From f41151c8a218f255af08362b74cd6ee0dfd45c00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?=
<krenzelok.frantisek@gmail.com>
Date: Tue, 14 Jun 2022 16:16:11 +0200
Subject: [PATCH] KTLS: disable by default enable by config
KTLS will be disabled by default when built with `--enable-ktls`; to
enable it, use config file option `ktls = true` in [global] section.
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
---
doc/cha-config.texi | 18 ++++++++----------
lib/gnutls_int.h | 2 +-
lib/handshake.c | 2 +-
lib/priority.c | 12 ++++++------
4 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
index e550f2e4b1..eaab7fd799 100644
--- a/doc/cha-config.texi
+++ b/doc/cha-config.texi
@@ -26,7 +26,7 @@ used can be queried using @funcref{gnutls_get_system_config_file}.
* Querying for disabled algorithms and protocols::
* Overriding the parameter verification profile::
* Overriding the default priority string::
-* Disabling system/acceleration protocols::
+* Enabling/Disabling system/acceleration protocols::
@end menu
@node Application-specific priority strings
@@ -253,16 +253,14 @@ default-priority-string = SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3
@end example
-@node Disabling system/acceleration protocols
-@section Disabling system/acceleration protocols
-When system/acceleration protocol is enabled during build, it is usually
-enabled by default. The following options can overwrite this behavior
-system-wide.
+@node Enabling/Disabling system/acceleration protocols
+@section Enabling/Disabling system/acceleration protocols
+The following options can overwrite default behavior of protocols system-wide.
@example
[global]
-ktls = false
+ktls = true
@end example
-@subsection Disabling KTLS
-When GnuTLS is build with -–enable-ktls configuration, it uses KTLS by default.
-This can be overwritten by setting @code{ktls = false} in @code{[global]} section.
+@subsection Enabling KTLS
+When GnuTLS is build with -–enable-ktls configuration, KTLS is disabled by default.
+This can be enabled by setting @code{ktls = true} in @code{[global]} section.
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 872188696b..8c7bdaa1db 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1649,6 +1649,6 @@ get_certificate_type(gnutls_session_t session,
extern unsigned int _gnutls_global_version;
-bool _gnutls_config_is_ktls_disabled(void);
+bool _gnutls_config_is_ktls_enabled(void);
#endif /* GNUTLS_LIB_GNUTLS_INT_H */
diff --git a/lib/handshake.c b/lib/handshake.c
index f3edbbdacb..4dd457bf22 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2815,7 +2815,7 @@ int gnutls_handshake(gnutls_session_t session)
session->internals.ktls_enabled = 0;
#ifdef ENABLE_KTLS
- if (_gnutls_config_is_ktls_disabled() == false)
+ if (_gnutls_config_is_ktls_enabled() == true)
_gnutls_ktls_enable(session);
#endif
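Review bot: The added condition compares a `bool` result against `true`, which is redundant and slightly fragile in C if the helper ever returns a non-zero value other than 1; `if (_gnutls_config_is_ktls_enabled())` says the same thing more plainly. Flipping KTLS to opt-in is the right default for a kernel offload path, but a reader of this block sees only the build guard and may assume `ENABLE_KTLS` alone turns it on, so I would add a comment above the `#ifdef` such as `/* KTLS is opt-in: the build flag only makes it available, the system config (ktls = true) turns it on */`. The enclosing function gnutls_handshake starts before this hunk.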
diff --git a/lib/priority.c b/lib/priority.c
index 7279c03c88..d163d8169f 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1027,7 +1027,7 @@ static void dummy_func(gnutls_priority_t c)
struct cfg {
bool allowlisting;
- bool ktls_disabled;
+ bool ktls_enabled;
name_val_array_t priority_strings;
char *priority_string;
@@ -1140,7 +1140,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
src->default_priority_string = NULL;
dst->allowlisting = src->allowlisting;
- dst->ktls_disabled = src->ktls_disabled;
+ dst->ktls_enabled = src->ktls_enabled;
memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
memcpy(dst->macs, src->macs, sizeof(src->macs));
memcpy(dst->groups, src->groups, sizeof(src->groups));
@@ -1268,8 +1268,8 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
}
} else if (c_strcasecmp(name, "ktls") == 0) {
p = clear_spaces(value, str);
- if (c_strcasecmp(p, "false") == 0) {
- cfg->ktls_disabled = true;
+ if (c_strcasecmp(p, "true") == 0) {
+ cfg->ktls_enabled = true;
} else {
_gnutls_debug_log("cfg: unknown ktls mode %s\n",
p);
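Review bot: With the added check matching only `true`, the previously documented value `ktls = false` now falls through to the `else` branch and is logged as `cfg: unknown ktls mode false`, even though it is a legitimate setting under the new default-off semantics and is what existing deployments were told to write. I would accept it explicitly before the final `else`: `} else if (c_strcasecmp(p, "false") == 0) {` followed by `cfg->ktls_enabled = false;`, so an explicit disable is honoured silently and both spellings remain valid. The new default appears to rely on `struct cfg` being zero-initialised before parsing, which is outside this hunk; worth confirming, though a missed initialisation would now fail closed (KTLS off) rather than open, which is the safer direction. global_ini_handler starts and ends outside this hunk.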
@@ -3490,6 +3490,6 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
return NULL;
}
-bool _gnutls_config_is_ktls_disabled(void){
- return system_wide_config.ktls_disabled;
+bool _gnutls_config_is_ktls_enabled(void){
+ return system_wide_config.ktls_enabled;
}
--
2.36.1