rpms / gnutls

Clone
Source Code
GIT

Blame SOURCES/gnutls-3.7.6-ktls-fixes.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   e79d4ba7ff6b4d7c5ac04ac2de68cef0ba709c4a
  2.   SOURCES
  3.   gnutls-3.7.6-ktls-fixes.patch
Blob History Raw
e79d4b 
From 7b700dbcd5907944a7dd2f74cd26ad8586cd4bac Mon Sep 17 00:00:00 2001
e79d4b 
From: Daiki Ueno <ueno@gnu.org>
e79d4b 
Date: Tue, 28 Jun 2022 09:37:22 +0900
e79d4b 
Subject: [PATCH 1/3] tests: enable KTLS config while running gnutls_ktls test
e79d4b
e79d4b 
Signed-off-by: Daiki Ueno <ueno@gnu.org>
e79d4b 
---
e79d4b 
 tests/Makefile.am   |  9 +++++----
e79d4b 
 tests/gnutls_ktls.c |  4 ++--
e79d4b 
 tests/ktls.sh       | 46 +++++++++++++++++++++++++++++++++++++++++++++
e79d4b 
 3 files changed, 53 insertions(+), 6 deletions(-)
e79d4b 
 create mode 100755 tests/ktls.sh
e79d4b
e79d4b 
diff --git a/tests/Makefile.am b/tests/Makefile.am
e79d4b 
index 4deeb6462b..cba67e8db8 100644
e79d4b 
--- a/tests/Makefile.am
e79d4b 
+++ b/tests/Makefile.am
e79d4b 
@@ -441,10 +441,6 @@ ctests += x509self x509dn anonself pskself pskself2 dhepskself	\
e79d4b 
 	resume-with-record-size-limit
e79d4b 
 endif
e79d4b
e79d4b 
-if ENABLE_KTLS
e79d4b 
-ctests += gnutls_ktls
e79d4b 
-endif
e79d4b 
-
e79d4b 
 ctests += record-sendfile
e79d4b
e79d4b 
 gc_CPPFLAGS = $(AM_CPPFLAGS) \
e79d4b 
@@ -500,6 +496,11 @@ if ENABLE_TPM2
e79d4b 
 dist_check_SCRIPTS += tpm2.sh
e79d4b 
 endif
e79d4b
e79d4b 
+if ENABLE_KTLS
e79d4b 
+indirect_tests += gnutls_ktls
e79d4b 
+dist_check_SCRIPTS += ktls.sh
e79d4b 
+endif
e79d4b 
+
e79d4b 
 if !WINDOWS
e79d4b
e79d4b 
 #
e79d4b 
diff --git a/tests/gnutls_ktls.c b/tests/gnutls_ktls.c
e79d4b 
index 3966e2b10a..8f9c5fa36e 100644
e79d4b 
--- a/tests/gnutls_ktls.c
e79d4b 
+++ b/tests/gnutls_ktls.c
e79d4b 
@@ -84,7 +84,7 @@ static void client(int fd, const char *prio)
e79d4b
e79d4b 
 	ret = gnutls_transport_is_ktls_enabled(session);
e79d4b 
 	if (!(ret & GNUTLS_KTLS_RECV)){
e79d4b 
-		fail("client: KTLS was not properly inicialized\n");
e79d4b 
+		fail("client: KTLS was not properly initialized\n");
e79d4b 
 		goto end;
e79d4b 
 	}
e79d4b
e79d4b 
@@ -208,7 +208,7 @@ static void server(int fd, const char *prio)
e79d4b
e79d4b 
 	ret = gnutls_transport_is_ktls_enabled(session);
e79d4b 
 	if (!(ret & GNUTLS_KTLS_SEND)){
e79d4b 
-		fail("server: KTLS was not properly inicialized\n");
e79d4b 
+		fail("server: KTLS was not properly initialized\n");
e79d4b 
 		goto end;
e79d4b 
 	}
e79d4b 
 	do {
e79d4b 
diff --git a/tests/ktls.sh b/tests/ktls.sh
e79d4b 
new file mode 100755
e79d4b 
index 0000000000..ba52bd5775
e79d4b 
--- /dev/null
e79d4b 
+++ b/tests/ktls.sh
e79d4b 
@@ -0,0 +1,46 @@
e79d4b 
+#!/bin/sh
e79d4b 
+
e79d4b 
+# Copyright (C) 2022 Red Hat, Inc.
e79d4b 
+#
e79d4b 
+# Author: Daiki Ueno
e79d4b 
+#
e79d4b 
+# This file is part of GnuTLS.
e79d4b 
+#
e79d4b 
+# GnuTLS is free software; you can redistribute it and/or modify it
e79d4b 
+# under the terms of the GNU General Public License as published by the
e79d4b 
+# Free Software Foundation; either version 3 of the License, or (at
e79d4b 
+# your option) any later version.
