system config disable KTLS
authorFrantisek Krenzelok <krenzelok.frantisek@gmail.com>
Fri, 18 Mar 2022 10:37:10 +0000 (11:37 +0100)
committerFrantisek Krenzelok <krenzelok.frantisek@gmail.com>
Tue, 29 Mar 2022 10:13:55 +0000 (12:13 +0200)
Added option for system config `ktls = false` to disable ktls
system-wide

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
lib/gnutls_int.h
lib/handshake.c
lib/includes/gnutls/socket.h
lib/priority.c
lib/system/ktls.c

index 26d2373c80c7718e65615bcbbde903bfa66a63ff..fd04a42613407111c04c5b38e56cb5c4623e206c 100644 (file)
@@ -1643,4 +1643,6 @@ get_certificate_type(gnutls_session_t session,
 
 extern unsigned int _gnutls_global_version;
 
+bool _gnutls_config_is_ktls_disabled(void);
+
 #endif /* GNUTLS_LIB_GNUTLS_INT_H */
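Review bot: The new internal prototype `_gnutls_config_is_ktls_disabled(void)` carries no comment, and nothing in this header says where the value comes from or who consumes it. A one-line comment above it would save the next reader a grep, e.g. `/* True when the system-wide config contains "ktls = false"; checked by gnutls_handshake() before enabling KTLS. */`. The header already uses `bool` elsewhere only if <stdbool.h> is pulled in above this hunk, which is not visible here; worth confirming rather than relying on the struct cfg usage in priority.c.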
index 44c4cc3402f8b46895f6af4720bb51b1a0291047..f3edbbdacb3ecb8f82bf0c1d8469a9973e7fa4f6 100644 (file)
@@ -2813,8 +2813,10 @@ int gnutls_handshake(gnutls_session_t session)
        const version_entry_st *vers = get_version(session);
        int ret;
 
+       session->internals.ktls_enabled = 0;
 #ifdef ENABLE_KTLS
-       _gnutls_ktls_enable(session);
+       if (_gnutls_config_is_ktls_disabled() == false)
+               _gnutls_ktls_enable(session);
 #endif
 
        if (unlikely(session->internals.initial_negotiation_completed)) {
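Review bot: The reset `session->internals.ktls_enabled = 0;` and the `_gnutls_ktls_enable(session)` call run on every entry to gnutls_handshake(), ahead of the `initial_negotiation_completed` check, so they also run on re-entry after GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED on a non-blocking transport. If the kernel rejects attaching the "tls" ULP to a socket that already has one (I believe TCP_ULP returns EEXIST in that case; worth confirming), the second pass would zero the flags and then fail to set them again, leaving KTLS silently off for that session even though the config allows it. Consider doing the reset and enable only once per handshake, guarded by whatever state marks a fresh handshake start, instead of unconditionally at function entry; that was already the behaviour before this change, but the commit moves the reset here without addressing it. Minor style: `if (!_gnutls_config_is_ktls_disabled())` reads more naturally than comparing a bool with `== false`. gnutls_handshake() continues beyond the hunk.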
@@ -2913,11 +2915,9 @@ int gnutls_handshake(gnutls_session_t session)
        }
 
 #ifdef ENABLE_KTLS
-       if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) || IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
+       if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
                _gnutls_ktls_set_keys(session);
        }
-#else
-       session->internals.ktls_enabled = 0;
 #endif
 
        return 0;
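Review bot: `IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)` is only equivalent to the previous RECV-or-SEND test if the macro masks with `&` and tests for non-zero; the macro is not visible here, and if it compares the masked value for equality with the flag, `_gnutls_ktls_set_keys()` would now be skipped for a session where only one direction came up, while `ktls_enabled` still carries that direction's bit. Either keep the explicit two-flag test or document the intent at the call site, e.g. `/* install keys if KTLS came up for either direction */`. Dropping the `#else` branch that zeroed `ktls_enabled` is safe only because the reset moved to the top of gnutls_handshake() in this same commit; a one-line comment there would keep that dependency from being lost in a later refactor. The function's closing brace is outside the hunk.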
index 8c21b9a38232ded5bb0cee54979db3197e6aa026..4df7bb2e0f7a98bbbffdee1a0b4cb551eebae820 100644 (file)
@@ -54,6 +54,7 @@ typedef enum {
        GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
 } gnutls_transport_ktls_enable_flags_t;
 
+
 gnutls_transport_ktls_enable_flags_t
 gnutls_transport_is_ktls_enabled(gnutls_session_t session);
 
index 71424012452a52ac6be92bb2dac83068b5f759c3..34bf3d2950fe406effaffc1fef6972088f866dfc 100644 (file)
@@ -1017,6 +1017,7 @@ static void dummy_func(gnutls_priority_t c)
 
 struct cfg {
        bool allowlisting;
+       bool ktls_disabled;
 
        name_val_array_t priority_strings;
        char *priority_string;
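Review bot: The new field `bool ktls_disabled;` is undocumented, unlike its meaning being tied to a specific config spelling handled elsewhere in this file. Suggest `bool ktls_disabled; /* "ktls = false" in the system config; read by _gnutls_config_is_ktls_disabled() */` so the struct documents the only value that sets it. struct cfg continues outside the hunk.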
@@ -1129,6 +1130,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
        src->default_priority_string = NULL;
 
        dst->allowlisting = src->allowlisting;
+       dst->ktls_disabled = src->ktls_disabled;
        memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
        memcpy(dst->macs, src->macs, sizeof(src->macs));
        memcpy(dst->groups, src->groups, sizeof(src->groups));
@@ -1254,6 +1256,16 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
                                if (fail_on_invalid_config)
                                        return 0;
                        }
+               } else if (c_strcasecmp(name, "ktls") == 0) {
+                       p = clear_spaces(value, str);
+                       if (c_strcasecmp(p, "false") == 0) {
+                               cfg->ktls_disabled = true;
+                       } else {
+                               _gnutls_debug_log("cfg: unknown ktls mode %s\n",
+                                       p);
+                               if (fail_on_invalid_config)
+                                       return 0;
+                       }
                } else {
                        _gnutls_debug_log("unknown parameter %s\n", name);
                        if (fail_on_invalid_config)
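Review bot: The `ktls` key accepts only `false`; `ktls = true` falls into the "unknown ktls mode" branch, is logged, and with `fail_on_invalid_config` set makes the whole config load fail, which is surprising for an administrator who spells out the default or wants a later line to re-enable it. Accepting the positive value explicitly keeps the key symmetric and lets the last occurrence win, e.g. `} else if (c_strcasecmp(p, "true") == 0) {` followed by `cfg->ktls_disabled = false;` before the existing `else`. The log message could also name the accepted values (`"cfg: unknown ktls mode %s (expected true or false)\n"`) so the failure is self-explanatory. global_ini_handler() starts and ends outside the hunk.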
@@ -3467,3 +3479,7 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
        }
        return NULL;
 }
+
+bool _gnutls_config_is_ktls_disabled(void){
+       return system_wide_config.ktls_disabled;
+}
index 92c5b36073c4a6e9703de2d4a708ee08f3a50f15..b9f7a73fb58cad53529baa5e71a81100bfbb3a3c 100644 (file)
@@ -57,7 +57,6 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
 void _gnutls_ktls_enable(gnutls_session_t session)
 {
        int sockin, sockout;
-       session->internals.ktls_enabled = 0;
        gnutls_transport_get_int2(session, &sockin, &sockout);
 
        if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
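Review bot: Removing `session->internals.ktls_enabled = 0;` from _gnutls_ktls_enable() turns the zeroing into a caller precondition: the function now only appears to set bits on success (the assignments follow the visible setsockopt and are outside the hunk), so any caller other than gnutls_handshake() that does not reset first would accumulate stale bits across calls. Add a comment above the function making that contract explicit, e.g. `/* Caller must reset session->internals.ktls_enabled first; this only sets the bits for the directions that were enabled. */`, and consider a `gnutls_assert()`-style check that the field is zero on entry. The function body continues beyond the hunk.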