File ktls-utils-0.10+33.g311d943.obscpio of Package ktls-utils
07070100000000000041ED000000000000000000000002671A556200000000000000000000000000000000000000000000002400000000ktls-utils-0.10+33.g311d943/.github07070100000001000041ED000000000000000000000002671A556200000000000000000000000000000000000000000000002E00000000ktls-utils-0.10+33.g311d943/.github/workflows07070100000002000081A4000000000000000000000001671A5562000002C2000000000000000000000000000000000000003B00000000ktls-utils-0.10+33.g311d943/.github/workflows/makefile.ymlname: Multi-platform CI
on: [ push, pull_request, workflow_dispatch ]
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm/v6
- linux/arm/v7
- linux/arm64
steps:
- uses: actions/checkout@v4
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get -y install gnutls-dev libkeyutils-dev libnl-3-dev libnl-genl-3-dev
- name: Configure
run: |
./autogen.sh
./configure --with-systemd
- name: Build
run: make
- name: Check
run: make check
- name: Distcheck
run: make distcheck
07070100000003000081A4000000000000000000000001671A55620000011A000000000000000000000000000000000000002700000000ktls-utils-0.10+33.g311d943/.gitignore*.swp
*.o
autom4te.cache/
configure.ac~
configure
configure~
cscope.*
Makefile
Makefile.in
.deps/
aclocal.m4
compile
config.h
config.h.in
config.h.in~
config.guess
config.log
config.status
config.sub
cov-int/
depcomp
install-sh
missing
ktls-utils-*.tar.gz
ktls-utils-*.tgz
stamp-h1
07070100000004000081A4000000000000000000000001671A5562000000B8000000000000000000000000000000000000002400000000ktls-utils-0.10+33.g311d943/AUTHORSChuck Lever <chuck.lever@oracle.com>
Dr. Hannes Reinecke <hare@suse.de>
Benjamin Coddington <bcodding@redhat.com>
Olga Kornievskaia <aglo@netapp.com>
Scott Mayhew <smayhew@redhat.com>
07070100000005000081A4000000000000000000000001671A556200000D5E000000000000000000000000000000000000002C00000000ktls-utils-0.10+33.g311d943/CONTRIBUTING.md# Contributing Guidelines
Thank you for your interest in contributing to our project!
Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from
the open source community.
Please read through this document before submitting an issue or pull
request to ensure we have all the necessary information to
effectively respond to your bug report or contribution.
An old-school developer's mailing list is available. See
[lists.linux.dev](https://subspace.kernel.org/lists.linux.dev.html)
for links to subscribe to <kernel-tls-handshake@lists.linux.dev> or
to access archived threads.
## Opening issues
We welcome you to use the GitHub issue tracker to report bugs or
suggest features.
When filing an issue, please check existing open or recently closed
issues to make sure somebody else hasn't already reported the
issue. Please try to include as much information as you can.
Details like these are incredibly useful:
* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment
If you think you've found a security
vulnerability, do not raise a GitHub issue and follow the instructions in our
[security policy](./SECURITY.md).
## Contributing code
We welcome your code contributions. Before submitting code via a pull request,
you will need to have signed the [Oracle Contributor Agreement][OCA] (OCA) and
your commits need to include the following line using the name and e-mail
address you used to sign the OCA:
```text
Signed-off-by: Your Name <you@example.org>
```
This can be automatically added to pull requests by committing with `--sign-off`
or `-s`, e.g.
```text
git commit --signoff
```
Only pull requests from committers that can be verified as having signed the OCA
can be accepted.
## Pull request process
Contributions via pull requests are much appreciated.
Before sending us a pull request, please ensure that:
1. You open an issue to discuss any significant work - we would hate
for your time to be wasted.
2. You check existing open, and recently merged, pull requests to make
sure someone else hasn't addressed the problem already.
To send us a pull request, please:
1. Fork the repository.
2. Modify the source. Focus on the specific change you are
contributing. If you also reformat all the code, it will
be hard for us to review on your change.
3. Ensure local tests pass.
4. Commit to your fork using concise commit messages.
5. Send us a pull request, answering any default questions in the pull
request interface.
6. Pay attention to any automated CI failures reported in the pull
request and stay involved in the conversation.
GitHub provides additional document on
[forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
## Licensing
See the [COPYING](COPYING) file for our project's licensing. We will
ask you to confirm the licensing of your contribution.
## Code of conduct
Follow the [Golden Rule](https://en.wikipedia.org/wiki/Golden_Rule). If you'd
like more specific guidelines, see the [Contributor Covenant Code of Conduct][COC].
[OCA]: https://oca.opensource.oracle.com
[COC]: https://www.contributor-covenant.org/version/1/4/code-of-conduct/
07070100000006000081A4000000000000000000000001671A55620000464A000000000000000000000000000000000000002400000000ktls-utils-0.10+33.g311d943/COPYING GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
07070100000007000081A4000000000000000000000001671A5562000008FA000000000000000000000000000000000000002600000000ktls-utils-0.10+33.g311d943/ChangeLogChange Log - In newest-release-first order
ktls-utils 0.11 - 2024-06-05
* Add support for chained certs
* Move to-do items to the GitHub issue tracker
* Fix minor bugs
ktls-utils 0.10 - 2023-09-21
* Fix Server Name Indicator support (IP addresses)
* Add tlshd.conf option to provide specific trust chain
* Reorganize tlshd.conf
* Fix numerous bugs reported by packagers
ktls-utils 0.9 - 2023-05-01
* Cipher negotiaion now conforms with distro security policies
* Improve Server Name Indicator support
* Disable Nagle during handshakes
* Send TLS Alerts on handshake errors
ktls-utils 0.8 - 2023-04-05
* Replace the listen-based upcall mechanism with netlink
* Implement server-side handshake support
* Implement x.509 certificate verification
* Implement keyring-based exchange of authentication material
ktls-utils 0.7 - 2022-11-10
* Remove the -n command line option
* Support client-side peer authentication
* Support upcall API changes in v6.0 prototype kernel
* Add /etc/tlshd.conf with support for default cert and private key
ktls-utils 0.6 - 2022-05-27
* Update value of SOL_TLSH constant for kernel v5.18
* Fix gnutls_transport_is_ktls_enabled()
* Avoid zombie children
* Report peer certificate verification failures
* Split the debug command-line option
ktls-utils 0.5 - 2022-04-11
* Fix retrieval of TLSH_PRIORITIES
* Refactor keyring code
* Sketch in x.509 client authentication support
* Re-license request from Oracle CorpArch
* Enable thorough static code checking
* Enable compilation with older versions of GnuTLS
ktls-utils 0.4 - 2022-03-04
* Add date and time to build version strings
* Document FIPS mode in tlshd(8)
* Initial support for PSK handshakes
* Initial support for SM4_GCM and SM4_CCM ciphers
* Support SOL_TLSH socket options
ktls-utils 0.3 - 2022-02-25
* Tell server not to send New Session tickets
* Document SSLKEYLOGFILE in tlshd(8)
* Move kTLS-specific code to src/tlshd/ktls.c
* Suggested logic to distinguish between PSK and x.509
* Check for existence of keyutils.h
ktls-utils 0.2 - 2022-02-08
* Replace OpenSSL with GnuTLS
* AF_TLSH kernel API has been simplified
* Fixes to get TLS handshake working
* More syslog helpers
* Added sample systemd unit
ktls-utils 0.1 - 2021-12-13
* Initial code base
07070100000008000081A4000000000000000000000001671A556200003EBB000000000000000000000000000000000000002400000000ktls-utils-0.10+33.g311d943/INSTALLNormal instructions for building ktls-utils
*******************************************
$ ./autogen.sh
$ ./configure --with-systemd
$ make
# make install
# systemctl daemon-reload
# systemctl enable --now tlshd
Additional configuration information is provided in the generic
instructions below.
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
Basic Installation
==================
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
07070100000009000081A4000000000000000000000001671A55620000464A000000000000000000000000000000000000002800000000ktls-utils-0.10+33.g311d943/LICENSE.txt GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
0707010000000A000081A4000000000000000000000001671A556200000380000000000000000000000000000000000000002800000000ktls-utils-0.10+33.g311d943/Makefile.am#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
AUTOMAKE_OPTIONS = foreign
EXTRA_DIST = autogen.sh CONTRIBUTING.md LICENSE.txt \
README.md SECURITY.md
SUBDIRS = src systemd
MAINTAINERCLEANFILES = Makefile.in cscope.* ktls-utils*.tar.gz
0707010000000B000081A4000000000000000000000001671A556200000080000000000000000000000000000000000000002100000000ktls-utils-0.10+33.g311d943/NEWSktls-utils 0.11 - 2024-06-05
* Add support for chained certs
* Move to-do items to the GitHub issue tracker
* Fix minor bugs
0707010000000C000081A4000000000000000000000001671A55620000057A000000000000000000000000000000000000002300000000ktls-utils-0.10+33.g311d943/README# Release Notes for ktls-utils 1.0.0-pre
In-kernel TLS consumers need a mechanism to perform TLS handshakes
on a connected socket to negotiate TLS session parameters that can
then be programmed into the kernel's TLS record protocol engine.
This package of software provides a TLS handshake user agent that
listens for kernel requests and then materializes a user space
socket endpoint on which to perform these handshakes. The resulting
negotiated session parameters are passed back to the kernel via
standard kTLS socket options.
See [COPYING](COPYING) for the full text of the license under which
this package is released.
## Dependencies
* The local kernel must have net/handshake support and be built with
CONFIG_TLS enabled
* The local build environment requires GnuTLS and keyutils
## Installation
See [NEWS](NEWS) to see what has changed in the latest release,
and see [INSTALL](INSTALL) for build instructions.
## Contributing
This project welcomes contributions from the community.
Before submitting a pull request,
please [review our contribution guide](./CONTRIBUTING.md).
See the GitHub Issue Tracker to review or open to-do items.
## Security
Please consult the [security guide](./SECURITY.md) for our responsible security vulnerability disclosure process
## License
Copyright (c) 2023 Oracle and/or its affiliates.
Released under the GNU GENERAL PUBLIC LICENSE version 2
0707010000000D000081A4000000000000000000000001671A55620000057A000000000000000000000000000000000000002600000000ktls-utils-0.10+33.g311d943/README.md# Release Notes for ktls-utils 1.0.0-pre
In-kernel TLS consumers need a mechanism to perform TLS handshakes
on a connected socket to negotiate TLS session parameters that can
then be programmed into the kernel's TLS record protocol engine.
This package of software provides a TLS handshake user agent that
listens for kernel requests and then materializes a user space
socket endpoint on which to perform these handshakes. The resulting
negotiated session parameters are passed back to the kernel via
standard kTLS socket options.
See [COPYING](COPYING) for the full text of the license under which
this package is released.
## Dependencies
* The local kernel must have net/handshake support and be built with
CONFIG_TLS enabled
* The local build environment requires GnuTLS and keyutils
## Installation
See [NEWS](NEWS) to see what has changed in the latest release,
and see [INSTALL](INSTALL) for build instructions.
## Contributing
This project welcomes contributions from the community.
Before submitting a pull request,
please [review our contribution guide](./CONTRIBUTING.md).
See the GitHub Issue Tracker to review or open to-do items.
## Security
Please consult the [security guide](./SECURITY.md) for our responsible security vulnerability disclosure process
## License
Copyright (c) 2023 Oracle and/or its affiliates.
Released under the GNU GENERAL PUBLIC LICENSE version 2
0707010000000E000081A4000000000000000000000001671A5562000006C9000000000000000000000000000000000000002800000000ktls-utils-0.10+33.g311d943/SECURITY.md# Reporting security vulnerabilities
Oracle values the independent security research community and believes that
responsible disclosure of security vulnerabilities helps us ensure the security
and privacy of all our users.
Please do NOT raise a GitHub Issue to report a security vulnerability. If you
believe you have found a security vulnerability, please submit a report to
[secalert_us@oracle.com][1] preferably with a proof of concept. Please review
some additional information on [how to report security vulnerabilities to Oracle][2].
We encourage people who contact Oracle Security to use email encryption using
[our encryption key][3].
We ask that you do not use other channels or contact the project maintainers
directly.
Non-vulnerability related security issues including ideas for new or improved
security features are welcome on GitHub Issues.
## Security updates, alerts and bulletins
Security updates will be released on a regular cadence. Many of our projects
will typically release security fixes in conjunction with the
Oracle Critical Patch Update program. Additional
information, including past advisories, is available on our [security alerts][4]
page.
## Security-related information
We will provide security related information such as a threat model, considerations
for secure use, or any known security issues in our documentation. Please note
that labs and sample code are intended to demonstrate a concept and may not be
sufficiently hardened for production use.
[1]: mailto:secalert_us@oracle.com
[2]: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html
[3]: https://www.oracle.com/security-alerts/encryptionkey.html
[4]: https://www.oracle.com/security-alerts/
0707010000000F000081A4000000000000000000000001671A5562000067A2000000000000000000000000000000000000003100000000ktls-utils-0.10+33.g311d943/THIRD_PARTY_LICENSES GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts
as the successor of the GNU Library Public License, version 2, hence
the version number 2.1.]
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it. You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use,
not price. Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.
To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights. These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you. You must make sure that they, too, receive or can get the source
code. If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that
there is no warranty for the free library. Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.
Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder. Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License. This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License. We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.
When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library. The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom. The Lesser General
Public License permits more lax criteria for linking other code with
the library.
We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License. It also provides other free software developers Less
of an advantage over competing non-free programs. These disadvantages
are the reason we use the ordinary General Public License for many
libraries. However, the Lesser license provides advantages in certain
special circumstances.
For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard. To achieve this, non-free programs must be
allowed to use the library. A more frequent case is that a free
library does the same job as widely used non-free libraries. In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software. For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.
Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and
modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work
which has been distributed under these terms. A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language. (Hereinafter, translation is
included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for
making modifications to it. For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.
You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices
stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no
charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a
table of data to be supplied by an application program that uses
the facility, other than as an argument passed when the facility
is invoked, then you must make a good faith effort to ensure that,
in the event an application does not supply such function or
table, the facility still operates, and performs whatever part of
its purpose remains meaningful.
(For example, a function in a library to compute square roots has
a purpose that is entirely well-defined independent of the
application. Therefore, Subsection 2d requires that any
application-supplied function or table used by this function must
be optional: if the application does not supply it, the square
root function must still compute square roots.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.
In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library. To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.
Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.
If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library. The
threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work. (Executables containing this object code plus portions of the
Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License. You must supply a copy of this License. If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License. Also, you must do one
of these things:
a) Accompany the work with the complete corresponding
machine-readable source code for the Library including whatever
changes were used in the work (which must be distributed under
Sections 1 and 2 above); and, if the work is an executable linked
with the Library, with the complete machine-readable "work that
uses the Library", as object code and/or source code, so that the
user can modify the Library and then relink to produce a modified
executable containing the modified Library. (It is understood
that the user who changes the contents of definitions files in the
Library will not necessarily be able to recompile the application
to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (1) uses at run time a
copy of the library already present on the user's computer system,
rather than copying library functions into the executable, and (2)
will operate properly with a modified version of the library, if
the user installs one, as long as the modified version is
interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at
least three years, to give the same user the materials
specified in Subsection 6a, above, for a charge no more
than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy
from a designated place, offer equivalent access to copy the above
specified materials from the same place.
e) Verify that the user has already received a copy of these
materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it. However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.
It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.
7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work
based on the Library, uncombined with any other library
facilities. This must be distributed under the terms of the
Sections above.
b) Give prominent notice with the combined library of the fact
that part of it is a work based on the Library, and explaining
where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Library or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.
11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all. For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if
written in the body of this License.
13. The Free Software Foundation may publish revised and/or new
versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this. Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change. You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).
To apply these terms, attach the following notices to the library. It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.
<one line to give the library's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Also add information on how to contact you by electronic and paper mail.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the
library `Frob' (a library for tweaking knobs) written by James Random Hacker.
<signature of Ty Coon>, 1 April 1990
Ty Coon, President of Vice
That's all there is to it!
07070100000010000081ED000000000000000000000001671A556200000407000000000000000000000000000000000000002700000000ktls-utils-0.10+33.g311d943/autogen.sh#!/bin/sh -e
#
# Reset the state of the autotools infrastructure
#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
GEN="compile config.guess config.sub depcomp install-sh \
missing aclocal.m4 configure config.h.in \
autom4te.cache"
for FILE in $GEN
do
rm -rf $FILE
done
rm -f ktls-utils*.tar.gz
aclocal
autoheader
automake --add-missing --copy --gnu
autoconf
exit 0
07070100000011000081A4000000000000000000000001671A556200000BFF000000000000000000000000000000000000002900000000ktls-utils-0.10+33.g311d943/configure.acdnl Process this file with autoconf to produce a configure script.
dnl
dnl Copyright (c) 2022 Oracle and/or its affiliates.
dnl
dnl ktls-utils is free software; you can redistribute it and/or
dnl modify it under the terms of the GNU General Public License as
dnl published by the Free Software Foundation; version 2.
dnl
dnl This program is distributed in the hope that it will be useful,
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
dnl General Public License for more details.
dnl
dnl You should have received a copy of the GNU General Public License
dnl along with this program; if not, write to the Free Software
dnl Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
dnl 02110-1301, USA.
dnl
AC_PREREQ([2.69])
AC_INIT([ktls-utils],[1.0.0-pre],[kernel-tls-handshake@lists.linux.dev])
AM_INIT_AUTOMAKE
AM_SILENT_RULES([yes])
AC_CONFIG_SRCDIR([config.h.in])
AC_CONFIG_HEADERS([config.h])
AC_PREFIX_DEFAULT(/usr)
AC_USE_SYSTEM_EXTENSIONS
AC_LANG(C)
AC_PROG_CC
AC_PROG_INSTALL
unitdir=/usr/lib/systemd/system
AC_ARG_WITH(systemd,
[AS_HELP_STRING([--with-systemd@<:@=unit-dir-path@:>@],
[install systemd unit files @<:@Default: no, and path defaults to /usr/lib/systemd/system if not given@:>@])],
if test "$withval" != "no" ; then
use_systemd=1
if test "$withval" != "yes" ; then
unitdir=$withval
fi
else
use_systemd=0
fi
)
AM_CONDITIONAL(INSTALL_SYSTEMD, [test "$use_systemd" = 1])
AC_SUBST(unitdir)
PKG_PROG_PKG_CONFIG([0.9.0])
PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
AC_SUBST([LIBGNUTLS_CFLAGS])
AC_SUBST([LIBGNUTLS_LIBS])
PKG_CHECK_MODULES([LIBKEYUTILS], [libkeyutils])
AC_SUBST([LIBKEYUTILS_CFLAGS])
AC_SUBST([LIBKEYUTILS_LIBS])
PKG_CHECK_MODULES([GLIB], glib-2.0 >= 2.6)
AC_SUBST([GLIB_CFLAGS])
AC_SUBST([GLIB_LIBS])
PKG_CHECK_MODULES([LIBNL3], libnl-3.0 >= 3.1)
AC_SUBST([LIBNL3_CFLAGS])
AC_SUBST([LIBNL3_LIBS])
PKG_CHECK_MODULES([LIBNL_GENL3], libnl-genl-3.0 >= 3.1)
AC_SUBST([LIBNL_GENL3_CFLAGS])
AC_SUBST([LIBNL_GENL3_LIBS])
AC_CHECK_FILE([/usr/include/linux/quic.h],
[AC_CHECK_LIB([gnutls], [gnutls_handshake_set_secret_function],
[AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [Define to 1 if QUIC is found.])])])