e79d4b 
+#
e79d4b 
+# GnuTLS is distributed in the hope that it will be useful, but
e79d4b 
+# WITHOUT ANY WARRANTY; without even the implied warranty of
e79d4b 
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
e79d4b 
+# General Public License for more details.
e79d4b 
+#
e79d4b 
+# You should have received a copy of the GNU General Public License
e79d4b 
+# along with GnuTLS; if not, write to the Free Software Foundation,
e79d4b 
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
e79d4b 
+
e79d4b 
+: ${builddir=.}
e79d4b 
+
e79d4b 
+. "$srcdir/scripts/common.sh"
e79d4b 
+
e79d4b 
+if ! grep '^tls ' /proc/modules 2>1 >& /dev/null; then
e79d4b 
+    exit 77
e79d4b 
+fi
e79d4b 
+
e79d4b 
+testdir=`create_testdir ktls`
e79d4b 
+
e79d4b 
+cfg="$testdir/config"
e79d4b 
+
e79d4b 
+cat <<EOF > "$cfg"
e79d4b 
+[global]
e79d4b 
+ktls = true
e79d4b 
+EOF
e79d4b 
+
e79d4b 
+GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
e79d4b 
+GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
e79d4b 
+"$builddir/gnutls_ktls" "$@"
e79d4b 
+rc=$?
e79d4b 
+
e79d4b 
+rm -rf "$testdir"
e79d4b 
+exit $rc
e79d4b 
--
e79d4b 
2.36.1
e79d4b
e79d4b
e79d4b 
From 4a492462535a7f3a831685d3cf420b50ef219511 Mon Sep 17 00:00:00 2001
e79d4b 
From: Daiki Ueno <ueno@gnu.org>
e79d4b 
Date: Tue, 28 Jun 2022 10:23:33 +0900
e79d4b 
Subject: [PATCH 2/3] handshake: do not reset KTLS enablement in
e79d4b 
 gnutls_handshake
e79d4b
e79d4b 
As gnutls_handshake can be repeatedly called upon non-blocking setup,
e79d4b 
we shouldn't try to call setsockopt for KTLS upon every call.
e79d4b
e79d4b 
Signed-off-by: Daiki Ueno <ueno@gnu.org>
e79d4b 
---
e79d4b 
 lib/handshake.c | 12 ++++++------
e79d4b 
 1 file changed, 6 insertions(+), 6 deletions(-)
e79d4b
e79d4b 
diff --git a/lib/handshake.c b/lib/handshake.c
e79d4b 
index 4dd457bf22..3886306eb4 100644
e79d4b 
--- a/lib/handshake.c
e79d4b 
+++ b/lib/handshake.c
e79d4b 
@@ -2813,12 +2813,6 @@ int gnutls_handshake(gnutls_session_t session)
e79d4b 
 	const version_entry_st *vers = get_version(session);
e79d4b 
 	int ret;
e79d4b
e79d4b 
-	session->internals.ktls_enabled = 0;
e79d4b 
-#ifdef ENABLE_KTLS
e79d4b 
-	if (_gnutls_config_is_ktls_enabled() == true)
e79d4b 
-		_gnutls_ktls_enable(session);
e79d4b 
-#endif
e79d4b 
-
e79d4b 
 	if (unlikely(session->internals.initial_negotiation_completed)) {
e79d4b 
 		if (vers->tls13_sem) {
e79d4b 
 			if (session->security_parameters.entity == GNUTLS_CLIENT) {
e79d4b 
@@ -2864,6 +2858,12 @@ int gnutls_handshake(gnutls_session_t session)
e79d4b 
 			end->tv_nsec =
e79d4b 
 				(start->tv_nsec + tmo_ms * 1000000LL) % 1000000000LL;
e79d4b 
 		}
e79d4b 
+
e79d4b 
+#ifdef ENABLE_KTLS
e79d4b 
+		if (_gnutls_config_is_ktls_enabled()) {
e79d4b 
+			_gnutls_ktls_enable(session);
e79d4b 
+		}
e79d4b 
+#endif
e79d4b 
 	}
e79d4b
e79d4b 
 	if (session->internals.recv_state == RECV_STATE_FALSE_START) {
e79d4b 
--
e79d4b 
2.36.1
e79d4b
e79d4b
e79d4b 
From ce13208e13b5dec73993c583d4c64ab7714e4a7a Mon Sep 17 00:00:00 2001
e79d4b 
From: Daiki Ueno <ueno@gnu.org>
e79d4b 
Date: Tue, 28 Jun 2022 10:53:55 +0900
e79d4b 
Subject: [PATCH 3/3] ktls: _gnutls_ktls_enable: fix GNUTLS_KTLS_SEND
e79d4b 
 calculation
e79d4b
e79d4b 
Previously, if the first setsockopt for GNUTLS_KTLS_RECV fails and the
e79d4b 
same socket is used for both sending and receiving, GNUTLS_KTLS_SEND
e79d4b 
was unconditionally set.  This fixes the conditions and also adds more
e79d4b 
logging.
