Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ktls-utils for openSUSE:Factory checked in at 2024-03-22 15:21:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ktls-utils (Old) and /work/SRC/openSUSE:Factory/.ktls-utils.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ktls-utils"
Fri Mar 22 15:21:04 2024 rev:4 rq:1160479 version:0.10+12.gc3923f7
Changes:
--------
--- /work/SRC/openSUSE:Factory/ktls-utils/ktls-utils.changes	2024-03-06 23:04:45.837818491 +0100
+++ /work/SRC/openSUSE:Factory/.ktls-utils.new.1905/ktls-utils.changes	2024-03-22 15:33:26.209211735 +0100
@@ -1,0 +2,8 @@
+Thu Mar 21 21:50:44 UTC 2024 - Martin Wilck <mwi...@suse.com>
+
+- Update to version 0.10+12.gc3923f7:
+  * Rework priority string setting for PSK (bsc#1221437)
+  * config: use 'authenticate' as a section name
+  * server: add missing priority setting (gh#oracle/ktls-utils#49)
+
+-------------------------------------------------------------------
Old:
----
  ktls-utils-0.10+9.gf28f084.obscpio
New:
----
  ktls-utils-0.10+12.gc3923f7.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ktls-utils.spec ++++++
--- /var/tmp/diff_new_pack.8bZUYP/_old	2024-03-22 15:33:26.721230556 +0100
+++ /var/tmp/diff_new_pack.8bZUYP/_new	2024-03-22 15:33:26.721230556 +0100
@@ -17,7 +17,7 @@
 Name:           ktls-utils
-Version:        0.10+9.gf28f084
+Version:        0.10+12.gc3923f7
 Release:        0
 Summary:        Agent for performing handshakes for kernel TLS sockets
 License:        GPL-2.0-only
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.8bZUYP/_old	2024-03-22 15:33:26.757231880 +0100
+++ /var/tmp/diff_new_pack.8bZUYP/_new	2024-03-22 15:33:26.757231880 +0100
@@ -3,6 +3,6 @@
                 <param name="url">https://github.com/oracle/ktls-utils.git</param>
               <param name="changesrevision">198ff00ba28cb97cdab6e49a7422cce331fde198</param></service><service name="tar_scm">
                 <param name="url">https://github.com/openSUSE/ktls-utils.git</param>
-              <param name="changesrevision">f28f084fda537f82d99ca3a8f6e45638f95870e8</param></service></servicedata>
+              <param name="changesrevision">c3923f76ec7bf8fe5218ca719a5dc2adef67a733</param></service></servicedata>
(No newline at EOF)
++++++ ktls-utils-0.10+9.gf28f084.obscpio -> ktls-utils-0.10+12.gc3923f7.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/client.c new/ktls-utils-0.10+12.gc3923f7/src/tlshd/client.c
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/client.c	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/client.c	2024-03-21 14:47:22.000000000 +0100
@@ -95,7 +95,7 @@
 		goto out_free_creds;
 	}
-	ret = tlshd_gnutls_priority_set(session, parms);
+	ret = tlshd_gnutls_priority_set(session, parms, 0);
 	if (ret != GNUTLS_E_SUCCESS) {
 		tlshd_log_gnutls_error(ret);
 		goto out_free_creds;
@@ -315,7 +315,7 @@
 		tlshd_log_gnutls_error(ret);
 		goto out_free_creds;
 	}
-	ret = tlshd_gnutls_priority_set(session, parms);
+	ret = tlshd_gnutls_priority_set(session, parms, 0);
 	if (ret != GNUTLS_E_SUCCESS) {
 		tlshd_log_gnutls_error(ret);
 		goto out_free_creds;
@@ -376,13 +376,7 @@
 	gnutls_session_set_ptr(session, parms);
 	gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
-	ret = tlshd_gnutls_priority_set(session, parms);
-	if (ret != GNUTLS_E_SUCCESS) {
-		tlshd_log_gnutls_error(ret);
-		goto out_free_creds;
-	}
-
-	ret = tlshd_gnutls_priority_restrict(session, key.size);
+	ret = tlshd_gnutls_priority_set(session, parms, key.size);
 	if (ret != GNUTLS_E_SUCCESS) {
 		tlshd_log_gnutls_error(ret);
 		goto out_free_creds;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/config.c new/ktls-utils-0.10+12.gc3923f7/src/tlshd/config.c
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/config.c	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/config.c	2024-03-21 14:47:22.000000000 +0100
@@ -87,7 +87,7 @@
 	tlshd_delay_done = tmp > 0 ? tmp : 0;
 	keyrings = g_key_file_get_string_list(tlshd_configuration,
-					      "authentication",
+					      "authenticate",
 					      "keyrings", &length, NULL);
 	if (keyrings) {
 		for (i = 0; i < length; i++) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/ktls.c new/ktls-utils-0.10+12.gc3923f7/src/tlshd/ktls.c
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/ktls.c	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/ktls.c	2024-03-21 14:47:22.000000000 +0100
@@ -347,6 +347,8 @@
 static gnutls_priority_t tlshd_gnutls_priority_x509;
 static gnutls_priority_t tlshd_gnutls_priority_psk;
+static gnutls_priority_t tlshd_gnutls_priority_psk_sha256;
+static gnutls_priority_t tlshd_gnutls_priority_psk_sha384;
 /**
  * tlshd_gnutls_priority_init - Initialize GnuTLS priority caches
@@ -357,7 +359,7 @@
 	const unsigned int *ciphers;
 	gnutls_priority_t pcache;
 	const char *errpos;
-	char *pstring;
+	char *pstring, *pstring_sha256, *pstring_sha384;
 	int ret, i;
 	/* Retrieve the system default priority settings */
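Review bot: Renaming the section key to `"authenticate"` on the new side of the config.c hunk leaves any deployed tlshd.conf that still says `[authentication]` silently without keyrings, because g_key_file_get_string_list returns NULL for the unknown section and the `if (keyrings)` branch is simply skipped. A transitional fallback would keep existing configurations working, e.g. `if (!keyrings) keyrings = g_key_file_get_string_list(tlshd_configuration, "authentication", "keyrings", &length, NULL);`, ideally paired with a log line naming the deprecated section so operators notice before the old spelling is dropped. The enclosing function starts and ends outside the hunk.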
@@ -393,10 +395,52 @@
 	pstring = tlshd_string_concat(pstring, ":-CIPHER-ALL");
 	if (!pstring)
 		return -ENOMEM;
+	pstring_sha256 = strdup(pstring);
+	if (!pstring_sha256) {
+		free(pstring);
+		return -ENOMEM;
+	}
+	pstring_sha384 = strdup(pstring);
+	if (!pstring_sha384) {
+		free(pstring_sha256);
+		free(pstring);
+		return -ENOMEM;
+	}
+
 	for (i = 0; i < ret; ++i) {
+		bool skip_sha256 = false;
+		bool skip_sha384 = false;
+
 		pstring = tlshd_cipher_string_emit(pstring, ciphers[i]);
-		if (!pstring)
+		if (!pstring) {
+			free(pstring_sha256);
+			free(pstring_sha384);
 			return -ENOMEM;
+		}
+		if (ciphers[i] == GNUTLS_CIPHER_AES_256_GCM)
+			skip_sha256 = true;
+		if (ciphers[i] == GNUTLS_CIPHER_AES_128_GCM)
+			skip_sha384 = true;
+		if (ciphers[i] == GNUTLS_CIPHER_AES_128_CCM)
+			skip_sha384 = true;
+		if (ciphers[i] == GNUTLS_CIPHER_CHACHA20_POLY1305)
+			skip_sha256 = true;
+		if (!skip_sha256) {
+			pstring_sha256 = tlshd_cipher_string_emit(pstring_sha256, ciphers[i]);
+			if (!pstring_sha256) {
+				free(pstring_sha384);
+				free(pstring);
+				return -ENOMEM;
+			}
+		}
+		if (!skip_sha384) {
+			pstring_sha384 = tlshd_cipher_string_emit(pstring_sha384, ciphers[i]);
+			if (!pstring_sha384) {
+				free(pstring_sha256);
+				free(pstring);
+				return -ENOMEM;
+			}
+		}
 	}
 	tlshd_log_debug("x.509 priority string: %s\n", pstring);
@@ -410,6 +454,8 @@
 	pstring = tlshd_string_concat(pstring, ":+PSK:+DHE-PSK:+ECDHE-PSK");
 	if (!pstring) {
+		free(pstring_sha256);
+		free(pstring_sha384);
 		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
 		return -ENOMEM;
 	}
@@ -418,6 +464,8 @@
 	ret = gnutls_priority_init(&tlshd_gnutls_priority_psk,
 				   pstring, &errpos);
 	if (ret != GNUTLS_E_SUCCESS) {
+		free(pstring_sha256);
+		free(pstring_sha384);
 		free(pstring);
 		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
 		tlshd_log_gnutls_error(ret);
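Review bot: The skip table on the new side pairs GNUTLS_CIPHER_CHACHA20_POLY1305 with `skip_sha256 = true`, which reads inverted if the rule is hash agreement: the only TLS 1.3 suite using that cipher is TLS_CHACHA20_POLY1305_SHA256, so it is dropped from the SHA256 priority string where it could be negotiated and kept in the SHA384 string where no matching suite exists. If the grouping is instead by cipher key size (128-bit ciphers for a 32-byte PSK, 256-bit ciphers for 48), that is consistent with all four entries but not evident from the names, and a comment above the four `if` statements stating the rule, e.g. `/* 32-byte PSK -> SHA256 string keeps 128-bit ciphers; 48-byte -> SHA384 keeps 256-bit ciphers */`, would keep the next reader from "fixing" it. The enclosing function tlshd_gnutls_priority_init starts before this hunk and ends after it.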
@@ -425,40 +473,55 @@
 	}
 	free(pstring);
-	return 0;
-}
-/**
- * tlshd_gnutls_priority_restrict - Disable specific hash functions
- * @session: session to initialize
- * @key_size: length of the selected PSK
- *
- * Restrict the set of hash functions to those matching the current
- * PSK key length.
- *
- * Note: this is function actually does the reverse by disabling
- * the non-matchine SHA functions.
- *
- * Returns GNUTLS_E_SUCCESS on success, otherwise an error code.
- */
-int tlshd_gnutls_priority_restrict(gnutls_session_t session,
-				   unsigned int key_size)
-{
-	const char *err;
-	int ret;
+	pstring = tlshd_string_concat(pstring_sha256, ":+DHE-PSK:+ECDHE-PSK");
+	if (!pstring) {
+		free(pstring_sha384);
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk);
+		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
+		return -ENOMEM;
+	}
-	if (key_size == 32)
-		ret = gnutls_set_default_priority_append(session,
-							 "-SHA384",
-							 &err, 0);
-	else if (key_size == 48)
-		ret = gnutls_set_default_priority_append(session,
-							 "-SHA256",
-							 &err, 0);
-	else
-		ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
+	tlshd_log_debug("PSK SHA256 priority string: %s\n", pstring);
-	return ret;
+	ret = gnutls_priority_init(&tlshd_gnutls_priority_psk_sha256,
+				   pstring, &errpos);
+	if (ret != GNUTLS_E_SUCCESS) {
+		free(pstring);
+		free(pstring_sha384);
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk);
+		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
+		tlshd_log_gnutls_error(ret);
+		return -EIO;
+	}
+
+	free(pstring);
+
+	pstring = tlshd_string_concat(pstring_sha384, ":+DHE-PSK:+ECDHE-PSK");
+	if (!pstring) {
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk);
+		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
+		tlshd_log_gnutls_error(ret);
+		return -EIO;
+	}
+
+	tlshd_log_debug("PSK SHA384 priority string: %s\n", pstring);
+
+	ret = gnutls_priority_init(&tlshd_gnutls_priority_psk_sha384,
+				   pstring, &errpos);
+	if (ret != GNUTLS_E_SUCCESS) {
+		free(pstring);
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
+		gnutls_priority_deinit(tlshd_gnutls_priority_psk);
+		gnutls_priority_deinit(tlshd_gnutls_priority_x509);
+		tlshd_log_gnutls_error(ret);
+		return -EIO;
+	}
+
+	free(pstring);
+
+	return 0;
 }
 /**
@@ -468,10 +531,21 @@
  *
  * Returns GNUTLS_E_SUCCESS on success, otherwise an error code.
  */
-int tlshd_gnutls_priority_set(gnutls_session_t session, struct tlshd_handshake_parms *parms)
+int tlshd_gnutls_priority_set(gnutls_session_t session,
+			      struct tlshd_handshake_parms *parms, int psk_len)
 {
-	return gnutls_priority_set(session, parms->auth_mode == HANDSHAKE_AUTH_PSK ?
-				   tlshd_gnutls_priority_psk : tlshd_gnutls_priority_x509);
+	gnutls_priority_t priority = tlshd_gnutls_priority_x509;
+
+	if (parms->auth_mode == HANDSHAKE_AUTH_PSK) {
+		if (psk_len == 32)
+			priority = tlshd_gnutls_priority_psk_sha256;
+		else if (psk_len == 48)
+			priority = tlshd_gnutls_priority_psk_sha384;
+		else
+			priority = tlshd_gnutls_priority_psk;
+	}
+
+	return gnutls_priority_set(session, priority);
 }
 /**
@@ -482,4 +556,6 @@
 {
 	gnutls_priority_deinit(tlshd_gnutls_priority_x509);
 	gnutls_priority_deinit(tlshd_gnutls_priority_psk);
+	gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha256);
+	gnutls_priority_deinit(tlshd_gnutls_priority_psk_sha384);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/server.c new/ktls-utils-0.10+12.gc3923f7/src/tlshd/server.c
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/server.c	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/server.c	2024-03-21 14:47:22.000000000 +0100
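Review bot: In the `if (!pstring)` branch after `tlshd_string_concat(pstring_sha384, ...)` on the new side, an allocation failure is reported through `tlshd_log_gnutls_error(ret)` and `return -EIO`, but at that point `ret` still holds the GNUTLS_E_SUCCESS that the preceding gnutls_priority_init check just passed, so the log line reports a success code and the caller receives -EIO where the sibling sha256 branch a few lines above returns -ENOMEM without logging. Drop the log call and use `return -ENOMEM;` there so the two allocation-failure paths match. The enclosing function tlshd_gnutls_priority_init starts before this hunk.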
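Review bot: The new tlshd_gnutls_priority_set falls back to the unrestricted tlshd_gnutls_priority_psk for any PSK length other than 32 or 48, whereas the removed tlshd_gnutls_priority_restrict returned GNUTLS_E_UNIMPLEMENTED_FEATURE and so failed the client handshake for such keys; a key whose length matches neither hash now proceeds with no hash restriction at all. If the key-length/hash binding is a requirement rather than a preference, that branch should keep rejecting, and if the fallback is intentional the function's docstring (its first lines are outside the hunk) should say that `psk_len` of 0 or any unsupported length selects the generic PSK priority. Separately, `psk_len` is declared `int` while the removed prototype took `unsigned int key_len` and the client passes `key.size`, presumably unsigned; declaring the parameter `unsigned int psk_len` in both ktls.c and the tlshd.h hunk avoids the implicit conversion.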
@@ -258,6 +258,12 @@
 					       tlshd_server_x509_verify_function);
 	gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUEST);
+	ret = tlshd_gnutls_priority_set(session, parms, 0);
+	if (ret) {
+		tlshd_log_gnutls_error(ret);
+		goto out_free_creds;
+	}
+
 	tlshd_start_tls_handshake(session, parms);
 	gnutls_deinit(session);
@@ -331,6 +337,12 @@
 	gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
+	ret = tlshd_gnutls_priority_set(session, parms, 0);
+	if (ret) {
+		tlshd_log_gnutls_error(ret);
+		goto out_free_creds;
+	}
+
 	tlshd_start_tls_handshake(session, parms);
 	gnutls_deinit(session);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/tlshd.conf.man new/ktls-utils-0.10+12.gc3923f7/src/tlshd/tlshd.conf.man
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/tlshd.conf.man	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/tlshd.conf.man	2024-03-21 14:47:22.000000000 +0100
@@ -68,7 +68,7 @@
 Zero, the quietest setting, is the default.
 .P
 The
-.I [authentication]
+.I [authenticate]
 section specifies default authentication material when establishing TLS sessions. In this section, there is one available option:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ktls-utils-0.10+9.gf28f084/src/tlshd/tlshd.h new/ktls-utils-0.10+12.gc3923f7/src/tlshd/tlshd.h
--- old/ktls-utils-0.10+9.gf28f084/src/tlshd/tlshd.h	2024-02-20 16:57:26.000000000 +0100
+++ new/ktls-utils-0.10+12.gc3923f7/src/tlshd/tlshd.h	2024-03-21 14:47:22.000000000 +0100
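Review bot: Both server.c hunks check the new call with `if (ret)` while every client.c call site in this commit uses `if (ret != GNUTLS_E_SUCCESS)`; the forms are equivalent because GNUTLS_E_SUCCESS is 0, but one spelling should be used throughout, so `if (ret != GNUTLS_E_SUCCESS) {` here would match. The PSK server path also passes `0` as psk_len, so the per-key-length priority caches introduced in ktls.c take effect only on the client side; if the server cannot know the key length before its PSK callback runs, a one-line comment at the call site saying so would explain the asymmetry to the next reader. Both enclosing functions start and end outside their hunks.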
@@ -84,9 +84,8 @@
 extern unsigned int tlshd_initialize_ktls(gnutls_session_t session);
 extern int tlshd_gnutls_priority_init(void);
 extern int tlshd_gnutls_priority_set(gnutls_session_t session,
-				     struct tlshd_handshake_parms *parms);
-extern int tlshd_gnutls_priority_restrict(gnutls_session_t session,
-					  unsigned int key_len);
+				     struct tlshd_handshake_parms *parms,
+				     int psk_len);
 extern void tlshd_gnutls_priority_deinit(void);
 /* log.c */
++++++ ktls-utils.obsinfo ++++++
--- /var/tmp/diff_new_pack.8bZUYP/_old	2024-03-22 15:33:26.865235850 +0100
+++ /var/tmp/diff_new_pack.8bZUYP/_new	2024-03-22 15:33:26.869235998 +0100
@@ -1,5 +1,5 @@
 name: ktls-utils
-version: 0.10+9.gf28f084
-mtime: 1708444646
-commit: f28f084fda537f82d99ca3a8f6e45638f95870e8
+version: 0.10+12.gc3923f7
+mtime: 1711028842
+commit: c3923f76ec7bf8fe5218ca719a5dc2adef67a733