KTLS additional ciphersuites
Key update supported for patched kernels [1] Configuration option `ktls = false` [2] following ciphersuites are now supported: [3] * TLS_AES_128_CCM_SHA256 * TLS_CHACHA20_POLY1305_SHA256 Ivalidate session on KTLS error as there is no way to recover and new sockets as well as session have to be created. [4] [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1625 [2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1673/diffs?commit_id=aefd7319c0b7b2410d06238246b7755b289e4837 [3] https://gitlab.com/gnutls/gnutls/-/merge_requests/1676 [4] https://gitlab.com/gnutls/gnutls/-/merge_requests/1664 Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
This commit is contained in:
parent
d401f95817
commit
c1f8e66db2
273
gnutls-3.7.8-ktls_add_ciphersuites.patch
Normal file
273
gnutls-3.7.8-ktls_add_ciphersuites.patch
Normal file
@ -0,0 +1,273 @@
|
|||||||
|
From 4380f347b2fff4af10537930400b68df61bee442 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Thu, 1 Dec 2022 15:37:33 +0100
|
||||||
|
Subject: [PATCH 1/2] KTLS: add ciphersuites
|
||||||
|
|
||||||
|
* TLS_AES_128_CCM_SHA256
|
||||||
|
* TLS_CHACHA20_POLY1305_SHA256
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/system/ktls.c | 159 ++++++++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 153 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index 703775960..792d09ccf 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -86,7 +86,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
gnutls_datum_t mac_key;
|
||||||
|
gnutls_datum_t iv;
|
||||||
|
gnutls_datum_t cipher_key;
|
||||||
|
- unsigned char seq_number[8];
|
||||||
|
+ unsigned char seq_number[12];
|
||||||
|
int sockin, sockout;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
@@ -97,7 +97,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
int version = gnutls_protocol_get_version(session);
|
||||||
|
if ((version != GNUTLS_TLS1_3 && version != GNUTLS_TLS1_2) ||
|
||||||
|
(gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_GCM &&
|
||||||
|
- gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM)) {
|
||||||
|
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_256_GCM &&
|
||||||
|
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_AES_128_CCM &&
|
||||||
|
+ gnutls_cipher_get(session) != GNUTLS_CIPHER_CHACHA20_POLY1305)) {
|
||||||
|
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -114,7 +116,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
case GNUTLS_CIPHER_AES_128_GCM:
|
||||||
|
{
|
||||||
|
struct tls12_crypto_info_aes_gcm_128 crypto_info;
|
||||||
|
- memset(&crypto_info, 0, sizeof(crypto_info));
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
|
||||||
|
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
|
||||||
|
assert(cipher_key.size == TLS_CIPHER_AES_GCM_128_KEY_SIZE);
|
||||||
|
@@ -150,7 +152,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
case GNUTLS_CIPHER_AES_256_GCM:
|
||||||
|
{
|
||||||
|
struct tls12_crypto_info_aes_gcm_256 crypto_info;
|
||||||
|
- memset(&crypto_info, 0, sizeof(crypto_info));
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
|
||||||
|
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
||||||
|
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
|
||||||
|
@@ -182,9 +184,83 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+ case GNUTLS_CIPHER_AES_128_CCM:
|
||||||
|
+ {
|
||||||
|
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
+
|
||||||
|
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
|
||||||
|
+ assert(cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ /* for TLS 1.2 IV is generated in kernel */
|
||||||
|
+ if (version == GNUTLS_TLS1_2) {
|
||||||
|
+ crypto_info.info.version = TLS_1_2_VERSION;
|
||||||
|
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+ } else {
|
||||||
|
+ crypto_info.info.version = TLS_1_3_VERSION;
|
||||||
|
+ assert(iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE
|
||||||
|
+ + TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+
|
||||||
|
+ memcpy(crypto_info.iv, iv.data +
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(crypto_info.salt, iv.data,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
|
||||||
|
+ memcpy(crypto_info.rec_seq, seq_number,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
|
||||||
|
+ memcpy(crypto_info.key, cipher_key.data,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
|
||||||
|
+ &crypto_info, sizeof (crypto_info))) {
|
||||||
|
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
|
||||||
|
+ {
|
||||||
|
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
+
|
||||||
|
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
|
||||||
|
+ assert(cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ /* for TLS 1.2 IV is generated in kernel */
|
||||||
|
+ if (version == GNUTLS_TLS1_2) {
|
||||||
|
+ crypto_info.info.version = TLS_1_2_VERSION;
|
||||||
|
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+ } else {
|
||||||
|
+ crypto_info.info.version = TLS_1_3_VERSION;
|
||||||
|
+ assert(iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE
|
||||||
|
+ + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+
|
||||||
|
+ memcpy(crypto_info.iv, iv.data +
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(crypto_info.salt, iv.data,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
|
||||||
|
+ memcpy(crypto_info.rec_seq, seq_number,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
|
||||||
|
+ memcpy(crypto_info.key, cipher_key.data,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ if (setsockopt (sockin, SOL_TLS, TLS_RX,
|
||||||
|
+ &crypto_info, sizeof (crypto_info))) {
|
||||||
|
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_RECV;
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
assert(0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = gnutls_record_get_state (session, 0, &mac_key, &iv, &cipher_key,
|
||||||
|
@@ -198,7 +274,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
case GNUTLS_CIPHER_AES_128_GCM:
|
||||||
|
{
|
||||||
|
struct tls12_crypto_info_aes_gcm_128 crypto_info;
|
||||||
|
- memset(&crypto_info, 0, sizeof(crypto_info));
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
|
||||||
|
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_128;
|
||||||
|
|
||||||
|
@@ -234,7 +310,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
case GNUTLS_CIPHER_AES_256_GCM:
|
||||||
|
{
|
||||||
|
struct tls12_crypto_info_aes_gcm_256 crypto_info;
|
||||||
|
- memset(&crypto_info, 0, sizeof(crypto_info));
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
|
||||||
|
crypto_info.info.cipher_type = TLS_CIPHER_AES_GCM_256;
|
||||||
|
assert (cipher_key.size == TLS_CIPHER_AES_GCM_256_KEY_SIZE);
|
||||||
|
@@ -266,10 +342,81 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+ case GNUTLS_CIPHER_AES_128_CCM:
|
||||||
|
+ {
|
||||||
|
+ struct tls12_crypto_info_aes_ccm_128 crypto_info;
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
+
|
||||||
|
+ crypto_info.info.cipher_type = TLS_CIPHER_AES_CCM_128;
|
||||||
|
+ assert (cipher_key.size == TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ /* for TLS 1.2 IV is generated in kernel */
|
||||||
|
+ if (version == GNUTLS_TLS1_2) {
|
||||||
|
+ crypto_info.info.version = TLS_1_2_VERSION;
|
||||||
|
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+ } else {
|
||||||
|
+ crypto_info.info.version = TLS_1_3_VERSION;
|
||||||
|
+ assert (iv.size == TLS_CIPHER_AES_CCM_128_SALT_SIZE +
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+
|
||||||
|
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_IV_SIZE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy (crypto_info.salt, iv.data,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_SALT_SIZE);
|
||||||
|
+ memcpy (crypto_info.rec_seq, seq_number,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
|
||||||
|
+ memcpy (crypto_info.key, cipher_key.data,
|
||||||
|
+ TLS_CIPHER_AES_CCM_128_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
|
||||||
|
+ &crypto_info, sizeof (crypto_info))) {
|
||||||
|
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case GNUTLS_CIPHER_CHACHA20_POLY1305:
|
||||||
|
+ {
|
||||||
|
+ struct tls12_crypto_info_chacha20_poly1305 crypto_info;
|
||||||
|
+ memset(&crypto_info, 0, sizeof (crypto_info));
|
||||||
|
+
|
||||||
|
+ crypto_info.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305;
|
||||||
|
+ assert (cipher_key.size == TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ /* for TLS 1.2 IV is generated in kernel */
|
||||||
|
+ if (version == GNUTLS_TLS1_2) {
|
||||||
|
+ crypto_info.info.version = TLS_1_2_VERSION;
|
||||||
|
+ memcpy(crypto_info.iv, seq_number, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+ } else {
|
||||||
|
+ crypto_info.info.version = TLS_1_3_VERSION;
|
||||||
|
+ assert (iv.size == TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE +
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+
|
||||||
|
+ memcpy (crypto_info.iv, iv.data + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy (crypto_info.salt, iv.data,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE);
|
||||||
|
+ memcpy (crypto_info.rec_seq, seq_number,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
|
||||||
|
+ memcpy (crypto_info.key, cipher_key.data,
|
||||||
|
+ TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
|
||||||
|
+
|
||||||
|
+ if (setsockopt (sockout, SOL_TLS, TLS_TX,
|
||||||
|
+ &crypto_info, sizeof (crypto_info))) {
|
||||||
|
+ session->internals.ktls_enabled &= ~GNUTLS_KTLS_SEND;
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
assert(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
// set callback for sending handshake messages
|
||||||
|
gnutls_handshake_set_read_function(session,
|
||||||
|
_gnutls_ktls_send_handshake_msg);
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From 24bd0559302f8a7adf9f072f61f2aa03efa664f6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Fri, 2 Dec 2022 11:07:48 +0100
|
||||||
|
Subject: [PATCH 2/2] KTLS: add ciphersuites (tests)
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
tests/gnutls_ktls.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
|
||||||
|
index 8f9c5fa36..919270778 100644
|
||||||
|
--- a/tests/gnutls_ktls.c
|
||||||
|
+++ b/tests/gnutls_ktls.c
|
||||||
|
@@ -350,8 +350,12 @@ void doit(void)
|
||||||
|
{
|
||||||
|
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM");
|
||||||
|
run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-256-GCM");
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CCM");
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+CHACHA20-POLY1305");
|
||||||
|
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
|
||||||
|
run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-CCM");
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+CHACHA20-POLY1305");
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* _WIN32 */
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
62
gnutls-3.7.8-ktls_invalidate_session.patch
Normal file
62
gnutls-3.7.8-ktls_invalidate_session.patch
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
From 9533fcbacdb5532425568e3874cfea9f0a9b55d5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 28 Nov 2022 11:10:58 +0900
|
||||||
|
Subject: [PATCH 1/2] src: fix memory leak in print_rawpk_info
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
src/common.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/common.c b/src/common.c
|
||||||
|
index 6d2056f95..20327b41c 100644
|
||||||
|
--- a/src/common.c
|
||||||
|
+++ b/src/common.c
|
||||||
|
@@ -222,7 +222,7 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
|
||||||
|
if (ret < 0) {
|
||||||
|
fprintf(stderr, "Encoding error: %s\n",
|
||||||
|
gnutls_strerror(ret));
|
||||||
|
- return;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
log_msg(out, "\n%s\n", (char*)pem.data);
|
||||||
|
@@ -230,6 +230,8 @@ print_rawpk_info(gnutls_session_t session, FILE *out, int flag, int print_cert,
|
||||||
|
gnutls_free(pem.data);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ cleanup:
|
||||||
|
+ gnutls_pcert_deinit(&pk_cert);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* returns false (0) if not verified, or true (1) otherwise
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From ceac5211c073ba8dc86fe7cfb25504db33729fa9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 28 Nov 2022 11:14:53 +0900
|
||||||
|
Subject: [PATCH 2/2] tests: fix memory leak in resume-with-previous-stek
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
tests/resume-with-previous-stek.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c
|
||||||
|
index 94f165627..98aba8d84 100644
|
||||||
|
--- a/tests/resume-with-previous-stek.c
|
||||||
|
+++ b/tests/resume-with-previous-stek.c
|
||||||
|
@@ -127,6 +127,8 @@ static void client(int fd, int *resume, unsigned rounds, const char *prio)
|
||||||
|
|
||||||
|
gnutls_deinit(session);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ gnutls_free(session_data.data);
|
||||||
|
}
|
||||||
|
|
||||||
|
typedef void (* gnutls_stek_rotation_callback_t) (const gnutls_datum_t *prev_key,
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
957
gnutls-3.7.8-ktls_key_update.patch
Normal file
957
gnutls-3.7.8-ktls_key_update.patch
Normal file
@ -0,0 +1,957 @@
|
|||||||
|
From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Tue, 2 Aug 2022 15:00:50 +0200
|
||||||
|
Subject: [PATCH 1/7] KTLS: set key on specific interfaces
|
||||||
|
|
||||||
|
It is now possible to set key on specific interface.
|
||||||
|
If interface given is not ktls enabled then it will be ignored.