e79d4b
e79d4b 
Signed-off-by: Daiki Ueno <ueno@gnu.org>
e79d4b 
---
e79d4b 
 lib/system/ktls.c | 21 ++++++++++++++++-----
e79d4b 
 1 file changed, 16 insertions(+), 5 deletions(-)
e79d4b
e79d4b 
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
e79d4b 
index b9f7a73fb5..ddf27fac76 100644
e79d4b 
--- a/lib/system/ktls.c
e79d4b 
+++ b/lib/system/ktls.c
e79d4b 
@@ -47,7 +47,7 @@
e79d4b 
 gnutls_transport_ktls_enable_flags_t
e79d4b 
 gnutls_transport_is_ktls_enabled(gnutls_session_t session){
e79d4b 
 	if (unlikely(!session->internals.initial_negotiation_completed)){
e79d4b 
-		_gnutls_debug_log("Initial negotiation is not yet complete");
e79d4b 
+		_gnutls_debug_log("Initial negotiation is not yet complete\n");
e79d4b 
 		return 0;
e79d4b 
 	}
e79d4b
e79d4b 
@@ -57,16 +57,27 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
e79d4b 
 void _gnutls_ktls_enable(gnutls_session_t session)
e79d4b 
 {
e79d4b 
 	int sockin, sockout;
e79d4b 
+
e79d4b 
 	gnutls_transport_get_int2(session, &sockin, &sockout);
e79d4b
e79d4b 
-	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
e79d4b 
+	if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
e79d4b 
 		session->internals.ktls_enabled |= GNUTLS_KTLS_RECV;
e79d4b 
+		if (sockin == sockout) {
e79d4b 
+			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
e79d4b 
+		}
e79d4b 
+	} else {
e79d4b 
+		_gnutls_record_log("Unable to set TCP_ULP for read socket: %d\n",
e79d4b 
+				   errno);
e79d4b 
+	}
e79d4b
e79d4b 
 	if (sockin != sockout) {
e79d4b 
-		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
e79d4b 
+		if (setsockopt(sockout, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) {
e79d4b 
 			session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
e79d4b 
-	} else
e79d4b 
-		session->internals.ktls_enabled |= GNUTLS_KTLS_SEND;
e79d4b 
+		} else {
e79d4b 
+			_gnutls_record_log("Unable to set TCP_ULP for write socket: %d\n",
e79d4b 
+					   errno);
e79d4b 
+		}
e79d4b 
+	}
e79d4b 
 }
e79d4b
e79d4b 
 int _gnutls_ktls_set_keys(gnutls_session_t session)
e79d4b 
--
e79d4b 
2.36.1
e79d4b
e79d4b 
From 2d3cba6bb21acb40141180298f3924c73c7de8f8 Mon Sep 17 00:00:00 2001
e79d4b 
From: Daiki Ueno <ueno@gnu.org>
e79d4b 
Date: Tue, 26 Jul 2022 11:38:41 +0900
e79d4b 
Subject: [PATCH 1/2] handshake: do not enable KTLS if custom pull/push
e79d4b 
 functions are set
e79d4b
e79d4b 
If gnutls_transport_set_pull_function or
e79d4b 
gnutls_transport_set_push_function is used, we can't assume the
e79d4b 
underlying transport handle is an FD.
e79d4b
e79d4b 
Signed-off-by: Daiki Ueno <ueno@gnu.org>
e79d4b 
---
e79d4b 
 lib/handshake.c | 9 ++++++++-
e79d4b 
 1 file changed, 8 insertions(+), 1 deletion(-)
e79d4b
e79d4b 
diff --git a/lib/handshake.c b/lib/handshake.c
e79d4b 
index 3886306eb4..cf025a84f6 100644
e79d4b 
--- a/lib/handshake.c
e79d4b 
+++ b/lib/handshake.c
e79d4b 
@@ -2861,7 +2861,14 @@ int gnutls_handshake(gnutls_session_t session)
e79d4b
e79d4b 
 #ifdef ENABLE_KTLS
e79d4b 
 		if (_gnutls_config_is_ktls_enabled()) {
e79d4b 
-			_gnutls_ktls_enable(session);
e79d4b 
+			if (session->internals.pull_func ||
e79d4b 
+			    session->internals.push_func) {
e79d4b 
+				_gnutls_audit_log(session,
e79d4b 
+						  "Not enabling KTLS with "
e79d4b 
+						  "custom pull/push function\n");
e79d4b 
+			} else {
e79d4b 
+				_gnutls_ktls_enable(session);
e79d4b 
+			}
e79d4b 
 		}
e79d4b 
 #endif
e79d4b 
 	}
e79d4b 
--
e79d4b 
2.37.1
e79d4b
e79d4b
e79d4b 
From f7160e4fb970b4ba6f96e85e21f8395eae735d95 Mon Sep 17 00:00:00 2001
e79d4b 
From: Daiki Ueno <ueno@gnu.org>
e79d4b 
Date: Tue, 26 Jul 2022 11:39:57 +0900
e79d4b 
Subject: [PATCH 2/2] socket: only set pull/push functions when --save-*-trace
e79d4b 
 is used
e79d4b
e79d4b 
This allows gnutls-cli to use KTLS for the transport, unless either
e79d4b 
--save-client-trace or --save-server-trace is used.
