From b1faf8da338580679545297236e4bbf824183935 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 27 Jun 2022 19:17:29 +0100
Subject: [PATCH] lib: Display kTLS status
|
|
|
|
In debug output, for gnutls builds supporting kTLS (kernel- or
hardware-accelerated TLS), display the status.
|
|
|
|
Typical output:
|
|
|
|
libnbd: debug: nbd1: nbd_connect_uri: connection is using TLS: cipher AES-256-GCM (256 bits) key exchange ECDHE-RSA mac AEAD (0 bits) kTLS disabled
(cherry picked from commit 764284e71986081e7a8b6969541aab76d38e35ce)
---
configure.ac | 4 +++-
lib/crypto.c | 26 ++++++++++++++++++++++++--
2 files changed, 27 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
index e89c17c..b2137cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,7 +175,9 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
old_LIBS="$LIBS"
LIBS="$GNUTLS_LIBS $LIBS"
AC_CHECK_FUNCS([\
- gnutls_session_set_verify_cert])
+ gnutls_session_set_verify_cert \
+ gnutls_transport_is_ktls_enabled \
+ ])
LIBS="$old_LIBS"
])
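Review bot: AC_CHECK_FUNCS only proves that gnutls_transport_is_ktls_enabled links; it says nothing about the header it lives in, yet the first lib/crypto.c hunk adds `#include <gnutls/socket.h>` unconditionally under HAVE_GNUTLS rather than under the new HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED macro. If a supported gnutls release predates that header (I cannot confirm the minimum version from the patch), the build would now fail even though the function check correctly reported the feature as absent. Adding `AC_CHECK_HEADERS([gnutls/socket.h])` next to the function check and guarding the include with `#ifdef HAVE_GNUTLS_SOCKET_H` keeps the two checks consistent. The AS_IF block that this hunk sits in starts before the hunk.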
|
|
|
|
diff --git a/lib/crypto.c b/lib/crypto.c
index 7eed490..1272888 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -28,6 +28,7 @@
|
|
|
|
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
+#include <gnutls/socket.h>
#endif
|
|
|
|
#include "internal.h"
@@ -703,15 +704,36 @@ nbd_internal_crypto_debug_tls_enabled (struct nbd_handle *h)
const gnutls_cipher_algorithm_t cipher = gnutls_cipher_get (session);
const gnutls_kx_algorithm_t kx = gnutls_kx_get (session);
const gnutls_mac_algorithm_t mac = gnutls_mac_get (session);
+#ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED
+ const char *ktls_status;
+ gnutls_transport_ktls_enable_flags_t ktls_enabled;
+#else
+ const char *ktls_status = "disabled";
+#endif
+
+#ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED
+ ktls_enabled = gnutls_transport_is_ktls_enabled (session);
+ switch (ktls_enabled) {
+ case GNUTLS_KTLS_RECV: ktls_status = "enabled receive only"; break;
+ case GNUTLS_KTLS_SEND: ktls_status = "enabled send only"; break;
+ case GNUTLS_KTLS_DUPLEX: ktls_status = "enabled"; break;
+ default:
+ if ((int) ktls_enabled == 0)
+ ktls_status = "disabled";
+ else
+ ktls_status = "unknown";
+ }
+#endif
|
|
|
|
debug (h,
"connection is using TLS: "
- "cipher %s (%zu bits) key exchange %s mac %s (%zu bits)",
+ "cipher %s (%zu bits) key exchange %s mac %s (%zu bits) kTLS %s",
gnutls_cipher_get_name (cipher),
8 * gnutls_cipher_get_key_size (cipher),
gnutls_kx_get_name (kx),
gnutls_mac_get_name (mac),
- 8 * gnutls_mac_get_key_size (mac)
+ 8 * gnutls_mac_get_key_size (mac),
+ ktls_status
);
}
}
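Review bot: The kTLS status is computed across two separate `#ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED` blocks, the first declaring `ktls_status` uninitialized and `ktls_enabled`, the second filling them in, with a duplicate `#else` declaration of `ktls_status` and a `default:` branch whose only job is to map 0 back to "disabled". Declaring `const char *ktls_status = "disabled";` once, unconditionally, lets both the `#else` block and the zero check disappear, and the query can then be a single const initialisation inside one `#ifdef` block, which also removes the window in which `ktls_status` is an uninitialised pointer; the file already mixes `const` declarations with code at the top of this block, so no new language feature is needed. The surrounding function `nbd_internal_crypto_debug_tls_enabled` begins before this hunk, so the `session` variable and the outer braces are not visible here.
```c
  const gnutls_mac_algorithm_t mac = gnutls_mac_get (session);
  const char *ktls_status = "disabled";
#ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED
  const gnutls_transport_ktls_enable_flags_t ktls_enabled =
    gnutls_transport_is_ktls_enabled (session);
  switch (ktls_enabled) {
  case GNUTLS_KTLS_RECV: ktls_status = "enabled receive only"; break;
  case GNUTLS_KTLS_SEND: ktls_status = "enabled send only"; break;
  case GNUTLS_KTLS_DUPLEX: ktls_status = "enabled"; break;
  default:
    /* 0 keeps the "disabled" default; anything else is a value we do not know. */
    if ((int) ktls_enabled != 0)
      ktls_status = "unknown";
  }
#endif
  /* … unchanged: debug () call printing cipher, kx, mac and ktls_status … */
```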
--
2.31.1