rpms/gnutls
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c1f8e66db2
gnutls/gnutls-3.7.8-ktls_minor_fixes.patch
Frantisek Krenzelok c1f8e66db2
KTLS additional ciphersuites 
Key update supported for patched kernels [1]

Configuration option `ktls = false` [2]

following ciphersuites are now supported: [3]
* TLS_AES_128_CCM_SHA256
* TLS_CHACHA20_POLY1305_SHA256

Ivalidate session on KTLS error as there is no way to recover and new
sockets as well as session have to be created. [4]

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1625
[2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1673/diffs?commit_id=aefd7319c0b7b2410d06238246b7755b289e4837
[3] https://gitlab.com/gnutls/gnutls/-/merge_requests/1676
[4] https://gitlab.com/gnutls/gnutls/-/merge_requests/1664

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
2023-01-20 19:17:15 +01:00

156 lines
4.7 KiB
Diff
Raw Blame History

From ccf4463f343a9394a22833ee1de7886e459d3c91 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:17:12 +0900
Subject: [PATCH 1/3] includes: move KTLS function definition out of
<gnutls/socket.h>
<gnutls/socket.h> is meant for the functions that depend on
<sys/socket.h>, which is not available on Windows platforms.
As the KTLS API doesn't rely on <sys/socket.h>, move the function and
enum to <gnutls/gnutls.h>.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/includes/gnutls/gnutls.h.in | 21 +++++++++++++++++++++
lib/includes/gnutls/socket.h | 21 ---------------------
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 394d465e3..830ce5f95 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3421,6 +3421,27 @@ int gnutls_fips140_pop_context(void);
int gnutls_fips140_run_self_tests(void);
+/**
+ * gnutls_transport_ktls_enable_flags_t:
+ * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
+ * @GNUTLS_KTLS_SEND: ktls enabled for send function.
+ * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
+ *
+ * Flag enumeration of ktls enable status for recv and send functions.
+ * This is used by gnutls_transport_is_ktls_enabled().
+ *
+ * Since: 3.7.3
+ */
+typedef enum {
+ GNUTLS_KTLS_RECV = 1 << 0,
+ GNUTLS_KTLS_SEND = 1 << 1,
+ GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
+} gnutls_transport_ktls_enable_flags_t;
+
+
+gnutls_transport_ktls_enable_flags_t
+gnutls_transport_is_ktls_enabled(gnutls_session_t session);
+
/* Gnutls error codes. The mapping to a TLS alert is also shown in
* comments.
*/
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
index 4df7bb2e0..64eb19f89 100644
--- a/lib/includes/gnutls/socket.h
+++ b/lib/includes/gnutls/socket.h
@@ -37,27 +37,6 @@ extern "C" {
#endif
/* *INDENT-ON* */
-/**
- * gnutls_transport_ktls_enable_flags_t:
- * @GNUTLS_KTLS_RECV: ktls enabled for recv function.
- * @GNUTLS_KTLS_SEND: ktls enabled for send function.
- * @GNUTLS_KTLS_DUPLEX: ktls enabled for both recv and send functions.
- *
- * Flag enumeration of ktls enable status for recv and send functions.
- * This is used by gnutls_transport_is_ktls_enabled().
- *
- * Since: 3.7.3
- */
-typedef enum {
- GNUTLS_KTLS_RECV = 1 << 0,
- GNUTLS_KTLS_SEND = 1 << 1,
- GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
-} gnutls_transport_ktls_enable_flags_t;
-
-
-gnutls_transport_ktls_enable_flags_t
-gnutls_transport_is_ktls_enabled(gnutls_session_t session);
-
void gnutls_transport_set_fastopen(gnutls_session_t session,
int fd,
struct sockaddr *connect_addr,
--
2.38.1
From 90b036e82a95f9379d99d5cabd0e33905d1e3ddc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:13:31 +0900
Subject: [PATCH 2/3] src: print KTLS enablement status in
gnutls-serv/gnutls-cli
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
src/common.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/common.c b/src/common.c
index 6d2056f95..d357c7fb8 100644
--- a/src/common.c
+++ b/src/common.c
@@ -498,6 +498,7 @@ int print_info(gnutls_session_t session, int verbose, int flags)
gnutls_datum_t p;
char *desc;
gnutls_protocol_t version;
+ gnutls_transport_ktls_enable_flags_t ktls_flags;
int rc;
desc = gnutls_session_get_desc(session);
@@ -646,6 +647,15 @@ int print_info(gnutls_session_t session, int verbose, int flags)
print_channel_bindings(session, verbose);
+ ktls_flags = gnutls_transport_is_ktls_enabled(session);
+ if (ktls_flags != 0) {
+ log_msg(stdout, "- KTLS: %s\n",
+ (ktls_flags & GNUTLS_KTLS_DUPLEX) == GNUTLS_KTLS_DUPLEX ? "send, recv" :
+ (ktls_flags & GNUTLS_KTLS_SEND) == GNUTLS_KTLS_SEND ? "send" :
+ (ktls_flags & GNUTLS_KTLS_RECV) == GNUTLS_KTLS_RECV ? "recv" :
+ "unknown");
+ }
+
fflush(stdout);
return 0;
--
2.38.1
From aefd7319c0b7b2410d06238246b7755b289e4837 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 28 Nov 2022 12:15:26 +0900
Subject: [PATCH 3/3] priority: accept "ktls = false" in configuration file
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/priority.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/priority.c b/lib/priority.c
index 97831e63b..6266bb571 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1548,6 +1548,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
p = clear_spaces(value, str);
if (c_strcasecmp(p, "true") == 0) {
cfg->ktls_enabled = true;
+ } else if (c_strcasecmp(p, "false") == 0) {
+ cfg->ktls_enabled = false;
} else {
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
p);
--
2.38.1
Reference in New Issue View Git Blame Copy Permalink