AC_CHECK_LIB([gnutls], [gnutls_transport_is_ktls_enabled],
[AC_DEFINE([HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED], [1],
[Define to 1 if you have the gnutls_transport_is_ktls_enabled function.])])
AC_CHECK_LIB([gnutls], [gnutls_protocol_set_enabled],
[AC_DEFINE([HAVE_GNUTLS_PROTOCOL_SET_ENABLED], [1],
[Define to 1 if you have the gnutls_protocol_set_enabled function.])])
AC_CHECK_LIB([gnutls], [gnutls_get_system_config_file],
[AC_DEFINE([HAVE_GNUTLS_GET_SYSTEM_CONFIG_FILE], [1],
[Define to 1 if you have the gnutls_get_system_config_file function.])])
AC_SUBST([AM_CPPFLAGS])
AC_CONFIG_FILES([Makefile src/Makefile src/tlshd/Makefile systemd/Makefile])
AC_OUTPUT
07070100000012000041ED000000000000000000000002671A556200000000000000000000000000000000000000000000002000000000ktls-utils-0.10+33.g311d943/src07070100000013000081A4000000000000000000000001671A5562000002F0000000000000000000000000000000000000002C00000000ktls-utils-0.10+33.g311d943/src/Makefile.am#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
SUBDIRS = tlshd
MAINTAINERCLEANFILES = Makefile.in
07070100000014000041ED000000000000000000000002671A556200000000000000000000000000000000000000000000002600000000ktls-utils-0.10+33.g311d943/src/tlshd07070100000015000081A4000000000000000000000001671A556200000006000000000000000000000000000000000000003100000000ktls-utils-0.10+33.g311d943/src/tlshd/.gitignoretlshd
07070100000016000081A4000000000000000000000001671A5562000004FD000000000000000000000000000000000000003200000000ktls-utils-0.10+33.g311d943/src/tlshd/Makefile.am#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
dist_sysconf_DATA = tlshd.conf
man5_MANS = tlshd.conf.man
man8_MANS = tlshd.man
EXTRA_DIST = $(man5_MANS) $(man8_MANS)
sbin_PROGRAMS = tlshd
tlshd_CFLAGS = -Werror -Wall -Wextra $(LIBGNUTLS_CFLAGS) \
$(LIBKEYUTILS_CFLAGS) $(GLIB_CFLAGS) $(LIBNL3_CFLAGS) \
$(LIBNL_GENL3_CFLAGS)
tlshd_SOURCES = client.c config.c handshake.c keyring.c ktls.c log.c \
main.c netlink.c netlink.h server.c tlshd.h quic.c
tlshd_LDADD = $(LIBGNUTLS_LIBS) $(LIBKEYUTILS_LIBS) $(GLIB_LIBS) \
$(LIBNL3_LIBS) $(LIBNL_GENL3_LIBS)
MAINTAINERCLEANFILES = Makefile.in cscope.out
07070100000017000081A4000000000000000000000001671A55620000421E000000000000000000000000000000000000002F00000000ktls-utils-0.10+33.g311d943/src/tlshd/client.c/*
* Perform a TLSv1.3 handshake.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
* Copyright (c) 2022 SUSE LLC.
* Copyright (c) 2024 Red Hat, Inc.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>
#include <linux/tls.h>
#include <glib.h>
#include "tlshd.h"
#include "netlink.h"
static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
unsigned int flags;
char *cafile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return;
}
/*
* Don't reject self-signed server certificates.
*/
gnutls_certificate_set_verify_flags(xcred,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
gnutls_certificate_set_flags(xcred,
GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
if (tlshd_config_get_client_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_transport_set_int(session, parms->sockfd);
gnutls_server_name_set(session, GNUTLS_NAME_DNS,
parms->peername, strlen(parms->peername));
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = gnutls_set_default_priority(session);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
ret = tlshd_gnutls_priority_set(session, parms, 0);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_session_set_verify_cert(session, parms->peername, 0);
tlshd_start_tls_handshake(session, parms);
gnutls_deinit(session);
out_free_creds:
gnutls_certificate_free_credentials(xcred);
}
static gnutls_privkey_t tlshd_privkey;
static unsigned int tlshd_certs_len = TLSHD_MAX_CERTS;
static gnutls_pcert_st tlshd_certs[TLSHD_MAX_CERTS];
/*
* XXX: After this point, tlshd_certs should be deinited on error.
*/
static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms)
{
if (parms->x509_cert != TLS_NO_CERT)
return tlshd_keyring_get_certs(parms->x509_cert, tlshd_certs,
&tlshd_certs_len);
return tlshd_config_get_client_certs(tlshd_certs, &tlshd_certs_len);
}
/*
* XXX: After this point, tlshd_privkey should be deinited on error.
*/
static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms)
{
if (parms->x509_privkey != TLS_NO_PRIVKEY)
return tlshd_keyring_get_privkey(parms->x509_privkey,
&tlshd_privkey);
return tlshd_config_get_client_privkey(&tlshd_privkey);
}
static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
{
char issuer_dn[256];
size_t len;
int i, ret;
if (nreqs < 1)
return;
tlshd_log_debug("Server's trusted authorities:");
for (i = 0; i < nreqs; i++) {
len = sizeof(issuer_dn);
ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len);
if (ret >= 0)
tlshd_log_debug(" [%d]: %s", i, issuer_dn);
}
}
/**
* tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity
*
* Callback function is of type gnutls_certificate_retrieve_function2
*
* Initial implementation based on the cert_callback() function in
* gnutls/doc/examples/ex-cert-select.c.
*
* Sketched-in and untested.
*
* Return values:
* %0: Success; output parameters are set accordingly
* %-1: Failure
*/
static int
tlshd_x509_retrieve_key_cb(gnutls_session_t session,
const gnutls_datum_t *req_ca_rdn, int nreqs,
__attribute__ ((unused)) const gnutls_pk_algorithm_t *pk_algos,
__attribute__ ((unused)) int pk_algos_length,
gnutls_pcert_st **pcert,
unsigned int *pcert_length,
gnutls_privkey_t *privkey)
{
gnutls_certificate_type_t type;
tlshd_x509_log_issuers(req_ca_rdn, nreqs);
type = gnutls_certificate_type_get(session);
if (type != GNUTLS_CRT_X509)
return -1;
*pcert_length = tlshd_certs_len;
*pcert = tlshd_certs;
*privkey = tlshd_privkey;
return 0;
}
/**
* tlshd_client_x509_verify_function - Verify remote's x.509 certificate
* @session: session in the midst of a handshake
* @parms: handshake parameters
*
* Return values:
* %GNUTLS_E_SUCCESS: Incoming certificate has been successfully verified
* %GNUTLS_E_CERTIFICATE_ERROR: certificate verification failed
*/
static int tlshd_client_x509_verify_function(gnutls_session_t session,
struct tlshd_handshake_parms *parms)
{
const gnutls_datum_t *peercerts;
gnutls_certificate_type_t type;
unsigned int i, status;
gnutls_datum_t out;
int ret;
ret = gnutls_certificate_verify_peers3(session, parms->peername,
&status);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return GNUTLS_E_CERTIFICATE_ERROR;
}
type = gnutls_certificate_type_get(session);
gnutls_certificate_verification_status_print(status, type, &out, 0);
tlshd_log_debug("%s", out.data);
gnutls_free(out.data);
if (status)
return GNUTLS_E_CERTIFICATE_ERROR;
/* To do: Examine extended key usage information here, if we want
* to get picky. Kernel would have to tell us what to look for
* via a netlink attribute. */
peercerts = gnutls_certificate_get_peers(session,
&parms->num_remote_peerids);
if (!peercerts || parms->num_remote_peerids == 0) {
tlshd_log_debug("The peer cert list is empty.\n");
return GNUTLS_E_CERTIFICATE_ERROR;
}
tlshd_log_debug("The peer offered %u certificate(s).\n",
parms->num_remote_peerids);
if (parms->num_remote_peerids > ARRAY_SIZE(parms->remote_peerid))
parms->num_remote_peerids = ARRAY_SIZE(parms->remote_peerid);
for (i = 0; i < parms->num_remote_peerids; i++) {
gnutls_x509_crt_t cert;
gnutls_x509_crt_init(&cert);
ret = gnutls_x509_crt_import(cert, &peercerts[i],
GNUTLS_X509_FMT_DER);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
gnutls_x509_crt_deinit(cert);
return GNUTLS_E_CERTIFICATE_ERROR;
}
parms->remote_peerid[i] =
tlshd_keyring_create_cert(cert, parms->peername);
gnutls_x509_crt_deinit(cert);
}
return GNUTLS_E_SUCCESS;
}
static int tlshd_tls13_client_x509_verify_function(gnutls_session_t session)
{
struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
return tlshd_client_x509_verify_function(session, parms);
}
static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
unsigned int flags;
char *cafile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return;
}
if (tlshd_config_get_client_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
if (!tlshd_x509_client_get_privkey(parms))
goto out_free_creds;
gnutls_certificate_set_retrieve_function2(xcred,
tlshd_x509_retrieve_key_cb);
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_transport_set_int(session, parms->sockfd);
gnutls_session_set_ptr(session, parms);
ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,
parms->peername, strlen(parms->peername));
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
ret = tlshd_gnutls_priority_set(session, parms, 0);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_certificate_set_verify_function(xcred,
tlshd_tls13_client_x509_verify_function);
tlshd_start_tls_handshake(session, parms);
gnutls_deinit(session);
out_free_creds:
gnutls_certificate_free_credentials(xcred);
}
static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *parms,
key_serial_t peerid)
{
gnutls_psk_client_credentials_t psk_cred;
gnutls_session_t session;
gnutls_datum_t key;
unsigned int flags;
char *identity;
int ret;
if (!tlshd_keyring_get_psk_username(peerid, &identity)) {
tlshd_log_error("Failed to get key identity");
return;
}
if (!tlshd_keyring_get_psk_key(peerid, &key)) {
tlshd_log_error("Failed to read key");
free(identity);
return;
}
ret = gnutls_psk_allocate_client_credentials(&psk_cred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
free(identity);
return;
}
ret = gnutls_psk_set_client_credentials(psk_cred, identity, &key,
GNUTLS_PSK_KEY_RAW);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_transport_set_int(session, parms->sockfd);
gnutls_session_set_ptr(session, parms);
gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
ret = tlshd_gnutls_priority_set(session, parms, key.size);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_log_debug("start ClientHello handshake");
tlshd_start_tls_handshake(session, parms);
if (!parms->session_status) {
/* PSK uses the same identity for both client and server */
parms->num_remote_peerids = 1;
parms->remote_peerid[0] = peerid;
}
gnutls_deinit(session);
out_free_creds:
gnutls_psk_free_client_credentials(psk_cred);
free(identity);
}
static void tlshd_tls13_client_psk_handshake(struct tlshd_handshake_parms *parms)
{
unsigned int i;
if (!parms->peerids) {
tlshd_log_error("No key identities");
return;
}
/*
* GnuTLS does not yet support multiple offered PskIdentities.
* Retry ClientHello with each identity on the kernel's list.
*/
for (i = 0; i < parms->num_peerids; i++) {
tlshd_tls13_client_psk_handshake_one(parms, parms->peerids[i]);
if (parms->session_status != EACCES)
break;
}
}
/**
* tlshd_tls13_clienthello_handshake - send a TLSv1.3 ClientHello
* @parms: handshake parameters
*
*/
void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_UNAUTH:
tlshd_tls13_client_anon_handshake(parms);
break;
case HANDSHAKE_AUTH_X509:
tlshd_tls13_client_x509_handshake(parms);
break;
case HANDSHAKE_AUTH_PSK:
tlshd_tls13_client_psk_handshake(parms);
break;
default:
tlshd_log_debug("Unrecognized auth mode (%d)",
parms->auth_mode);
}
}
#ifdef HAVE_GNUTLS_QUIC
static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
return tlshd_client_x509_verify_function(session, conn->parms);
}
#define TLSHD_QUIC_NO_CERT_AUTH 3
static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_session_t session;
int ret = -EINVAL;
char *cafile;
if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
tlshd_log_error("cert/privkey get error %d", -ret);
return ret;
}
}
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
if (tlshd_config_get_client_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(cred, cafile, GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(cred);
if (ret < 0)
goto err_cred;
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
if (conn->cert_req == TLSHD_QUIC_NO_CERT_AUTH) {
gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 |
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
gnutls_certificate_set_flags(cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH |
GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
} else {
gnutls_certificate_set_verify_function(cred,
tlshd_quic_client_x509_verify_function);
gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
}
ret = gnutls_init(&session, GNUTLS_CLIENT |
GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA);
if (ret)
goto err_cred;
gnutls_session_set_ptr(session, conn);
if (conn->ticket_len) {
ret = gnutls_session_set_data(session, conn->ticket, conn->ticket_len);
if (ret)
goto err_session;
}
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
if (ret)
goto err_session;
if (parms->peername) {
ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,
parms->peername, strlen(parms->peername));
if (ret)
goto err_session;
}
conn->session = session;
return 0;
err_session:
gnutls_deinit(session);
err_cred:
gnutls_certificate_free_credentials(cred);
err:
tlshd_log_gnutls_error(ret);
return ret;
}
static int tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
{
conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH;
return tlshd_quic_client_set_x509_session(conn);
}
static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
{
key_serial_t peerid = conn->parms->peerids[0];
gnutls_psk_client_credentials_t cred;
gnutls_session_t session;
char *identity = NULL;
gnutls_datum_t key;
int ret = -EINVAL;
if (!tlshd_keyring_get_psk_username(peerid, &identity) ||
!tlshd_keyring_get_psk_key(peerid, &key)) {
free(identity);
tlshd_log_error("identity/key get error %d", -ret);
return ret;
}
ret = gnutls_psk_allocate_client_credentials(&cred);
if (ret)
goto err;
ret = gnutls_psk_set_client_credentials(cred, identity, &key, GNUTLS_PSK_KEY_RAW);
if (ret)
goto err_cred;
ret = gnutls_init(&session, GNUTLS_CLIENT);
if (ret)
goto err_cred;
gnutls_session_set_ptr(session, conn);
ret = gnutls_credentials_set(session, GNUTLS_CRD_PSK, cred);
if (ret)
goto err_session;
conn->session = session;
return 0;
err_session:
gnutls_deinit(session);
err_cred:
gnutls_psk_free_client_credentials(cred);
err:
free(identity);
tlshd_log_gnutls_error(ret);
return ret;
}
/**
* tlshd_quic_clienthello_handshake - send a QUIC Client Initial
* @parms: handshake parameters
*
*/
void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
struct tlshd_quic_conn *conn;
int ret;
ret = tlshd_quic_conn_create(&conn, parms);
if (ret) {
parms->session_status = -ret;
return gnutls_global_deinit();
}
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_UNAUTH:
ret = tlshd_quic_client_set_anon_session(conn);
break;
case HANDSHAKE_AUTH_X509:
ret = tlshd_quic_client_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
ret = tlshd_quic_client_set_psk_session(conn);
break;
default:
ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
if (ret) {
conn->errcode = -ret;
goto out;
}
tlshd_quic_start_handshake(conn);
out:
parms->session_status = conn->errcode;
tlshd_quic_conn_destroy(conn);
}
#else
void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode);
parms->session_status = EOPNOTSUPP;
}
#endif
07070100000018000081A4000000000000000000000001671A556200002C25000000000000000000000000000000000000002F00000000ktls-utils-0.10+33.g311d943/src/tlshd/config.c/*
* Parse tlshd's config file.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <libgen.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <netlink/netlink.h>
#include <glib.h>
#include "tlshd.h"
static GKeyFile *tlshd_configuration;
/**
* tlshd_config_init - Read tlshd's config file
* @pathname: Pathname to config file
*
* Return values:
* %true: Config file read successfully
* %false: Unable to read config file
*/
bool tlshd_config_init(const gchar *pathname)
{
gchar **keyrings;
gsize i, length;
GError *error;
gint tmp;
tlshd_configuration = g_key_file_new();
error = NULL;
if (!g_key_file_load_from_file(tlshd_configuration, pathname,
G_KEY_FILE_KEEP_COMMENTS,
&error)) {
tlshd_log_gerror("Failed to load config file", error);
g_error_free(error);
return false;
}
/*
* These calls return zero if the key isn't present or the
* specified key value is invalid.
*/
tlshd_debug = g_key_file_get_integer(tlshd_configuration, "debug",
"loglevel", NULL);
tlshd_tls_debug = g_key_file_get_integer(tlshd_configuration,
"debug", "tls", NULL);
nl_debug = g_key_file_get_integer(tlshd_configuration, "debug",
"nl", NULL);
tmp = g_key_file_get_integer(tlshd_configuration, "debug",
"delay_done", NULL);
tlshd_delay_done = tmp > 0 ? tmp : 0;
keyrings = g_key_file_get_string_list(tlshd_configuration,
"authenticate",
"keyrings", &length, NULL);
if (keyrings) {
for (i = 0; i < length; i++) {
if (!strcmp(keyrings[i], ".nvme"))
continue;
tlshd_keyring_link_session(keyrings[i]);
}
g_strfreev(keyrings);
}
/*
* Always link the default nvme subsystem keyring into the
* session.
*/
tlshd_keyring_link_session(".nvme");
return true;
}
void tlshd_config_shutdown(void)
{
g_key_file_free(tlshd_configuration);
}
/*
* Expected file attributes
*/
#define TLSHD_OWNER 0 /* root */
#define TLSHD_CERT_MODE (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)
#define TLSHD_PRIVKEY_MODE (S_IRUSR|S_IWUSR)
/*
* On success, caller must release buffer returned in @data by calling free(3)
*/
static bool tlshd_config_read_datum(const char *pathname, gnutls_datum_t *data,
uid_t owner, mode_t mode)
{
struct stat statbuf;
unsigned int size;
void *buf;
bool ret;
int fd;
ret = false;
fd = open(pathname, O_RDONLY);
if (fd == -1) {
tlshd_log_perror("open");
goto out;
}
if (fstat(fd, &statbuf)) {
tlshd_log_perror("stat");
goto out_close;
}
if (statbuf.st_size < 0 || statbuf.st_size > INT_MAX) {
tlshd_log_error("Bad config file size: %lld", statbuf.st_size);
goto out_close;
}
size = (unsigned int)statbuf.st_size;
if (statbuf.st_uid != owner)
tlshd_log_notice("File %s: expected owner %u",
pathname, owner);
if ((statbuf.st_mode & ALLPERMS) != mode)
tlshd_log_notice("File %s: expected mode %o",
pathname, mode);
buf = malloc(size);
if (!buf) {
errno = ENOMEM;
tlshd_log_perror("malloc");
goto out_close;
}
if (read(fd, buf, size) == -1) {
tlshd_log_perror("read");
free(buf);
goto out_close;
}
data->data = buf;
data->size = size;
ret = true;
out_close:
close(fd);
out:
return ret;
}
/**
* tlshd_config_get_client_truststore - Get truststore for ClientHello from .conf
* @bundle: OUT: pathname to truststore
*
* Return values:
* %false: pathname not retrieved
* %true: pathname retrieved successfully; caller must free @bundle using free(3)
*/
bool tlshd_config_get_client_truststore(char **bundle)
{
GError *error = NULL;
gchar *pathname;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
"x509.truststore", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("client x509.truststore pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
*bundle = strdup(pathname);
g_free(pathname);
if (!*bundle)
return false;
tlshd_log_debug("Client x.509 truststore is %s", *bundle);
return true;
}
/**
* tlshd_config_get_client_certs - Get certs for ClientHello from .conf
* @certs: OUT: in-memory certificates
* @certs_len: IN: maximum number of certs to get, OUT: number of certs found
*
* Return values:
* %true: certificate retrieved successfully
* %false: certificate not retrieved
*/
bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len)
{
GError *error = NULL;
gnutls_datum_t data;
gchar *pathname;
int ret;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
"x509.certificate", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("client x509.certificate pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
TLSHD_CERT_MODE)) {
g_free(pathname);
return false;
}
/* Config file supports only PEM-encoded certificates */
ret = gnutls_pcert_list_import_x509_raw(certs, certs_len, &data,
GNUTLS_X509_FMT_PEM, 0);
free(data.data);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
g_free(pathname);
return false;
}
tlshd_log_debug("Retrieved %u x.509 client certificate(s) from %s",
*certs_len, pathname);
g_free(pathname);
return true;
}
/**
* tlshd_config_get_client_privkey - Get private key for ClientHello from .conf
* @privkey: OUT: in-memory private key
*
* Return values:
* %true: private key retrieved successfully
* %false: private key not retrieved
*/
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey)
{
GError *error = NULL;
gnutls_datum_t data;
gchar *pathname;
int ret;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
"x509.private_key", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("client x509.private_key pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
TLSHD_PRIVKEY_MODE)) {
g_free(pathname);
return false;
}
ret = gnutls_privkey_init(privkey);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
free(data.data);
g_free(pathname);
return false;
}
/* Config file supports only PEM-encoded keys */
ret = gnutls_privkey_import_x509_raw(*privkey, &data,
GNUTLS_X509_FMT_PEM, NULL, 0);
free(data.data);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
g_free(pathname);
return false;
}
tlshd_log_debug("Retrieved private key from %s", pathname);
g_free(pathname);
return true;
}
/**
* tlshd_config_get_server_truststore - Get truststore for ServerHello from .conf
* @bundle: OUT: pathname to truststore
*
* Return values:
* %false: pathname not retrieved
* %true: pathname retrieved successfully; caller must free @bundle using free(3)
*/
bool tlshd_config_get_server_truststore(char **bundle)
{
GError *error = NULL;
gchar *pathname;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
"x509.truststore", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("server x509.truststore pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
*bundle = strdup(pathname);
g_free(pathname);
if (!*bundle)
return false;
tlshd_log_debug("Server x.509 truststore is %s", *bundle);
return true;
}
/**
* tlshd_config_get_server_certs - Get certs for ServerHello from .conf
* @certs: OUT: in-memory certificates
* @certs_len: IN: maximum number of certs to get, OUT: number of certs found
*
* Return values:
* %true: certificate retrieved successfully
* %false: certificate not retrieved
*/
bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
unsigned int *certs_len)
{
GError *error = NULL;
gnutls_datum_t data;
gchar *pathname;
int ret;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
"x509.certificate", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("server x509.certificate pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
TLSHD_CERT_MODE)) {
g_free(pathname);
return false;
}
/* Config file supports only PEM-encoded certificates */
ret = gnutls_pcert_list_import_x509_raw(certs, certs_len, &data,
GNUTLS_X509_FMT_PEM, 0);
free(data.data);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
g_free(pathname);
return false;
}
tlshd_log_debug("Retrieved %u x.509 server certificate(s) from %s",
*certs_len, pathname);
g_free(pathname);
return true;
}
/**
* tlshd_config_get_server_privkey - Get private key for ServerHello from .conf
* @privkey: OUT: in-memory private key
*
* Return values:
* %true: private key retrieved successfully
* %false: private key not retrieved
*/
bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey)
{
GError *error = NULL;
gnutls_datum_t data;
gchar *pathname;
int ret;
pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
"x509.private_key", &error);
if (!pathname) {
g_error_free(error);
return false;
} else if (access(pathname, F_OK)) {
tlshd_log_debug("server x509.privkey pathname \"%s\" is not accessible", pathname);
g_free(pathname);
return false;
}
if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
TLSHD_PRIVKEY_MODE)) {
g_free(pathname);
return false;
}
ret = gnutls_privkey_init(privkey);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
free(data.data);
g_free(pathname);
return false;
}
/* Config file supports only PEM-encoded keys */
ret = gnutls_privkey_import_x509_raw(*privkey, &data,
GNUTLS_X509_FMT_PEM, NULL, 0);
free(data.data);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
g_free(pathname);
return false;
}
tlshd_log_debug("Retrieved private key from %s", pathname);
g_free(pathname);
return true;
}
07070100000019000081A4000000000000000000000001671A55620000117F000000000000000000000000000000000000003200000000ktls-utils-0.10+33.g311d943/src/tlshd/handshake.c/*
* Service a request for a TLS handshake on behalf of an
* in-kernel TLS consumer.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <glib.h>
#include "tlshd.h"
#include "netlink.h"
static void tlshd_set_nagle(gnutls_session_t session, int val)
{
int ret;
ret = setsockopt(gnutls_transport_get_int(session),
IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));
if (ret < 0)
tlshd_log_perror("setsockopt (NODELAY)");
}
static void tlshd_save_nagle(gnutls_session_t session, int *saved)
{
socklen_t len;
int ret;
len = sizeof(*saved);
ret = getsockopt(gnutls_transport_get_int(session),
IPPROTO_TCP, TCP_NODELAY, saved, &len);
if (ret < 0) {
tlshd_log_perror("getsockopt (NODELAY)");
saved = 0;
return;
}
tlshd_set_nagle(session, 1);
}
/**
* tlshd_start_tls_handshake - Drive the handshake interaction
* @session: TLS session to initialize
* @parms: handshake parameters
*
*/
void tlshd_start_tls_handshake(gnutls_session_t session,
struct tlshd_handshake_parms *parms)
{
int saved, ret;
char *desc;
gnutls_handshake_set_timeout(session, parms->timeout_ms);
tlshd_save_nagle(session, &saved);
do {
ret = gnutls_handshake(session);
} while (ret < 0 && !gnutls_error_is_fatal(ret));
tlshd_set_nagle(session, saved);
if (ret < 0) {
switch (ret) {
case GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR:
tlshd_log_cert_verification_error(session);
break;
default:
tlshd_log_gnutls_error(ret);
}
parms->session_status = EACCES;
return;
}
desc = gnutls_session_get_desc(session);
tlshd_log_debug("Session description: %s", desc);
gnutls_free(desc);
parms->session_status = tlshd_initialize_ktls(session);
}
/**
* tlshd_service_socket - Service a kernel socket needing a key operation
*
*/
void tlshd_service_socket(void)
{
struct tlshd_handshake_parms parms;
int ret;
if (tlshd_genl_get_handshake_parms(&parms) != 0)
goto out;
ret = gnutls_global_init();
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out;
}
if (tlshd_tls_debug)
gnutls_global_set_log_level(tlshd_tls_debug);
gnutls_global_set_log_function(tlshd_gnutls_log_func);
gnutls_global_set_audit_log_function(tlshd_gnutls_audit_func);
#ifdef HAVE_GNUTLS_GET_SYSTEM_CONFIG_FILE
tlshd_log_debug("System config file: %s",
gnutls_get_system_config_file());
#endif
switch (parms.handshake_type) {
case HANDSHAKE_MSG_TYPE_CLIENTHELLO:
switch (parms.ip_proto) {
case IPPROTO_TCP:
tlshd_tls13_clienthello_handshake(&parms);
break;
#ifdef HAVE_GNUTLS_QUIC
case IPPROTO_QUIC:
tlshd_quic_clienthello_handshake(&parms);
break;
#endif
default:
tlshd_log_debug("Unsupported ip_proto (%d)", parms.ip_proto);
parms.session_status = EOPNOTSUPP;
}
break;
case HANDSHAKE_MSG_TYPE_SERVERHELLO:
switch (parms.ip_proto) {
case IPPROTO_TCP:
tlshd_tls13_serverhello_handshake(&parms);
break;
#ifdef HAVE_GNUTLS_QUIC
case IPPROTO_QUIC:
tlshd_quic_serverhello_handshake(&parms);
break;
#endif
default:
tlshd_log_debug("Unsupported ip_proto (%d)", parms.ip_proto);
parms.session_status = EOPNOTSUPP;
}
break;
default:
tlshd_log_debug("Unrecognized handshake type (%d)",
parms.handshake_type);
}
gnutls_global_deinit();
out:
tlshd_genl_done(&parms);
free(parms.peerids);
if (parms.session_status) {
tlshd_log_failure(parms.peername, parms.peeraddr,
parms.peeraddr_len);
return;
}
tlshd_log_success(parms.peername, parms.peeraddr, parms.peeraddr_len);
}
0707010000001A000081A4000000000000000000000001671A556200001B75000000000000000000000000000000000000003000000000ktls-utils-0.10+33.g311d943/src/tlshd/keyring.c/*
* Scrape authentication information from kernel keyring.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <glib.h>
#include "tlshd.h"
/**
* tlshd_keyring_get_psk_username - Retrieve username for PSK handshake
* @serial: Key serial number to look up
* @username: On success, filled in with NUL-terminated user name
*
* Caller must use gnutls_free() to free @username when finished.
*
* Return values:
* %true: Success; @username has been initialized
* %false: Failure
*/
bool tlshd_keyring_get_psk_username(key_serial_t serial, char **username)
{
char *ptr, *psk_name;
int ret;
ret = keyctl_describe_alloc(serial, &psk_name);
if (ret < 0) {
tlshd_log_perror("keyctl_describe_alloc");
tlshd_log_debug("Failed to describe key %08x.", serial);
return false;
}
ptr = strrchr(psk_name, ';');
if (!ptr)
ptr = psk_name;
else
ptr++;
*username = gnutls_malloc(strlen(ptr) + 1);
if (!*username) {
tlshd_log_error("Failed to allocate TLS psk identity.");
free(psk_name);
return false;
}
tlshd_log_debug("Using psk identity %s\n", ptr);
strcpy(*username, ptr);
free(psk_name);
return true;
}
/**
* tlshd_keyring_get_psk_key - Retrieve pre-shared key for PSK handshake
* @serial: Key serial number to look up
* @key: On success, filled in with pre-shared key
*
* Caller must use free() to free @key->data when finished.
*
* Return values:
* %true: Success; @key has been initialized
* %false: Failure
*/
bool tlshd_keyring_get_psk_key(key_serial_t serial, gnutls_datum_t *key)
{
void *tmp;
int ret;
key->data = NULL;
key->size = 0;
ret = keyctl_read_alloc(serial, &tmp);
if (ret < 0) {
tlshd_log_perror("keyctl_read_alloc");
tlshd_log_error("Failed to read TLS psk data.");
return false;
}
key->data = tmp;
key->size = (unsigned int)ret;
return true;
}
/**
* tlshd_keyring_get_privkey - Retrieve privkey for x.509 handshake
* @serial: Key serial number to look up
* @privkey: On success, filled in with a private key
*
* Caller must use gnutls_privkey_deinit() to free @privkey when finished.
*
* Return values:
* %true: Success; @privkey has been initialized
* %false: Failure
*/
bool tlshd_keyring_get_privkey(key_serial_t serial, gnutls_privkey_t *privkey)
{
gnutls_datum_t data;
void *tmp;
int ret;
ret = keyctl_read_alloc(serial, &tmp);
if (ret < 0) {
tlshd_log_perror("keyctl_read_alloc");
tlshd_log_error("Failed to read TLS x.509 private key.");
return false;
}
data.data = tmp;
data.size = (unsigned int)ret;
ret = gnutls_privkey_init(privkey);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
free(tmp);
return false;
}
/* Handshake upcall passes only DER-encoded keys */
ret = gnutls_privkey_import_x509_raw(*privkey, &data, GNUTLS_X509_FMT_DER,
NULL, 0);
free(tmp);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
tlshd_log_debug("Retrieved private key");
return true;
}
/**
* tlshd_keyring_get_certs - Retrieve certs for x.509 handshake
* @serial: Key serial number to look up
* @certs: On success, filled in with certificates
* @certs_len: IN: maximum number of certs to get, OUT: number of certs found
*
* Caller must use gnutls_pcert_deinit() to free @cert when finished.
*
* Return values:
* %true: Success; @cert has been initialized
* %false: Failure
*/
bool tlshd_keyring_get_certs(key_serial_t serial, gnutls_pcert_st *certs,
unsigned int *certs_len)
{
gnutls_datum_t data;
void *tmp;
int ret;
if (*certs_len == 0) {
tlshd_log_error("tlshd_keyring_get_cert called with zero array.");
return false;
}
ret = keyctl_read_alloc(serial, &tmp);
if (ret < 0) {
tlshd_log_perror("keyctl_read_alloc");
tlshd_log_error("Failed to read TLS x.509 certificate.");
return false;
}
data.data = tmp;
data.size = (unsigned int)ret;
/* Handshake upcall passes only DER-encoded certificates */
ret = gnutls_pcert_import_x509_raw(certs, &data,
GNUTLS_X509_FMT_DER, 0);
free(tmp);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
*certs_len = 1;
tlshd_log_debug("Retrieved %u x.509 certificate(s) from keyring",
*certs_len);
return true;
}
/**
* tlshd_keyring_create_cert - Create key containing peer's certificate
* @cert: Initialized x.509 certificate
* @peername: hostname of the remote peer
*
* Returns a positive key serial number on success; otherwise
* TLS_NO_PEERID.
*/
key_serial_t tlshd_keyring_create_cert(gnutls_x509_crt_t cert,
const char *peername)
{
key_serial_t serial = TLS_NO_PEERID;
char description[NI_MAXHOST + 10];
gnutls_datum_t out;
int len, ret;
len = snprintf(description, sizeof(description) - 1,
"TLS x509 %s", peername);
if (len < 0 || (size_t)len >= sizeof(description)) {
tlshd_log_error("Failed to construct key description.");
goto out;
}
ret = gnutls_x509_crt_export2(cert, GNUTLS_X509_FMT_DER, &out);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out;
}
serial = add_key("asymmetric", description, out.data, out.size,
KEY_SPEC_USER_KEYRING);
if (serial == -1) {
tlshd_log_perror("add_key");
serial = TLS_NO_PEERID;
}
gnutls_free(out.data);
out:
return serial;
}
/**
* tlshd_keyring_link_session - Link a keyring into the session keyring
* @serial: serial number of the keyring to be linked
*
* Returns 0 on success and -1 on error.
*/
int tlshd_keyring_link_session(const char *keyring)
{
key_serial_t serial;
long ret;
if (!keyring) {
tlshd_log_error("No keyring specified");
errno = -EINVAL;
return -1;
}
serial = find_key_by_type_and_desc("keyring", keyring, 0);
if (!serial) {
tlshd_log_debug("Failed to lookup keyring '%s'\n",
keyring);
errno = -ENOKEY;
return -1;
}
ret = keyctl_link(serial, KEY_SPEC_SESSION_KEYRING);
if (ret < 0) {
tlshd_log_debug("Failed to link keyring %s (%lx) error %d\n",
keyring, serial, errno);
return -1;
}
tlshd_log_debug("Keyring '%s' linked into our session keyring.\n", keyring);
return 0;
}
0707010000001B000081A4000000000000000000000001671A556200003C4D000000000000000000000000000000000000002D00000000ktls-utils-0.10+33.g311d943/src/tlshd/ktls.c/*
* Initialize a kTLS socket. In some cases initialization might
* be handled by the TLS library.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <netinet/tcp.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/socket.h>
#include <gnutls/abstract.h>
#include <linux/tls.h>
#include <glib.h>
#include "tlshd.h"
#include "netlink.h"
static char *tlshd_string_concat(char *str1, const char *str2)
{
size_t len = 0;
char *result;
if (!str1 && !str2)
return NULL;
if (str1)
len += strlen(str1);
if (str2)
len += strlen(str2);
result = malloc(len + 1);
if (result) {
result[0] = '\0';
if (str1)
strcat(result, str1);
if (str2)
strcat(result, str2);
}
free(str1);
return result;
}
#ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED
static bool tlshd_is_ktls_enabled(gnutls_session_t session, unsigned read)
{
int ret;
ret = gnutls_transport_is_ktls_enabled(session);
if (ret == GNUTLS_E_UNIMPLEMENTED_FEATURE)
return false;
if (read) {
if (!(ret & GNUTLS_KTLS_RECV))
return false;
tlshd_log_debug("Library has enabled receive kTLS for this session.");
} else {
if (!(ret & GNUTLS_KTLS_SEND))
return false;
tlshd_log_debug("Library has enabled send kTLS for this session.");
}
return true;
}
#else
static bool tlshd_is_ktls_enabled(__attribute__ ((unused)) gnutls_session_t session,
__attribute__ ((unused)) unsigned read)
{
return false;
}
#endif
static bool tlshd_setsockopt(int sock, unsigned read, const void *info,
socklen_t infolen)
{
int ret;
ret = setsockopt(sock, SOL_TLS, read ? TLS_RX : TLS_TX, info, infolen);
if (!ret)
return true;
switch (errno) {
case EBADF:
case ENOTSOCK:
tlshd_log_error("The kernel's socket file descriptor is no longer valid.");
break;
case EINVAL:
case ENOENT:
case ENOPROTOOPT:
tlshd_log_error("The kernel does not support the requested algorithm.");
break;
default:
tlshd_log_perror("setsockopt");
}
return false;
}
#if defined(TLS_CIPHER_AES_GCM_128)
static bool tlshd_set_aes_gcm128_info(gnutls_session_t session, int sock,
unsigned read)
{
struct tls12_crypto_info_aes_gcm_128 info = {
.info.version = TLS_1_3_VERSION,
.info.cipher_type = TLS_CIPHER_AES_GCM_128,
};
unsigned char seq_number[8];
gnutls_datum_t cipher_key;
gnutls_datum_t mac_key;
gnutls_datum_t iv;
int ret;
if (tlshd_is_ktls_enabled(session, read))
return true;
ret = gnutls_record_get_state(session, read, &mac_key, &iv,
&cipher_key, seq_number);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
/* TLSv1.2 generates iv in the kernel */
if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_2) {
info.info.version = TLS_1_2_VERSION;
memcpy(info.iv, seq_number, TLS_CIPHER_AES_GCM_128_IV_SIZE);
} else
memcpy(info.iv, iv.data + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
TLS_CIPHER_AES_GCM_128_IV_SIZE);
memcpy(info.salt, iv.data, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
memcpy(info.key, cipher_key.data, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
memcpy(info.rec_seq, seq_number, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
return tlshd_setsockopt(sock, read, &info, sizeof(info));
}
#endif
#if defined(TLS_CIPHER_AES_GCM_256)
static bool tlshd_set_aes_gcm256_info(gnutls_session_t session, int sock,
unsigned read)
{
struct tls12_crypto_info_aes_gcm_256 info = {
.info.version = TLS_1_3_VERSION,
.info.cipher_type = TLS_CIPHER_AES_GCM_256,
};
unsigned char seq_number[8];
gnutls_datum_t cipher_key;
gnutls_datum_t mac_key;
gnutls_datum_t iv;
int ret;
if (tlshd_is_ktls_enabled(session, read))
return true;
ret = gnutls_record_get_state(session, read, &mac_key, &iv,
&cipher_key, seq_number);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
/* TLSv1.2 generates iv in the kernel */
if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_2) {
info.info.version = TLS_1_2_VERSION;
memcpy(info.iv, seq_number, TLS_CIPHER_AES_GCM_256_IV_SIZE);
} else
memcpy(info.iv, iv.data + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
TLS_CIPHER_AES_GCM_256_IV_SIZE);
memcpy(info.salt, iv.data, TLS_CIPHER_AES_GCM_256_SALT_SIZE);
memcpy(info.key, cipher_key.data, TLS_CIPHER_AES_GCM_256_KEY_SIZE);
memcpy(info.rec_seq, seq_number, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
return tlshd_setsockopt(sock, read, &info, sizeof(info));
}
#endif
#if defined(TLS_CIPHER_AES_CCM_128)
static bool tlshd_set_aes_ccm128_info(gnutls_session_t session, int sock,
unsigned read)
{
struct tls12_crypto_info_aes_ccm_128 info = {
.info.version = TLS_1_3_VERSION,
.info.cipher_type = TLS_CIPHER_AES_CCM_128,
};
unsigned char seq_number[8];
gnutls_datum_t cipher_key;
gnutls_datum_t mac_key;
gnutls_datum_t iv;
int ret;
if (tlshd_is_ktls_enabled(session, read))
return true;
ret = gnutls_record_get_state(session, read, &mac_key, &iv,
&cipher_key, seq_number);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
/* TLSv1.2 generates iv in the kernel */
if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_2) {
info.info.version = TLS_1_2_VERSION;
memcpy(info.iv, seq_number, TLS_CIPHER_AES_CCM_128_IV_SIZE);
} else
memcpy(info.iv, iv.data + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
TLS_CIPHER_AES_CCM_128_IV_SIZE);
memcpy(info.salt, iv.data, TLS_CIPHER_AES_CCM_128_SALT_SIZE);
memcpy(info.key, cipher_key.data, TLS_CIPHER_AES_CCM_128_KEY_SIZE);
memcpy(info.rec_seq, seq_number, TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
return tlshd_setsockopt(sock, read, &info, sizeof(info));
}
#endif
#if defined(TLS_CIPHER_CHACHA20_POLY1305)
static bool tlshd_set_chacha20_poly1305_info(gnutls_session_t session, int sock,
unsigned read)
{
struct tls12_crypto_info_chacha20_poly1305 info = {
.info.version = TLS_1_3_VERSION,
.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
};
unsigned char seq_number[8];
gnutls_datum_t cipher_key;
gnutls_datum_t mac_key;
gnutls_datum_t iv;
int ret;
if (tlshd_is_ktls_enabled(session, read))
return true;
ret = gnutls_record_get_state(session, read, &mac_key, &iv,
&cipher_key, seq_number);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return false;
}
if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_2)
info.info.version = TLS_1_2_VERSION;
memcpy(info.iv, iv.data, TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
memcpy(info.key, cipher_key.data, TLS_CIPHER_CHACHA20_POLY1305_KEY_SIZE);
memcpy(info.rec_seq, seq_number, TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
return tlshd_setsockopt(sock, read, &info, sizeof(info));
}
#endif
/**
* tlshd_initialize_ktls - Initialize socket for use by kTLS
* @session: TLS session descriptor
*
* Returns zero on success, or a positive errno value.
*/
unsigned int tlshd_initialize_ktls(gnutls_session_t session)
{
int sockin, sockout;
if (setsockopt(gnutls_transport_get_int(session), SOL_TCP, TCP_ULP,
"tls", sizeof("tls")) == -1) {
tlshd_log_perror("setsockopt(TLS_ULP)");
return EIO;
}
gnutls_transport_get_int2(session, &sockin, &sockout);
switch (gnutls_cipher_get(session)) {
#if defined(TLS_CIPHER_AES_GCM_128)
case GNUTLS_CIPHER_AES_128_GCM:
return tlshd_set_aes_gcm128_info(session, sockout, 0) &&
tlshd_set_aes_gcm128_info(session, sockin, 1) ? 0 : EIO;
#endif
#if defined(TLS_CIPHER_AES_GCM_256)
case GNUTLS_CIPHER_AES_256_GCM:
return tlshd_set_aes_gcm256_info(session, sockout, 0) &&
tlshd_set_aes_gcm256_info(session, sockin, 1) ? 0 : EIO;
#endif
#if defined(TLS_CIPHER_AES_CCM_128)
case GNUTLS_CIPHER_AES_128_CCM:
return tlshd_set_aes_ccm128_info(session, sockout, 0) &&
tlshd_set_aes_ccm128_info(session, sockin, 1) ? 0 : EIO;
#endif
#if defined(TLS_CIPHER_CHACHA20_POLY1305)
case GNUTLS_CIPHER_CHACHA20_POLY1305:
return tlshd_set_chacha20_poly1305_info(session, sockout, 0) &&
tlshd_set_chacha20_poly1305_info(session, sockin, 1) ? 0 : EIO;
#endif
default:
tlshd_log_error("tlshd does not support the requested cipher.");
}
return EIO;
}
static char *tlshd_cipher_string_emit(char *pstring, unsigned int cipher)
{
switch (cipher) {
#if defined(TLS_CIPHER_CHACHA20_POLY1305)
case GNUTLS_CIPHER_CHACHA20_POLY1305:
return tlshd_string_concat(pstring, ":+CHACHA20-POLY1305");
#endif
#if defined(TLS_CIPHER_AES_GCM_256)
case GNUTLS_CIPHER_AES_256_GCM:
return tlshd_string_concat(pstring, ":+AES-256-GCM");
#endif
#if defined(TLS_CIPHER_AES_GCM_128)
case GNUTLS_CIPHER_AES_128_GCM:
return tlshd_string_concat(pstring, ":+AES-128-GCM");
#endif
#if defined(TLS_CIPHER_AES_CCM_128)
case GNUTLS_CIPHER_AES_128_CCM:
return tlshd_string_concat(pstring, ":+AES-128-CCM");
#endif
}
return pstring;
}
static gnutls_priority_t tlshd_gnutls_priority_x509;
static gnutls_priority_t tlshd_gnutls_priority_psk;
static gnutls_priority_t tlshd_gnutls_priority_psk_sha256;
static gnutls_priority_t tlshd_gnutls_priority_psk_sha384;
/**
* tlshd_gnutls_priority_init - Initialize GnuTLS priority caches
*
*/
int tlshd_gnutls_priority_init(void)
{
const unsigned int *ciphers;
gnutls_priority_t pcache;
const char *errpos;
char *pstring, *pstring_sha256, *pstring_sha384;
int ret, i;
/* Retrieve the system default priority settings */
ret = gnutls_priority_init(&pcache, NULL, &errpos);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return -EIO;
}
ret = gnutls_priority_cipher_list(pcache, &ciphers);
gnutls_priority_deinit(pcache);
if (ret < 0) {
tlshd_log_gnutls_error(ret);
return -EIO;
}
pstring = strdup("SECURE256:+SECURE128:-COMP-ALL");
if (!pstring)
return -ENOMEM;
/* All kernel TLS consumers require TLS v1.3 or newer. */
pstring = tlshd_string_concat(pstring, ":-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS");
if (!pstring)
return -ENOMEM;
/*
* Handshakes must negotiate only ciphers that are supported
* by kTLS. The list below contains the ciphers that are
* common to both kTLS and GnuTLS (Linux v6.2, GnuTLS 3.8.0).
*
* The resulting list is ordered by local system priority.
*/
pstring = tlshd_string_concat(pstring, ":-CIPHER-ALL");
if (!pstring)
return -ENOMEM;
pstring_sha256 = strdup(pstring);
if (!pstring_sha256) {
free(pstring);
return -ENOMEM;
}
pstring_sha384 = strdup(pstring);
if (!pstring_sha384) {
free(pstring_sha256);
free(pstring);
return -ENOMEM;
}
for (i = 0; i < ret; ++i) {
bool skip_sha256 = false;
bool skip_sha384 = false;
pstring = tlshd_cipher_string_emit(pstring, ciphers[i]);
if (!pstring) {
free(pstring_sha256);
free(pstring_sha384);
return -ENOMEM;
}
if (ciphers[i] == GNUTLS_CIPHER_AES_256_GCM)
skip_sha256 = true;
if (ciphers[i] == GNUTLS_CIPHER_AES_128_GCM)
skip_sha384 = true;
if (ciphers[i] == GNUTLS_CIPHER_AES_128_CCM)
skip_sha384 = true;
if (ciphers[i] == GNUTLS_CIPHER_CHACHA20_POLY1305)
skip_sha256 = true;
if (!skip_sha256) {
pstring_sha256 = tlshd_cipher_string_emit(pstring_sha256, ciphers[i]);
if (!pstring_sha256) {
free(pstring_sha384);
free(pstring);
return -ENOMEM;
}
}
if (!skip_sha384) {
pstring_sha384 = tlshd_cipher_string_emit(pstring_sha384, ciphers[i]);
if (!pstring_sha384) {
free(pstring_sha256);
free(pstring);
return -ENOMEM;
}
}
}
tlshd_log_debug("x.509 priority string: %s\n", pstring);
ret = gnutls_priority_init(&tlshd_gnutls_priority_x509, pstring, &errpos);
if (ret != GNUTLS_E_SUCCESS) {
free(pstring_sha256);
free(pstring_sha384);
free(pstring);
tlshd_log_gnutls_error(ret);
return -EIO;
}
pstring = tlshd_string_concat(pstring, ":+PSK:+DHE-PSK:+ECDHE-PSK");
if (!pstring) {
free(pstring_sha256);
free(pstring_sha384);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
return -ENOMEM;
}
tlshd_log_debug("PSK priority string: %s\n", pstring);
ret = gnutls_priority_init(&tlshd_gnutls_priority_psk, pstring, &errpos);
if (ret != GNUTLS_E_SUCCESS) {
free(pstring_sha256);
free(pstring_sha384);
free(pstring);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
tlshd_log_gnutls_error(ret);
return -EIO;
}
free(pstring);
pstring = tlshd_string_concat(pstring_sha256, ":+DHE-PSK:+ECDHE-PSK");
if (!pstring) {
free(pstring_sha384);
gnutls_priority_deinit(tlshd_gnutls_priority_psk);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
return -ENOMEM;
}
tlshd_log_debug("PSK SHA256 priority string: %s\n", pstring);
ret = gnutls_priority_init(&tlshd_gnutls_priority_psk_sha256,
pstring, &errpos);
if (ret != GNUTLS_E_SUCCESS) {
free(pstring);
free(pstring_sha384);
gnutls_priority_deinit(tlshd_gnutls_priority_psk);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
tlshd_log_gnutls_error(ret);
return -EIO;
}
free(pstring);
pstring = tlshd_string_concat(pstring_sha384, ":+DHE-PSK:+ECDHE-PSK");
if (!pstring) {
gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
gnutls_priority_deinit(tlshd_gnutls_priority_psk);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
tlshd_log_gnutls_error(ret);
return -EIO;
}
tlshd_log_debug("PSK SHA384 priority string: %s\n", pstring);
ret = gnutls_priority_init(&tlshd_gnutls_priority_psk_sha384,
pstring, &errpos);
if (ret != GNUTLS_E_SUCCESS) {
free(pstring);
gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
gnutls_priority_deinit(tlshd_gnutls_priority_psk);
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
tlshd_log_gnutls_error(ret);
return -EIO;
}
free(pstring);
return 0;
}
/**
* tlshd_gnutls_priority_set - Initialize priorities per-session
* @session: session to initialize
* @parms: handshake parameters
* @psk_len: size of pre-shared key in bytes, or zero
*
* Returns GNUTLS_E_SUCCESS on success, otherwise an error code.
*/
int tlshd_gnutls_priority_set(gnutls_session_t session,
struct tlshd_handshake_parms *parms,
unsigned int psk_len)
{
gnutls_priority_t priority = tlshd_gnutls_priority_x509;
if (parms->auth_mode == HANDSHAKE_AUTH_PSK) {
if (psk_len == 32)
priority = tlshd_gnutls_priority_psk_sha256;
else if (psk_len == 48)
priority = tlshd_gnutls_priority_psk_sha384;
else
priority = tlshd_gnutls_priority_psk;
}
return gnutls_priority_set(session, priority);
}
/**
* tlshd_gnutls_priority_deinit - Free GnuTLS priority caches
*
*/
void tlshd_gnutls_priority_deinit(void)
{
gnutls_priority_deinit(tlshd_gnutls_priority_x509);
gnutls_priority_deinit(tlshd_gnutls_priority_psk);
gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha384);
}
0707010000001C000081A4000000000000000000000001671A556200001A55000000000000000000000000000000000000002C00000000ktls-utils-0.10+33.g311d943/src/tlshd/log.c/*
* Record audit and debugging information in the system log.
*
* Copyright (c) 2022 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <syslog.h>
#include <stdarg.h>
#include <errno.h>
#include <sys/socket.h>
#include <netdb.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <netlink/errno.h>
#include <glib.h>
#include "tlshd.h"
int tlshd_debug;
int tlshd_tls_debug;
int tlshd_stderr;
/**
* tlshd_log_success - Emit "handshake successful" notification
* @hostname: peer's DNS name
* @sap: peer's IP address
* @salen: length of IP address
*
*/
void tlshd_log_success(const char *hostname, const struct sockaddr *sap,
socklen_t salen)
{
char buf[NI_MAXHOST];
getnameinfo(sap, salen, buf, sizeof(buf), NULL, 0, NI_NUMERICHOST);
syslog(LOG_INFO, "Handshake with %s (%s) was successful\n",
hostname, buf);
}
/**
* tlshd_log_failure - Emit "handshake failed" notification
* @hostname: peer's DNS name
* @sap: peer's IP address
* @salen: length of IP address
*
*/
void tlshd_log_failure(const char *hostname, const struct sockaddr *sap,
socklen_t salen)
{
if (salen) {
char buf[NI_MAXHOST];
getnameinfo(sap, salen, buf, sizeof(buf), NULL, 0, NI_NUMERICHOST);
syslog(LOG_ERR, "Handshake with '%s' (%s) failed\n",
hostname, buf);
} else
syslog(LOG_ERR, "Handshake request failed\n");
}
/**
* tlshd_log_debug - Emit a debugging notification
* @fmt - printf-style format string
*
*/
void tlshd_log_debug(const char *fmt, ...)
{
va_list args;
if (!tlshd_debug)
return;
va_start(args, fmt);
vsyslog(LOG_DEBUG, fmt, args);
va_end(args);
}
/**
* tlshd_log_error - Emit a generic error notification
* @fmt - printf-style format string
*
*/
void tlshd_log_error(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
vsyslog(LOG_ERR, fmt, args);
va_end(args);
}
/**
* tlshd_log_notice - Emit a generic warning
* @fmt - printf-style format string
*
*/
void tlshd_log_notice(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
vsyslog(LOG_NOTICE, fmt, args);
va_end(args);
}
/**
* tlshd_log_perror - Emit "system call failed" notification
* @sap: remote address to log
*
*/
void tlshd_log_perror(const char *prefix)
{
syslog(LOG_NOTICE, "%s: %s\n", prefix, strerror(errno));
}
/**
* tlshd_log_gai_error - Emit "getaddr/nameinfo failed" notification
* @error: error code returned by getaddrinfo(3) or getnameinfo(3)
*
*/
void tlshd_log_gai_error(int error)
{
syslog(LOG_NOTICE, "%s\n", gai_strerror(error));
}
struct tlshd_cert_status_bit {
unsigned int bit;
char *name;
};
static const struct tlshd_cert_status_bit tlshd_cert_status_names[] = {
/* { GNUTLS_CERT_INVALID, "invalid" }, */
{ GNUTLS_CERT_REVOKED, "revoked" },
{ GNUTLS_CERT_SIGNER_NOT_FOUND, "signer not found" },
{ GNUTLS_CERT_SIGNER_NOT_CA, "signer not CA" },
{ GNUTLS_CERT_INSECURE_ALGORITHM, "uses insecure algorithm" },
{ GNUTLS_CERT_NOT_ACTIVATED, "not activated" },
{ GNUTLS_CERT_EXPIRED, "expired" },
{ GNUTLS_CERT_SIGNATURE_FAILURE, "signature failure" },
{ GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED, "revocation data superseded" },
{ GNUTLS_CERT_UNEXPECTED_OWNER, "owner unexpected" },
{ GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE, "revocation data issued in the future" },
{ GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, "signer constraints failure" },
{ GNUTLS_CERT_MISMATCH, "mismatch" },
{ GNUTLS_CERT_PURPOSE_MISMATCH, "purpose mismatch" },
{ GNUTLS_CERT_MISSING_OCSP_STATUS, "has missing OCSP status" },
{ GNUTLS_CERT_INVALID_OCSP_STATUS, "has invalid OCSP status" },
{ GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS, "has unknown crit extensions" },
{ 0, NULL }
};
/**
* tlshd_log_cert_verification_error - Report a failed certificate verification
* @session: Session with a failed handshake
*
*/
void tlshd_log_cert_verification_error(gnutls_session_t session)
{
unsigned int status;
int i;
status = gnutls_session_get_verify_cert_status(session);
for (i = 0; tlshd_cert_status_names[i].name; i++)
if (status & tlshd_cert_status_names[i].bit)
syslog(LOG_ERR, "Certificate %s.\n",
tlshd_cert_status_names[i].name);
}
/**
* tlshd_log_gnutls_error - Emit "library call failed" notification
* @error: GnuTLS error code to log
*
*/
void tlshd_log_gnutls_error(int error)
{
syslog(LOG_NOTICE, "gnutls: %s (%d)\n", gnutls_strerror(error), error);
}
/**
* tlshd_gnutls_log_func - Library callback function to log a message
* @level: log level
* @msg: message to log
*
*/
void tlshd_gnutls_log_func(int level, const char *msg)
{
syslog(LOG_DEBUG, "gnutls(%d): %s", level, msg);
}
/**
* tlshd_gnutls_audit_func - Library callback function to log an audit message
* @session: controlling GnuTLS session
* @msg: message to log
*
*/
void tlshd_gnutls_audit_func(__attribute__ ((unused)) gnutls_session_t session,
const char *msg)
{
syslog(LOG_INFO, "audit: %s", msg);
}
/**
* tlshd_log_gerror - Emit glib2 "library call failed" notification
* @msg: message to log
* @error: error information
*
*/
void tlshd_log_gerror(const char *msg, GError *error)
{
syslog(LOG_ERR, "%s: %s", msg, error->message);
}
/**
* tlshd_log_nl_error - Log a netlink error
* @msg: message to log
* @err: error number
*
*/
void tlshd_log_nl_error(const char *msg, int err)
{
syslog(LOG_ERR, "%s: %s", msg, nl_geterror(err));
}
/**
* tlshd_log_init - Initialize audit logging
* @progname: NUL-terminated string containing program name
*
*/
void tlshd_log_init(const char *progname)
{
int option;
option = LOG_NDELAY | LOG_PID;
if (tlshd_stderr)
option |= LOG_PERROR;
openlog(progname, option, LOG_AUTH);
syslog(LOG_NOTICE, "Built from " PACKAGE_STRING " on " __DATE__ " " __TIME__);
}
/**
* tlshd_log_shutdown - Log a tlshd shutdown notice
*
*/
void tlshd_log_shutdown(void)
{
syslog(LOG_NOTICE, "Shutting down.");
}
/**
* tlshd_log_close - Release audit logging resources
*
*/
void tlshd_log_close(void)
{
closelog();
}
0707010000001D000081A4000000000000000000000001671A556200000B3B000000000000000000000000000000000000002D00000000ktls-utils-0.10+33.g311d943/src/tlshd/main.c/*
* Handle a request for a TLS handshake on behalf of an
* in-kernel TLS consumer.
*
* Copyright (c) 2022 - 2023 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <getopt.h>
#include <signal.h>
#include <libgen.h>
#include <keyutils.h>
#include <netlink/netlink.h>
#include <netlink/socket.h>
#include <netlink/msg.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <glib.h>
#include "tlshd.h"
static const char *optstring = "c:hsv";
static const struct option longopts[] = {
{ "config", required_argument, NULL, 'c' },
{ "help", no_argument, NULL, 'h' },
{ "stderr", no_argument, NULL, 's' },
{ "version", no_argument, NULL, 'v' },
{ NULL, 0, NULL, 0 }
};
void usage(char *progname) {
fprintf(stderr, "usage: %s [-chsv]\n", progname);
}
int main(int argc, char **argv)
{
static gchar config_file[PATH_MAX + 1] = "/etc/tlshd.conf";
char *progname;
int c;
size_t len;
tlshd_tls_debug = 0;
progname = basename(argv[0]);
while ((c = getopt_long(argc, argv, optstring, longopts, NULL)) != -1) {
switch (c) {
case 'c':
len = sizeof(config_file) - 1;
if (strlen(optarg) >= len) {
fprintf(stderr, "Invalid config file\n");
return EXIT_FAILURE;
}
strncpy(config_file, optarg, len);
config_file[len] = '\0';
break;
case 's':
tlshd_stderr = 1;
break;
case 'v':
fprintf(stderr, "%s, built from " PACKAGE_STRING
" on " __DATE__ " " __TIME__ "\n",
progname);
return EXIT_SUCCESS;
case 'h':
usage(progname);
return EXIT_SUCCESS;
default:
usage(progname);
return EXIT_FAILURE;
}
}
tlshd_log_init(progname);
if (!tlshd_config_init(config_file)) {
tlshd_log_shutdown();
tlshd_log_close();
return EXIT_FAILURE;
}
if (tlshd_gnutls_priority_init()) {
tlshd_config_shutdown();
tlshd_log_shutdown();
tlshd_log_close();
return EXIT_FAILURE;
}
tlshd_genl_dispatch();
tlshd_gnutls_priority_deinit();
tlshd_config_shutdown();
tlshd_log_shutdown();
tlshd_log_close();
return EXIT_SUCCESS;
}
0707010000001E000081A4000000000000000000000001671A556200002D43000000000000000000000000000000000000003000000000ktls-utils-0.10+33.g311d943/src/tlshd/netlink.c/*
* Netlink operations for tlshd
*
* Copyright (c) 2023 Oracle and/or its affiliates.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <poll.h>
#include <fcntl.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>
#include <linux/tls.h>
#include <netlink/netlink.h>
#include <netlink/msg.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>
#include <netlink/version.h>
#include <glib.h>
#include "tlshd.h"
#include "netlink.h"
unsigned int tlshd_delay_done;
static int tlshd_genl_sock_open(struct nl_sock **sock)
{
struct nl_sock *nls;
int err, ret;
ret = ENOMEM;
nls = nl_socket_alloc();
if (!nls) {
tlshd_log_error("Failed to allocate netlink socket.");
goto out;
}
ret = ENOLINK;
err = genl_connect(nls);
if (err != NLE_SUCCESS) {
tlshd_log_nl_error("genl_connect", err);
nl_socket_free(nls);
goto out;
}
*sock = nls;
ret = 0;
out:
return ret;
}
static void tlshd_genl_sock_close(struct nl_sock *nls)
{
if (!nls)
return;
nl_close(nls);
nl_socket_free(nls);
}
#if LIBNL_VER_NUM >= LIBNL_VER(3,5)
static const struct nla_policy
#else
static struct nla_policy
#endif
tlshd_accept_nl_policy[HANDSHAKE_A_ACCEPT_MAX + 1] = {
[HANDSHAKE_A_ACCEPT_SOCKFD] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_HANDLER_CLASS] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_MESSAGE_TYPE] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_TIMEOUT] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_AUTH_MODE] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_PEER_IDENTITY] = { .type = NLA_U32, },
[HANDSHAKE_A_ACCEPT_CERTIFICATE] = { .type = NLA_NESTED, },
[HANDSHAKE_A_ACCEPT_PEERNAME] = { .type = NLA_STRING, },
};
static int tlshd_genl_event_handler(struct nl_msg *msg,
__attribute__ ((unused)) void *arg)
{
struct nlattr *tb[HANDSHAKE_A_ACCEPT_MAX + 1];
int err;
err = genlmsg_parse(nlmsg_hdr(msg), 0, tb, HANDSHAKE_A_ACCEPT_MAX,
tlshd_accept_nl_policy);
if (err < 0) {
tlshd_log_nl_error("genlmsg_parse", err);
return NL_SKIP;
}
if (!tb[HANDSHAKE_A_ACCEPT_HANDLER_CLASS])
return NL_SKIP;
if (nla_get_u32(tb[HANDSHAKE_A_ACCEPT_HANDLER_CLASS]) !=
HANDSHAKE_HANDLER_CLASS_TLSHD)
return NL_SKIP;
if (!fork()) {
/* child */
tlshd_service_socket();
exit(EXIT_SUCCESS);
}
return NL_SKIP;
}
/**
* tlshd_genl_dispatch - handle notification events
*
*/
void tlshd_genl_dispatch(void)
{
struct nl_sock *nls;
int err, mcgrp;
err = tlshd_genl_sock_open(&nls);
if (err)
return;
nl_socket_modify_cb(nls, NL_CB_VALID, NL_CB_CUSTOM,
tlshd_genl_event_handler, NULL);
/* Let the kernel know we are running */
mcgrp = genl_ctrl_resolve_grp(nls, HANDSHAKE_FAMILY_NAME,
HANDSHAKE_MCGRP_TLSHD);
if (mcgrp < 0) {
tlshd_log_error("Kernel handshake service is not available");
goto out_close;
}
err = nl_socket_add_membership(nls, mcgrp);
if (err != NLE_SUCCESS) {
tlshd_log_nl_error("nl_socket_add_membership", err);
goto out_close;
}
if (signal(SIGCHLD, SIG_IGN) == SIG_ERR) {
tlshd_log_perror("signal");
goto out_close;
}
nl_socket_disable_seq_check(nls);
while (true) {
err = nl_recvmsgs_default(nls);
if (err < 0) {
tlshd_log_nl_error("nl_recvmsgs", err);
break;
}
};
out_close:
tlshd_genl_sock_close(nls);
}
static void tlshd_parse_peer_identity(struct tlshd_handshake_parms *parms,
struct nlattr *head)
{
if (!head) {
tlshd_log_debug("No peer identities found\n");
return;
}
parms->num_peerids = 1;
parms->peerids = calloc(parms->num_peerids, sizeof(key_serial_t));
if (!parms->peerids) {
parms->num_peerids = 0;
return;
}
parms->peerids[0] = nla_get_s32(head);
}
#if LIBNL_VER_NUM >= LIBNL_VER(3,5)
static const struct nla_policy
#else
static struct nla_policy
#endif
tlshd_x509_nl_policy[HANDSHAKE_A_X509_MAX + 1] = {
[HANDSHAKE_A_X509_CERT] = { .type = NLA_U32, },
[HANDSHAKE_A_X509_PRIVKEY] = { .type = NLA_U32, },
};
static void tlshd_parse_certificate(struct tlshd_handshake_parms *parms,
struct nlattr *head)
{
struct nlattr *tb[HANDSHAKE_A_X509_MAX + 1];
int err;
if (!head) {
tlshd_log_debug("No certificates found\n");
return;
}
err = nla_parse_nested(tb, HANDSHAKE_A_X509_MAX, head,
tlshd_x509_nl_policy);
if (err < 0)
return;
if (tb[HANDSHAKE_A_X509_CERT])
parms->x509_cert = nla_get_s32(tb[HANDSHAKE_A_X509_CERT]);
if (tb[HANDSHAKE_A_X509_PRIVKEY])
parms->x509_privkey = nla_get_s32(tb[HANDSHAKE_A_X509_PRIVKEY]);
}
static char tlshd_peername[NI_MAXHOST] = "unknown";
static struct sockaddr_storage tlshd_peeraddr = { 0 };
static int tlshd_genl_valid_handler(struct nl_msg *msg, void *arg)
{
struct nlattr *tb[HANDSHAKE_A_ACCEPT_MAX + 1];
struct tlshd_handshake_parms *parms = arg;
char *peername = NULL;
socklen_t optlen;
int err;
tlshd_log_debug("Parsing a valid netlink message\n");
err = genlmsg_parse(nlmsg_hdr(msg), 0, tb, HANDSHAKE_A_ACCEPT_MAX,
tlshd_accept_nl_policy);
if (err < 0) {
tlshd_log_nl_error("genlmsg_parse", err);
return NL_STOP;
}
if (tb[HANDSHAKE_A_ACCEPT_SOCKFD]) {
parms->sockfd = nla_get_s32(tb[HANDSHAKE_A_ACCEPT_SOCKFD]);
if (getpeername(parms->sockfd, parms->peeraddr,
&parms->peeraddr_len) == -1) {
tlshd_log_perror("getpeername");
return NL_STOP;
}
optlen = sizeof(parms->ip_proto);
if (getsockopt(parms->sockfd, SOL_SOCKET, SO_PROTOCOL,
&parms->ip_proto, &optlen) == -1) {
tlshd_log_perror("getsockopt (SO_PROTOCOL)");
return NL_STOP;
}
}
if (tb[HANDSHAKE_A_ACCEPT_MESSAGE_TYPE])
parms->handshake_type = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_MESSAGE_TYPE]);
if (tb[HANDSHAKE_A_ACCEPT_PEERNAME])
peername = nla_get_string(tb[HANDSHAKE_A_ACCEPT_PEERNAME]);
if (tb[HANDSHAKE_A_ACCEPT_TIMEOUT])
parms->timeout_ms = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_TIMEOUT]);
if (tb[HANDSHAKE_A_ACCEPT_AUTH_MODE])
parms->auth_mode = nla_get_u32(tb[HANDSHAKE_A_ACCEPT_AUTH_MODE]);
tlshd_parse_peer_identity(parms, tb[HANDSHAKE_A_ACCEPT_PEER_IDENTITY]);
tlshd_parse_certificate(parms, tb[HANDSHAKE_A_ACCEPT_CERTIFICATE]);
if (peername)
strncpy(tlshd_peername, peername, sizeof(tlshd_peername) - 1);
else {
err = getnameinfo(parms->peeraddr, parms->peeraddr_len,
tlshd_peername, sizeof(tlshd_peername),
NULL, 0, NI_NAMEREQD);
if (err) {
tlshd_log_gai_error(err);
return NL_STOP;
}
}
return NL_SKIP;
}
static const struct tlshd_handshake_parms tlshd_default_handshake_parms = {
.peername = tlshd_peername,
.peeraddr = (struct sockaddr *)&tlshd_peeraddr,
.peeraddr_len = sizeof(tlshd_peeraddr),
.sockfd = -1,
.ip_proto = -1,
.handshake_type = HANDSHAKE_MSG_TYPE_UNSPEC,
.timeout_ms = GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT,
.auth_mode = HANDSHAKE_AUTH_UNSPEC,
.x509_cert = TLS_NO_CERT,
.x509_privkey = TLS_NO_PRIVKEY,
.peerids = NULL,
.num_peerids = 0,
.msg_status = 0,
.session_status = EIO,
.num_remote_peerids = 0,
};
/**
* tlshd_genl_get_handshake_parms - Retrieve handshake parameters
* @parms: buffer to fill in with parameters
*
* Returns 0 if handshake parameters were retrieved successfully.
*
* Otherwise a positive errno is returned, and the content of
* @parms is indeterminant.
*/
int tlshd_genl_get_handshake_parms(struct tlshd_handshake_parms *parms)
{
int family_id, err, ret;
struct nlmsghdr *hdr;
struct nl_sock *nls;
struct nl_msg *msg;
tlshd_log_debug("Querying the handshake service\n");
*parms = tlshd_default_handshake_parms;
ret = tlshd_genl_sock_open(&nls);
if (ret)
return ret;
ret = ESRCH;
family_id = genl_ctrl_resolve(nls, HANDSHAKE_FAMILY_NAME);
if (family_id < 0) {
tlshd_log_error("Failed to resolve netlink service.");
goto out_close;
}
nl_socket_modify_cb(nls, NL_CB_VALID, NL_CB_CUSTOM,
tlshd_genl_valid_handler, parms);
msg = nlmsg_alloc();
if (!msg) {
tlshd_log_error("Failed to allocate message buffer.");
goto out_close;
}
ret = EIO;
hdr = genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, family_id,
0, 0, HANDSHAKE_CMD_ACCEPT, 0);
if (!hdr) {
tlshd_log_error("Failed to set up message header.");
goto out_msgfree;
}
err = nla_put_u32(msg, HANDSHAKE_A_ACCEPT_HANDLER_CLASS,
HANDSHAKE_HANDLER_CLASS_TLSHD);
if (err < 0) {
tlshd_log_nl_error("nla_put handler class", err);
goto out_msgfree;
}
nl_socket_disable_auto_ack(nls);
err = nl_send_auto(nls, msg);
if (err < 0) {
tlshd_log_nl_error("nl_send_auto", err);
goto out_msgfree;
}
ret = EINVAL;
err = nl_recvmsgs_default(nls);
if (err < 0) {
tlshd_log_nl_error("nl_recvmsgs", err);
goto out_msgfree;
}
ret = parms->msg_status;
out_msgfree:
nlmsg_free(msg);
out_close:
tlshd_genl_sock_close(nls);
return ret;
}
static int tlshd_genl_put_remote_peerids(struct nl_msg *msg,
struct tlshd_handshake_parms *parms)
{
unsigned int i;
int err;
for (i = 0; i < parms->num_remote_peerids; i++) {
err = nla_put_s32(msg, HANDSHAKE_A_DONE_REMOTE_AUTH,
parms->remote_peerid[i]);
if (err < 0) {
tlshd_log_nl_error("nla_put peer id", err);
return -1;
}
}
return 0;
}
/**
* tlshd_genl_done - Indicate anon handshake has completed successfully
* @parms: buffer filled in with parameters
*
*/
void tlshd_genl_done(struct tlshd_handshake_parms *parms)
{
struct nlmsghdr *hdr;
struct nl_sock *nls;
struct nl_msg *msg;
int family_id, err;
if (parms->sockfd == -1)
return;
err = tlshd_genl_sock_open(&nls);
if (err)
return;
family_id = genl_ctrl_resolve(nls, HANDSHAKE_FAMILY_NAME);
if (family_id < 0) {
tlshd_log_nl_error("genl_ctrl_resolve", err);
goto out_close;
}
msg = nlmsg_alloc();
if (!msg) {
tlshd_log_error("Failed to allocate message buffer.");
goto out_close;
}
hdr = genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, family_id,
0, 0, HANDSHAKE_CMD_DONE, 0);
if (!hdr) {
tlshd_log_error("Failed to set up message header.");
goto out_free;
}
err = nla_put_u32(msg, HANDSHAKE_A_DONE_STATUS,
parms->session_status);
if (err) {
tlshd_log_nl_error("nla_put sess_status", err);
goto out_free;
}
err = nla_put_s32(msg, HANDSHAKE_A_DONE_SOCKFD, parms->sockfd);
if (err < 0) {
tlshd_log_nl_error("nla_put sockfd", err);
goto out_free;
}
if (parms->session_status)
goto sendit;
err = tlshd_genl_put_remote_peerids(msg, parms);
if (err < 0)
goto out_free;
sendit:
if (tlshd_delay_done) {
/* Undocumented tlshd.conf parameter:
* delay DONE downcall by N seconds */
tlshd_log_debug("delaying %d second(s)", tlshd_delay_done);
sleep(tlshd_delay_done);
}
nl_socket_disable_auto_ack(nls);
err = nl_send_auto(nls, msg);
if (err < 0) {
tlshd_log_nl_error("nl_send_auto", err);
goto out_free;
}
out_free:
nlmsg_free(msg);
out_close:
tlshd_genl_sock_close(nls);
}
0707010000001F000081A4000000000000000000000001671A55620000067D000000000000000000000000000000000000003000000000ktls-utils-0.10+33.g311d943/src/tlshd/netlink.h/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */
/* Do not edit directly, auto-generated from: */
/* Documentation/netlink/specs/handshake.yaml */
/* YNL-GEN uapi header */
#ifndef _UAPI_LINUX_HANDSHAKE_H
#define _UAPI_LINUX_HANDSHAKE_H
#define HANDSHAKE_FAMILY_NAME "handshake"
#define HANDSHAKE_FAMILY_VERSION 1
enum handshake_handler_class {
HANDSHAKE_HANDLER_CLASS_NONE,
HANDSHAKE_HANDLER_CLASS_TLSHD,
HANDSHAKE_HANDLER_CLASS_MAX,
};
enum handshake_msg_type {
HANDSHAKE_MSG_TYPE_UNSPEC,
HANDSHAKE_MSG_TYPE_CLIENTHELLO,
HANDSHAKE_MSG_TYPE_SERVERHELLO,
};
enum handshake_auth {
HANDSHAKE_AUTH_UNSPEC,
HANDSHAKE_AUTH_UNAUTH,
HANDSHAKE_AUTH_PSK,
HANDSHAKE_AUTH_X509,
};
enum {
HANDSHAKE_A_X509_CERT = 1,
HANDSHAKE_A_X509_PRIVKEY,
__HANDSHAKE_A_X509_MAX,
HANDSHAKE_A_X509_MAX = (__HANDSHAKE_A_X509_MAX - 1)
};
enum {
HANDSHAKE_A_ACCEPT_SOCKFD = 1,
HANDSHAKE_A_ACCEPT_HANDLER_CLASS,
HANDSHAKE_A_ACCEPT_MESSAGE_TYPE,
HANDSHAKE_A_ACCEPT_TIMEOUT,
HANDSHAKE_A_ACCEPT_AUTH_MODE,
HANDSHAKE_A_ACCEPT_PEER_IDENTITY,
HANDSHAKE_A_ACCEPT_CERTIFICATE,
HANDSHAKE_A_ACCEPT_PEERNAME,
__HANDSHAKE_A_ACCEPT_MAX,
HANDSHAKE_A_ACCEPT_MAX = (__HANDSHAKE_A_ACCEPT_MAX - 1)
};
enum {
HANDSHAKE_A_DONE_STATUS = 1,
HANDSHAKE_A_DONE_SOCKFD,
HANDSHAKE_A_DONE_REMOTE_AUTH,
__HANDSHAKE_A_DONE_MAX,
HANDSHAKE_A_DONE_MAX = (__HANDSHAKE_A_DONE_MAX - 1)
};
enum {
HANDSHAKE_CMD_READY = 1,
HANDSHAKE_CMD_ACCEPT,
HANDSHAKE_CMD_DONE,
__HANDSHAKE_CMD_MAX,
HANDSHAKE_CMD_MAX = (__HANDSHAKE_CMD_MAX - 1)
};
#define HANDSHAKE_MCGRP_NONE "none"
#define HANDSHAKE_MCGRP_TLSHD "tlshd"
#endif /* _UAPI_LINUX_HANDSHAKE_H */
07070100000020000081A4000000000000000000000001671A5562000040FD000000000000000000000000000000000000002D00000000ktls-utils-0.10+33.g311d943/src/tlshd/quic.c/*
* Perform a QUIC server or client side handshake.
*
* Copyright (c) 2024 Red Hat, Inc.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include <gnutls/abstract.h>
#include <sys/socket.h>
#include <linux/tls.h>
#include <keyutils.h>
#include <stdbool.h>
#include <unistd.h>
#include <glib.h>
#include "config.h"
#include "tlshd.h"
#ifdef HAVE_GNUTLS_QUIC
static void quic_timer_handler(union sigval arg)
{
struct tlshd_quic_conn *conn = arg.sival_ptr;
tlshd_log_error("conn timeout error %d", ETIMEDOUT);
conn->errcode = ETIMEDOUT;
}
static int quic_conn_setup_timer(struct tlshd_quic_conn *conn)
{
uint64_t msec = conn->parms->timeout_ms;
struct itimerspec its = {};
struct sigevent sev = {};
sev.sigev_notify = SIGEV_THREAD;
sev.sigev_notify_function = quic_timer_handler;
sev.sigev_value.sival_ptr = conn;
if (timer_create(CLOCK_REALTIME, &sev, &conn->timer)) {
tlshd_log_error("timer creation error %d", errno);
return -1;
}
its.it_value.tv_sec = msec / 1000;
its.it_value.tv_nsec = (msec % 1000) * 1000000;
if (timer_settime(conn->timer, 0, &its, NULL)) {
tlshd_log_error("timer setup error %d", errno);
return -1;
}
return 0;
}
static void quic_conn_delete_timer(struct tlshd_quic_conn *conn)
{
timer_delete(conn->timer);
}
static uint32_t quic_get_tls_cipher_type(gnutls_cipher_algorithm_t cipher)
{
switch (cipher) {
case GNUTLS_CIPHER_AES_128_GCM:
return TLS_CIPHER_AES_GCM_128;
case GNUTLS_CIPHER_AES_128_CCM:
return TLS_CIPHER_AES_CCM_128;
case GNUTLS_CIPHER_AES_256_GCM:
return TLS_CIPHER_AES_GCM_256;
case GNUTLS_CIPHER_CHACHA20_POLY1305:
return TLS_CIPHER_CHACHA20_POLY1305;
default:
tlshd_log_notice("%s: %d", __func__, cipher);
return 0;
}
}
static enum quic_crypto_level quic_get_crypto_level(gnutls_record_encryption_level_t level)
{
switch (level) {
case GNUTLS_ENCRYPTION_LEVEL_INITIAL:
return QUIC_CRYPTO_INITIAL;
case GNUTLS_ENCRYPTION_LEVEL_HANDSHAKE:
return QUIC_CRYPTO_HANDSHAKE;
case GNUTLS_ENCRYPTION_LEVEL_APPLICATION:
return QUIC_CRYPTO_APP;
case GNUTLS_ENCRYPTION_LEVEL_EARLY:
return QUIC_CRYPTO_EARLY;
default:
tlshd_log_notice("%s: %d", __func__, level);
return QUIC_CRYPTO_MAX;
}
}
static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_level_t level,
const void *rx_secret, const void *tx_secret, size_t secretlen)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
gnutls_cipher_algorithm_t type = gnutls_cipher_get(session);
struct quic_crypto_secret secret = {};
int sockfd, ret, len = sizeof(secret);
if (conn->completed)
return 0;
if (level == GNUTLS_ENCRYPTION_LEVEL_EARLY)
type = gnutls_early_cipher_get(session);
sockfd = conn->parms->sockfd;
secret.level = quic_get_crypto_level(level);
secret.type = quic_get_tls_cipher_type(type);
if (tx_secret) {
secret.send = 1;
memcpy(secret.secret, tx_secret, secretlen);
if (setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_CRYPTO_SECRET, &secret, len)) {
tlshd_log_error("socket setsockopt tx secret error %d %u", errno, level);
return -1;
}
}
if (rx_secret) {
secret.send = 0;
memcpy(secret.secret, rx_secret, secretlen);
if (setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_CRYPTO_SECRET, &secret, len)) {
tlshd_log_error("socket setsockopt rx secret error %d %u", errno, level);
return -1;
}
if (secret.level == QUIC_CRYPTO_APP) {
if (conn->is_serv) {
ret = gnutls_session_ticket_send(session, 1, 0);
if (ret) {
tlshd_log_gnutls_error(ret);
return ret;
}
}
conn->completed = 1;
}
}
tlshd_log_debug(" Secret func: %u %u %u", secret.level, !!tx_secret, !!rx_secret);
return 0;
}
static int quic_alert_read_func(gnutls_session_t session,
gnutls_record_encryption_level_t gtls_level,
gnutls_alert_level_t alert_level,
gnutls_alert_description_t alert_desc)
{
tlshd_log_notice("%s: %u %u %u %u", __func__,
!!session, gtls_level, alert_level, alert_desc);
return 0;
}
static int quic_tp_recv_func(gnutls_session_t session, const uint8_t *buf, size_t len)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
int sockfd = conn->parms->sockfd;
if (setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_TRANSPORT_PARAM_EXT, buf, len)) {
tlshd_log_error("socket setsockopt transport_param_ext error %d", errno);
return -1;
}
return 0;
}
static int quic_tp_send_func(gnutls_session_t session, gnutls_buffer_t extdata)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
int ret, sockfd = conn->parms->sockfd;
uint8_t buf[256];
unsigned int len;
len = sizeof(buf);
if (getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_TRANSPORT_PARAM_EXT, buf, &len)) {
tlshd_log_error("socket getsockopt transport_param_ext error %d", errno);
return -1;
}
ret = gnutls_buffer_append_data(extdata, buf, len);
if (ret) {
tlshd_log_gnutls_error(ret);
return ret;
}
return 0;
}
static int quic_read_func(gnutls_session_t session, gnutls_record_encryption_level_t level,
gnutls_handshake_description_t htype, const void *data, size_t datalen)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
struct tlshd_quic_msg *msg;
uint32_t len = datalen;
if (htype == GNUTLS_HANDSHAKE_KEY_UPDATE)
return 0;
msg = malloc(sizeof(*msg));
if (!msg) {
tlshd_log_debug("msg malloc error %d", ENOMEM);
return -1;
}
memset(msg, 0, sizeof(*msg));
msg->len = len;
memcpy(msg->data, data, msg->len);
msg->level = quic_get_crypto_level(level);
if (!conn->send_list)
conn->send_list = msg;
else
conn->send_last->next = msg;
conn->send_last = msg;
tlshd_log_debug(" Read func: %u %u %u", level, htype, datalen);
return 0;
}
static char quic_priority[] =
"%DISABLE_TLS13_COMPAT_MODE:NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+";
static int quic_session_set_priority(gnutls_session_t session, uint32_t cipher)
{
char p[136] = {};
memcpy(p, quic_priority, strlen(quic_priority));
switch (cipher) {
case TLS_CIPHER_AES_GCM_128:
strcat(p, "AES-128-GCM");
break;
case TLS_CIPHER_AES_GCM_256:
strcat(p, "AES-256-GCM");
break;
case TLS_CIPHER_AES_CCM_128:
strcat(p, "AES-128-CCM");
break;
case TLS_CIPHER_CHACHA20_POLY1305:
strcat(p, "CHACHA20-POLY1305");
break;
default:
strcat(p, "AES-128-GCM:+AES-256-GCM:+AES-128-CCM:+CHACHA20-POLY1305");
}
return gnutls_priority_set_direct(session, p, NULL);
}
static int quic_session_set_alpns(gnutls_session_t session, char *alpn_data)
{
gnutls_datum_t alpns[TLSHD_QUIC_MAX_ALPNS_LEN / 2];
char *alpn = strtok(alpn_data, ",");
int count = 0;
while (alpn) {
while (*alpn == ' ')
alpn++;
alpns[count].data = (unsigned char *)alpn;
alpns[count].size = strlen(alpn);
count++;
alpn = strtok(NULL, ",");
}
return gnutls_alpn_set_protocols(session, alpns, count, GNUTLS_ALPN_MANDATORY);
}
static gnutls_record_encryption_level_t quic_get_encryption_level(uint8_t level)
{
switch (level) {
case QUIC_CRYPTO_INITIAL:
return GNUTLS_ENCRYPTION_LEVEL_INITIAL;
case QUIC_CRYPTO_HANDSHAKE:
return GNUTLS_ENCRYPTION_LEVEL_HANDSHAKE;
case QUIC_CRYPTO_APP:
return GNUTLS_ENCRYPTION_LEVEL_APPLICATION;
case QUIC_CRYPTO_EARLY:
return GNUTLS_ENCRYPTION_LEVEL_EARLY;
default:
tlshd_log_notice("%s: %d", __func__, level);
return GNUTLS_ENCRYPTION_LEVEL_APPLICATION + 1;
}
}
static int quic_conn_get_config(struct tlshd_quic_conn *conn)
{
int sockfd = conn->parms->sockfd;
struct quic_config config = {};
unsigned int len;
len = sizeof(conn->alpns);
if (getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_ALPN, conn->alpns, &len)) {
tlshd_log_error("socket getsockopt alpn error %d", errno);
return -1;
}
len = sizeof(conn->ticket);
if (getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, conn->ticket, &len)) {
tlshd_log_error("socket getsockopt session ticket error %d", errno);
return -1;
}
conn->ticket_len = len;
len = sizeof(config);
if (getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_CONFIG, &config, &len)) {
tlshd_log_error("socket getsockopt config error %d", errno);
return -1;
}
conn->recv_ticket = config.receive_session_ticket;
conn->cert_req = config.certificate_request;
conn->cipher = config.payload_cipher_type;
return 0;
}
static int quic_handshake_sendmsg(int sockfd, struct tlshd_quic_msg *msg)
{
char outcmsg[CMSG_SPACE(sizeof(struct quic_handshake_info))];
struct quic_handshake_info *info;
struct msghdr outmsg;
struct cmsghdr *cmsg;
struct iovec iov;
int flags = 0;
outmsg.msg_name = NULL;
outmsg.msg_namelen = 0;
outmsg.msg_iov = &iov;
iov.iov_base = (void *)msg->data;
iov.iov_len = msg->len;
outmsg.msg_iovlen = 1;
outmsg.msg_control = outcmsg;
outmsg.msg_controllen = sizeof(outcmsg);
outmsg.msg_flags = 0;
if (msg->next)
flags = MSG_MORE;
cmsg = CMSG_FIRSTHDR(&outmsg);
cmsg->cmsg_level = IPPROTO_QUIC;
cmsg->cmsg_type = QUIC_HANDSHAKE_INFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(*info));
info = (struct quic_handshake_info *)CMSG_DATA(cmsg);
info->crypto_level = msg->level;
return sendmsg(sockfd, &outmsg, flags);
}
static int quic_handshake_recvmsg(int sockfd, struct tlshd_quic_msg *msg)
{
char incmsg[CMSG_SPACE(sizeof(struct quic_handshake_info))];
struct quic_handshake_info info;
struct cmsghdr *cmsg = NULL;
struct msghdr inmsg;
struct iovec iov;
int ret;
msg->len = 0;
memset(&inmsg, 0, sizeof(inmsg));
iov.iov_base = msg->data;
iov.iov_len = sizeof(msg->data);
inmsg.msg_name = NULL;
inmsg.msg_namelen = 0;
inmsg.msg_iov = &iov;
inmsg.msg_iovlen = 1;
inmsg.msg_control = incmsg;
inmsg.msg_controllen = sizeof(incmsg);
ret = recvmsg(sockfd, &inmsg, MSG_DONTWAIT);
if (ret < 0)
return ret;
msg->len = ret;
for (cmsg = CMSG_FIRSTHDR(&inmsg); cmsg != NULL; cmsg = CMSG_NXTHDR(&inmsg, cmsg))
if (IPPROTO_QUIC == cmsg->cmsg_level && QUIC_HANDSHAKE_INFO == cmsg->cmsg_type)
break;
if (cmsg) {
memcpy(&info, CMSG_DATA(cmsg), sizeof(info));
msg->level = info.crypto_level;
}
return ret;
}
static int quic_handshake_completed(struct tlshd_quic_conn *conn)
{
return conn->completed || conn->errcode;
}
static int quic_handshake_crypto_data(struct tlshd_quic_conn *conn, uint8_t level,
const uint8_t *data, size_t datalen)
{
gnutls_session_t session = conn->session;
int ret;
level = quic_get_encryption_level(level);
if (datalen > 0) {
ret = gnutls_handshake_write(session, level, data, datalen);
if (ret != 0) {
if (!gnutls_error_is_fatal(ret))
return 0;
goto err;
}
}
ret = gnutls_handshake(session);
if (ret < 0) {
if (!gnutls_error_is_fatal(ret))
return 0;
goto err;
}
return 0;
err:
gnutls_alert_send_appropriate(session, ret);
tlshd_log_gnutls_error(ret);
return ret;
}
/**
* tlshd_quic_conn_create - Create a context for QUIC handshake
* @conn_p: pointer to accept the QUIC handshake context created
* @parms: handshake parameters
*
* Returns: %0 on success, or a negative error code
*/
int tlshd_quic_conn_create(struct tlshd_quic_conn **conn_p, struct tlshd_handshake_parms *parms)
{
struct tlshd_quic_conn *conn;
int ret;
conn = malloc(sizeof(*conn));
if (!conn) {
tlshd_log_error("conn malloc error %d", ENOMEM);
return -ENOMEM;
}
memset(conn, 0, sizeof(*conn));
conn->parms = parms;
if (quic_conn_get_config(conn)) {
ret = -errno;
goto err;
}
if (quic_conn_setup_timer(conn)) {
ret = -errno;
goto err;
}
*conn_p = conn;
return 0;
err:
tlshd_quic_conn_destroy(conn);
return ret;
}
/**
* tlshd_quic_conn_destroy - Destroy a context for QUIC handshake
* @conn: QUIC handshake context to destroy
*
*/
void tlshd_quic_conn_destroy(struct tlshd_quic_conn *conn)
{
struct tlshd_quic_msg *msg = conn->send_list;
while (msg) {
conn->send_list = msg->next;
free(msg);
msg = conn->send_list;
}
quic_conn_delete_timer(conn);
gnutls_deinit(conn->session);
free(conn);
}
#define QUIC_TLSEXT_TP_PARAM 0x39u
static int tlshd_quic_session_configure(struct tlshd_quic_conn *conn)
{
gnutls_session_t session = conn->session;
int ret;
ret = quic_session_set_priority(session, conn->cipher);
if (ret)
return ret;
if (conn->alpns[0]) {
ret = quic_session_set_alpns(session, conn->alpns);
if (ret)
return ret;
}
gnutls_handshake_set_secret_function(session, quic_secret_func);
gnutls_handshake_set_read_function(session, quic_read_func);
gnutls_alert_set_read_function(session, quic_alert_read_func);
return gnutls_session_ext_register(
session, "QUIC Transport Parameters", QUIC_TLSEXT_TP_PARAM,
GNUTLS_EXT_TLS, quic_tp_recv_func, quic_tp_send_func, NULL, NULL, NULL,
GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE);
}
static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn)
{
gnutls_session_t session = conn->session;
int i, ret, sockfd = conn->parms->sockfd;
unsigned int len;
size_t size;
if (conn->is_serv || !conn->recv_ticket)
return;
for (i = 0; i < 10 * conn->recv_ticket; i++) { /* wait and try for conn->recv_ticket secs */
len = sizeof(conn->ticket);
ret = getsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, conn->ticket, &len);
if (ret) {
tlshd_log_error("socket getsockopt session ticket error %d", errno);
conn->errcode = errno;
return;
}
if (len)
break;
usleep(100000);
}
if (i == 10 * conn->recv_ticket)
return;
/* process new session ticket msg and get the generated session data */
ret = quic_handshake_crypto_data(conn, QUIC_CRYPTO_APP, conn->ticket, len);
if (ret) {
conn->errcode = -ret;
return;
}
size = sizeof(conn->ticket);
ret = gnutls_session_get_data(session, conn->ticket, &size);
if (ret) {
tlshd_log_gnutls_error(ret);
conn->errcode = -ret;
return;
}
/* set it back to kernel for session resumption of next connection */
len = size;
ret = setsockopt(sockfd, SOL_QUIC, QUIC_SOCKOPT_SESSION_TICKET, conn->ticket, len);
if (ret) {
tlshd_log_error("socket setsockopt session ticket error %d %u", errno, len);
conn->errcode = errno;
}
}
/**
* tlshd_quic_start_handshake - Drive the handshake interaction
* @conn: QUIC handshake context
*
*/
void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn)
{
int ret, sockfd = conn->parms->sockfd;
struct timeval tv = {1, 0};
struct tlshd_quic_msg *msg;
fd_set readfds;
FD_ZERO(&readfds);
FD_SET(sockfd, &readfds);
ret = tlshd_quic_session_configure(conn);
if (ret) {
tlshd_log_gnutls_error(ret);
conn->errcode = -ret;
return;
}
if (!conn->is_serv) {
ret = quic_handshake_crypto_data(conn, QUIC_CRYPTO_INITIAL, NULL, 0);
if (ret) {
conn->errcode = -ret;
return;
}
msg = conn->send_list;
while (msg) {
tlshd_log_debug("< Handshake SEND: %d %d", msg->len, msg->level);
ret = quic_handshake_sendmsg(sockfd, msg);
if (ret < 0) {
tlshd_log_error("socket sendmsg error %d", errno);
conn->errcode = errno;
return;
}
conn->send_list = msg->next;
free(msg);
msg = conn->send_list;
}
}
while (!quic_handshake_completed(conn)) {
ret = select(sockfd + 1, &readfds, NULL, NULL, &tv);
if (ret < 0) {
conn->errcode = errno;
return tlshd_log_error("socket select error %d", errno);
}
msg = &conn->recv_msg;
while (!quic_handshake_completed(conn)) {
ret = quic_handshake_recvmsg(sockfd, msg);
if (ret <= 0) {
if (errno == EAGAIN || errno == EWOULDBLOCK)
break;
conn->errcode = errno;
return tlshd_log_error("socket recvmsg error %d", errno);
}
tlshd_log_debug("> Handshake RECV: %u %u", msg->len, msg->level);
ret = quic_handshake_crypto_data(conn, msg->level, msg->data, msg->len);
if (ret) {
conn->errcode = -ret;
return;
}
}
msg = conn->send_list;
while (msg) {
tlshd_log_debug("< Handshake SEND: %u %u", msg->len, msg->level);
ret = quic_handshake_sendmsg(sockfd, msg);
if (ret < 0) {
conn->errcode = errno;
return tlshd_log_error("socket sendmsg error %d", errno);
}
conn->send_list = msg->next;
free(msg);
msg = conn->send_list;
}
}
tlshd_quic_recv_session_ticket(conn);
}
#endif
07070100000021000081A4000000000000000000000001671A55620000425B000000000000000000000000000000000000002F00000000ktls-utils-0.10+33.g311d943/src/tlshd/server.c/*
* Perform a TLSv1.3 server-side handshake.
*
* Copyright (c) 2023 Oracle and/or its affiliates.
* Copyright (c) 2024 Red Hat, Inc.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <keyutils.h>
#include <gnutls/gnutls.h>
#include <gnutls/abstract.h>
#include <gnutls/x509.h>
#include <linux/tls.h>
#include <glib.h>
#include "tlshd.h"
#include "netlink.h"
static gnutls_privkey_t tlshd_server_privkey;
static unsigned int tlshd_server_certs_len = TLSHD_MAX_CERTS;
static gnutls_pcert_st tlshd_server_certs[TLSHD_MAX_CERTS];
/*
* XXX: After this point, tlshd_server_certs should be deinited on error.
*/
static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms)
{
if (parms->x509_cert != TLS_NO_CERT)
return tlshd_keyring_get_certs(parms->x509_cert,
tlshd_server_certs,
&tlshd_server_certs_len);
return tlshd_config_get_server_certs(tlshd_server_certs,
&tlshd_server_certs_len);
}
/*
* XXX: After this point, tlshd_server_privkey should be deinited on error.
*/
static bool tlshd_x509_server_get_privkey(struct tlshd_handshake_parms *parms)
{
if (parms->x509_privkey != TLS_NO_PRIVKEY)
return tlshd_keyring_get_privkey(parms->x509_privkey,
&tlshd_server_privkey);
return tlshd_config_get_server_privkey(&tlshd_server_privkey);
}
static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
{
char issuer_dn[256];
size_t len;
int i, ret;
if (nreqs < 1)
return;
tlshd_log_debug("Server's trusted authorities:");
for (i = 0; i < nreqs; i++) {
len = sizeof(issuer_dn);
ret = gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn, &len);
if (ret >= 0)
tlshd_log_debug(" [%d]: %s", i, issuer_dn);
}
}
/**
* tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity
*
* Callback function is of type gnutls_certificate_retrieve_function2
*
* Initial implementation based on the cert_callback() function in
* gnutls/doc/examples/ex-cert-select.c.
*
* Sketched-in and untested.
*
* Return values:
* %0: Success; output parameters are set accordingly
* %-1: Failure
*/
static int
tlshd_x509_retrieve_key_cb(gnutls_session_t session,
const gnutls_datum_t *req_ca_rdn, int nreqs,
__attribute__ ((unused)) const gnutls_pk_algorithm_t *pk_algos,
__attribute__ ((unused)) int pk_algos_length,
gnutls_pcert_st **pcert,
unsigned int *pcert_length,
gnutls_privkey_t *privkey)
{
gnutls_certificate_type_t type;
tlshd_x509_log_issuers(req_ca_rdn, nreqs);
type = gnutls_certificate_type_get(session);
if (type != GNUTLS_CRT_X509)
return -1;
*pcert_length = tlshd_server_certs_len;
*pcert = tlshd_server_certs;
*privkey = tlshd_server_privkey;
return 0;
}
/**
* tlshd_server_x509_verify_function - Verify remote's x.509 certificate
* @session: session in the midst of a handshake
* @parms: handshake parameters
*
* A return value of %GNUTLS_E_SUCCESS indicates that the TLS session
* has been allowed to continue. tlshd either sets the peerid array if
* the presented certificate has been successfully verified, or the
* peerid array is left empty if no peer information was available to
* perform verification. The kernel consumer can apply a security policy
* based on this information.
*
* A return value of %GNUTLS_E_CERTIFICATE_ERROR means that certificate
* verification failed. The server sends an ALERT to the client.
*/
static int tlshd_server_x509_verify_function(gnutls_session_t session,
struct tlshd_handshake_parms *parms)
{
const gnutls_datum_t *peercerts;
gnutls_certificate_type_t type;
unsigned int i, status;
gnutls_datum_t out;
int ret;
ret = gnutls_certificate_verify_peers3(session, NULL, &status);
switch (ret) {
case GNUTLS_E_SUCCESS:
break;
case GNUTLS_E_NO_CERTIFICATE_FOUND:
tlshd_log_debug("The peer offered no certificate.");
return GNUTLS_E_SUCCESS;
default:
tlshd_log_gnutls_error(ret);
goto certificate_error;
}
type = gnutls_certificate_type_get(session);
gnutls_certificate_verification_status_print(status, type, &out, 0);
tlshd_log_debug("%s", out.data);
gnutls_free(out.data);
if (status)
goto certificate_error;
/* To do: Examine extended key usage information here, if we want
* to get picky. Kernel would have to tell us what to look for
* via a netlink attribute. */
peercerts = gnutls_certificate_get_peers(session,
&parms->num_remote_peerids);
if (!peercerts || parms->num_remote_peerids == 0) {
tlshd_log_debug("The peer cert list is empty.");
goto certificate_error;
}
tlshd_log_debug("The peer offered %u certificate(s).",
parms->num_remote_peerids);
if (parms->num_remote_peerids > ARRAY_SIZE(parms->remote_peerid))
parms->num_remote_peerids = ARRAY_SIZE(parms->remote_peerid);
for (i = 0; i < parms->num_remote_peerids; i++) {
gnutls_x509_crt_t cert;
gnutls_x509_crt_init(&cert);
ret = gnutls_x509_crt_import(cert, &peercerts[i],
GNUTLS_X509_FMT_DER);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
gnutls_x509_crt_deinit(cert);
return GNUTLS_E_CERTIFICATE_ERROR;
}
parms->remote_peerid[i] =
tlshd_keyring_create_cert(cert, parms->peername);
gnutls_x509_crt_deinit(cert);
}
return GNUTLS_E_SUCCESS;
certificate_error:
gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
return GNUTLS_E_CERTIFICATE_ERROR;
}
static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
{
struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
return tlshd_server_x509_verify_function(session, parms);
}
static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
char *cafile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return;
}
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
if (!tlshd_x509_server_get_privkey(parms)) {
goto out_free_creds;
}
gnutls_certificate_set_retrieve_function2(xcred,
tlshd_x509_retrieve_key_cb);
ret = gnutls_init(&session, GNUTLS_SERVER);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_transport_set_int(session, parms->sockfd);
gnutls_session_set_ptr(session, parms);
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_certificate_set_verify_function(xcred,
tlshd_tls13_server_x509_verify_function);
gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST);
ret = tlshd_gnutls_priority_set(session, parms, 0);
if (ret) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_start_tls_handshake(session, parms);
gnutls_deinit(session);
out_free_creds:
gnutls_certificate_free_credentials(xcred);
}
/**
* tlshd_server_psk_cb - Validate remote's username
* @session: session in the midst of a handshake
* @username: remote's username
* @key: PSK matching @username
*
* Searches for a key with description @username in the session
* keyring, and stores the PSK data in @key if found.
*
* Return values:
* %0: Matching key has been stored in @key
* %-1: Error during lookup, @key is not updated
*/
static int tlshd_server_psk_cb(gnutls_session_t session,
const char *username, gnutls_datum_t *key)
{
struct tlshd_handshake_parms *parms;
key_serial_t psk;
long ret;
parms = gnutls_session_get_ptr(session);
ret = keyctl_search(KEY_SPEC_SESSION_KEYRING,
TLS_DEFAULT_PSK_TYPE, username, 0);
if (ret < 0) {
tlshd_log_error("failed to search '%s' key '%s'",
TLS_DEFAULT_PSK_TYPE, username);
return -1;
}
psk = (key_serial_t)ret;
if (!tlshd_keyring_get_psk_key(psk, key)) {
tlshd_log_error("failed to load key %lu", (unsigned long)psk);
return -1;
}
/* PSK uses the same identity for both client and server */
parms->remote_peerid[0] = psk;
parms->num_remote_peerids = 1;
return 0;
}
static void tlshd_tls13_server_psk_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_psk_server_credentials_t psk_cred;
gnutls_session_t session;
int ret;
ret = gnutls_psk_allocate_server_credentials(&psk_cred);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
return;
}
gnutls_psk_set_server_credentials_function(psk_cred,
tlshd_server_psk_cb);
ret = gnutls_init(&session, GNUTLS_SERVER);
if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
gnutls_transport_set_int(session, parms->sockfd);
gnutls_session_set_ptr(session, parms);
gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
ret = tlshd_gnutls_priority_set(session, parms, 0);
if (ret) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
tlshd_start_tls_handshake(session, parms);
gnutls_deinit(session);
out_free_creds:
gnutls_psk_free_server_credentials(psk_cred);
}
/**
* tlshd_tls13_serverhello_handshake - send a TLSv1.3 ServerHello
* @parms: handshake parameters
*
*/
void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_X509:
tlshd_tls13_server_x509_handshake(parms);
break;
case HANDSHAKE_AUTH_PSK:
tlshd_tls13_server_psk_handshake(parms);
break;
default:
tlshd_log_debug("Unrecognized auth mode (%d)",
parms->auth_mode);
}
}
#ifdef HAVE_GNUTLS_QUIC
static int tlshd_quic_server_alpn_verify(gnutls_session_t session, unsigned int htype,
unsigned int when, unsigned int incoming,
const gnutls_datum_t *msg)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
gnutls_datum_t alpn = {};
int ret;
if (!conn->alpns[0])
return 0;
ret = gnutls_alpn_get_selected_protocol(session, &alpn);
if (ret) {
tlshd_log_gnutls_error(ret);
return ret;
}
if (setsockopt(conn->parms->sockfd, SOL_QUIC, QUIC_SOCKOPT_ALPN, alpn.data, alpn.size)) {
tlshd_log_error("socket setsockopt alpn error %d %u", errno, alpn.size);
return -1;
}
tlshd_log_debug(" ALPN verify: %u %u %u %u", htype, when, incoming, msg->size);
return 0;
}
static int tlshd_quic_server_anti_replay_db_add_func(void *dbf, time_t exp_time,
const gnutls_datum_t *key,
const gnutls_datum_t *data)
{
tlshd_log_debug(" Anti replay: %u %u %u %u", !!dbf, exp_time, key->size, data->size);
return 0;
}
static gnutls_anti_replay_t tlshd_quic_server_anti_replay;
static int tlshd_quic_server_x509_verify_function(gnutls_session_t session)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
return tlshd_server_x509_verify_function(session, conn->parms);
}
static int tlshd_quic_server_psk_cb(gnutls_session_t session, const char *username,
gnutls_datum_t *key)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
struct tlshd_handshake_parms *parms = conn->parms;
key_serial_t psk;
long ret;
ret = keyctl_search(KEY_SPEC_SESSION_KEYRING, "psk", username, 0);
if (ret >= 0)
goto found;
ret = keyctl_search(KEY_SPEC_SESSION_KEYRING, "user", username, 0);
if (ret < 0) {
tlshd_log_error("key search error %d %s", errno, username);
return -1;
}
found:
psk = (key_serial_t)ret;
if (!tlshd_keyring_get_psk_key(psk, key)) {
tlshd_log_error("key load error %d", errno);
return -1;
}
/* PSK uses the same identity for both client and server */
parms->remote_peerid[0] = psk;
parms->num_remote_peerids = 1;
return 0;
}
static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_datum_t ticket_key;
gnutls_session_t session;
int ret = -EINVAL;
char *cafile;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
tlshd_log_error("cert/privkey get error %d", -ret);
return ret;
}
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(cred, cafile,
GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(cred);
if (ret < 0)
goto err_cred;
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
gnutls_certificate_set_verify_function(cred, tlshd_quic_server_x509_verify_function);
ret = gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NO_AUTO_SEND_TICKET |
GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA);
if (ret)
goto err_cred;
if (!tlshd_quic_server_anti_replay) {
ret = gnutls_anti_replay_init(&tlshd_quic_server_anti_replay);
if (ret)
goto err_session;
gnutls_anti_replay_set_add_function(tlshd_quic_server_anti_replay,
tlshd_quic_server_anti_replay_db_add_func);
gnutls_anti_replay_set_ptr(tlshd_quic_server_anti_replay, NULL);
}
gnutls_anti_replay_enable(session, tlshd_quic_server_anti_replay);
ret = gnutls_record_set_max_early_data_size(session, 0xffffffffu);
if (ret)
goto err_session;
gnutls_session_set_ptr(session, conn);
ticket_key.data = conn->ticket;
ticket_key.size = conn->ticket_len;
ret = gnutls_session_ticket_enable_server(session, &ticket_key);
if (ret)
goto err_session;
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST, tlshd_quic_server_alpn_verify);
ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
if (ret)
goto err_session;
gnutls_certificate_server_set_request(session, conn->cert_req);
conn->is_serv = 1;
conn->session = session;
return 0;
err_session:
gnutls_deinit(session);
err_cred:
gnutls_certificate_free_credentials(cred);
err:
tlshd_log_gnutls_error(ret);
return ret;
}
static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
{
gnutls_psk_server_credentials_t cred;
gnutls_session_t session;
int ret;
ret = gnutls_psk_allocate_server_credentials(&cred);
if (ret)
goto err;
gnutls_psk_set_server_credentials_function(cred, tlshd_quic_server_psk_cb);
ret = gnutls_init(&session, GNUTLS_SERVER | GNUTLS_NO_AUTO_SEND_TICKET);
if (ret)
goto err_cred;
gnutls_session_set_ptr(session, conn);
gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CLIENT_HELLO,
GNUTLS_HOOK_POST, tlshd_quic_server_alpn_verify);
ret = gnutls_credentials_set(session, GNUTLS_CRD_PSK, cred);
if (ret)
goto err_session;
conn->is_serv = 1;
conn->session = session;
return 0;
err_session:
gnutls_deinit(session);
err_cred:
gnutls_psk_free_server_credentials(cred);
err:
tlshd_log_gnutls_error(ret);
return ret;
}
/**
* tlshd_quic_serverhello_handshake - send a QUIC Server Initial
* @parms: handshake parameters
*
*/
void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
struct tlshd_quic_conn *conn;
int ret;
ret = tlshd_quic_conn_create(&conn, parms);
if (ret) {
parms->session_status = ret;
return gnutls_global_deinit();
}
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_X509:
ret = tlshd_quic_server_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
ret = tlshd_quic_server_set_psk_session(conn);
break;
default:
ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
if (ret) {
conn->errcode = -ret;
goto out;
}
tlshd_quic_start_handshake(conn);
out:
parms->session_status = conn->errcode;
tlshd_quic_conn_destroy(conn);
}
#else
void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode);
parms->session_status = EOPNOTSUPP;
}
#endif
07070100000022000081A4000000000000000000000001671A55620000043A000000000000000000000000000000000000003100000000ktls-utils-0.10+33.g311d943/src/tlshd/tlshd.conf#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# This file is part of ktls-utils.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
# See tlshd.conf(5) for details.
#
[debug]
loglevel=0
tls=0
nl=0
[authenticate]
#keyrings= <keyring>;<keyring>;<keyring>
[authenticate.client]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>
[authenticate.server]
#x509.truststore= <pathname>
#x509.certificate= <pathname>
#x509.private_key= <pathname>
07070100000023000081A4000000000000000000000001671A556200000E51000000000000000000000000000000000000003500000000ktls-utils-0.10+33.g311d943/src/tlshd/tlshd.conf.man.\"
.\" Copyright (c) 2022 Oracle and/or its affiliates.
.\"
.\" ktls-utils is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; version 2.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
.\" 02110-1301, USA.
.\"
.\" tlshd.conf(5)
.\"
.\" Copyright (c) 2022 Oracle and/or its affiliates.
.TH tlshd.conf 5 "20 Oct 2022"
.SH NAME
tlshd.conf \- tlshd configuration file
.SH SYNOPSIS
.B /etc/tlshd.conf
.SH DESCRIPTION
The
.B tlshd
program implements a user agent that services TLS handshake requests
on behalf of kernel TLS consumers.
Its configuration file contains information that the program reads
when it starts up.
The file is designed to be human readable and contains a list of keywords
with values that provide various types of information.
The configuration file is considered a trusted source of information.
.P
The
.B tlshd
program reads this file once when it is launched.
Thus changes made in this file take effect only when the
.B tlshd
program is restarted.
If this file does not exist, the
.B tlshd
program exits immediately.
.SH OPTIONS
The configuration file is split into sections.
.P
The
.I [debug]
section specifies debugging settings for the
.B tlshd
program.
In this section, there are three available options:
.TP
.B loglevel
This option specifies an integer which indicates the debug message level.
Zero, the quietest setting, is the default.
.TP
.B tls
This option specifies an integer which indicates the debug message level
for TLS library calls.
Zero, the quietest setting, is the default.
.TP
.B nl
This option specifies an integer which indicates the debug message level
for netlink library calls.
Zero, the quietest setting, is the default.
.P
The
.I [authenticate]
section specifies default authentication material when establishing
TLS sessions.
In this section, there is one available option:
.TP
.B keyrings
This option specifies a semicolon-separated list of auxiliary keyrings
that contain handshake authentication tokens.
.B tlshd
links these keyrings into its session keyring.
The configuration file may specify either a keyring's name or serial number.
The default is to provide no keyring.
.P
And, in this section, there are two subsections:
.I [client]
and
.IR [server] .
The
.B tlshd
program consults the settings in the
.I [client]
subsection when handling the client end of a handshake,
and it consults the settings in the
.I [server]
subsection when handling the server end of a handshake.
.P
In each of these two subsections, there are three available options:
.TP
.B x509.truststore
This option specifies the pathname of a file containing a
PEM-encoded trust store that is to be used to verify a
certificate during a handshake.
If this option is not specified,
.B tlshd
uses the system's trust store.
.TP
.B x509.certificate
This option specifies the pathname of a file containing
a PEM-encoded x.509 certificate that is to be presented during
a handshake request when no other certificate is available.
.TP
.B x509.private_key
This option specifies the pathname of a file containing
a PEM-encoded private key associated with the above certificate.
.SH SEE ALSO
.BR tlshd (8)
.SH AUTHOR
Chuck Lever
07070100000024000081A4000000000000000000000001671A556200001632000000000000000000000000000000000000002E00000000ktls-utils-0.10+33.g311d943/src/tlshd/tlshd.h/*
* Generic definitions and forward declarations for tlshd.
*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include <linux/netlink.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
extern int tlshd_debug;
extern int tlshd_tls_debug;
extern unsigned int tlshd_delay_done;
extern int tlshd_stderr;
struct nl_sock;
struct tlshd_handshake_parms {
char *peername;
struct sockaddr *peeraddr;
socklen_t peeraddr_len;
int sockfd;
int ip_proto;
uint32_t handshake_type;
unsigned int timeout_ms;
uint32_t auth_mode;
key_serial_t x509_cert;
key_serial_t x509_privkey;
key_serial_t *peerids;
unsigned int num_peerids;
int msg_status;
unsigned int session_status;
unsigned int num_remote_peerids;
key_serial_t remote_peerid[10];
};
/* client.c */
extern void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms);
extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms);
/* config.c */
bool tlshd_config_init(const gchar *pathname);
void tlshd_config_shutdown(void);
bool tlshd_config_get_client_truststore(char **bundle);
bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
bool tlshd_config_get_server_truststore(char **bundle);
bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey);
/* handshake.c */
extern void tlshd_start_tls_handshake(gnutls_session_t session,
struct tlshd_handshake_parms *parms);
extern void tlshd_service_socket(void);
/* keyring.c */
extern bool tlshd_keyring_get_psk_username(key_serial_t serial,
char **username);
extern bool tlshd_keyring_get_psk_key(key_serial_t serial,
gnutls_datum_t *key);
extern bool tlshd_keyring_get_privkey(key_serial_t serial,
gnutls_privkey_t *privkey);
extern bool tlshd_keyring_get_certs(key_serial_t serial, gnutls_pcert_st *certs,
unsigned int *certs_len);
extern key_serial_t tlshd_keyring_create_cert(gnutls_x509_crt_t cert,
const char *peername);
extern int tlshd_keyring_link_session(const char *keyring);
/* ktls.c */
extern unsigned int tlshd_initialize_ktls(gnutls_session_t session);
extern int tlshd_gnutls_priority_init(void);
extern int tlshd_gnutls_priority_set(gnutls_session_t session,
struct tlshd_handshake_parms *parms,
unsigned int psk_len);
extern void tlshd_gnutls_priority_deinit(void);
/* log.c */
extern void tlshd_log_init(const char *progname);
extern void tlshd_log_shutdown(void);
extern void tlshd_log_close(void);
extern void tlshd_log_success(const char *hostname,
const struct sockaddr *sap, socklen_t salen);
extern void tlshd_log_failure(const char *hostname,
const struct sockaddr *sap, socklen_t salen);
extern void tlshd_log_debug(const char *fmt, ...);
extern void tlshd_log_notice(const char *fmt, ...);
extern void tlshd_log_error(const char *fmt, ...);
extern void tlshd_log_perror(const char *prefix);
extern void tlshd_log_gai_error(int error);
extern void tlshd_log_cert_verification_error(gnutls_session_t session);
extern void tlshd_log_gnutls_error(int error);
extern void tlshd_gnutls_log_func(int level, const char *msg);
extern void tlshd_gnutls_audit_func(gnutls_session_t session, const char *msg);
void tlshd_log_gerror(const char *msg, GError *error);
void tlshd_log_nl_error(const char *msg, int err);
/* netlink.c */
extern void tlshd_genl_dispatch(void);
extern int tlshd_genl_get_handshake_parms(struct tlshd_handshake_parms *parms);
extern void tlshd_genl_done(struct tlshd_handshake_parms *parms);
/* server.c */
extern void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms);
extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms);
#ifdef HAVE_GNUTLS_QUIC
#include <linux/quic.h>
#define TLSHD_QUIC_MAX_DATA_LEN 4096
#define TLSHD_QUIC_MAX_ALPNS_LEN 128
struct tlshd_quic_msg {
struct tlshd_quic_msg *next;
uint8_t data[TLSHD_QUIC_MAX_DATA_LEN];
uint32_t len;
uint8_t level;
};
struct tlshd_quic_conn {
struct tlshd_handshake_parms *parms;
char alpns[TLSHD_QUIC_MAX_ALPNS_LEN];
uint8_t ticket[TLSHD_QUIC_MAX_DATA_LEN];
uint32_t ticket_len;
uint32_t cipher;
gnutls_session_t session;
uint8_t recv_ticket:1;
uint8_t completed:1;
uint8_t cert_req:2;
uint8_t is_serv:1;
uint32_t errcode;
timer_t timer;
struct tlshd_quic_msg *send_list;
struct tlshd_quic_msg *send_last;
struct tlshd_quic_msg recv_msg;
};
/* quic.c */
extern int tlshd_quic_conn_create(struct tlshd_quic_conn **conn_p,
struct tlshd_handshake_parms *parms);
extern void tlshd_quic_conn_destroy(struct tlshd_quic_conn *conn);
extern void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn);
#endif
#define TLS_DEFAULT_PRIORITIES (NULL)
#define TLS_DEFAULT_PSK_TYPE "psk"
#define TLS_NO_PEERID (0)
#define TLS_NO_CERT (0)
#define TLS_NO_PRIVKEY (0)
/* Max number of (chained) certs to load */
#define TLSHD_MAX_CERTS 10
07070100000025000081A4000000000000000000000001671A556200000A0D000000000000000000000000000000000000003000000000ktls-utils-0.10+33.g311d943/src/tlshd/tlshd.man.\"
.\" Copyright (c) 2022 Oracle and/or its affiliates.
.\"
.\" ktls-utils is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; version 2.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
.\" 02110-1301, USA.
.\"
.\" tlshd(8)
.\"
.\" Copyright (c) 2021 Oracle and/or its affiliates.
.TH tlshd 8 "20 Dec 2021"
.SH NAME
tlshd \- TLS handshake for kernel TLS sockets
.SH SYNOPSIS
.BI "/usr/sbin/tlshd [" options "]"
.SH DESCRIPTION
The
.B tlshd
program implements a user agent that services TLS handshake requests
on behalf of kernel TLS consumers.
Using the
.BR accept (2)
system call, it materializes kernel socket endpoints in user space
in order to perform TLS handshakes using a TLS library.
After each handshake completes,
.B tlshd
plants TLS session metadata into the kernel socket to enable
the use of kTLS to secure subsequent communication on that socket.
.SH OPTIONS
.TP
.B \-c " or " \-\-config
When specified this option sets the location for
.BR tlshd 's
config file.
.TP
.B \-h " or " \-\-help
When specified
.B tlshd
displays a help message then exits immediately.
.TP
.B \-s " or " \-\-stderr
When specified this option forces messages to go to both
.I stderr
and the system log.
By default, messages go only to the system log.
.TP
.B \-v " or " \-\-version
When specified
.B tlshd
displays build version information then exits immediately.
.SH ENVIRONMENT VARIABLES
The GnuTLS library provides certain capabilities that can be enabled
by setting environment variables before
.B tlshd
is started.
More information about these variables is available
in GnuTLS library documentation.
.TP
.B SSLKEYLOGFILE
When set, this variable specifies the pathname of a file
to which the GnuTLS library appends
negotiated session keys in the NSS Key Log format.
The NSS Key Log format can be read by wireshark,
enabling decryption of recorded sessions.
.TP
.B GNUTLS_FORCE_FIPS_MODE
When set to `1', this variable forces the TLS library into FIPS mode
if FIPS140-2 support is available.
.SH SEE ALSO
.BR tlshd.conf (5),
.BR ssl (7)
.SH AUTHOR
Chuck Lever
07070100000026000041ED000000000000000000000002671A556200000000000000000000000000000000000000000000002400000000ktls-utils-0.10+33.g311d943/systemd07070100000027000081A4000000000000000000000001671A55620000039A000000000000000000000000000000000000003000000000ktls-utils-0.10+33.g311d943/systemd/Makefile.am#
# Copyright (c) 2022 Oracle and/or its affiliates.
#
# ktls-utils is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
unit_files = tlshd.service
EXTRA_DIST = $(unit_files)
MAINTAINERCLEANFILES = Makefile.in
if INSTALL_SYSTEMD
install-data-hook: $(unit_files)
mkdir -p $(DESTDIR)/$(unitdir)
cp $(unit_files) $(DESTDIR)/$(unitdir)
endif
07070100000028000081A4000000000000000000000001671A5562000000E2000000000000000000000000000000000000003200000000ktls-utils-0.10+33.g311d943/systemd/tlshd.service[Unit]
Description=Handshake service for kernel TLS consumers
Documentation=man:tlshd(8)
DefaultDependencies=no
Before=remote-fs-pre.target
[Service]
Type=simple
ExecStart=/usr/sbin/tlshd
[Install]
WantedBy=remote-fs.target
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!449 blocks
