Update gnutls-3.8.9-cli-earlydata.patch to the upstream version

Resolves: RHEL-83590
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Daiki Ueno 2025-04-14 18:18:12 +09:00
parent a3bb1addff
commit c94e6c1df7
2 changed files with 153 additions and 152 deletions


@ -1,57 +1,7 @@
From 0db562fdec5a6dfdd5ec120988b873f1da80aade Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 16 Feb 2025 08:57:08 +0900
Subject: [PATCH 1/3] gnutls_record_set_max_early_data_size: make it callable
from client
Since commit 9a7ce5a74cbef069394f677c0c79af2c876546db,
max_early_data_size is initialized as 0 on the client side, and set
only after receiving NewSessionTicket. There are, however, no ways to
preserve the max_early_data_size value across multiple calls to
gnutls_init. This patch allows the client to set the negotiated
max_early_data_size in the second session, through
gnutls_record_set_max_early_data_size.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/ext/early_data.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/lib/ext/early_data.c b/lib/ext/early_data.c
index d53b9f4d77..5bcf3a391e 100644
--- a/lib/ext/early_data.c
+++ b/lib/ext/early_data.c
@@ -124,7 +124,8 @@ size_t gnutls_record_get_max_early_data_size(gnutls_session_t session)
* This function sets the maximum early data size in this connection.
* This property can only be set to servers. The client may be
* provided with the maximum allowed size through the "early_data"
- * extension of the NewSessionTicket handshake message.
+ * extension of the NewSessionTicket handshake message, which can be
+ * obtained with gnutls_record_get_max_early_data_size().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
@@ -133,11 +134,7 @@ size_t gnutls_record_get_max_early_data_size(gnutls_session_t session)
**/
int gnutls_record_set_max_early_data_size(gnutls_session_t session, size_t size)
{
- if (session->security_parameters.entity == GNUTLS_CLIENT)
- return GNUTLS_E_INVALID_REQUEST;
-
- /* Reject zero as well, as it is useless. */
- if (size == 0 || size > UINT32_MAX)
+ if (size > UINT32_MAX)
return GNUTLS_E_INVALID_REQUEST;
session->security_parameters.max_early_data_size = (uint32_t)size;
--
2.48.1
From b8c6d896acc267b3dc00d2ac7c9f8a7f60329d28 Mon Sep 17 00:00:00 2001
From 54c06a9cd7bcf8f245cf5f9da760f91939259f69 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 16 Feb 2025 09:02:46 +0900
Subject: [PATCH 2/3] serv: fix detection of early data reception
Subject: [PATCH 1/3] serv: fix detection of early data reception
Upon success, gnutls_record_recv_early_data returns the amount of data
received, so the application should treat positive numbers as an
@ -76,120 +26,171 @@ index 17db12c5ca..86008c9523 100644
}
}
--
2.48.1
2.49.0
From 6beabd3aab2990930022c3f77a02b4a5937071d1 Mon Sep 17 00:00:00 2001
From 8c488288ea05a759977dccd4ee4d61610da4dc38 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 16 Feb 2025 09:04:23 +0900
Subject: [PATCH 3/3] cli: preserve negotiated max_early_data_size across
resumption
Date: Mon, 17 Mar 2025 09:00:44 +0900
Subject: [PATCH 2/3] cli: send early data only after session data is set
Now that max_early_data_size is recorded as part of the stored
resumption data, this needs to be read before attempting to send early
data.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
src/cli.c | 10 ++++++++--
src/socket.c | 13 +++++++++++--
src/socket.h | 11 +++--------
3 files changed, 22 insertions(+), 12 deletions(-)
src/socket.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/cli.c b/src/cli.c
index 4f53b1a02a..5f7199b9f2 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -997,6 +997,7 @@ static int try_resume(socket_st *hd)
int ret, socket_flags = SOCKET_FLAG_DONT_PRINT_ERRORS;
gnutls_datum_t rdata = { NULL, 0 };
gnutls_datum_t edata = { NULL, 0 };
+ size_t max_early_data_size = 0;
if (gnutls_session_is_resumed(hd->session) == 0) {
do {
@@ -1010,6 +1011,11 @@ static int try_resume(socket_st *hd)
GNUTLS_TLS1_3) ||
((gnutls_session_get_flags(hd->session) &
GNUTLS_SFLAGS_SESSION_TICKET))) {
+ max_early_data_size =
+ gnutls_record_get_max_early_data_size(
+ hd->session);
+ log_msg(stdout, "- Max early data size: %zu\n",
+ max_early_data_size);
break;
}
} while (waitresumption);
@@ -1052,7 +1058,7 @@ static int try_resume(socket_st *hd)
socket_open_int(hd, hostname, service, OPT_ARG(STARTTLS_PROTO),
OPT_ARG(STARTTLS_NAME), socket_flags, CONNECT_MSG,
- &rdata, &edata, NULL, NULL);
+ &rdata, &edata, max_early_data_size, NULL, NULL);
log_msg(stdout, "- Resume Handshake was completed\n");
if (gnutls_session_is_resumed(hd->session) != 0)
@@ -1365,7 +1371,7 @@ int main(int argc, char **argv)
socket_open_int(&hd, hostname, service, OPT_ARG(STARTTLS_PROTO),
OPT_ARG(STARTTLS_NAME), socket_flags, CONNECT_MSG, NULL,
- NULL, server_fp, client_fp);
+ NULL, 0, server_fp, client_fp);
hd.verbose = verbose;
diff --git a/src/socket.c b/src/socket.c
index 48784b67fa..1b9d35a589 100644
index 48784b67fa..f32910c239 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -461,8 +461,8 @@ inline static int wrap_pull_timeout_func(gnutls_transport_ptr_t ptr,
void socket_open_int(socket_st *hd, const char *hostname, const char *service,
const char *app_proto, const char *app_hostname, int flags,
const char *msg, gnutls_datum_t *rdata,
- gnutls_datum_t *edata, FILE *server_trace,
- FILE *client_trace)
+ gnutls_datum_t *edata, size_t max_early_data_size,
+ FILE *server_trace, FILE *client_trace)
{
struct addrinfo hints, *res, *ptr;
int sd, err = 0;
@@ -581,6 +581,15 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service,
@@ -580,6 +580,11 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service,
}
if (hd->session) {
+ if (hd->rdata.data) {
+ gnutls_session_set_data(hd->session,
+ hd->rdata.data,
+ hd->rdata.size);
+ }
if (hd->edata.data) {
+ ret = gnutls_record_set_max_early_data_size(
+ hd->session, max_early_data_size);
+ if (ret < 0) {
+ fprintf(stderr,
+ "error setting max early data size to %zu\n",
+ max_early_data_size);
+ close(sd);
+ exit(1);
+ }
ret = gnutls_record_send_early_data(
hd->session, hd->edata.data,
hd->edata.size);
diff --git a/src/socket.h b/src/socket.h
index 680ca16ade..2696e6f922 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -52,17 +52,12 @@ ssize_t socket_send_range(const socket_st *socket, const void *buffer,
void socket_open_int(socket_st *hd, const char *hostname, const char *service,
const char *app_proto, const char *app_hostname, int flags,
const char *msg, gnutls_datum_t *rdata,
- gnutls_datum_t *edata, FILE *server_trace,
- FILE *client_trace);
+ gnutls_datum_t *edata, size_t max_early_data_size,
+ FILE *server_trace, FILE *client_trace);
#define socket_open(hd, host, service, app_proto, flags, msg, rdata) \
socket_open_int(hd, host, service, app_proto, NULL, flags, msg, rdata, \
- NULL, NULL, NULL)
-
-#define socket_open2(hd, host, service, app_proto, flags, msg, rdata, edata, \
- server_trace, client_trace) \
- socket_open_int(hd, host, service, app_proto, NULL, flags, msg, rdata, \
- edata, server_trace, client_trace)
+ NULL, 0, NULL, NULL)
void socket_bye(socket_st *socket, unsigned polite);
@@ -591,11 +596,6 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service,
exit(1);
}
}
- if (hd->rdata.data) {
- gnutls_session_set_data(hd->session,
- hd->rdata.data,
- hd->rdata.size);
- }
if (client_trace || server_trace) {
hd->server_trace = server_trace;
--
2.48.1
2.49.0
From 56fa5e1901fe40a97553cf3141a4d205c4286702 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 16 Feb 2025 09:04:50 +0900
Subject: [PATCH 3/3] tests: add basic tests for 0-RTT with gnutls-serv and
gnutls-cli
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
tests/Makefile.am | 2 +-
tests/gnutls-cli-earlydata.sh | 84 +++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 1 deletion(-)
create mode 100755 tests/gnutls-cli-earlydata.sh
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ec8fd982c5..72926e9da4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -546,7 +546,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \
server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \
- sanity-lib.sh
+ sanity-lib.sh gnutls-cli-earlydata.sh
if !DISABLE_SYSTEM_CONFIG
dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
diff --git a/tests/gnutls-cli-earlydata.sh b/tests/gnutls-cli-earlydata.sh
new file mode 100755
index 0000000000..72763f029f
--- /dev/null
+++ b/tests/gnutls-cli-earlydata.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Copyright (C) 2025 Red Hat, Inc.
+#
+# Author: Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+#
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+unset RETCODE
+
+if ! test -x "$SERV"; then
+ exit 77
+fi
+
+if ! test -x "$CLI"; then
+ exit 77
+fi
+
+if test "$WINDIR" != ""; then
+ exit 77
+fi
+
+if test -n "$VALGRIND"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute $VALGRIND --error-exitcode=1"
+fi
+
+SERV="$SERV -q"
+
+. "$srcdir/scripts/common.sh"
+
+: ${ac_cv_sizeof_time_t=8}
+if test "$ac_cv_sizeof_time_t" -ge 8; then
+ ATTIME_VALID="2038-10-12" # almost the pregenerated cert expiration
+else
+ ATTIME_VALID="2030-12-17" # end of epoch 2590 days of validity
+fi
+
+testdir=`create_testdir earlydata`
+KEY="$srcdir/../doc/credentials/x509/key-ecc.pem"
+CERT="$srcdir/../doc/credentials/x509/cert-ecc.pem"
+CACERT="$srcdir/../doc/credentials/x509/ca.pem"
+
+eval "$GETPORT"
+launch_server --echo --x509keyfile "$KEY" --x509certfile "$CERT" --disable-client-cert --earlydata --maxearlydata 1000
+PID=$!
+wait_server "$PID"
+
+echo "This is a test message" > "$testdir/earlydata.txt"
+
+$VALGRIND "$CLI" --attime="$ATTIME_VALID" -p "$PORT" localhost --logfile="$testdir/cli.log" --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3" --x509cafile "$CACERT" --resume --waitresumption --earlydata="$testdir/earlydata.txt" </dev/null >"$testdir/cli.out"
+if test $? -ne 0; then
+ cat "$testdir/cli.log"
+ fail "$PID" "failed to communicate with the server"
+fi
+
+if ! grep "This is a resumed session" "$testdir/cli.log" > /dev/null; then
+ fail "$PID" "session is not resumed"
+fi
+
+if ! cmp "$testdir/earlydata.txt" "$testdir/cli.out" > /dev/null; then
+ fail "$PID" "early data has not been sent back"
+fi
+
+kill "$PID"
+wait
+
+exit 0
--
2.49.0
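Review bot: The `gnutls_session_set_data` call that the updated src/socket.c hunk (`@@ -580,6 +580,11 @@`) moves ahead of the early-data send still discards its return value, so a rejected or malformed ticket leaves the session unresumed and the `gnutls_record_send_early_data` call that follows then runs against a fresh handshake; since the whole point of the reorder is that early data depends on that session data being in place, a failure here is worth reporting with the same `close(sd); exit(1);` pattern the surrounding code already uses. `socket_open_int` begins and ends outside the hunk. Separately, the new tests/gnutls-cli-earlydata.sh obtains `$testdir` from `create_testdir` but never removes it on the success path; an `rm -rf "$testdir"` before `exit 0` would avoid leaving the directory behind, assuming `fail` in scripts/common.sh covers the failure path.

```c
	if (hd->session) {
		if (hd->rdata.data) {
			ret = gnutls_session_set_data(hd->session, hd->rdata.data,
						      hd->rdata.size);
			if (ret < 0) {
				fprintf(stderr, "error setting session data: %s\n",
					gnutls_strerror(ret));
				close(sd);
				exit(1);
			}
		}
		/* … unchanged: early data send, trace setup … */
```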


@ -32,7 +32,7 @@ Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch
Patch: gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
Patch: gnutls-3.8.9-limit-shuffle-extensions.patch
# not upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936
Patch: gnutls-3.8.9-cli-earlydata.patch
# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1942
Patch: gnutls-3.8.9-leancrypto-init.patch