system/ktls.c
|
|
||||||
+++ b/lib/system/ktls.c
|
|
||||||
@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
default:
|
|
||||||
assert(0);
|
|
||||||
}
|
|
||||||
+ // set callback for sending handshake messages
|
|
||||||
+ gnutls_handshake_set_read_function(session,
|
|
||||||
+ _gnutls_ktls_send_handshake_msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
return in;
|
|
||||||
@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
|
||||||
return data_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
|
||||||
+ gnutls_record_encryption_level_t level,
|
|
||||||
+ gnutls_handshake_description_t htype,
|
|
||||||
+ const void *data, size_t data_size)
|
|
||||||
+{
|
|
||||||
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE,
|
|
||||||
+ data, data_size);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
|
||||||
unsigned char *record_type, void *data, size_t data_size)
|
|
||||||
{
|
|
||||||
@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
|
||||||
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
|
||||||
+ gnutls_record_encryption_level_t level,
|
|
||||||
+ gnutls_handshake_description_t htype,
|
|
||||||
+ const void *data, size_t data_size)
|
|
||||||
+{
|
|
||||||
+ (void)level;
|
|
||||||
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
|
||||||
void *data, size_t data_size) {
|
|
||||||
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
|
||||||
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
|
||||||
index c8059092d..8d61a49df 100644
|
|
||||||
--- a/lib/system/ktls.h
|
|
||||||
+++ b/lib/system/ktls.h
|
|
||||||
@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
|
||||||
off_t *offset, size_t count);
|
|
||||||
|
|
||||||
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
|
||||||
+ gnutls_record_encryption_level_t level,
|
|
||||||
+ gnutls_handshake_description_t htype,
|
|
||||||
+ const void *data, size_t data_size);
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
|
||||||
const void *data, size_t data_size);
|
|
||||||
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Mon, 22 Aug 2022 10:50:37 +0200
|
|
||||||
Subject: [PATCH 4/7] KTLS: receive key update
|
|
||||||
|
|
||||||
handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/system/ktls.c | 8 +++++++-
|
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
|
||||||
index 5da0a8069..f3cb343ae 100644
|
|
||||||
--- a/lib/system/ktls.c
|
|
||||||
+++ b/lib/system/ktls.c
|
|
||||||
@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
|
||||||
ret = 0;
|
|
||||||
break;
|
|
||||||
case GNUTLS_HANDSHAKE:
|
|
||||||
- // ignore post-handshake messages
|
|
||||||
+ ret = gnutls_handshake_write(session,
|
|
||||||
+ GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
|
|
||||||
+ data, ret);
|
|
||||||
+
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ return gnutls_assert_val(ret);
|
|
||||||
+
|
|
||||||
if (type != record_type)
|
|
||||||
return GNUTLS_E_AGAIN;
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Fri, 5 Aug 2022 16:38:02 +0200
|
|
||||||
Subject: [PATCH 5/7] KTLS: set write alert callback
|
|
||||||
|
|
||||||
Use callback for sending alerts.
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/alert.c | 13 ++++---------
|
|
||||||
lib/system/ktls.c | 15 +++++++++++++++
|
|
||||||
lib/system/ktls.h | 5 +++++
|
|
||||||
3 files changed, 24 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/alert.c b/lib/alert.c
|
|
||||||
index 50bd1d3de..fda8cd79f 100644
|
|
||||||
--- a/lib/alert.c
|
|
||||||
+++ b/lib/alert.c
|
|
||||||
@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
|
||||||
- ret =
|
|
||||||
- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
|
||||||
- } else {
|
|
||||||
- ret =
|
|
||||||
- _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
|
||||||
- EPOCH_WRITE_CURRENT, data, 2,
|
|
||||||
- MBUFFER_FLUSH);
|
|
||||||
- }
|
|
||||||
+ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
|
||||||
+ EPOCH_WRITE_CURRENT, data, 2,
|
|
||||||
+ MBUFFER_FLUSH);
|
|
||||||
+
|
|
||||||
return (ret < 0) ? ret : 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
|
||||||
index f3cb343ae..703775960 100644
|
|
||||||
--- a/lib/system/ktls.c
|
|
||||||
+++ b/lib/system/ktls.c
|
|
||||||
@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
|
||||||
default:
|
|
||||||
assert(0);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
// set callback for sending handshake messages
|
|
||||||
gnutls_handshake_set_read_function(session,
|
|
||||||
_gnutls_ktls_send_handshake_msg);
|
|
||||||
+
|
|
||||||
+ // set callback for sending alert messages
|
|
||||||
+ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
return in;
|
|
||||||
@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
|
||||||
data, data_size);
|
|
||||||
}
|
|
||||||
|
|
||||||
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
|
||||||
+ gnutls_record_encryption_level_t level,
|
|
||||||
+ gnutls_alert_level_t alert_level,
|
|
||||||
+ gnutls_alert_description_t alert_desc)
|
|
||||||
+{
|
|
||||||
+ uint8_t data[2];
|
|
||||||
+ data[0] = (uint8_t) alert_level;
|
|
||||||
+ data[1] = (uint8_t) alert_desc;
|
|
||||||
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
|
||||||
unsigned char *record_type, void *data, size_t data_size)
|
|
||||||
{
|
|
||||||
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
|
||||||
index 8d61a49df..64e1c9c1c 100644
|
|
||||||
--- a/lib/system/ktls.h
|
|
||||||