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/handshake.c | 2 +-
|
||||||
|
lib/system/ktls.c | 12 +++++++-----
|
||||||
|
lib/system/ktls.h | 7 ++++++-
|
||||||
|
3 files changed, 14 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||||
|
index 21edc5ece..cb2bc3ae9 100644
|
||||||
|
--- a/lib/handshake.c
|
||||||
|
+++ b/lib/handshake.c
|
||||||
|
@@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session)
|
||||||
|
|
||||||
|
#ifdef ENABLE_KTLS
|
||||||
|
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
||||||
|
- _gnutls_ktls_set_keys(session);
|
||||||
|
+ _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index ddf27fac7..70b9b9b3a 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||||
|
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in)
|
||||||
|
{
|
||||||
|
gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session);
|
||||||
|
gnutls_datum_t mac_key;
|
||||||
|
@@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){
|
||||||
|
+ in &= session->internals.ktls_enabled;
|
||||||
|
+
|
||||||
|
+ if(in & GNUTLS_KTLS_RECV){
|
||||||
|
switch (cipher) {
|
||||||
|
case GNUTLS_CIPHER_AES_128_GCM:
|
||||||
|
{
|
||||||
|
@@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||||
|
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){
|
||||||
|
+ if(in & GNUTLS_KTLS_SEND){
|
||||||
|
switch (cipher) {
|
||||||
|
case GNUTLS_CIPHER_AES_128_GCM:
|
||||||
|
{
|
||||||
|
@@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+ return in;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
||||||
|
@@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
|
||||||
|
void _gnutls_ktls_enable(gnutls_session_t session) {
|
||||||
|
}
|
||||||
|
|
||||||
|
-int _gnutls_ktls_set_keys(gnutls_session_t session) {
|
||||||
|
+int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) {
|
||||||
|
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
||||||
|
index 8a98a8eb8..c8059092d 100644
|
||||||
|
--- a/lib/system/ktls.h
|
||||||
|
+++ b/lib/system/ktls.h
|
||||||
|
@@ -4,14 +4,19 @@
|
||||||
|
#include "gnutls_int.h"
|
||||||
|
|
||||||
|
void _gnutls_ktls_enable(gnutls_session_t session);
|
||||||
|
-int _gnutls_ktls_set_keys(gnutls_session_t session);
|
||||||
|
+
|
||||||
|
+int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in);
|
||||||
|
+
|
||||||
|
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
||||||
|
off_t *offset, size_t count);
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
||||||
|
const void *data, size_t data_size);
|
||||||
|
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type,
|
||||||
|
void *data, size_t data_size);
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size);
|
||||||
|
#define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Tue, 2 Aug 2022 13:35:39 +0200
|
||||||
|
Subject: [PATCH 2/7] KTLS: set new keys for keyupdate
|
||||||
|
|
||||||
|
set new keys durring gnutls_session_key_update()
|
||||||
|
setting keys
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/tls13/key_update.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
||||||
|
index c6f6e0aa1..10c0a9110 100644
|
||||||
|
--- a/lib/tls13/key_update.c
|
||||||
|
+++ b/lib/tls13/key_update.c
|
||||||
|
@@ -27,6 +27,7 @@
|
||||||
|
#include "mem.h"
|
||||||
|
#include "mbuffers.h"
|
||||||
|
#include "secrets.h"
|
||||||
|
+#include "system/ktls.h"
|
||||||
|
|
||||||
|
#define KEY_UPDATES_WINDOW 1000
|
||||||
|
#define KEY_UPDATES_PER_WINDOW 8
|
||||||
|
@@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
||||||
|
* write keys */
|
||||||
|
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
||||||
|
ret = _tls13_write_connection_state_init(session, stage);
|
||||||
|
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
||||||
|
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
||||||
|
} else {
|
||||||
|
ret = _tls13_connection_state_init(session, stage);
|
||||||
|
+
|
||||||
|
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
||||||
|
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
||||||
|
+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
||||||
|
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
||||||
|
+
|
||||||
|
}
|
||||||
|
if (ret < 0)
|
||||||
|
return gnutls_assert_val(ret);
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Wed, 3 Aug 2022 14:20:35 +0200
|
||||||
|
Subject: [PATCH 3/7] KTLS: send update key request
|
||||||
|
|
||||||
|
Set hanshake send function after interface initialization
|
||||||
|
TODO: handel setting function differently
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/record.c | 23 ++++++++++++++++-------
|
||||||
|
lib/system/ktls.c | 21 +++++++++++++++++++++
|
||||||
|
lib/system/ktls.h | 5 +++++
|
||||||
|
3 files changed, 42 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/record.c b/lib/record.c
|
||||||
|
index fd24acaf1..aad128e1f 100644
|
||||||
|
--- a/lib/record.c
|
||||||
|
+++ b/lib/record.c
|
||||||
|
@@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data,
|
||||||
|
session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3;
|
||||||
|
FALLTHROUGH;
|
||||||
|
case RECORD_SEND_KEY_UPDATE_3:
|
||||||
|
- ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
||||||
|
- -1, EPOCH_WRITE_CURRENT,
|
||||||
|
- session->internals.record_key_update_buffer.data,
|
||||||
|
- session->internals.record_key_update_buffer.length,
|
||||||
|
- MBUFFER_FLUSH);
|
||||||
|
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
||||||
|
+ return _gnutls_ktls_send(session,
|
||||||
|
+ session->internals.record_key_update_buffer.data,
|
||||||
|
+ session->internals.record_key_update_buffer.length);
|
||||||
|
+ } else {
|
||||||
|
+ ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
||||||
|
+ -1, EPOCH_WRITE_CURRENT,
|
||||||
|
+ session->internals.record_key_update_buffer.data,
|
||||||
|
+ session->internals.record_key_update_buffer.length,
|
||||||
|
+ MBUFFER_FLUSH);
|
||||||
|
+ }
|
||||||
|
_gnutls_buffer_clear(&session->internals.record_key_update_buffer);
|
||||||
|
session->internals.rsend_state = RECORD_SEND_NORMAL;
|
||||||
|
if (ret < 0)
|
||||||
|
@@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session,
|
||||||
|
return gnutls_assert_val(0);
|
||||||
|
|
||||||
|
/* When using this, the outgoing handshake messages should
|
||||||
|
- * also be handled manually */
|
||||||
|
- if (!session->internals.h_read_func)
|
||||||
|
+ * also be handled manually unless KTLS is enabled exclusively
|
||||||
|
+ * in GNUTLS_KTLS_RECV mode in which case the outgoing messages
|
||||||
|
+ * are handled by GnuTLS.
|
||||||
|
+ */
|
||||||
|
+ if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV))
|
||||||
|
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
||||||
|
|
||||||
|
if (session->internals.initial_negotiation_completed) {
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index 70b9b9b3a..5da0a8069 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
default:
|
||||||
|
assert(0);
|
||||||
|
}
|
||||||
|
+ // set callback for sending handshake messages
|
||||||
|
+ gnutls_handshake_set_read_function(session,
|
||||||
|
+ _gnutls_ktls_send_handshake_msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
return in;
|
||||||
|
@@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
||||||
|
return data_size;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
||||||
|
+ gnutls_record_encryption_level_t level,
|
||||||
|
+ gnutls_handshake_description_t htype,
|
||||||
|
+ const void *data, size_t data_size)
|
||||||
|
+{
|
||||||
|
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE,
|
||||||
|
+ data, data_size);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
||||||
|
unsigned char *record_type, void *data, size_t data_size)
|
||||||
|
{
|
||||||
|
@@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
||||||
|
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
||||||
|
+ gnutls_record_encryption_level_t level,
|
||||||
|
+ gnutls_handshake_description_t htype,
|
||||||
|
+ const void *data, size_t data_size)
|
||||||
|
+{
|
||||||
|
+ (void)level;
|
||||||
|
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
||||||
|
void *data, size_t data_size) {
|
||||||
|
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
||||||
|
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
||||||
|
index c8059092d..8d61a49df 100644
|
||||||
|
--- a/lib/system/ktls.h
|
||||||
|
+++ b/lib/system/ktls.h
|
||||||
|
@@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
||||||
|
off_t *offset, size_t count);
|
||||||
|
|
||||||
|
+int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
||||||
|
+ gnutls_record_encryption_level_t level,
|
||||||
|
+ gnutls_handshake_description_t htype,
|
||||||
|
+ const void *data, size_t data_size);
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
||||||
|
const void *data, size_t data_size);
|
||||||
|
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Mon, 22 Aug 2022 10:50:37 +0200
|
||||||
|
Subject: [PATCH 4/7] KTLS: receive key update
|
||||||
|
|
||||||
|
handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/system/ktls.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index 5da0a8069..f3cb343ae 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
||||||
|
ret = 0;
|
||||||
|
break;
|
||||||
|
case GNUTLS_HANDSHAKE:
|
||||||
|
- // ignore post-handshake messages
|
||||||
|
+ ret = gnutls_handshake_write(session,
|
||||||
|
+ GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
|
||||||
|
+ data, ret);
|
||||||
|
+
|
||||||
|
+ if (ret < 0)
|
||||||
|
+ return gnutls_assert_val(ret);
|
||||||
|
+
|
||||||
|
if (type != record_type)
|
||||||
|
return GNUTLS_E_AGAIN;
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Fri, 5 Aug 2022 16:38:02 +0200
|
||||||
|
Subject: [PATCH 5/7] KTLS: set write alert callback
|
||||||
|
|
||||||
|
Use callback for sending alerts.
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/alert.c | 13 ++++---------
|
||||||
|
lib/system/ktls.c | 15 +++++++++++++++
|
||||||
|
lib/system/ktls.h | 5 +++++
|
||||||
|
3 files changed, 24 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/alert.c b/lib/alert.c
|
||||||
|
index 50bd1d3de..fda8cd79f 100644
|
||||||
|
--- a/lib/alert.c
|
||||||
|
+++ b/lib/alert.c
|
||||||
|
@@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
||||||
|
- ret =
|
||||||
|
- _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
||||||
|
- } else {
|
||||||
|
- ret =
|
||||||
|
- _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
||||||
|
- EPOCH_WRITE_CURRENT, data, 2,
|
||||||
|
- MBUFFER_FLUSH);
|
||||||
|
- }
|
||||||
|
+ ret = _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
||||||
|
+ EPOCH_WRITE_CURRENT, data, 2,
|
||||||
|
+ MBUFFER_FLUSH);
|
||||||
|
+
|
||||||
|
return (ret < 0) ? ret : 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
||||||
|
index f3cb343ae..703775960 100644
|
||||||
|
--- a/lib/system/ktls.c
|
||||||
|
+++ b/lib/system/ktls.c
|
||||||
|
@@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
||||||
|
default:
|
||||||
|
assert(0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
// set callback for sending handshake messages
|
||||||
|
gnutls_handshake_set_read_function(session,
|
||||||
|
_gnutls_ktls_send_handshake_msg);
|
||||||
|
+
|
||||||
|
+ // set callback for sending alert messages
|
||||||
|
+ gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
return in;
|
||||||
|
@@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
||||||
|
data, data_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
||||||
|
+ gnutls_record_encryption_level_t level,
|
||||||
|
+ gnutls_alert_level_t alert_level,
|
||||||
|
+ gnutls_alert_description_t alert_desc)
|
||||||
|
+{
|
||||||
|
+ uint8_t data[2];
|
||||||
|
+ data[0] = (uint8_t) alert_level;
|
||||||
|
+ data[1] = (uint8_t) alert_desc;
|
||||||
|
+ return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
||||||
|
unsigned char *record_type, void *data, size_t data_size)
|
||||||
|
{
|
||||||
|
diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
||||||
|
index 8d61a49df..64e1c9c1c 100644
|
||||||
|
--- a/lib/system/ktls.h
|
||||||
|
+++ b/lib/system/ktls.h
|
||||||
|
@@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
||||||
|
gnutls_handshake_description_t htype,
|
||||||
|
const void *data, size_t data_size);
|
||||||
|
|
||||||
|
+int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
||||||
|
+ gnutls_record_encryption_level_t level,
|
||||||
|
+ gnutls_alert_level_t alert_level,
|
||||||
|
+ gnutls_alert_description_t alert_desc);
|
||||||
|
+
|
||||||
|
int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
||||||
|
const void *data, size_t data_size);
|
||||||
|
#define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Tue, 9 Aug 2022 12:11:16 +0200
|
||||||
|
Subject: [PATCH 6/7] KTLS: rekey test
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
tests/Makefile.am | 2 +
|
||||||
|
tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/ktls_keyupdate.sh | 46 +++++
|
||||||
|
3 files changed, 429 insertions(+)
|
||||||
|
create mode 100644 tests/ktls_keyupdate.c
|
||||||
|
create mode 100755 tests/ktls_keyupdate.sh
|
||||||
|
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index 1122886b3..2d345d478 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -500,6 +500,8 @@ endif
|
||||||
|
if ENABLE_KTLS
|
||||||
|
indirect_tests += gnutls_ktls
|
||||||
|
dist_check_SCRIPTS += ktls.sh
|
||||||
|
+indirect_tests += ktls_keyupdate
|
||||||
|
+dist_check_SCRIPTS += ktls_keyupdate.sh
|
||||||
|
endif
|
||||||
|
|
||||||
|
if !WINDOWS
|
||||||
|
diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..9fbff38ae
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/ktls_keyupdate.c
|
||||||
|
@@ -0,0 +1,381 @@
|
||||||
|
+// Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+//
|
||||||
|
+// Author: Frantisek Krenzelok
|
||||||
|
+//
|
||||||
|
+// This file is part of GnuTLS.
|
||||||
|
+//
|
||||||
|
+// GnuTLS is free software; you can redistribute it and/or modify it
|
||||||
|
+// under the terms of the GNU General Public License as published by the
|
||||||
|
+// Free Software Foundation; either version 3 of the License, or (at
|
||||||
|
+// your option) any later version.
|
||||||
|
+//
|
||||||
|
+// GnuTLS is distributed in the hope that it will be useful, but
|
||||||
|
+// WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+// General Public License for more details.
|
||||||
|
+//
|
||||||
|
+// You should have received a copy of the GNU General Public License
|
||||||
|
+// along with GnuTLS; if not, write to the Free Software Foundation,
|
||||||
|
+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_CONFIG_H
|
||||||
|
+#include <config.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <netinet/in.h>
|
||||||
|
+#include <sys/socket.h>
|
||||||
|
+#include <sys/wait.h>
|
||||||
|
+#include <arpa/inet.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <gnutls/gnutls.h>
|
||||||
|
+#include <gnutls/crypto.h>
|
||||||
|
+#include <gnutls/dtls.h>
|
||||||
|
+#include <gnutls/socket.h>
|
||||||
|
+#include <signal.h>
|
||||||
|
+#include <assert.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+
|
||||||
|
+#include "cert-common.h"
|
||||||
|
+#include "utils.h"
|
||||||
|
+
|
||||||
|
+#if defined(_WIN32)
|
||||||
|
+
|
||||||
|
+int main(void)
|
||||||
|
+{
|
||||||
|
+ exit(77);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#else
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#define MAX_BUF 1024
|
||||||
|
+#define MSG "Hello world!"
|
||||||
|
+
|
||||||
|
+#define HANDSHAKE(session, name, ret)\
|
||||||
|
+{\
|
||||||
|
+ do {\
|
||||||
|
+ ret = gnutls_handshake(session);\
|
||||||
|
+ }\
|
||||||
|
+ while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\
|
||||||
|
+ if (ret < 0) {\
|
||||||
|
+ fail("%s: Handshake failed\n", name);\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define SEND_MSG(session, name, ret)\
|
||||||
|
+{\
|
||||||
|
+ do {\
|
||||||
|
+ ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\
|
||||||
|
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
||||||
|
+ if (ret < 0) {\
|
||||||
|
+ fail("%s: data sending has failed (%s)\n",name,\
|
||||||
|
+ gnutls_strerror(ret));\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define RECV_MSG(session, name, buffer, buffer_len, ret)\
|
||||||
|
+{\
|
||||||
|
+ memset(buffer, 0, sizeof(buffer));\
|
||||||
|
+ do{\
|
||||||
|
+ ret = gnutls_record_recv(session, buffer, sizeof(buffer));\
|
||||||
|
+ }\
|
||||||
|
+ while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
||||||
|
+ if (ret == 0) {\
|
||||||
|
+ success("%s: Peer has closed the TLS connection\n", name);\
|
||||||
|
+ goto end;\
|
||||||
|
+ } else if (ret < 0) {\
|
||||||
|
+ fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+ if(strncmp(buffer, MSG, ret)){\
|
||||||
|
+ fail("%s: Message doesn't match\n", name);\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define KEY_UPDATE(session, name, peer_req, ret)\
|
||||||
|
+{\
|
||||||
|
+ do {\
|
||||||
|
+ ret = gnutls_session_key_update(session, peer_req);\
|
||||||
|
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
||||||
|
+ if (ret < 0) {\
|
||||||
|
+ fail("%s: key update has failed (%s)\n", name, \
|
||||||
|
+ gnutls_strerror(ret));\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define CHECK_KTLS_ENABLED(session, ret)\
|
||||||
|
+{\
|
||||||
|
+ ret = gnutls_transport_is_ktls_enabled(session);\
|
||||||
|
+ if (!(ret & GNUTLS_KTLS_RECV)){\
|
||||||
|
+ fail("client: KTLS was not properly initialized\n");\
|
||||||
|
+ goto end;\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void server_log_func(int level, const char *str)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "server|<%d>| %s", level, str);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void client_log_func(int level, const char *str)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "client|<%d>| %s", level, str);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static void client(int fd, const char *prio, int pipe)
|
||||||
|
+{
|
||||||
|
+ const char *name = "client";
|
||||||
|
+ int ret;
|
||||||
|
+ char foo;
|
||||||
|
+ char buffer[MAX_BUF + 1];
|
||||||
|
+ gnutls_certificate_credentials_t x509_cred;
|
||||||
|
+ gnutls_session_t session;
|
||||||
|
+
|
||||||
|
+ global_init();
|
||||||
|
+
|
||||||
|
+ if (debug) {
|
||||||
|
+ gnutls_global_set_log_function(client_log_func);
|
||||||
|
+ gnutls_global_set_log_level(7);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ gnutls_certificate_allocate_credentials(&x509_cred);
|
||||||
|
+
|
||||||
|
+ gnutls_init(&session, GNUTLS_CLIENT);
|
||||||
|
+ gnutls_handshake_set_timeout(session, 0);
|
||||||
|
+
|
||||||
|
+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
|
||||||
|
+
|
||||||
|
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
||||||
|
+
|
||||||
|
+ gnutls_transport_set_int(session, fd);
|
||||||
|
+
|
||||||
|
+ HANDSHAKE(session, name, ret);
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ // Test 0: Try sending/receiving data
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ // Test 1: Servers does key update
|
||||||
|
+ read(pipe, &foo, 1);
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ // Test 2: Does key update witch request
|
||||||
|
+ read(pipe, &foo, 1);
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ fail("client: error in closing session: %s\n", gnutls_strerror(ret));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = 0;
|
||||||
|
+ end:
|
||||||
|
+
|
||||||
|
+ close(fd);
|
||||||
|
+
|
||||||
|
+ gnutls_deinit(session);
|
||||||
|
+
|
||||||
|
+ gnutls_certificate_free_credentials(x509_cred);
|
||||||
|
+
|
||||||
|
+ gnutls_global_deinit();
|
||||||
|
+
|
||||||
|
+ if (ret != 0)
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+pid_t child;
|
||||||
|
+static void terminate(void)
|
||||||
|
+{
|
||||||
|
+ assert(child);
|
||||||
|
+ kill(child, SIGTERM);
|
||||||
|
+ exit(1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void server(int fd, const char *prio, int pipe)
|
||||||
|
+{
|
||||||
|
+ const char *name = "server";
|
||||||
|
+ int ret;
|
||||||
|
+ char bar = 0;
|
||||||
|
+ char buffer[MAX_BUF + 1];
|
||||||
|
+ gnutls_certificate_credentials_t x509_cred;
|
||||||
|
+ gnutls_session_t session;
|
||||||
|
+
|
||||||
|
+ global_init();
|
||||||
|
+
|
||||||
|
+ if (debug) {
|
||||||
|
+ gnutls_global_set_log_function(server_log_func);
|
||||||
|
+ gnutls_global_set_log_level(7);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ gnutls_certificate_allocate_credentials(&x509_cred);
|
||||||
|
+ ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
|
||||||
|
+ &server_key,
|
||||||
|
+ GNUTLS_X509_FMT_PEM);
|
||||||
|
+ if (ret < 0)
|
||||||
|
+ exit(1);
|
||||||
|
+
|
||||||
|
+ gnutls_init(&session, GNUTLS_SERVER);
|
||||||
|
+ gnutls_handshake_set_timeout(session, 0);
|
||||||
|
+
|
||||||
|
+ assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
|
||||||
|
+
|
||||||
|
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
||||||
|
+
|
||||||
|
+ gnutls_transport_set_int(session, fd);
|
||||||
|
+
|
||||||
|
+ HANDSHAKE(session, name, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ success("Test 0: sending/receiving data\n");
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ success("Test 1: server key update without request\n");
|
||||||
|
+ KEY_UPDATE(session, name, 0, ret)
|
||||||
|
+ write(pipe, &bar, 1);
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ success("Test 2: server key update with request\n");
|
||||||
|
+ KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret)
|
||||||
|
+ write(pipe, &bar, 1);
|
||||||
|
+ SEND_MSG(session, name, ret)
|
||||||
|
+ RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
||||||
|
+
|
||||||
|
+ CHECK_KTLS_ENABLED(session, ret)
|
||||||
|
+
|
||||||
|
+ ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ fail("server: error in closing session: %s\n", gnutls_strerror(ret));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = 0;
|
||||||
|
+end:
|
||||||
|
+ close(fd);
|
||||||
|
+ gnutls_deinit(session);
|
||||||
|
+
|
||||||
|
+ gnutls_certificate_free_credentials(x509_cred);
|
||||||
|
+
|
||||||
|
+ gnutls_global_deinit();
|
||||||
|
+
|
||||||
|
+ if (ret){
|
||||||
|
+ terminate();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (debug)
|
||||||
|
+ success("server: finished\n");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void ch_handler(int sig)
|
||||||
|
+{
|
||||||
|
+ return;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void run(const char *prio)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ struct sockaddr_in saddr;
|
||||||
|
+ socklen_t addrlen;
|
||||||
|
+ int listener;
|
||||||
|
+ int fd;
|
||||||
|
+
|
||||||
|
+ int sync_pipe[2]; //used for synchronization
|
||||||
|
+ pipe(sync_pipe);
|
||||||
|
+
|
||||||
|
+ success("running ktls test with %s\n", prio);
|
||||||
|
+
|
||||||
|
+ signal(SIGCHLD, ch_handler);
|
||||||
|
+ signal(SIGPIPE, SIG_IGN);
|
||||||
|
+
|
||||||
|
+ listener = socket(AF_INET, SOCK_STREAM, 0);
|
||||||
|
+ if (listener == -1){
|
||||||
|
+ fail("error in listener(): %s\n", strerror(errno));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memset(&saddr, 0, sizeof(saddr));
|
||||||
|
+ saddr.sin_family = AF_INET;
|
||||||
|
+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
|
||||||
|
+ saddr.sin_port = 0;
|
||||||
|
+
|
||||||
|
+ ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr));
|
||||||
|
+ if (ret == -1){
|
||||||
|
+ fail("error in bind(): %s\n", strerror(errno));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ addrlen = sizeof(saddr);
|
||||||
|
+ ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen);
|
||||||
|
+ if (ret == -1){
|
||||||
|
+ fail("error in getsockname(): %s\n", strerror(errno));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ child = fork();
|
||||||
|
+ if (child < 0) {
|
||||||
|
+ fail("error in fork(): %s\n", strerror(errno));
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (child) {
|
||||||
|
+ int status;
|
||||||
|
+ /* parent */
|
||||||
|
+ ret = listen(listener, 1);
|
||||||
|
+ if (ret == -1) {
|
||||||
|
+ fail("error in listen(): %s\n", strerror(errno));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fd = accept(listener, NULL, NULL);
|
||||||
|
+ if (fd == -1) {
|
||||||
|
+ fail("error in accept(): %s\n", strerror(errno));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ close(sync_pipe[0]);
|
||||||
|
+ server(fd, prio, sync_pipe[1]);
|
||||||
|
+
|
||||||
|
+ wait(&status);
|
||||||
|
+ check_wait_status(status);
|
||||||
|
+ } else {
|
||||||
|
+ fd = socket(AF_INET, SOCK_STREAM, 0);
|
||||||
|
+ if (fd == -1){
|
||||||
|
+ fail("error in socket(): %s\n", strerror(errno));
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ usleep(1000000);
|
||||||
|
+ connect(fd, (struct sockaddr*)&saddr, addrlen);
|
||||||
|
+
|
||||||
|
+ close(sync_pipe[1]);
|
||||||
|
+ client(fd, prio, sync_pipe[0]);
|
||||||
|
+ exit(0);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void doit(void)
|
||||||
|
+{
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
|
||||||
|
+ run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#endif /* _WIN32 */
|
||||||
|
diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 000000000..d072acafc
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/ktls_keyupdate.sh
|
||||||
|
@@ -0,0 +1,46 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+
|
||||||
|
+# Copyright (C) 2022 Red Hat, Inc.
|
||||||
|
+#
|
||||||
|
+# Author: Daiki Ueno
|
||||||
|
+#
|
||||||
|
+# This file is part of GnuTLS.
|
||||||
|
+#
|
||||||
|
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||||
|
+# under the terms of the GNU General Public License as published by the
|
||||||
|
+# Free Software Foundation; either version 3 of the License, or (at
|
||||||
|
+# your option) any later version.
|
||||||
|
+#
|
||||||
|
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||||
|
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
+# General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||||
|
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
+
|
||||||
|
+: ${builddir=.}
|
||||||
|
+
|
||||||
|
+. "$srcdir/scripts/common.sh"
|
||||||
|
+
|
||||||
|
+if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then
|
||||||
|
+ exit 77
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+testdir=`create_testdir ktls_keyupdate`
|
||||||
|
+
|
||||||
|
+cfg="$testdir/config"
|
||||||
|
+
|
||||||
|
+cat <<EOF > "$cfg"
|
||||||
|
+[global]
|
||||||
|
+ktls = true
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
|
||||||
|
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
|
||||||
|
+"$builddir/ktls_keyupdate" "$@"
|
||||||
|
+rc=$?
|
||||||
|
+
|
||||||
|
+rm -rf "$testdir"
|
||||||
|
+exit $rc
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
||||||
|
|
||||||
|
From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
Date: Mon, 5 Sep 2022 13:05:17 +0200
|
||||||
|
Subject: [PATCH 7/7] KTLS: fallback to default
|
||||||
|
|
||||||
|
If an error occurs during setting of keys either initial or key update
|
||||||
|
then fallback to default mode of operation (disable ktls) and let the
|
||||||
|
user know
|
||||||
|
|
||||||
|
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
||||||
|
---
|
||||||
|
lib/handshake.c | 7 ++++++-
|
||||||
|
lib/tls13/key_update.c | 23 +++++++++++++++++++----
|
||||||
|
2 files changed, 25 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/handshake.c b/lib/handshake.c
|
||||||
|
index cb2bc3ae9..14bcdea56 100644
|
||||||
|
--- a/lib/handshake.c
|
||||||
|
+++ b/lib/handshake.c
|
||||||
|
@@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session)
|
||||||
|
|
||||||
|
#ifdef ENABLE_KTLS
|
||||||
|
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
||||||
|
- _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
||||||
|
+ ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ session->internals.ktls_enabled = 0;
|
||||||
|
+ _gnutls_audit_log(session,
|
||||||
|
+ "disabling KTLS: failed to set keys\n");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
||||||
|
index 10c0a9110..acfda4129 100644
|
||||||
|
--- a/lib/tls13/key_update.c
|
||||||
|
+++ b/lib/tls13/key_update.c
|
||||||
|
@@ -32,6 +32,20 @@
|
||||||
|
#define KEY_UPDATES_WINDOW 1000
|
||||||
|
#define KEY_UPDATES_PER_WINDOW 8
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Sets kTLS keys if enabled.
|
||||||
|
+ * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled
|
||||||
|
+ * because KTLS most likely doesn't support key update.
|
||||||
|
+ */
|
||||||
|
+#define SET_KTLS_KEYS(session, interface)\
|
||||||
|
+{\
|
||||||
|
+ if(_gnutls_ktls_set_keys(session, interface) < 0) {\
|
||||||
|
+ session->internals.ktls_enabled = 0;\
|
||||||
|
+ _gnutls_audit_log(session, \
|
||||||
|
+ "disabling KTLS: couldn't update keys\n");\
|
||||||
|
+ }\
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
@@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
||||||
|
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
||||||
|
ret = _tls13_write_connection_state_init(session, stage);
|
||||||
|
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
||||||
|
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
||||||
|
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
||||||
|
} else {
|
||||||
|
ret = _tls13_connection_state_init(session, stage);
|
||||||
|
+ if (ret < 0)
|
||||||
|
+ return gnutls_assert_val(ret);
|
||||||
|
|
||||||
|
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
||||||
|
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
||||||
|
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
||||||
|
else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
||||||
|
- ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
||||||
|
-
|
||||||
|
+ SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV)
|
||||||
|
}
|
||||||
|
if (ret < 0)
|
||||||
|
return gnutls_assert_val(ret);
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
155
gnutls-3.7.8-ktls_minor_fixes.patch
Normal file
155
gnutls-3.7.8-ktls_minor_fixes.patch
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 28 Nov 2022 12:17:12 +0900
|
||||||
|
Subject: [PATCH 1/3] includes: move KTLS function definition out of
|
||||||
|
<gnutls/socket.h>
|
||||||
|
|
||||||
|
<gnutls/socket.h> is meant for the functions that depend on
|
||||||
|
<sys/socket.h>, which is not available on Windows platforms.
|
||||||
|
|
||||||
|
As the KTLS API doesn't rely on <sys/socket.h>, move the function and
|
||||||
|
enum to <gnutls/gnutls.h>.
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++
|
||||||
|
lib/includes/gnutls/socket.h | 21 ---------------------
|
||||||
|
2 files changed, 21 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
|
||||||
|
index 394d465e3..830ce5f95 100644
|
||||||
|
--- a/lib/includes/gnutls/gnutls.h.in
|
||||||
|
+++ b/lib/includes/gnutls/gnutls.h.in
|
||||||
|
@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void);
|
||||||
|
|
||||||
|
int gnutls_fips140_run_self_tests(void);
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * gnutls_transport_ktls_enable_flags_t:
|
||||||
|
+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
|
||||||
|
+ * @GNUTLS_KTLS_SEND: ktls enabled for send function.
|
||||||
|
+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
|
||||||
|
+ *
|
||||||
|
+ * Flag enumeration of ktls enable status for recv and send functions.
|
||||||
|
+ * This is used by gnutls_transport_is_ktls_enabled().
|
||||||
|
+ *
|
||||||
|
+ * Since: 3.7.3
|
||||||
|
+ */
|
||||||
|
+typedef enum {
|
||||||
|
+ GNUTLS_KTLS_RECV = 1 << 0,
|
||||||
|
+ GNUTLS_KTLS_SEND = 1 << 1,
|
||||||
|
+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
|
||||||
|
+} gnutls_transport_ktls_enable_flags_t;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+gnutls_transport_ktls_enable_flags_t
|
||||||
|
+gnutls_transport_is_ktls_enabled(gnutls_session_t session);
|
||||||
|
+
|
||||||
|
/* Gnutls error codes. The mapping to a TLS alert is also shown in
|
||||||
|
* comments.
|
||||||
|
*/
|
||||||
|
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
|
||||||
|
index 4df7bb2e0..64eb19f89 100644
|
||||||
|
--- a/lib/includes/gnutls/socket.h
|
||||||
|
+++ b/lib/includes/gnutls/socket.h
|
||||||
|
@@ -37,27 +37,6 @@ extern "C" {
|
||||||
|
#endif
|
||||||
|
/* *INDENT-ON* */
|
||||||
|
|
||||||
|
-/**
|
||||||
|
- * gnutls_transport_ktls_enable_flags_t:
|
||||||
|
- * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
|
||||||
|
- * @GNUTLS_KTLS_SEND: ktls enabled for send function.
|
||||||
|
- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
|
||||||
|
- *
|
||||||
|
- * Flag enumeration of ktls enable status for recv and send functions.
|
||||||
|
- * This is used by gnutls_transport_is_ktls_enabled().
|
||||||
|
- *
|
||||||
|
- * Since: 3.7.3
|
||||||
|
- */
|
||||||
|
-typedef enum {
|
||||||
|
- GNUTLS_KTLS_RECV = 1 << 0,
|
||||||
|
- GNUTLS_KTLS_SEND = 1 << 1,
|
||||||
|
- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
|
||||||
|
-} gnutls_transport_ktls_enable_flags_t;
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-gnutls_transport_ktls_enable_flags_t
|
||||||
|
-gnutls_transport_is_ktls_enabled(gnutls_session_t session);
|
||||||
|
-
|
||||||
|
void gnutls_transport_set_fastopen(gnutls_session_t session,
|
||||||
|
int fd,
|
||||||
|
struct sockaddr *connect_addr,
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 28 Nov 2022 12:13:31 +0900
|
||||||
|
Subject: [PATCH 2/3] src: print KTLS enablement status in
|
||||||
|
gnutls-serv/gnutls-cli
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
src/common.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/common.c b/src/common.c
|
||||||
|
index 6d2056f95..d357c7fb8 100644
|
||||||
|
--- a/src/common.c
|
||||||
|
+++ b/src/common.c
|
||||||
|
@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags)
|
||||||
|
gnutls_datum_t p;
|
||||||
|
char *desc;
|
||||||
|
gnutls_protocol_t version;
|
||||||
|
+ gnutls_transport_ktls_enable_flags_t ktls_flags;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
desc = gnutls_session_get_desc(session);
|
||||||
|
@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags)
|
||||||
|
|
||||||
|
print_channel_bindings(session, verbose);
|
||||||
|
|
||||||
|
+ ktls_flags = gnutls_transport_is_ktls_enabled(session);
|
||||||
|
+ if (ktls_flags != 0) {
|
||||||
|
+ log_msg(stdout, "- KTLS: %s\n",
|
||||||
|
+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" :
|
||||||
|
+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" :
|
||||||
|
+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" :
|
||||||
|
+ "unknown");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
|
|
||||||
|
From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <ueno@gnu.org>
|
||||||
|
Date: Mon, 28 Nov 2022 12:15:26 +0900
|
||||||
|
Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
|
||||||
|
---
|
||||||
|
lib/priority.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/priority.c b/lib/priority.c
|
||||||
|
index 97831e63b..6266bb571 100644
|
||||||
|
--- a/lib/priority.c
|
||||||
|
+++ b/lib/priority.c
|
||||||
|
@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
|
||||||
|
p = clear_spaces(value, str);
|
||||||
|
if (c_strcasecmp(p, "true") == 0) {
|
||||||
|
cfg->ktls_enabled = true;
|
||||||
|
+ } else if (c_strcasecmp(p, "false") == 0) {
|
||||||
|
+ cfg->ktls_enabled = false;
|
||||||
|
} else {
|
||||||
|
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
|
||||||
|
p);
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
@ -20,8 +20,13 @@ print(string.sub(hash, 0, 16))
|
|||||||
Version: 3.7.8
|
Version: 3.7.8
|
||||||
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
|
Release: %{?autorelease}%{!?autorelease:1%{?dist}}
|
||||||
Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch
|
Patch: gnutls-3.7.8-gcc_analyzer-suppress_warnings.patch
|
||||||
Patch: gnutls-3.6.7-no-now-guile.patch
|
|
||||||
Patch: gnutls-3.2.7-rpath.patch
|
Patch: gnutls-3.2.7-rpath.patch
|
||||||
|
Patch: gnutls-3.6.7-no-now-guile.patch
|
||||||
|
|
||||||
|
Patch: gnutls-3.7.8-ktls_key_update.patch
|
||||||
|
Patch: gnutls-3.7.8-ktls_add_ciphersuites.patch
|
||||||
|
Patch: gnutls-3.7.8-ktls_minor_fixes.patch
|
||||||
|
Patch: gnutls-3.7.8-ktls_invalidate_session.patch
|
||||||
|
|
||||||
%bcond_without bootstrap
|
%bcond_without bootstrap
|
||||||
%bcond_without dane
|
%bcond_without dane
|
||||||
|
Loading…
Reference in New Issue
Block a user