| |
@@ -0,0 +1,957 @@
|
| |
+ From c83b9ecbe8e7e5442867281236d8c9e1bd227204 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Tue, 2 Aug 2022 15:00:50 +0200
|
| |
+ Subject: [PATCH 1/7] KTLS: set key on specific interfaces
|
| |
+
|
| |
+ It is now possible to set key on specific interface.
|
| |
+ If interface given is not ktls enabled then it will be ignored.
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/handshake.c | 2 +-
|
| |
+ lib/system/ktls.c | 12 +++++++-----
|
| |
+ lib/system/ktls.h | 7 ++++++-
|
| |
+ 3 files changed, 14 insertions(+), 7 deletions(-)
|
| |
+
|
| |
+ diff --git a/lib/handshake.c b/lib/handshake.c
|
| |
+ index 21edc5ece..cb2bc3ae9 100644
|
| |
+ --- a/lib/handshake.c
|
| |
+ +++ b/lib/handshake.c
|
| |
+ @@ -2924,7 +2924,7 @@ int gnutls_handshake(gnutls_session_t session)
|
| |
+
|
| |
+ #ifdef ENABLE_KTLS
|
| |
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
| |
+ - _gnutls_ktls_set_keys(session);
|
| |
+ + _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
| |
+ }
|
| |
+ #endif
|
| |
+
|
| |
+ diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
| |
+ index ddf27fac7..70b9b9b3a 100644
|
| |
+ --- a/lib/system/ktls.c
|
| |
+ +++ b/lib/system/ktls.c
|
| |
+ @@ -80,7 +80,7 @@ void _gnutls_ktls_enable(gnutls_session_t session)
|
| |
+ }
|
| |
+ }
|
| |
+
|
| |
+ -int _gnutls_ktls_set_keys(gnutls_session_t session)
|
| |
+ +int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in)
|
| |
+ {
|
| |
+ gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(session);
|
| |
+ gnutls_datum_t mac_key;
|
| |
+ @@ -107,7 +107,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
| |
+ return ret;
|
| |
+ }
|
| |
+
|
| |
+ - if(session->internals.ktls_enabled & GNUTLS_KTLS_RECV){
|
| |
+ + in &= session->internals.ktls_enabled;
|
| |
+ +
|
| |
+ + if(in & GNUTLS_KTLS_RECV){
|
| |
+ switch (cipher) {
|
| |
+ case GNUTLS_CIPHER_AES_128_GCM:
|
| |
+ {
|
| |
+ @@ -191,7 +193,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
| |
+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
|
| |
+ }
|
| |
+
|
| |
+ - if(session->internals.ktls_enabled & GNUTLS_KTLS_SEND){
|
| |
+ + if(in & GNUTLS_KTLS_SEND){
|
| |
+ switch (cipher) {
|
| |
+ case GNUTLS_CIPHER_AES_128_GCM:
|
| |
+ {
|
| |
+ @@ -269,7 +271,7 @@ int _gnutls_ktls_set_keys(gnutls_session_t session)
|
| |
+ }
|
| |
+ }
|
| |
+
|
| |
+ - return 0;
|
| |
+ + return in;
|
| |
+ }
|
| |
+
|
| |
+ ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
| |
+ @@ -465,7 +467,7 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session) {
|
| |
+ void _gnutls_ktls_enable(gnutls_session_t session) {
|
| |
+ }
|
| |
+
|
| |
+ -int _gnutls_ktls_set_keys(gnutls_session_t session) {
|
| |
+ +int _gnutls_ktls_set_keys(gnutls_session_t sessioni, gnutls_transport_ktls_enable_flags_t in) {
|
| |
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
| |
+ }
|
| |
+
|
| |
+ diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
| |
+ index 8a98a8eb8..c8059092d 100644
|
| |
+ --- a/lib/system/ktls.h
|
| |
+ +++ b/lib/system/ktls.h
|
| |
+ @@ -4,14 +4,19 @@
|
| |
+ #include "gnutls_int.h"
|
| |
+
|
| |
+ void _gnutls_ktls_enable(gnutls_session_t session);
|
| |
+ -int _gnutls_ktls_set_keys(gnutls_session_t session);
|
| |
+ +
|
| |
+ +int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable_flags_t in);
|
| |
+ +
|
| |
+ ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
| |
+ off_t *offset, size_t count);
|
| |
+ +
|
| |
+ int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
| |
+ const void *data, size_t data_size);
|
| |
+ #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
| |
+ +
|
| |
+ int _gnutls_ktls_recv_control_msg(gnutls_session_t session, unsigned char *record_type,
|
| |
+ void *data, size_t data_size);
|
| |
+ +
|
| |
+ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type, void *data, size_t data_size);
|
| |
+ #define _gnutls_ktls_recv(x, y, z) _gnutls_ktls_recv_int(x, GNUTLS_APPLICATION_DATA, y, z)
|
| |
+
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From f8c71030151e3a0d397e9712541236f1a76434a3 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Tue, 2 Aug 2022 13:35:39 +0200
|
| |
+ Subject: [PATCH 2/7] KTLS: set new keys for keyupdate
|
| |
+
|
| |
+ set new keys durring gnutls_session_key_update()
|
| |
+ setting keys
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/tls13/key_update.c | 9 +++++++++
|
| |
+ 1 file changed, 9 insertions(+)
|
| |
+
|
| |
+ diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
| |
+ index c6f6e0aa1..10c0a9110 100644
|
| |
+ --- a/lib/tls13/key_update.c
|
| |
+ +++ b/lib/tls13/key_update.c
|
| |
+ @@ -27,6 +27,7 @@
|
| |
+ #include "mem.h"
|
| |
+ #include "mbuffers.h"
|
| |
+ #include "secrets.h"
|
| |
+ +#include "system/ktls.h"
|
| |
+
|
| |
+ #define KEY_UPDATES_WINDOW 1000
|
| |
+ #define KEY_UPDATES_PER_WINDOW 8
|
| |
+ @@ -49,8 +50,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
| |
+ * write keys */
|
| |
+ if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
| |
+ ret = _tls13_write_connection_state_init(session, stage);
|
| |
+ + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
| |
+ + ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
| |
+ } else {
|
| |
+ ret = _tls13_connection_state_init(session, stage);
|
| |
+ +
|
| |
+ + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
| |
+ + ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
| |
+ + else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
| |
+ + ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
| |
+ +
|
| |
+ }
|
| |
+ if (ret < 0)
|
| |
+ return gnutls_assert_val(ret);
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From b93af37d972e02b095e14d4209bf5d5520a4893c Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Wed, 3 Aug 2022 14:20:35 +0200
|
| |
+ Subject: [PATCH 3/7] KTLS: send update key request
|
| |
+
|
| |
+ Set hanshake send function after interface initialization
|
| |
+ TODO: handel setting function differently
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/record.c | 23 ++++++++++++++++-------
|
| |
+ lib/system/ktls.c | 21 +++++++++++++++++++++
|
| |
+ lib/system/ktls.h | 5 +++++
|
| |
+ 3 files changed, 42 insertions(+), 7 deletions(-)
|
| |
+
|
| |
+ diff --git a/lib/record.c b/lib/record.c
|
| |
+ index fd24acaf1..aad128e1f 100644
|
| |
+ --- a/lib/record.c
|
| |
+ +++ b/lib/record.c
|
| |
+ @@ -2065,11 +2065,17 @@ gnutls_record_send2(gnutls_session_t session, const void *data,
|
| |
+ session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_3;
|
| |
+ FALLTHROUGH;
|
| |
+ case RECORD_SEND_KEY_UPDATE_3:
|
| |
+ - ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
| |
+ - -1, EPOCH_WRITE_CURRENT,
|
| |
+ - session->internals.record_key_update_buffer.data,
|
| |
+ - session->internals.record_key_update_buffer.length,
|
| |
+ - MBUFFER_FLUSH);
|
| |
+ + if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
| |
+ + return _gnutls_ktls_send(session,
|
| |
+ + session->internals.record_key_update_buffer.data,
|
| |
+ + session->internals.record_key_update_buffer.length);
|
| |
+ + } else {
|
| |
+ + ret = _gnutls_send_int(session, GNUTLS_APPLICATION_DATA,
|
| |
+ + -1, EPOCH_WRITE_CURRENT,
|
| |
+ + session->internals.record_key_update_buffer.data,
|
| |
+ + session->internals.record_key_update_buffer.length,
|
| |
+ + MBUFFER_FLUSH);
|
| |
+ + }
|
| |
+ _gnutls_buffer_clear(&session->internals.record_key_update_buffer);
|
| |
+ session->internals.rsend_state = RECORD_SEND_NORMAL;
|
| |
+ if (ret < 0)
|
| |
+ @@ -2494,8 +2500,11 @@ gnutls_handshake_write(gnutls_session_t session,
|
| |
+ return gnutls_assert_val(0);
|
| |
+
|
| |
+ /* When using this, the outgoing handshake messages should
|
| |
+ - * also be handled manually */
|
| |
+ - if (!session->internals.h_read_func)
|
| |
+ + * also be handled manually unless KTLS is enabled exclusively
|
| |
+ + * in GNUTLS_KTLS_RECV mode in which case the outgoing messages
|
| |
+ + * are handled by GnuTLS.