+++ b/lib/system/ktls.h
|
|
||||||
@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
|
||||||
gnutls_handshake_description_t htype,
|
|
||||||
const void *data, size_t data_size);
|
|
||||||
|
|
||||||
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
|
||||||
+ gnutls_record_encryption_level_t level,
|
|
||||||
+ gnutls_alert_level_t alert_level,
|
|
||||||
+ gnutls_alert_description_t alert_desc);
|
|
||||||
+
|
|
||||||
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
|
||||||
const void *data, size_t data_size);
|
|
||||||
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Tue, 9 Aug 2022 12:11:16 +0200
|
|
||||||
Subject: [PATCH 6/7] KTLS: rekey test
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
tests/Makefile.am | 2 +
|
|
||||||
tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
tests/ktls_keyupdate.sh | 46 +++++
|
|
||||||
3 files changed, 429 insertions(+)
|
|
||||||
create mode 100644 tests/ktls_keyupdate.c
|
|
||||||
create mode 100755 tests/ktls_keyupdate.sh
|
|
||||||
|
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
||||||
index 1122886b3..2d345d478 100644
|
|
||||||
--- a/tests/Makefile.am
|
|
||||||
+++ b/tests/Makefile.am
|
|
||||||
@@ -500,6 +500,8 @@ endif
|
|
||||||
if ENABLE_KTLS
|
|
||||||
indirect_tests += gnutls_ktls
|
|
||||||
dist_check_SCRIPTS += ktls.sh
|
|
||||||
+indirect_tests += ktls_keyupdate
|
|
||||||
+dist_check_SCRIPTS += ktls_keyupdate.sh
|
|
||||||
endif
|
|
||||||
|
|
||||||
if !WINDOWS
|
|
||||||
diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..9fbff38ae
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/ktls_keyupdate.c
|
|
||||||
@@ -0,0 +1,381 @@
|
|
||||||
+// Copyright (C) 2022 Red Hat, Inc.
|
|
||||||
+//
|
|
||||||
+// Author: Frantisek Krenzelok
|
|
||||||
+//
|
|
||||||
+// This file is part of GnuTLS.
|
|
||||||
+//
|
|
||||||
+// GnuTLS is free software; you can redistribute it and/or modify it
|
|
||||||
+// under the terms of the GNU General Public License as published by the
|
|
||||||
+// Free Software Foundation; either version 3 of the License, or (at
|
|
||||||
+// your option) any later version.
|
|
||||||
+//
|
|
||||||
+// GnuTLS is distributed in the hope that it will be useful, but
|
|
||||||
+// WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+// General Public License for more details.
|
|
||||||
+//
|
|
||||||
+// You should have received a copy of the GNU General Public License
|
|
||||||
+// along with GnuTLS; if not, write to the Free Software Foundation,
|
|
||||||
+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_CONFIG_H
|
|
||||||
+#include <config.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <netinet/in.h>
|
|
||||||
+#include <sys/socket.h>
|
|
||||||
+#include <sys/wait.h>
|
|
||||||
+#include <arpa/inet.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <gnutls/gnutls.h>
|
|
||||||
+#include <gnutls/crypto.h>
|
|
||||||
+#include <gnutls/dtls.h>
|
|
||||||
+#include <gnutls/socket.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <assert.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+
|
|
||||||
+#include "cert-common.h"
|
|
||||||
+#include "utils.h"
|
|
||||||
+
|
|
||||||
+#if defined(_WIN32)
|
|
||||||
+
|
|
||||||
+int main(void)
|
|
||||||
+{
|
|
||||||
+ exit(77);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+#define MAX_BUF 1024
|
|
||||||
+#define MSG "Hello world!"
|
|
||||||
+
|
|
||||||
+#define HANDSHAKE(session, name, ret)\
|
|
||||||
+{\
|
|
||||||
+ do {\
|
|
||||||
+ ret = gnutls_handshake(session);\
|
|
||||||
+ }\
|
|
||||||
+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\
|
|
||||||
+ if (ret < 0) {\
|
|
||||||
+ fail("%s: Handshake failed\n", name);\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define SEND_MSG(session, name, ret)\
|
|
||||||
+{\
|
|
||||||
+ do {\
|
|
||||||
+ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\
|
|
||||||
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
|
||||||
+ if (ret < 0) {\
|
|
||||||
+ fail("%s: data sending has failed (%s)\n",name,\
|
|
||||||
+ gnutls_strerror(ret));\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define RECV_MSG(session, name, buffer, buffer_len, ret)\
|
|
||||||
+{\
|
|
||||||
+ memset(buffer, 0, sizeof(buffer));\
|
|
||||||
+ do{\
|
|
||||||
+ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\
|
|
||||||
+ }\
|
|
||||||
+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
|
||||||
+ if (ret == 0) {\
|
|
||||||
+ success("%s: Peer has closed the TLS connection\n", name);\
|
|
||||||
+ goto end;\
|
|
||||||
+ } else if (ret < 0) {\
|
|
||||||
+ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+ if(strncmp(buffer, MSG, ret)){\
|
|
||||||
+ fail("%s: Message doesn't match\n", name);\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define KEY_UPDATE(session, name, peer_req, ret)\
|
|
||||||
+{\
|
|
||||||
+ do {\
|
|
||||||
+ ret = gnutls_session_key_update(session, peer_req);\
|
|
||||||
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
|
||||||
+ if (ret < 0) {\
|
|
||||||
+ fail("%s: key update has failed (%s)\n", name, \
|
|
||||||
+ gnutls_strerror(ret));\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define CHECK_KTLS_ENABLED(session, ret)\
|
|
||||||
+{\
|
|
||||||
+ ret = gnutls_transport_is_ktls_enabled(session);\
|
|
||||||
+ if (!(ret & GNUTLS_KTLS_RECV)){\
|
|
||||||
+ fail("client: KTLS was not properly initialized\n");\
|
|
||||||
