From c94e6c1df7ac6f5daaa1713650388ca5c580b072 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 14 Apr 2025 18:18:12 +0900
Subject: [PATCH] Update gnutls-3.8.9-cli-earlydata.patch to the upstream version
Resolves: RHEL-83590
Signed-off-by: Daiki Ueno
---
 gnutls-3.8.9-cli-earlydata.patch | 303 ++++++++++++++++---------------
 gnutls.spec | 2 +-
 2 files changed, 153 insertions(+), 152 deletions(-)
diff --git a/gnutls-3.8.9-cli-earlydata.patch b/gnutls-3.8.9-cli-earlydata.patch
index b9862fa..783c5b1 100644
--- a/gnutls-3.8.9-cli-earlydata.patch
+++ b/gnutls-3.8.9-cli-earlydata.patch
@@ -1,57 +1,7 @@ -From 0db562fdec5a6dfdd5ec120988b873f1da80aade Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Sun, 16 Feb 2025 08:57:08 +0900 -Subject: [PATCH 1/3] gnutls_record_set_max_early_data_size: make it callable - from client - -Since commit 9a7ce5a74cbef069394f677c0c79af2c876546db, -max_early_data_size is initialized as 0 on the client side, and set -only after receiving NewSessionTicket. There are, however, no ways to -preserve the max_early_data_size value across multiple calls to -gnutls_init. This patch allows the client to set the negotiated -max_early_data_size in the second session, through -gnutls_record_set_max_early_data_size. - -Signed-off-by: Daiki Ueno ---- - lib/ext/early_data.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/lib/ext/early_data.c b/lib/ext/early_data.c -index d53b9f4d77..5bcf3a391e 100644 ---- a/lib/ext/early_data.c -+++ b/lib/ext/early_data.c -@@ -124,7 +124,8 @@ size_t gnutls_record_get_max_early_data_size(gnutls_session_t session) - * This function sets the maximum early data size in this connection. - * This property can only be set to servers. The client may be - * provided with the maximum allowed size through the "early_data" -- * extension of the NewSessionTicket handshake message. -+ * extension of the NewSessionTicket handshake message, which can be -+ * obtained with gnutls_record_get_max_early_data_size(). - * - * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, - * otherwise a negative error code is returned. -@@ -133,11 +134,7 @@ size_t gnutls_record_get_max_early_data_size(gnutls_session_t session) - **/ - int gnutls_record_set_max_early_data_size(gnutls_session_t session, size_t size) - { -- if (session->security_parameters.entity == GNUTLS_CLIENT) -- return GNUTLS_E_INVALID_REQUEST; -- -- /* Reject zero as well, as it is useless. 
*/ -- if (size == 0 || size > UINT32_MAX) -+ if (size > UINT32_MAX) - return GNUTLS_E_INVALID_REQUEST; - - session->security_parameters.max_early_data_size = (uint32_t)size; --- -2.48.1 - - -From b8c6d896acc267b3dc00d2ac7c9f8a7f60329d28 Mon Sep 17 00:00:00 2001 +From 54c06a9cd7bcf8f245cf5f9da760f91939259f69 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 16 Feb 2025 09:02:46 +0900 -Subject: [PATCH 2/3] serv: fix detection of early data reception +Subject: [PATCH 1/3] serv: fix detection of early data reception Upon success, gnutls_record_recv_early_data returns the amount of data received, so the application should treat positive numbers as an @@ -76,120 +26,171 @@ index 17db12c5ca..86008c9523 100644 } } -- -2.48.1 +2.49.0 -From 6beabd3aab2990930022c3f77a02b4a5937071d1 Mon Sep 17 00:00:00 2001 +From 8c488288ea05a759977dccd4ee4d61610da4dc38 Mon Sep 17 00:00:00 2001 From: Daiki Ueno -Date: Sun, 16 Feb 2025 09:04:23 +0900 -Subject: [PATCH 3/3] cli: preserve negotiated max_early_data_size across - resumption +Date: Mon, 17 Mar 2025 09:00:44 +0900 +Subject: [PATCH 2/3] cli: send early data only after session data is set + +Now that max_early_data_size is recorded as part of the stored +resumption data, this needs to be read before attempting to send early +data. 
Signed-off-by: Daiki Ueno --- - src/cli.c | 10 ++++++++-- - src/socket.c | 13 +++++++++++-- - src/socket.h | 11 +++-------- - 3 files changed, 22 insertions(+), 12 deletions(-) + src/socket.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) -diff --git a/src/cli.c b/src/cli.c -index 4f53b1a02a..5f7199b9f2 100644 ---- a/src/cli.c -+++ b/src/cli.c -@@ -997,6 +997,7 @@ static int try_resume(socket_st *hd) - int ret, socket_flags = SOCKET_FLAG_DONT_PRINT_ERRORS; - gnutls_datum_t rdata = { NULL, 0 }; - gnutls_datum_t edata = { NULL, 0 }; -+ size_t max_early_data_size = 0; - - if (gnutls_session_is_resumed(hd->session) == 0) { - do { -@@ -1010,6 +1011,11 @@ static int try_resume(socket_st *hd) - GNUTLS_TLS1_3) || - ((gnutls_session_get_flags(hd->session) & - GNUTLS_SFLAGS_SESSION_TICKET))) { -+ max_early_data_size = -+ gnutls_record_get_max_early_data_size( -+ hd->session); -+ log_msg(stdout, "- Max early data size: %zu\n", -+ max_early_data_size); - break; - } - } while (waitresumption); -@@ -1052,7 +1058,7 @@ static int try_resume(socket_st *hd) - - socket_open_int(hd, hostname, service, OPT_ARG(STARTTLS_PROTO), - OPT_ARG(STARTTLS_NAME), socket_flags, CONNECT_MSG, -- &rdata, &edata, NULL, NULL); -+ &rdata, &edata, max_early_data_size, NULL, NULL); - - log_msg(stdout, "- Resume Handshake was completed\n"); - if (gnutls_session_is_resumed(hd->session) != 0) -@@ -1365,7 +1371,7 @@ int main(int argc, char **argv) - - socket_open_int(&hd, hostname, service, OPT_ARG(STARTTLS_PROTO), - OPT_ARG(STARTTLS_NAME), socket_flags, CONNECT_MSG, NULL, -- NULL, server_fp, client_fp); -+ NULL, 0, server_fp, client_fp); - - hd.verbose = verbose; - diff --git a/src/socket.c b/src/socket.c -index 48784b67fa..1b9d35a589 100644 +index 48784b67fa..f32910c239 100644 --- a/src/socket.c 
+++ b/src/socket.c -@@ -461,8 +461,8 @@ inline static int wrap_pull_timeout_func(gnutls_transport_ptr_t ptr, - void socket_open_int(socket_st *hd, const char *hostname, const char *service, - const char *app_proto, const char *app_hostname, int flags, - const char *msg, gnutls_datum_t *rdata, -- gnutls_datum_t *edata, FILE *server_trace, -- FILE *client_trace) -+ gnutls_datum_t *edata, size_t max_early_data_size, -+ FILE *server_trace, FILE *client_trace) - { - struct addrinfo hints, *res, *ptr; - int sd, err = 0; -@@ -581,6 +581,15 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service, +@@ -580,6 +580,11 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service, + } if (hd->session) { ++ if (hd->rdata.data) { ++ gnutls_session_set_data(hd->session, ++ hd->rdata.data, ++ hd->rdata.size); ++ } if (hd->edata.data) { -+ ret = gnutls_record_set_max_early_data_size( -+ hd->session, max_early_data_size); -+ if (ret < 0) { -+ fprintf(stderr, -+ "error setting max early data size to %zu\n", -+ max_early_data_size); -+ close(sd); -+ exit(1); -+ } ret = gnutls_record_send_early_data( hd->session, hd->edata.data, - hd->edata.size); -diff --git a/src/socket.h b/src/socket.h -index 680ca16ade..2696e6f922 100644 ---- a/src/socket.h -+++ b/src/socket.h -@@ -52,17 +52,12 @@ ssize_t socket_send_range(const socket_st *socket, const void *buffer, - void socket_open_int(socket_st *hd, const char *hostname, const char *service, - const char *app_proto, const char *app_hostname, int flags, - const char *msg, gnutls_datum_t *rdata, -- gnutls_datum_t *edata, FILE *server_trace, -- FILE *client_trace); -+ gnutls_datum_t *edata, size_t max_early_data_size, -+ FILE *server_trace, FILE *client_trace); - - #define socket_open(hd, host, service, app_proto, flags, msg, rdata) \ - socket_open_int(hd, host, service, app_proto, NULL, flags, msg, rdata, \ -- NULL, NULL, NULL) -- --#define socket_open2(hd, host, service, app_proto, flags, msg, rdata, 
edata, \ -- server_trace, client_trace) \ -- socket_open_int(hd, host, service, app_proto, NULL, flags, msg, rdata, \ -- edata, server_trace, client_trace) -+ NULL, 0, NULL, NULL) - - void socket_bye(socket_st *socket, unsigned polite); +@@ -591,11 +596,6 @@ void socket_open_int(socket_st *hd, const char *hostname, const char *service, + exit(1); + } + } +- if (hd->rdata.data) { +- gnutls_session_set_data(hd->session, +- hd->rdata.data, +- hd->rdata.size); +- } + if (client_trace || server_trace) { + hd->server_trace = server_trace; -- -2.48.1 +2.49.0 + + +From 56fa5e1901fe40a97553cf3141a4d205c4286702 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 16 Feb 2025 09:04:50 +0900 +Subject: [PATCH 3/3] tests: add basic tests for 0-RTT with gnutls-serv and + gnutls-cli + +Signed-off-by: Daiki Ueno +--- + tests/Makefile.am | 2 +- + tests/gnutls-cli-earlydata.sh | 84 +++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100755 tests/gnutls-cli-earlydata.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index ec8fd982c5..72926e9da4 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -546,7 +546,7 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start + sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \ + serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \ + server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \ +- sanity-lib.sh ++ sanity-lib.sh gnutls-cli-earlydata.sh + + if !DISABLE_SYSTEM_CONFIG + dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ +diff --git a/tests/gnutls-cli-earlydata.sh b/tests/gnutls-cli-earlydata.sh +new file mode 100755 +index 0000000000..72763f029f +--- /dev/null ++++ b/tests/gnutls-cli-earlydata.sh +@@ -0,0 +1,84 @@ ++#!/bin/sh ++ ++# Copyright (C) 2025 Red Hat, Inc. ++# ++# Author: Daiki Ueno ++# ++# This file is part of GnuTLS. 
++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program. If not, see ++# ++ ++: ${srcdir=.} ++: ${SERV=../src/gnutls-serv${EXEEXT}} ++: ${CLI=../src/gnutls-cli${EXEEXT}} ++unset RETCODE ++ ++if ! test -x "$SERV"; then ++ exit 77 ++fi ++ ++if ! test -x "$CLI"; then ++ exit 77 ++fi ++ ++if test "$WINDIR" != ""; then ++ exit 77 ++fi ++ ++if test -n "$VALGRIND"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute $VALGRIND --error-exitcode=1" ++fi ++ ++SERV="$SERV -q" ++ ++. "$srcdir/scripts/common.sh" ++ ++: ${ac_cv_sizeof_time_t=8} ++if test "$ac_cv_sizeof_time_t" -ge 8; then ++ ATTIME_VALID="2038-10-12" # almost the pregenerated cert expiration ++else ++ ATTIME_VALID="2030-12-17" # end of epoch − 2590 days of validity ++fi ++ ++testdir=`create_testdir earlydata` ++KEY="$srcdir/../doc/credentials/x509/key-ecc.pem" ++CERT="$srcdir/../doc/credentials/x509/cert-ecc.pem" ++CACERT="$srcdir/../doc/credentials/x509/ca.pem" ++ ++eval "$GETPORT" ++launch_server --echo --x509keyfile "$KEY" --x509certfile "$CERT" --disable-client-cert --earlydata --maxearlydata 1000 ++PID=$! ++wait_server "$PID" ++ ++echo "This is a test message" > "$testdir/earlydata.txt" ++ ++$VALGRIND "$CLI" --attime="$ATTIME_VALID" -p "$PORT" localhost --logfile="$testdir/cli.log" --priority="NORMAL:-VERS-ALL:+VERS-TLS1.3" --x509cafile "$CACERT" --resume --waitresumption --earlydata="$testdir/earlydata.txt" "$testdir/cli.out" ++if test $? 
-ne 0; then ++ cat "$testdir/cli.log" ++ fail "$PID" "failed to communicate with the server" ++fi ++ ++if ! grep "This is a resumed session" "$testdir/cli.log" > /dev/null; then ++ fail "$PID" "session is not resumed" ++fi ++ ++if ! cmp "$testdir/earlydata.txt" "$testdir/cli.out" > /dev/null; then ++ fail "$PID" "early data has not been sent back" ++fi ++ ++kill "$PID" ++wait ++ ++exit 0 +-- +2.49.0 diff --git a/gnutls.spec b/gnutls.spec index 72d2d17..7090793 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -32,7 +32,7 @@ Patch: gnutls-3.8.8-tests-ktls-skip-tls12-chachapoly.patch Patch: gnutls-3.8.9-allow-rsa-pkcs1-encrypt.patch # upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1930 Patch: gnutls-3.8.9-limit-shuffle-extensions.patch -# not upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 +# upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1936 Patch: gnutls-3.8.9-cli-earlydata.patch # upstreamed: https://gitlab.com/gnutls/gnutls/-/merge_requests/1942 Patch: gnutls-3.8.9-leancrypto-init.patch
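Review bot: The return value of `gnutls_session_set_data()` is still discarded in the block the new src/socket.c hunk moves above the early-data branch, so a resumption blob that the library rejects (corrupt, wrong version, mismatched parameters) is silently ignored and the client proceeds to `gnutls_record_send_early_data()` with whatever `max_early_data_size` the fresh session happens to carry, which is exactly the state the reordering is meant to avoid. The early-data branch directly below already checks `ret < 0`, prints to stderr, closes `sd` and exits, so the same treatment fits: `ret = gnutls_session_set_data(hd->session, hd->rdata.data, hd->rdata.size);` followed by `if (ret < 0) { fprintf(stderr, "error setting session data: %s\n", gnutls_strerror(ret)); close(sd); exit(1); }`. The new tests/gnutls-cli-earlydata.sh only exercises the success path (it checks for the "This is a resumed session" log line and compares the echoed file), so it would not surface such a silent failure either. `socket_open_int()` both starts and ends outside this hunk.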