|
| |
+ + */
|
| |
+ + if (!session->internals.h_read_func && !IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV))
|
| |
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
|
| |
+
|
| |
+ if (session->internals.initial_negotiation_completed) {
|
| |
+ diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
| |
+ index 70b9b9b3a..5da0a8069 100644
|
| |
+ --- a/lib/system/ktls.c
|
| |
+ +++ b/lib/system/ktls.c
|
| |
+ @@ -269,6 +269,9 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
| |
+ default:
|
| |
+ assert(0);
|
| |
+ }
|
| |
+ + // set callback for sending handshake messages
|
| |
+ + gnutls_handshake_set_read_function(session,
|
| |
+ + _gnutls_ktls_send_handshake_msg);
|
| |
+ }
|
| |
+
|
| |
+ return in;
|
| |
+ @@ -355,6 +358,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
| |
+ return data_size;
|
| |
+ }
|
| |
+
|
| |
+ +int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
| |
+ + gnutls_record_encryption_level_t level,
|
| |
+ + gnutls_handshake_description_t htype,
|
| |
+ + const void *data, size_t data_size)
|
| |
+ +{
|
| |
+ + return _gnutls_ktls_send_control_msg(session, GNUTLS_HANDSHAKE,
|
| |
+ + data, data_size);
|
| |
+ +}
|
| |
+ +
|
| |
+ int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
| |
+ unsigned char *record_type, void *data, size_t data_size)
|
| |
+ {
|
| |
+ @@ -481,6 +493,15 @@ int _gnutls_ktls_send_control_msg(gnutls_session_t session,
|
| |
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
| |
+ }
|
| |
+
|
| |
+ +int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
| |
+ + gnutls_record_encryption_level_t level,
|
| |
+ + gnutls_handshake_description_t htype,
|
| |
+ + const void *data, size_t data_size)
|
| |
+ +{
|
| |
+ + (void)level;
|
| |
+ + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
| |
+ +}
|
| |
+ +
|
| |
+ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
| |
+ void *data, size_t data_size) {
|
| |
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
|
| |
+ diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
| |
+ index c8059092d..8d61a49df 100644
|
| |
+ --- a/lib/system/ktls.h
|
| |
+ +++ b/lib/system/ktls.h
|
| |
+ @@ -10,6 +10,11 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
| |
+ ssize_t _gnutls_ktls_send_file(gnutls_session_t session, int fd,
|
| |
+ off_t *offset, size_t count);
|
| |
+
|
| |
+ +int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
| |
+ + gnutls_record_encryption_level_t level,
|
| |
+ + gnutls_handshake_description_t htype,
|
| |
+ + const void *data, size_t data_size);
|
| |
+ +
|
| |
+ int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
| |
+ const void *data, size_t data_size);
|
| |
+ #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From 7128338208d092275ac72785f85019d16951fab9 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Mon, 22 Aug 2022 10:50:37 +0200
|
| |
+ Subject: [PATCH 4/7] KTLS: receive key update
|
| |
+
|
| |
+ handle received GNUTLS_HANDSHAKE_KEY_UPDATE set keys accordingly
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/system/ktls.c | 8 +++++++-
|
| |
+ 1 file changed, 7 insertions(+), 1 deletion(-)
|
| |
+
|
| |
+ diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
| |
+ index 5da0a8069..f3cb343ae 100644
|
| |
+ --- a/lib/system/ktls.c
|
| |
+ +++ b/lib/system/ktls.c
|
| |
+ @@ -452,7 +452,13 @@ int _gnutls_ktls_recv_int(gnutls_session_t session, content_type_t type,
|
| |
+ ret = 0;
|
| |
+ break;
|
| |
+ case GNUTLS_HANDSHAKE:
|
| |
+ - // ignore post-handshake messages
|
| |
+ + ret = gnutls_handshake_write(session,
|
| |
+ + GNUTLS_ENCRYPTION_LEVEL_APPLICATION,
|
| |
+ + data, ret);
|
| |
+ +
|
| |
+ + if (ret < 0)
|
| |
+ + return gnutls_assert_val(ret);
|
| |
+ +
|
| |
+ if (type != record_type)
|
| |
+ return GNUTLS_E_AGAIN;
|
| |
+ break;
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From 14eadde1f2cdfaf858dc2029dac5503e48a49935 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Fri, 5 Aug 2022 16:38:02 +0200
|
| |
+ Subject: [PATCH 5/7] KTLS: set write alert callback
|
| |
+
|
| |
+ Use callback for sending alerts.
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/alert.c | 13 ++++---------
|
| |
+ lib/system/ktls.c | 15 +++++++++++++++
|
| |
+ lib/system/ktls.h | 5 +++++
|
| |
+ 3 files changed, 24 insertions(+), 9 deletions(-)
|
| |
+
|
| |
+ diff --git a/lib/alert.c b/lib/alert.c
|
| |
+ index 50bd1d3de..fda8cd79f 100644
|
| |
+ --- a/lib/alert.c
|
| |
+ +++ b/lib/alert.c
|
| |
+ @@ -182,15 +182,10 @@ gnutls_alert_send(gnutls_session_t session, gnutls_alert_level_t level,
|
| |
+ return ret;
|
| |
+ }
|
| |
+
|
| |
+ - if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
|
| |
+ - ret =
|
| |
+ - _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
| |
+ - } else {
|
| |
+ - ret =
|
| |
+ - _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
| |
+ - EPOCH_WRITE_CURRENT, data, 2,
|
| |
+ - MBUFFER_FLUSH);
|
| |
+ - }
|
| |
+ + ret = _gnutls_send_int(session, GNUTLS_ALERT, -1,
|
| |
+ + EPOCH_WRITE_CURRENT, data, 2,
|
| |
+ + MBUFFER_FLUSH);
|
| |
+ +
|
| |
+ return (ret < 0) ? ret : 0;
|
| |
+ }
|
| |
+
|
| |
+ diff --git a/lib/system/ktls.c b/lib/system/ktls.c
|
| |
+ index f3cb343ae..703775960 100644
|
| |
+ --- a/lib/system/ktls.c
|
| |
+ +++ b/lib/system/ktls.c
|
| |
+ @@ -269,9 +269,13 @@ int _gnutls_ktls_set_keys(gnutls_session_t session, gnutls_transport_ktls_enable
|
| |
+ default:
|
| |
+ assert(0);
|
| |
+ }
|
| |
+ +
|
| |
+ // set callback for sending handshake messages
|
| |
+ gnutls_handshake_set_read_function(session,
|
| |
+ _gnutls_ktls_send_handshake_msg);
|
| |
+ +
|
| |
+ + // set callback for sending alert messages
|
| |
+ + gnutls_alert_set_read_function(session, _gnutls_ktls_send_alert_msg);
|
| |
+ }
|
| |
+
|
| |
+ return in;
|
| |
+ @@ -367,6 +371,17 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
| |
+ data, data_size);
|
| |
+ }
|
| |
+
|
| |
+ +int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
| |
+ + gnutls_record_encryption_level_t level,
|
| |
+ + gnutls_alert_level_t alert_level,
|
| |
+ + gnutls_alert_description_t alert_desc)
|
| |
+ +{
|
| |
+ + uint8_t data[2];
|
| |
+ + data[0] = (uint8_t) alert_level;
|
| |
+ + data[1] = (uint8_t) alert_desc;
|
| |
+ + return _gnutls_ktls_send_control_msg(session, GNUTLS_ALERT, data, 2);
|
| |
+ +}
|
| |
+ +
|
| |
+ int _gnutls_ktls_recv_control_msg(gnutls_session_t session,
|
| |
+ unsigned char *record_type, void *data, size_t data_size)
|
| |
+ {
|
| |
+ diff --git a/lib/system/ktls.h b/lib/system/ktls.h
|
| |
+ index 8d61a49df..64e1c9c1c 100644
|
| |
+ --- a/lib/system/ktls.h
|
| |
+ +++ b/lib/system/ktls.h
|
| |
+ @@ -15,6 +15,11 @@ int _gnutls_ktls_send_handshake_msg(gnutls_session_t session,
|
| |
+ gnutls_handshake_description_t htype,
|
| |
+ const void *data, size_t data_size);
|
| |
+
|
| |
+ +int _gnutls_ktls_send_alert_msg(gnutls_session_t session,
|
| |
+ + gnutls_record_encryption_level_t level,
|
| |
+ + gnutls_alert_level_t alert_level,
|
| |
+ + gnutls_alert_description_t alert_desc);
|
| |
+ +
|
| |
+ int _gnutls_ktls_send_control_msg(gnutls_session_t session, unsigned char record_type,
|
| |
+ const void *data, size_t data_size);
|
| |
+ #define _gnutls_ktls_send(x, y, z) _gnutls_ktls_send_control_msg(x, GNUTLS_APPLICATION_DATA, y, z);
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From 38b8708d66e592c09edf2745c921436f56607a96 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Tue, 9 Aug 2022 12:11:16 +0200
|
| |
+ Subject: [PATCH 6/7] KTLS: rekey test
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ tests/Makefile.am | 2 +
|
| |
+ tests/ktls_keyupdate.c | 381 ++++++++++++++++++++++++++++++++++++++++
|
| |
+ tests/ktls_keyupdate.sh | 46 +++++
|
| |
+ 3 files changed, 429 insertions(+)
|
| |
+ create mode 100644 tests/ktls_keyupdate.c
|
| |
+ create mode 100755 tests/ktls_keyupdate.sh
|
| |
+
|
| |
+ diff --git a/tests/Makefile.am b/tests/Makefile.am
|
| |
+ index 1122886b3..2d345d478 100644
|
| |
+ --- a/tests/Makefile.am
|
| |
+ +++ b/tests/Makefile.am
|
| |
+ @@ -500,6 +500,8 @@ endif
|
| |
+ if ENABLE_KTLS
|
| |
+ indirect_tests += gnutls_ktls
|
| |
+ dist_check_SCRIPTS += ktls.sh
|
| |
+ +indirect_tests += ktls_keyupdate
|
| |
+ +dist_check_SCRIPTS += ktls_keyupdate.sh
|
| |
+ endif
|
| |
+
|
| |
+ if !WINDOWS
|
| |
+ diff --git a/tests/ktls_keyupdate.c b/tests/ktls_keyupdate.c
|
| |
+ new file mode 100644
|
| |
+ index 000000000..9fbff38ae
|
| |
+ --- /dev/null
|
| |
+ +++ b/tests/ktls_keyupdate.c
|
| |
+ @@ -0,0 +1,381 @@
|
| |
+ +// Copyright (C) 2022 Red Hat, Inc.
|
| |
+ +//
|
| |
+ +// Author: Frantisek Krenzelok
|
| |
+ +//
|
| |
+ +// This file is part of GnuTLS.
|
| |
+ +//
|
| |
+ +// GnuTLS is free software; you can redistribute it and/or modify it
|
| |
+ +// under the terms of the GNU General Public License as published by the
|
| |
+ +// Free Software Foundation; either version 3 of the License, or (at
|
| |
+ +// your option) any later version.
|
| |
+ +//
|
| |
+ +// GnuTLS is distributed in the hope that it will be useful, but
|
| |
+ +// WITHOUT ANY WARRANTY; without even the implied warranty of
|
| |
+ +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
| |
+ +// General Public License for more details.
|
| |
+ +//
|
| |
+ +// You should have received a copy of the GNU General Public License
|
| |
+ +// along with GnuTLS; if not, write to the Free Software Foundation,
|
| |
+ +// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
| |
+ +
|
| |
+ +#ifdef HAVE_CONFIG_H
|
| |
+ +#include <config.h>
|
| |
+ +#endif
|
| |
+ +
|
| |
+ +#include <stdio.h>
|
| |
+ +#include <stdlib.h>
|
| |
+ +#include <string.h>
|
| |
+ +#include <sys/types.h>
|
| |
+ +#include <netinet/in.h>
|
| |
+ +#include <sys/socket.h>
|
| |
+ +#include <sys/wait.h>
|
| |
+ +#include <arpa/inet.h>
|
| |
+ +#include <unistd.h>
|
| |
+ +#include <gnutls/gnutls.h>
|
| |
+ +#include <gnutls/crypto.h>
|
| |
+ +#include <gnutls/dtls.h>
|
| |
+ +#include <gnutls/socket.h>
|
| |
+ +#include <signal.h>
|
| |
+ +#include <assert.h>
|
| |
+ +#include <errno.h>
|
| |
+ +
|
| |
+ +#include "cert-common.h"
|
| |
+ +#include "utils.h"
|
| |
+ +
|
| |
+ +#if defined(_WIN32)
|
| |
+ +
|
| |
+ +int main(void)
|
| |
+ +{
|
| |
+ + exit(77);
|
| |
+ +}
|
| |
+ +
|
| |
+ +#else
|
| |
+ +
|
| |
+ +
|
| |
+ +#define MAX_BUF 1024
|
| |
+ +#define MSG "Hello world!"
|
| |
+ +
|
| |
+ +#define HANDSHAKE(session, name, ret)\
|
| |
+ +{\
|
| |
+ + do {\
|
| |
+ + ret = gnutls_handshake(session);\
|
| |
+ + }\
|
| |
+ + while (ret < 0 && gnutls_error_is_fatal(ret) == 0);\
|
| |
+ + if (ret < 0) {\
|
| |
+ + fail("%s: Handshake failed\n", name);\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ +#define SEND_MSG(session, name, ret)\
|
| |
+ +{\
|
| |
+ + do {\
|
| |
+ + ret = gnutls_record_send(session, MSG, strlen(MSG)+1);\
|
| |
+ + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
| |
+ + if (ret < 0) {\
|
| |
+ + fail("%s: data sending has failed (%s)\n",name,\
|
| |
+ + gnutls_strerror(ret));\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ +#define RECV_MSG(session, name, buffer, buffer_len, ret)\
|
| |
+ +{\
|
| |
+ + memset(buffer, 0, sizeof(buffer));\
|
| |
+ + do{\
|
| |
+ + ret = gnutls_record_recv(session, buffer, sizeof(buffer));\
|
| |
+ + }\
|
| |
+ + while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
| |
+ + if (ret == 0) {\
|
| |
+ + success("%s: Peer has closed the TLS connection\n", name);\
|
| |
+ + goto end;\
|
| |
+ + } else if (ret < 0) {\
|
| |
+ + fail("%s: Error -> %s\n", name, gnutls_strerror(ret));\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ + if(strncmp(buffer, MSG, ret)){\
|
| |
+ + fail("%s: Message doesn't match\n", name);\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ +#define KEY_UPDATE(session, name, peer_req, ret)\
|
| |
+ +{\
|
| |
+ + do {\
|
| |
+ + ret = gnutls_session_key_update(session, peer_req);\
|
| |
+ + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);\
|
| |
+ + if (ret < 0) {\
|
| |
+ + fail("%s: key update has failed (%s)\n", name, \
|
| |
+ + gnutls_strerror(ret));\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ +#define CHECK_KTLS_ENABLED(session, ret)\
|
| |
+ +{\
|
| |
+ + ret = gnutls_transport_is_ktls_enabled(session);\
|
| |
+ + if (!(ret & GNUTLS_KTLS_RECV)){\
|
| |
+ + fail("client: KTLS was not properly initialized\n");\
|
| |
+ + goto end;\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void server_log_func(int level, const char *str)
|
| |
+ +{
|
| |
+ + fprintf(stderr, "server|<%d>| %s", level, str);
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void client_log_func(int level, const char *str)
|
| |
+ +{
|
| |
+ + fprintf(stderr, "client|<%d>| %s", level, str);
|
| |
+ +}
|
| |
+ +
|
| |
+ +
|
| |
+ +static void client(int fd, const char *prio, int pipe)
|
| |
+ +{
|
| |
+ + const char *name = "client";
|
| |
+ + int ret;
|
| |
+ + char foo;
|
| |
+ + char buffer[MAX_BUF + 1];
|
| |
+ + gnutls_certificate_credentials_t x509_cred;
|
| |
+ + gnutls_session_t session;
|
| |
+ +
|
| |
+ + global_init();
|
| |
+ +
|
| |
+ + if (debug) {
|
| |
+ + gnutls_global_set_log_function(client_log_func);
|
| |
+ + gnutls_global_set_log_level(7);
|
| |
+ + }
|
| |
+ +
|
| |
+ + gnutls_certificate_allocate_credentials(&x509_cred);
|
| |
+ +
|
| |
+ + gnutls_init(&session, GNUTLS_CLIENT);
|
| |
+ + gnutls_handshake_set_timeout(session, 0);
|
| |
+ +
|
| |
+ + assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
|
| |
+ +
|
| |
+ + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
| |
+ +
|
| |
+ + gnutls_transport_set_int(session, fd);
|
| |
+ +
|
| |
+ + HANDSHAKE(session, name, ret);
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + // Test 0: Try sending/receiving data
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + // Test 1: Servers does key update
|
| |
+ + read(pipe, &foo, 1);
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + // Test 2: Does key update witch request
|
| |
+ + read(pipe, &foo, 1);
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
| |
+ + if (ret < 0) {
|
| |
+ + fail("client: error in closing session: %s\n", gnutls_strerror(ret));
|
| |
+ + }
|
| |
+ +
|
| |
+ + ret = 0;
|
| |
+ + end:
|
| |
+ +
|
| |
+ + close(fd);
|
| |
+ +
|
| |
+ + gnutls_deinit(session);
|
| |
+ +
|
| |
+ + gnutls_certificate_free_credentials(x509_cred);
|
| |
+ +
|
| |
+ + gnutls_global_deinit();
|
| |
+ +
|
| |
+ + if (ret != 0)
|
| |
+ + exit(1);
|
| |
+ +}
|
| |
+ +
|
| |
+ +pid_t child;
|
| |
+ +static void terminate(void)
|
| |
+ +{
|
| |
+ + assert(child);
|
| |
+ + kill(child, SIGTERM);
|
| |
+ + exit(1);
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void server(int fd, const char *prio, int pipe)
|
| |
+ +{
|
| |
+ + const char *name = "server";
|
| |
+ + int ret;
|
| |
+ + char bar = 0;
|
| |
+ + char buffer[MAX_BUF + 1];
|
| |
+ + gnutls_certificate_credentials_t x509_cred;
|
| |
+ + gnutls_session_t session;
|
| |
+ +
|
| |
+ + global_init();
|
| |
+ +
|
| |
+ + if (debug) {
|
| |
+ + gnutls_global_set_log_function(server_log_func);
|
| |
+ + gnutls_global_set_log_level(7);
|
| |
+ + }
|
| |
+ +
|
| |
+ + gnutls_certificate_allocate_credentials(&x509_cred);
|
| |
+ + ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
|
| |
+ + &server_key,
|
| |
+ + GNUTLS_X509_FMT_PEM);
|
| |
+ + if (ret < 0)
|
| |
+ + exit(1);
|
| |
+ +
|
| |
+ + gnutls_init(&session, GNUTLS_SERVER);
|
| |
+ + gnutls_handshake_set_timeout(session, 0);
|
| |
+ +
|
| |
+ + assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
|
| |
+ +
|
| |
+ + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
|
| |
+ +
|
| |
+ + gnutls_transport_set_int(session, fd);
|
| |
+ +
|
| |
+ + HANDSHAKE(session, name, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + success("Test 0: sending/receiving data\n");
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + success("Test 1: server key update without request\n");
|
| |
+ + KEY_UPDATE(session, name, 0, ret)
|
| |
+ + write(pipe, &bar, 1);
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + success("Test 2: server key update with request\n");
|
| |
+ + KEY_UPDATE(session, name, GNUTLS_KU_PEER, ret)
|
| |
+ + write(pipe, &bar, 1);
|
| |
+ + SEND_MSG(session, name, ret)
|
| |
+ + RECV_MSG(session, name, buffer, MAX_BUF+1, ret)
|
| |
+ +
|
| |
+ + CHECK_KTLS_ENABLED(session, ret)
|
| |
+ +
|
| |
+ + ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
|
| |
+ + if (ret < 0) {
|
| |
+ + fail("server: error in closing session: %s\n", gnutls_strerror(ret));
|
| |
+ + }
|
| |
+ +
|
| |
+ + ret = 0;
|
| |
+ +end:
|
| |
+ + close(fd);
|
| |
+ + gnutls_deinit(session);
|
| |
+ +
|
| |
+ + gnutls_certificate_free_credentials(x509_cred);
|
| |
+ +
|
| |
+ + gnutls_global_deinit();
|
| |
+ +
|
| |
+ + if (ret){
|
| |
+ + terminate();
|
| |
+ + }
|
| |
+ +
|
| |
+ + if (debug)
|
| |
+ + success("server: finished\n");
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void ch_handler(int sig)
|
| |
+ +{
|
| |
+ + return;
|
| |
+ +}
|
| |
+ +
|
| |
+ +static void run(const char *prio)
|
| |
+ +{
|
| |
+ + int ret;
|
| |
+ + struct sockaddr_in saddr;
|
| |
+ + socklen_t addrlen;
|
| |
+ + int listener;
|
| |
+ + int fd;
|
| |
+ +
|
| |
+ + int sync_pipe[2]; //used for synchronization
|
| |
+ + pipe(sync_pipe);
|
| |
+ +
|
| |
+ + success("running ktls test with %s\n", prio);
|
| |
+ +
|
| |
+ + signal(SIGCHLD, ch_handler);
|
| |
+ + signal(SIGPIPE, SIG_IGN);
|
| |
+ +
|
| |
+ + listener = socket(AF_INET, SOCK_STREAM, 0);
|
| |
+ + if (listener == -1){
|
| |
+ + fail("error in listener(): %s\n", strerror(errno));
|
| |
+ + }
|
| |
+ +
|
| |
+ + memset(&saddr, 0, sizeof(saddr));
|
| |
+ + saddr.sin_family = AF_INET;
|
| |
+ + saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
|
| |
+ + saddr.sin_port = 0;
|
| |
+ +
|
| |
+ + ret = bind(listener, (struct sockaddr*)&saddr, sizeof(saddr));
|
| |
+ + if (ret == -1){
|
| |
+ + fail("error in bind(): %s\n", strerror(errno));
|
| |
+ + }
|
| |
+ +
|
| |
+ + addrlen = sizeof(saddr);
|
| |
+ + ret = getsockname(listener, (struct sockaddr*)&saddr, &addrlen);
|
| |
+ + if (ret == -1){
|
| |
+ + fail("error in getsockname(): %s\n", strerror(errno));
|
| |
+ + }
|
| |
+ +
|
| |
+ + child = fork();
|
| |
+ + if (child < 0) {
|
| |
+ + fail("error in fork(): %s\n", strerror(errno));
|
| |
+ + exit(1);
|
| |
+ + }
|
| |
+ +
|
| |
+ + if (child) {
|
| |
+ + int status;
|
| |
+ + /* parent */
|
| |
+ + ret = listen(listener, 1);
|
| |
+ + if (ret == -1) {
|
| |
+ + fail("error in listen(): %s\n", strerror(errno));
|
| |
+ + }
|
| |
+ +
|
| |
+ + fd = accept(listener, NULL, NULL);
|
| |
+ + if (fd == -1) {
|
| |
+ + fail("error in accept(): %s\n", strerror(errno));
|
| |
+ + }
|
| |
+ +
|
| |
+ + close(sync_pipe[0]);
|
| |
+ + server(fd, prio, sync_pipe[1]);
|
| |
+ +
|
| |
+ + wait(&status);
|
| |
+ + check_wait_status(status);
|
| |
+ + } else {
|
| |
+ + fd = socket(AF_INET, SOCK_STREAM, 0);
|
| |
+ + if (fd == -1){
|
| |
+ + fail("error in socket(): %s\n", strerror(errno));
|
| |
+ + exit(1);
|
| |
+ + }
|
| |
+ +
|
| |
+ + usleep(1000000);
|
| |
+ + connect(fd, (struct sockaddr*)&saddr, addrlen);
|
| |
+ +
|
| |
+ + close(sync_pipe[1]);
|
| |
+ + client(fd, prio, sync_pipe[0]);
|
| |
+ + exit(0);
|
| |
+ + }
|
| |
+ +}
|
| |
+ +
|
| |
+ +void doit(void)
|
| |
+ +{
|
| |
+ + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM");
|
| |
+ + run("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM");
|
| |
+ +}
|
| |
+ +
|
| |
+ +#endif /* _WIN32 */
|
| |
+ diff --git a/tests/ktls_keyupdate.sh b/tests/ktls_keyupdate.sh
|
| |
+ new file mode 100755
|
| |
+ index 000000000..d072acafc
|
| |
+ --- /dev/null
|
| |
+ +++ b/tests/ktls_keyupdate.sh
|
| |
+ @@ -0,0 +1,46 @@
|
| |
+ +#!/bin/sh
|
| |
+ +
|
| |
+ +# Copyright (C) 2022 Red Hat, Inc.
|
| |
+ +#
|
| |
+ +# Author: Daiki Ueno
|
| |
+ +#
|
| |
+ +# This file is part of GnuTLS.
|
| |
+ +#
|
| |
+ +# GnuTLS is free software; you can redistribute it and/or modify it
|
| |
+ +# under the terms of the GNU General Public License as published by the
|
| |
+ +# Free Software Foundation; either version 3 of the License, or (at
|
| |
+ +# your option) any later version.
|
| |
+ +#
|
| |
+ +# GnuTLS is distributed in the hope that it will be useful, but
|
| |
+ +# WITHOUT ANY WARRANTY; without even the implied warranty of
|
| |
+ +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
| |
+ +# General Public License for more details.
|
| |
+ +#
|
| |
+ +# You should have received a copy of the GNU General Public License
|
| |
+ +# along with GnuTLS; if not, write to the Free Software Foundation,
|
| |
+ +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
| |
+ +
|
| |
+ +: ${builddir=.}
|
| |
+ +
|
| |
+ +. "$srcdir/scripts/common.sh"
|
| |
+ +
|
| |
+ +if ! grep '^tls ' /proc/modules 2>&1 /dev/null; then
|
| |
+ + exit 77
|
| |
+ +fi
|
| |
+ +
|
| |
+ +testdir=`create_testdir ktls_keyupdate`
|
| |
+ +
|
| |
+ +cfg="$testdir/config"
|
| |
+ +
|
| |
+ +cat <<EOF > "$cfg"
|
| |
+ +[global]
|
| |
+ +ktls = true
|
| |
+ +EOF
|
| |
+ +
|
| |
+ +GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 \
|
| |
+ +GNUTLS_SYSTEM_PRIORITY_FILE="$cfg" \
|
| |
+ +"$builddir/ktls_keyupdate" "$@"
|
| |
+ +rc=$?
|
| |
+ +
|
| |
+ +rm -rf "$testdir"
|
| |
+ +exit $rc
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
+
|
| |
+ From 67843b3a8e28e4c74296caea2d1019065c87afb3 Mon Sep 17 00:00:00 2001
|
| |
+ From: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ Date: Mon, 5 Sep 2022 13:05:17 +0200
|
| |
+ Subject: [PATCH 7/7] KTLS: fallback to default
|
| |
+
|
| |
+ If an error occurs during setting of keys either initial or key update
|
| |
+ then fallback to default mode of operation (disable ktls) and let the
|
| |
+ user know
|
| |
+
|
| |
+ Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
|
| |
+ ---
|
| |
+ lib/handshake.c | 7 ++++++-
|
| |
+ lib/tls13/key_update.c | 23 +++++++++++++++++++----
|
| |
+ 2 files changed, 25 insertions(+), 5 deletions(-)
|
| |
+
|
| |
+ diff --git a/lib/handshake.c b/lib/handshake.c
|
| |
+ index cb2bc3ae9..14bcdea56 100644
|
| |
+ --- a/lib/handshake.c
|
| |
+ +++ b/lib/handshake.c
|
| |
+ @@ -2924,7 +2924,12 @@ int gnutls_handshake(gnutls_session_t session)
|
| |
+
|
| |
+ #ifdef ENABLE_KTLS
|
| |
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
|
| |
+ - _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
| |
+ + ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
|
| |
+ + if (ret < 0) {
|
| |
+ + session->internals.ktls_enabled = 0;
|
| |
+ + _gnutls_audit_log(session,
|
| |
+ + "disabling KTLS: failed to set keys\n");
|
| |
+ + }
|
| |
+ }
|
| |
+ #endif
|
| |
+
|
| |
+ diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
|
| |
+ index 10c0a9110..acfda4129 100644
|
| |
+ --- a/lib/tls13/key_update.c
|
| |
+ +++ b/lib/tls13/key_update.c
|
| |
+ @@ -32,6 +32,20 @@
|
| |
+ #define KEY_UPDATES_WINDOW 1000
|
| |
+ #define KEY_UPDATES_PER_WINDOW 8
|
| |
+
|
| |
+ +/*
|
| |
+ + * Sets kTLS keys if enabled.
|
| |
+ + * If this operation fails with GNUTLS_E_INTERNAL_ERROR, KTLS is disabled
|
| |
+ + * because KTLS most likely doesn't support key update.
|
| |
+ + */
|
| |
+ +#define SET_KTLS_KEYS(session, interface)\
|
| |
+ +{\
|
| |
+ + if(_gnutls_ktls_set_keys(session, interface) < 0) {\
|
| |
+ + session->internals.ktls_enabled = 0;\
|
| |
+ + _gnutls_audit_log(session, \
|
| |
+ + "disabling KTLS: couldn't update keys\n");\
|
| |
+ + }\
|
| |
+ +}
|
| |
+ +
|
| |
+ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
| |
+ {
|
| |
+ int ret;
|
| |
+ @@ -51,15 +65,16 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
|
| |
+ if (session->internals.recv_state == RECV_STATE_EARLY_START) {
|
| |
+ ret = _tls13_write_connection_state_init(session, stage);
|
| |
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
|
| |
+ - ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
| |
+ + SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
| |
+ } else {
|
| |
+ ret = _tls13_connection_state_init(session, stage);
|
| |
+ + if (ret < 0)
|
| |
+ + return gnutls_assert_val(ret);
|
| |
+
|
| |
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND) && stage == STAGE_UPD_OURS)
|
| |
+ - ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_SEND);
|
| |
+ + SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
|
| |
+ else if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) && stage == STAGE_UPD_PEERS)
|
| |
+ - ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_RECV);
|
| |
+ -
|
| |
+ + SET_KTLS_KEYS(session, GNUTLS_KTLS_RECV)
|
| |
+ }
|
| |
+ if (ret < 0)
|
| |
+ return gnutls_assert_val(ret);
|
| |
+ --
|
| |
+ 2.39.0
|
| |
+
|
| |
fkrenzel
commented 2 years ago
Key update supported for patched kernels [1]
Configuration option
ktls = false[2]Following ciphersuites are now supported: [3]
* TLS_AES_128_CCM_SHA256
* TLS_CHACHA20_POLY1305_SHA256
Ivalidate session on KTLS error as there is no way to recover and new
sockets as well as session have to be created. [4]
Additional patches fixing CI:
* ..ktls_skip_tls12_chachapoly_test.patch [5]
* ..ktls_disable_keyupdate_test.patch (would need kernel patch to work)
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1625
[2] https://gitlab.com/gnutls/gnutls/-/merge_requests/1673/diffs?commit_id=aefd7319c0b7b2410d06238246b7755b289e4837
[3] https://gitlab.com/gnutls/gnutls/-/merge_requests/1676
[4] https://gitlab.com/gnutls/gnutls/-/merge_requests/1664
[5] https://gitlab.com/gnutls/gnutls/-/issues/1443