+ goto end;\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void server_log_func(int level, const char *str)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "server|<%d>| %s", level, str);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void client_log_func(int level, const char *str)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "client|<%d>| %s", level, str);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+static void client(int fd, const char *prio, int pipe)
|
|
||||||
+{
|
|
||||||
+ const char *name = "client";
|
|
||||||
+ int ret;
|
|
||||||
+ char foo;
|
|
||||||
+ char buffer[MAX_BUF + 1];
|
|
||||||
+ gnutls_certificate_credentials_t x509_cred;
|
|
||||||
+ gnutls_session_t session;
|
|
||||||
+
|
|
||||||
+ global_init();
|
|
||||||
+
|
|
||||||
+ if (debug) {
|
|
||||||
+ gnutls_global_set_log_function(client_log_func);
|
|
||||||
+ gnutls_global_set_log_level(7);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gnutls_certificate_allocate_credentials(&x509_cred);
|
|
||||||
+
|
|
||||||
+ gnutls_init(&session, GNUTLS_CLIENT);
|
|
||||||
+ gnutls_handshake_set_timeout(session, 0);
|
|
||||||
+
|
|
||||||
+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
|
|
||||||
+
|
|
||||||
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
|
||||||
+
|
|
||||||
+ gnutls_transport_set_int(session, fd);
|
|
||||||
+
|
|
||||||
+ HANDSHAKE(session, name, ret);
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ // Test 0: Try sending/receiving data
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ // Test 1: Servers does key update
|
|
||||||
+ read(pipe, &foo, 1);
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ // Test 2: Does key update witch request
|
|
||||||
+ read(pipe, &foo, 1);
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ fail("client: error in closing session: %s\n", gnutls_strerror(ret));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = 0;
|
|
||||||
+ end:
|
|
||||||
+
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+ gnutls_deinit(session);
|
|
||||||
+
|
|
||||||
+ gnutls_certificate_free_credentials(x509_cred);
|
|
||||||
+
|
|
||||||
+ gnutls_global_deinit();
|
|
||||||
+
|
|
||||||
+ if (ret != 0)
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+pid_t child;
|
|
||||||
+static void terminate(void)
|
|
||||||
+{
|
|
||||||
+ assert(child);
|
|
||||||
+ kill(child, SIGTERM);
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void server(int fd, const char *prio, int pipe)
|
|
||||||
+{
|
|
||||||
+ const char *name = "server";
|
|
||||||
+ int ret;
|
|
||||||
+ char bar = 0;
|
|
||||||
+ char buffer[MAX_BUF + 1];
|
|
||||||
+ gnutls_certificate_credentials_t x509_cred;
|
|
||||||
+ gnutls_session_t session;
|
|
||||||
+
|
|
||||||
+ global_init();
|
|
||||||
+
|
|
||||||
+ if (debug) {
|
|
||||||
+ gnutls_global_set_log_function(server_log_func);
|
|
||||||
+ gnutls_global_set_log_level(7);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gnutls_certificate_allocate_credentials(&x509_cred);
|
|
||||||
+ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
|
|
||||||
+ &server_key,
|
|
||||||
+ GNUTLS_X509_FMT_PEM);
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ exit(1);
|
|
||||||
+
|
|
||||||
+ gnutls_init(&session, GNUTLS_SERVER);
|
|
||||||
+ gnutls_handshake_set_timeout(session, 0);
|
|
||||||
+
|
|
||||||
+ assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
|
|
||||||
+
|
|
||||||
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
|
||||||
+
|
|
||||||
+ gnutls_transport_set_int(session, fd);
|
|
||||||
+
|
|
||||||
+ HANDSHAKE(session, name, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ success("Test 0: sending/receiving data\n");
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ success("Test 1: server key update without request\n");
|
|
||||||
+ KEY_UPDATE(session, name, 0, ret)
|
|
||||||
+ write(pipe, &bar, 1);
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ success("Test 2: server key update with request\n");
|
|
||||||
+ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret)
|
|
||||||
+ write(pipe, &bar, 1);
|
|
||||||
+ SEND_MSG(session, name, ret)
|
|
||||||
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
|
||||||
+
|
|
||||||
+ CHECK_KTLS_ENABLED(session, ret)
|
|
||||||
+
|
|
||||||
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ fail("server: error in closing session: %s\n", gnutls_strerror(ret));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = 0;
|
|
||||||
+end:
|
|
||||||
+ close(fd);
|
|
||||||
+ gnutls_deinit(session);
|
|
||||||
+
|
|
||||||
+ gnutls_certificate_free_credentials(x509_cred);
|
|
||||||
+
|
|
||||||
+ gnutls_global_deinit();
|
|
||||||
+
|
|
||||||
+ if (ret){
|
|
||||||
+ terminate();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (debug)
|
|
||||||
+ success("server: finished\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void ch_handler(int sig)
|
|
||||||
+{
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void run(const char *prio)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ struct sockaddr_in saddr;
|
|
||||||
+ socklen_t addrlen;
|
|
||||||
+ int listener;
|
|
||||||
+ int fd;
|
|
||||||
+
|
|
||||||
+ int sync_pipe[2]; //used for synchronization
|
|
||||||
+ pipe(sync_pipe);
|
|
||||||
+
|
|
||||||
+ success("running ktls test with %s\n", prio);
|
|
||||||
+
|
|
||||||
+ signal(SIGCHLD, ch_handler);
|
|
||||||
+ signal(SIGPIPE, SIG_IGN);
|
|
||||||
+
|
|
||||||
+ listener = socket(AF_INET, SOCK_STREAM, 0);