e79d4b
e79d4b 
Signed-off-by: Daiki Ueno <ueno@gnu.org>
e79d4b 
---
e79d4b 
 src/socket.c | 16 ++++++++--------
e79d4b 
 1 file changed, 8 insertions(+), 8 deletions(-)
e79d4b
e79d4b 
diff --git a/src/socket.c b/src/socket.c
e79d4b 
index 39f18dbe18..36ac292700 100644
e79d4b 
--- a/src/socket.c
e79d4b 
+++ b/src/socket.c
e79d4b 
@@ -586,16 +586,16 @@ socket_open2(socket_st * hd, const char *hostname, const char *service,
e79d4b 
 				gnutls_session_set_data(hd->session, hd->rdata.data, hd->rdata.size);
e79d4b 
 			}
e79d4b
e79d4b 
-			if (server_trace)
e79d4b 
+			if (client_trace || server_trace) {
e79d4b 
 				hd->server_trace = server_trace;
e79d4b 
-
e79d4b 
-			if (client_trace)
e79d4b 
 				hd->client_trace = client_trace;
e79d4b 
-
e79d4b 
-			gnutls_transport_set_push_function(hd->session, wrap_push);
e79d4b 
-			gnutls_transport_set_pull_function(hd->session, wrap_pull);
e79d4b 
-			gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);
e79d4b 
-			gnutls_transport_set_ptr(hd->session, hd);
e79d4b 
+				gnutls_transport_set_push_function(hd->session, wrap_push);
e79d4b 
+				gnutls_transport_set_pull_function(hd->session, wrap_pull);
e79d4b 
+				gnutls_transport_set_pull_timeout_function(hd->session, wrap_pull_timeout_func);
e79d4b 
+				gnutls_transport_set_ptr(hd->session, hd);
e79d4b 
+			} else {
e79d4b 
+				gnutls_transport_set_int(hd->session, hd->fd);
e79d4b 
+			}
e79d4b 
 		}
e79d4b
e79d4b 
 		if (!(flags & SOCKET_FLAG_RAW) && !(flags & SOCKET_FLAG_SKIP_INIT)) {
e79d4b 
--
e79d4b 
2.37.1
e79d4b
e79d4b 
From a5b671fc9105cb5dbe6e6a1c0f39fa787d862076 Mon Sep 17 00:00:00 2001
e79d4b 
From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
e79d4b 
Date: Fri, 29 Jul 2022 10:38:42 +0200
e79d4b 
Subject: [PATCH] KTLS: hotfix
e79d4b
e79d4b 
session->internals.pull_func is set to system_read during gnutls_init()
e79d4b 
so check for user set pull/push function added in commit mentioned
e79d4b 
bellow will never pass.
e79d4b
e79d4b 
source: 2d3cba6bb21acb40141180298f3924c73c7de8f8
e79d4b
e79d4b 
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
e79d4b 
---
e79d4b 
 lib/handshake.c | 3 ++-
e79d4b 
 1 file changed, 2 insertions(+), 1 deletion(-)
e79d4b
e79d4b 
diff --git a/lib/handshake.c b/lib/handshake.c
e79d4b 
index cf025a84f6..21edc5ece9 100644
e79d4b 
--- a/lib/handshake.c
e79d4b 
+++ b/lib/handshake.c
e79d4b 
@@ -2861,7 +2861,8 @@ int gnutls_handshake(gnutls_session_t session)
e79d4b
e79d4b 
 #ifdef ENABLE_KTLS
e79d4b 
 		if (_gnutls_config_is_ktls_enabled()) {
e79d4b 
-			if (session->internals.pull_func ||
e79d4b 
+			if ((session->internals.pull_func &&
e79d4b 
+				session->internals.pull_func != system_read) ||
e79d4b 
 			    session->internals.push_func) {
e79d4b 
 				_gnutls_audit_log(session,
e79d4b 
 						  "Not enabling KTLS with "
e79d4b 
--
e79d4b 
2.37.1
e79d4b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation