author | Frantisek Krenzelok <krenzelok.frantisek@gmail.com> | 2022-03-18 11:37:10 +0100 |
---|---|---|
committer | Frantisek Krenzelok <krenzelok.frantisek@gmail.com> | 2022-03-29 12:13:55 +0200 |
commit | 4b58324309913caf70ae980cc7b3613cb3a51df6 (patch) | |
tree | f21ec571c005bf1b40a8d4c4b17a95dccbeca4e6 | |
parent | 9860846b66e4c698c60a3b343dcb3ba49c77e096 (diff) | |
download | gnutls-4b58324309913caf70ae980cc7b3613cb3a51df6.tar.gz |
system config disable KTLS
Added option for system config `ktls = false` to disable ktls
system-wide
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
-rw-r--r-- | lib/gnutls_int.h | 2 | ||||
-rw-r--r-- | lib/handshake.c | 8 | ||||
-rw-r--r-- | lib/includes/gnutls/socket.h | 1 | ||||
-rw-r--r-- | lib/priority.c | 16 | ||||
-rw-r--r-- | lib/system/ktls.c | 1 |
5 files changed, 23 insertions, 5 deletions
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 26d2373c80..fd04a42613 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1643,4 +1643,6 @@ get_certificate_type(gnutls_session_t session,
 extern unsigned int _gnutls_global_version;
+bool _gnutls_config_is_ktls_disabled(void);
+
 #endif /* GNUTLS_LIB_GNUTLS_INT_H */
diff --git a/lib/handshake.c b/lib/handshake.c
index 44c4cc3402..f3edbbdacb 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2813,8 +2813,10 @@ int gnutls_handshake(gnutls_session_t session)
 const version_entry_st *vers = get_version(session);
 int ret;
+ session->internals.ktls_enabled = 0;
 #ifdef ENABLE_KTLS
- _gnutls_ktls_enable(session);
+ if (_gnutls_config_is_ktls_disabled() == false)
+ _gnutls_ktls_enable(session);
 #endif
 if (unlikely(session->internals.initial_negotiation_completed)) {
@@ -2913,11 +2915,9 @@ int gnutls_handshake(gnutls_session_t session)
 }
 #ifdef ENABLE_KTLS
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) || IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
 _gnutls_ktls_set_keys(session);
 }
-#else
- session->internals.ktls_enabled = 0;
 #endif
 return 0;
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
index 8c21b9a382..4df7bb2e0f 100644
--- a/lib/includes/gnutls/socket.h
+++ b/lib/includes/gnutls/socket.h
@@ -54,6 +54,7 @@ typedef enum {
 GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
 } gnutls_transport_ktls_enable_flags_t;
+
 gnutls_transport_ktls_enable_flags_t gnutls_transport_is_ktls_enabled(gnutls_session_t session);
diff --git a/lib/priority.c b/lib/priority.c
index 7142401245..34bf3d2950 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1017,6 +1017,7 @@ static void dummy_func(gnutls_priority_t c)
 struct cfg {
 bool allowlisting;
+ bool ktls_disabled;
 name_val_array_t priority_strings;
 char *priority_string; 
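Review bot: `if (_gnutls_config_is_ktls_disabled() == false)` in the first handshake.c hunk compares a bool against `false`; the idiomatic form is `if (!_gnutls_config_is_ktls_disabled())`. The unconditional `session->internals.ktls_enabled = 0;` placed before the `#ifdef ENABLE_KTLS` block is what makes the `#else` reset in the second hunk redundant, and a one-line comment there, `/* cleared here so the non-kTLS build, the config-disabled case and a failed enable all agree */`, would stop a later reader from moving the assignment back inside the `#ifdef`. gnutls_handshake() begins and ends outside this hunk.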
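Review bot: Whether `IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)` in the second handshake.c hunk is equivalent to the removed `RECV || SEND` test depends on how the macro is written, and its definition is not in this diff: if it masks with `&`, any enabled direction still reaches `_gnutls_ktls_set_keys()`; if it compares for equality, key installation is now skipped when only one direction was enabled. Worth confirming against the macro, or keeping the explicit two-flag test, since the commit message describes only the new config switch and not a change in when keys are installed. gnutls_handshake() continues outside the hunk.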
@@ -1129,6 +1130,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
 src->default_priority_string = NULL;
 dst->allowlisting = src->allowlisting;
+ dst->ktls_disabled = src->ktls_disabled;
 memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
 memcpy(dst->macs, src->macs, sizeof(src->macs));
 memcpy(dst->groups, src->groups, sizeof(src->groups));
@@ -1254,6 +1256,16 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
 if (fail_on_invalid_config)
 return 0;
 }
+ } else if (c_strcasecmp(name, "ktls") == 0) {
+ p = clear_spaces(value, str);
+ if (c_strcasecmp(p, "false") == 0) {
+ cfg->ktls_disabled = true;
+ } else {
+ _gnutls_debug_log("cfg: unknown ktls mode %s\n",
+ p);
+ if (fail_on_invalid_config)
+ return 0;
+ }
 } else {
 _gnutls_debug_log("unknown parameter %s\n", name);
 if (fail_on_invalid_config)
@@ -3467,3 +3479,7 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
 }
 return NULL;
 }
+
+bool _gnutls_config_is_ktls_disabled(void){
+ return system_wide_config.ktls_disabled;
+}
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index 92c5b36073..b9f7a73fb5 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -57,7 +57,6 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
 void _gnutls_ktls_enable(gnutls_session_t session)
 {
 int sockin, sockout;
- session->internals.ktls_enabled = 0;
 gnutls_transport_get_int2(session, &sockin, &sockout);
 if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0) |
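Review bot: The new `ktls` key in global_ini_handler() recognises only `false`; a config that spells out the default, `ktls = true`, lands in the `unknown ktls mode` branch and, when `fail_on_invalid_config` is set, rejects the whole system configuration. Accept both spellings so the key behaves as a boolean: insert `} else if (c_strcasecmp(p, "true") == 0) {` / `cfg->ktls_disabled = false;` before the existing `} else {`. This also lets a later `ktls = true` override an earlier `ktls = false` in the same file, which the current code cannot do. global_ini_handler() begins and ends outside the hunk.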
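Review bot: `_gnutls_config_is_ktls_disabled()` is a new internal API consumed from another file (the gnutls_int.h declaration and the handshake.c call) but carries no comment, and its `(void){` brace placement is worth aligning with the rest of priority.c if that file puts function braces on their own line. A header comment such as `/* True when the system-wide config contains "ktls = false"; consulted by gnutls_handshake() before attempting kTLS. */` would record the contract. It also reads `system_wide_config` without any locking visible in the hunk; if the other readers of that object in this file take a lock first, this accessor presumably should too — confirm.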
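Review bot: With the reset removed from `_gnutls_ktls_enable()`, the function no longer leaves `session->internals.ktls_enabled` in a known state itself; it now depends on the caller (gnutls_handshake() in this commit) having cleared the field, and a future caller that forgets would presumably start from whatever flags an earlier attempt left behind. Record the precondition at the top of the function: `/* Caller must clear session->internals.ktls_enabled before calling. */`. The body of `_gnutls_ktls_enable()` continues past the end of the hunk.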