|
|
||||||
+ if (listener == -1){
|
|
||||||
+ fail("error in listener(): %s\n", strerror(errno));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memset(&saddr, 0, sizeof(saddr));
|
|
||||||
+ saddr.sin_family = AF_INET;
|
|
||||||
+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
|
|
||||||
+ saddr.sin_port = 0;
|
|
||||||
+
|
|
||||||
+ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr));
|
|
||||||
+ if (ret == -1){
|
|
||||||
+ fail("error in bind(): %s\n", strerror(errno));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ addrlen = sizeof(saddr);
|
|
||||||
+ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen);
|
|
||||||
+ if (ret == -1){
|
|
||||||
+ fail("error in getsockname(): %s\n", strerror(errno));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ child = fork();
|
|
||||||
+ if (child < 0) {
|
|
||||||
+ fail("error in fork(): %s\n", strerror(errno));
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (child) {
|
|
||||||
+ int status;
|
|
||||||
+ /* parent */
|
|
||||||
+ ret = listen(listener, 1);
|
|
||||||
+ if (ret == -1) {
|
|
||||||
+ fail("error in listen(): %s\n", strerror(errno));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fd = accept(listener, NULL, NULL);
|
|
||||||
+ if (fd == -1) {
|
|
||||||
+ fail("error in accept(): %s\n", strerror(errno));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ close(sync_pipe[0]);
|
|
||||||
+ server(fd, prio, sync_pipe[1]);
|
|
||||||
+
|
|
||||||
+ wait(&status);
|
|
||||||
+ check_wait_status(status);
|
|
||||||
+ } else {
|
|
||||||
+ fd = socket(AF_INET, SOCK_STREAM, 0);
|
|
||||||
+ if (fd == -1){
|
|
||||||
+ fail("error in socket(): %s\n", strerror(errno));
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ usleep(1000000);
|
|
||||||
+ connect(fd, (struct sockaddr*)&saddr, addrlen);
|
|
||||||
+
|
|
||||||
+ close(sync_pipe[1]);
|
|
||||||
+ client(fd, prio, sync_pipe[0]);
|
|
||||||
+ exit(0);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void doit(void)
|
|
||||||
+{
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
|
|
||||||
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#endif /* _WIN32 */
|
|
||||||
diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 000000000..d072acafc
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/ktls_keyupdate.sh
|
|
||||||
@@ -0,0 +1,46 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# Copyright (C) 2022 Red Hat, Inc.
|
|
||||||
+#
|
|
||||||
+# Author: Daiki Ueno
|
|
||||||
+#
|
|
||||||
+# This file is part of GnuTLS.
|
|
||||||
+#
|
|
||||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
|
||||||
+# under the terms of the GNU General Public License as published by the
|
|
||||||
+# Free Software Foundation; either version 3 of the License, or (at
|
|
||||||
+# your option) any later version.
|
|
||||||
+#
|
|
||||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
|
||||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+# General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
||||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
||||||
+
|
|
||||||
+: ${builddir=.}
|
|
||||||
+
|
|
||||||
+. "$srcdir/scripts/common.sh"
|
|
||||||
+
|
|
||||||
+if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then
|
|
||||||
+ exit 77
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+testdir=`create_testdir ktls_keyupdate`
|
|
||||||
+
|
|
||||||
+cfg="$testdir/config"
|
|
||||||
+
|
|
||||||
+cat <<EOF > "$cfg"
|
|
||||||
+[global]
|
|
||||||
+ktls = true
|
|
||||||
+EOF
|
|
||||||
+
|
|
||||||
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
|
|
||||||
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
|
|
||||||
+"$builddir/ktls_keyupdate" "$@"
|
|
||||||
+rc=$?
|
|
||||||
+
|
|
||||||
+rm -rf "$testdir"
|
|
||||||
+exit $rc
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
||||||
|
|
||||||
From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
Date: Mon, 5 Sep 2022 13:05:17 +0200
|
|
||||||
Subject: [PATCH 7/7] KTLS: fallback to default
|
|
||||||
|
|
||||||
If an error occurs during setting of keys either initial or key update
|
|
||||||
then fallback to default mode of operation (disable ktls) and let the
|
|
||||||
user know
|
|
||||||
|
|
||||||
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
|
||||||
---
|
|
||||||
lib/handshake.c | 7 ++++++-
|
|
||||||
lib/tls13/key_update.c | 23 +++++++++++++++++++----
|
|
||||||
2 files changed, 25 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/handshake.c b/lib/handshake.c
|
|
||||||
index cb2bc3ae9..14bcdea56 100644
|
|
||||||
--- a/lib/handshake.c
|
|
||||||
+++ b/lib/handshake.c
|
|
||||||
@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session)
|
|
||||||
|
|
||||||
#ifdef ENABLE_KTLS
|
|
||||||
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
|
||||||
- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
|
||||||
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ session->internals.ktls_enabled = 0;
|
|
||||||
+ _gnutls_audit_log(session,
|
|
||||||
+ "disabling KTLS: failed to set keys\n");
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
|
||||||
index 10c0a9110..acfda4129 100644
|
|
||||||
--- a/lib/tls13/key_update.c
|
|
||||||
+++ b/lib/tls13/key_update.c
|
|
||||||
@@ -32,6 +32,20 @@
|
|
||||||
#define KEY_UPDATES_WINDOW 1000
|
|
||||||
#define KEY_UPDATES_PER_WINDOW 8
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Sets kTLS keys if enabled.
|
|
||||||
+ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled
|
|
||||||
+ * because KTLS most likely doesn't support key update.
|
|
||||||
+ */
|
|
||||||
+#define SET_KTLS_KEYS(session, interface)\
|
|
||||||
+{\
|
|
||||||
+ if(_gnutls_ktls_set_keys(session, interface) < 0) {\
|
|
||||||
+ session->internals.ktls_enabled = 0;\
|
|
||||||
+ _gnutls_audit_log(session, \
|
|
||||||
+ "disabling KTLS: couldn't update keys\n");\
|
|
||||||
+ }\
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
|
||||||
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
|
||||||
ret = _tls13_write_connection_state_init(session, stage);
|
|
||||||
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
|
||||||
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
|
||||||
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
|
||||||
} else {
|
|
||||||
ret = _tls13_connection_state_init(session, stage);
|
|
||||||
+ if (ret < 0)
|
|
||||||
+ return gnutls_assert_val(ret);
|
|
||||||
|
|
||||||
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
|
||||||
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
|
||||||
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
|
||||||
else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
|
||||||
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
|
||||||
-
|
|
||||||
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV)
|
|
||||||
}
|
|
||||||
if (ret < 0)
|
|
||||||
return gnutls_assert_val(ret);
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
@ -1,155 +0,0 @@
|
|||||||
From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Nov 2022 12:17:12 +0900
|
|
||||||
Subject: [PATCH 1/3] includes: move KTLS function definition out of
|
|
||||||
<gnutls/socket.h>
|
|
||||||
|
|
||||||
<gnutls/socket.h> is meant for the functions that depend on
|
|
||||||
<sys/socket.h>, which is not available on Windows platforms.
|
|
||||||
|
|
||||||
As the KTLS API doesn't rely on <sys/socket.h>, move the function and
|
|
||||||
enum to <gnutls/gnutls.h>.
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++
|
|
||||||
lib/includes/gnutls/socket.h | 21 ---------------------
|
|
||||||
2 files changed, 21 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
|
|
||||||
index 394d465e3..830ce5f95 100644
|
|
||||||
--- a/lib/includes/gnutls/gnutls.h.in
|
|
||||||
+++ b/lib/includes/gnutls/gnutls.h.in
|
|
||||||
@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void);
|
|
||||||
|
|
||||||
int gnutls_fips140_run_self_tests(void);
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * gnutls_transport_ktls_enable_flags_t:
|
|
||||||
+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
|
|
||||||
+ * @GNUTLS_KTLS_SEND: ktls enabled for send function.
|
|
||||||
+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
|
|
||||||
+ *
|
|
||||||
+ * Flag enumeration of ktls enable status for recv and send functions.
|
|
||||||
+ * This is used by gnutls_transport_is_ktls_enabled().
|
|
||||||
+ *
|
|
||||||
+ * Since: 3.7.3
|
|
||||||
+ */
|
|
||||||
+typedef enum {
|
|
||||||
+ GNUTLS_KTLS_RECV = 1 << 0,
|
|
||||||
+ GNUTLS_KTLS_SEND = 1 << 1,
|
|
||||||
+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
|
|
||||||
+} gnutls_transport_ktls_enable_flags_t;
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+gnutls_transport_ktls_enable_flags_t
|
|
||||||
+gnutls_transport_is_ktls_enabled(gnutls_session_t session);
|
|
||||||
+
|
|
||||||
/* Gnutls error codes. The mapping to a TLS alert is also shown in
|
|
||||||
* comments.
|
|
||||||
*/
|
|
||||||
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
|
|
||||||
index 4df7bb2e0..64eb19f89 100644
|
|
||||||
--- a/lib/includes/gnutls/socket.h
|
|
||||||
+++ b/lib/includes/gnutls/socket.h
|
|
||||||
@@ -37,27 +37,6 @@ extern "C" {
|
|
||||||
#endif
|
|
||||||
/* *INDENT-ON* */
|
|
||||||
|
|
||||||
-/**
|
|
||||||
- * gnutls_transport_ktls_enable_flags_t:
|
|
||||||
- * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
|
|
||||||
- * @GNUTLS_KTLS_SEND: ktls enabled for send function.
|
|
||||||
- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
|
|
||||||
- *
|
|
||||||
- * Flag enumeration of ktls enable status for recv and send functions.
|
|
||||||
- * This is used by gnutls_transport_is_ktls_enabled().
|
|
||||||
- *
|
|
||||||
- * Since: 3.7.3
|
|
||||||
- */
|
|
||||||
-typedef enum {
|
|
||||||
- GNUTLS_KTLS_RECV = 1 << 0,
|
|
||||||
- GNUTLS_KTLS_SEND = 1 << 1,
|
|
||||||
- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
|
|
||||||
-} gnutls_transport_ktls_enable_flags_t;
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-gnutls_transport_ktls_enable_flags_t
|
|
||||||
-gnutls_transport_is_ktls_enabled(gnutls_session_t session);
|
|
||||||
-
|
|
||||||
void gnutls_transport_set_fastopen(gnutls_session_t session,
|
|
||||||
int fd,
|
|
||||||
struct sockaddr *connect_addr,
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Nov 2022 12:13:31 +0900
|
|
||||||
Subject: [PATCH 2/3] src: print KTLS enablement status in
|
|
||||||
gnutls-serv/gnutls-cli
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
src/common.c | 10 ++++++++++
|
|
||||||
1 file changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/common.c b/src/common.c
|
|
||||||
index 6d2056f95..d357c7fb8 100644
|
|
||||||
--- a/src/common.c
|
|
||||||
+++ b/src/common.c
|
|
||||||
@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags)
|
|
||||||
gnutls_datum_t p;
|
|
||||||
char *desc;
|
|
||||||
gnutls_protocol_t version;
|
|
||||||
+ gnutls_transport_ktls_enable_flags_t ktls_flags;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
desc = gnutls_session_get_desc(session);
|
|
||||||
@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags)
|
|
||||||
|
|
||||||
print_channel_bindings(session, verbose);
|
|
||||||
|
|
||||||
+ ktls_flags = gnutls_transport_is_ktls_enabled(session);
|
|
||||||
+ if (ktls_flags != 0) {
|
|
||||||
+ log_msg(stdout, "- KTLS: %s\n",
|
|
||||||
+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" :
|
|
||||||
+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" :
|
|
||||||
+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" :
|
|
||||||
+ "unknown");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
fflush(stdout);
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
||||||
From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daiki Ueno <ueno@gnu.org>
|
|
||||||
Date: Mon, 28 Nov 2022 12:15:26 +0900
|
|
||||||
Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file
|
|
||||||
|
|
||||||
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
|
||||||
---
|
|
||||||
lib/priority.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/priority.c b/lib/priority.c
|
|
||||||
index 97831e63b..6266bb571 100644
|
|
||||||
--- a/lib/priority.c
|
|
||||||
+++ b/lib/priority.c
|
|
||||||
@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
|
|
||||||
p = clear_spaces(value, str);
|
|
||||||
if (c_strcasecmp(p, "true") == 0) {
|
|
||||||
cfg->ktls_enabled = true;
|
|
||||||
+ } else if (c_strcasecmp(p, "false") == 0) {
|
|
||||||
+ cfg->ktls_enabled = false;
|
|
||||||
} else {
|
|
||||||
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
|
|
||||||
p);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
84
gnutls.spec
84
gnutls.spec
@ -12,21 +12,16 @@ sha256sum:close()
|
|||||||
print(string.sub(hash, 0, 16))
|
print(string.sub(hash, 0, 16))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
%global with_srp 0%{?fedora} < 38
|
||||||
|
|
||||||
%global with_mingw 0
|
%global with_mingw 0
|
||||||
%if 0%{?fedora}
|
%if 0%{?fedora}
|
||||||
%global with_mingw 0%{!?_without_mingw:1}
|
%global with_mingw 0%{!?_without_mingw:1}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Version: 3.7.8
|
Version: 3.8.0
|
||||||
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
|
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
|
||||||
Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch
|
|
||||||
Patch: gnutls-3.2.7-rpath.patch
|
Patch: gnutls-3.2.7-rpath.patch
|
||||||
Patch: gnutls-3.6.7-no-now-guile.patch
|
|
||||||
|
|
||||||
Patch: gnutls-3.7.8-ktls_key_update.patch
|
|
||||||
Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch
|
|
||||||
Patch: gnutls-3.7.8-ktls_minor_fixes.patch
|
|
||||||
Patch: gnutls-3.7.8-ktls_invalidate_session.patch
|
|
||||||
|
|
||||||
# Delete only after the kernel has been patched for thested systems
|
# Delete only after the kernel has been patched for thested systems
|
||||||
Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch
|
Patch: gnutls-3.7.8-ktls_disable_keyupdate_test.patch
|
||||||
@ -36,13 +31,7 @@ Patch: gnutls-3.7.8-ktls_skip_tls12_chachapoly_test.patch
|
|||||||
|
|
||||||
%bcond_without bootstrap
|
%bcond_without bootstrap
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
%if 0%{?rhel}
|
|
||||||
%bcond_with guile
|
|
||||||
%bcond_without fips
|
%bcond_without fips
|
||||||
%else
|
|
||||||
%bcond_without guile
|
|
||||||
%bcond_without fips
|
|
||||||
%endif
|
|
||||||
%bcond_with tpm12
|
%bcond_with tpm12
|
||||||
%bcond_without tpm2
|
%bcond_without tpm2
|
||||||
%bcond_without gost
|
%bcond_without gost
|
||||||
@ -87,9 +76,6 @@ Recommends: trousers >= 0.3.11.2
|
|||||||
%if %{with dane}
|
%if %{with dane}
|
||||||
BuildRequires: unbound-devel unbound-libs
|
BuildRequires: unbound-devel unbound-libs
|
||||||
%endif
|
%endif
|
||||||
%if %{with guile}
|
|
||||||
BuildRequires: guile22-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: make gtk-doc
|
BuildRequires: make gtk-doc
|
||||||
|
|
||||||
%if %{with_mingw}
|
%if %{with_mingw}
|
||||||
@ -147,13 +133,6 @@ Summary: A DANE protocol implementation for GnuTLS
|
|||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with guile}
|
|
||||||
%package guile
|
|
||||||
Summary: Guile bindings for the GNUTLS library
|
|
||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
|
||||||
Requires: guile22
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
||||||
protocols and technologies around them. It provides a simple C language
|
protocols and technologies around them. It provides a simple C language
|
||||||
@ -197,16 +176,6 @@ This package contains library that implements the DANE protocol for verifying
|
|||||||
TLS certificates through DNSSEC.
|
TLS certificates through DNSSEC.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with guile}
|
|
||||||
%description guile
|
|
||||||
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
|
|
||||||
protocols and technologies around them. It provides a simple C language
|
|
||||||
application programming interface (API) to access the secure communications
|
|
||||||
protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
|
|
||||||
other required structures.
|
|
||||||
This package contains Guile bindings for the library.
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{with_mingw}
|
%if %{with_mingw}
|
||||||
%package -n mingw32-%{name}
|
%package -n mingw32-%{name}
|
||||||
Summary: MinGW GnuTLS TLS/SSL encryption library
|
Summary: MinGW GnuTLS TLS/SSL encryption library
|
||||||
@ -251,15 +220,6 @@ echo "SYSTEM=NORMAL" >> tests/system.prio
|
|||||||
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
|
||||||
export CCASFLAGS
|
export CCASFLAGS
|
||||||
|
|
||||||
%if %{with guile}
|
|
||||||
# These should be checked by m4/guile.m4 instead of configure.ac
|
|
||||||
# taking into account of _guile_suffix
|
|
||||||
guile_snarf=%{_bindir}/guile-snarf2.2
|
|
||||||
export guile_snarf
|
|
||||||
GUILD=%{_bindir}/guild2.2
|
|
||||||
export GUILD
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
|
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
|
||||||
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
|
export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
|
||||||
@ -278,6 +238,9 @@ pushd native_build
|
|||||||
--enable-gost \
|
--enable-gost \
|
||||||
%else
|
%else
|
||||||
--disable-gost \
|
--disable-gost \
|
||||||
|
%endif
|
||||||
|
%if %{with_srp}
|
||||||
|
--enable-srp-authentication \
|
||||||
%endif
|
%endif
|
||||||
--enable-sha1-support \
|
--enable-sha1-support \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
@ -297,12 +260,6 @@ pushd native_build
|
|||||||
%endif
|
%endif
|
||||||
--enable-ktls \
|
--enable-ktls \
|
||||||
--htmldir=%{_docdir}/manual \
|
--htmldir=%{_docdir}/manual \
|
||||||
%if %{with guile}
|
|
||||||
--enable-guile \
|
|
||||||
--with-guile-extension-dir=%{_libdir}/guile/2.2 \
|
|
||||||
%else
|
|
||||||
--disable-guile \
|
|
||||||
%endif
|
|
||||||
%if %{with dane}
|
%if %{with dane}
|
||||||
--with-unbound-root-key-file=/var/lib/unbound/root.key \
|
--with-unbound-root-key-file=/var/lib/unbound/root.key \
|
||||||
--enable-libdane \
|
--enable-libdane \
|
||||||
@ -324,11 +281,13 @@ popd
|
|||||||
# MinGW does not support CCASFLAGS
|
# MinGW does not support CCASFLAGS
|
||||||
export CCASFLAGS=""
|
export CCASFLAGS=""
|
||||||
%mingw_configure \
|
%mingw_configure \
|
||||||
|
%if %{with_srp}
|
||||||
|
--enable-srp-authentication \
|
||||||
|
%endif
|
||||||
--enable-sha1-support \
|
--enable-sha1-support \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--disable-openssl-compatibility \
|
--disable-openssl-compatibility \
|
||||||
--disable-non-suiteb-curves \
|
--disable-non-suiteb-curves \
|
||||||
--disable-guile \
|
|
||||||
--disable-libdane \
|
--disable-libdane \
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--disable-nls \
|
--disable-nls \
|
||||||
@ -348,8 +307,6 @@ pushd native_build
|
|||||||
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
|
make -C doc install-html DESTDIR=$RPM_BUILD_ROOT
|
||||||
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
|
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.a
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/guile/2.2/guile-gnutls*.la
|
|
||||||
%if %{without dane}
|
%if %{without dane}
|
||||||
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
|
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
|
||||||
%endif
|
%endif
|
||||||
@ -358,8 +315,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
|
|||||||
# doing it twice should be a no-op the second time,
|
# doing it twice should be a no-op the second time,
|
||||||
# and this way we avoid redefining it and missing a future change
|
# and this way we avoid redefining it and missing a future change
|
||||||
%{__spec_install_post}
|
%{__spec_install_post}
|
||||||
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
|
fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
|
||||||
sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
|
./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
|
||||||
|
sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
|
||||||
|
ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
@ -412,7 +371,7 @@ popd
|
|||||||
%files -f native_build/gnutls.lang
|
%files -f native_build/gnutls.lang
|
||||||
%{_libdir}/libgnutls.so.30*
|
%{_libdir}/libgnutls.so.30*
|
||||||
%if %{with fips}
|
%if %{with fips}
|
||||||
%{_libdir}/.gnutls.hmac
|
%{_libdir}/.libgnutls.so.30*.hmac
|
||||||
%endif
|
%endif
|
||||||
%doc README.md AUTHORS NEWS THANKS
|
%doc README.md AUTHORS NEWS THANKS
|
||||||
%license LICENSE doc/COPYING doc/COPYING.LESSER
|
%license LICENSE doc/COPYING doc/COPYING.LESSER
|
||||||
@ -438,7 +397,9 @@ popd
|
|||||||
%{_bindir}/ocsptool
|
%{_bindir}/ocsptool
|
||||||
%{_bindir}/psktool
|
%{_bindir}/psktool
|
||||||
%{_bindir}/p11tool
|
%{_bindir}/p11tool
|
||||||
|
%if %{with_srp}
|
||||||
%{_bindir}/srptool
|
%{_bindir}/srptool
|
||||||
|
%endif
|
||||||
%if %{with dane}
|
%if %{with dane}
|
||||||
%{_bindir}/danetool
|
%{_bindir}/danetool
|
||||||
%endif
|
%endif
|
||||||
@ -451,15 +412,6 @@ popd
|
|||||||
%{_libdir}/libgnutls-dane.so.*
|
%{_libdir}/libgnutls-dane.so.*
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with guile}
|
|
||||||
%files guile
|
|
||||||
%{_libdir}/guile/2.2/guile-gnutls*.so*
|
|
||||||
%{_libdir}/guile/2.2/site-ccache/gnutls.go
|
|
||||||
%{_libdir}/guile/2.2/site-ccache/gnutls/extra.go
|
|
||||||
%{_datadir}/guile/site/2.2/gnutls.scm
|
|
||||||
%{_datadir}/guile/site/2.2/gnutls/extra.scm
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{with_mingw}
|
%if %{with_mingw}
|
||||||
%files -n mingw32-%{name}
|
%files -n mingw32-%{name}
|
||||||
%license LICENSE doc/COPYING doc/COPYING.LESSER
|
%license LICENSE doc/COPYING doc/COPYING.LESSER
|
||||||
@ -471,7 +423,9 @@ popd
|
|||||||
%{mingw32_bindir}/ocsptool.exe
|
%{mingw32_bindir}/ocsptool.exe
|
||||||
%{mingw32_bindir}/p11tool.exe
|
%{mingw32_bindir}/p11tool.exe
|
||||||
%{mingw32_bindir}/psktool.exe
|
%{mingw32_bindir}/psktool.exe
|
||||||
|
%if %{with_srp}
|
||||||
%{mingw32_bindir}/srptool.exe
|
%{mingw32_bindir}/srptool.exe
|
||||||
|
%endif
|
||||||
%{mingw32_libdir}/libgnutls.dll.a
|
%{mingw32_libdir}/libgnutls.dll.a
|
||||||
%{mingw32_libdir}/libgnutls-30.def
|
%{mingw32_libdir}/libgnutls-30.def
|
||||||
%{mingw32_libdir}/pkgconfig/gnutls.pc
|
%{mingw32_libdir}/pkgconfig/gnutls.pc
|
||||||
@ -487,7 +441,9 @@ popd
|
|||||||
%{mingw64_bindir}/ocsptool.exe
|
%{mingw64_bindir}/ocsptool.exe
|
||||||
%{mingw64_bindir}/p11tool.exe
|
%{mingw64_bindir}/p11tool.exe
|
||||||
%{mingw64_bindir}/psktool.exe
|
%{mingw64_bindir}/psktool.exe
|
||||||
|
%if %{with_srp}
|
||||||
%{mingw64_bindir}/srptool.exe
|
%{mingw64_bindir}/srptool.exe
|
||||||
|
%endif
|
||||||
%{mingw64_libdir}/libgnutls.dll.a
|
%{mingw64_libdir}/libgnutls.dll.a
|
||||||
%{mingw64_libdir}/libgnutls-30.def
|
%{mingw64_libdir}/libgnutls-30.def
|
||||||
%{mingw64_libdir}/pkgconfig/gnutls.pc
|
%{mingw64_libdir}/pkgconfig/gnutls.pc
|
||||||
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
|||||||
SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359
|
SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629
|
||||||
SHA512 (gnutls-3.7.8.tar.xz.sig) = cecf9843e8683a278d065b663dc98ac2b5fcad1905ee25333038c93c2289b518c974629367e77e66552ac1c9d122d551616edba35cb0c4204202ec676f1a2db7
|
SHA512 (gnutls-3.8.0.tar.xz.sig) = 9db8db74aa0ebd871287b07b6a8a9f4ce90188633618e669fe07cb8bb314b624c14761f6fe1970e2fbffa87f7c0d6daa4b0fa838bd05f74b8b18cd1b5325c654
|
||||||
SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d
|
SHA512 (gnutls-release-keyring.gpg) = 5c14d83f4f37bd319c652db0d76fc5bb04752fb461bbe853e25b20ffe41d6d14faae6c0bdd0193ac6242975bf1205ce606a9d0082261cc4581fd680abfcdbd4d
|
||||||
|
Loading…
Reference in New Issue
Block a user