authorFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2022-10-31 12:17:43 +0100
committerFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2022-11-30 11:22:07 +0100
commit7eee718718ca72edb778d35eba52949b197dd9ad (patch)
tree07a4e04c03848a3936381df86fe1dcbf22158a4e
parentd4c1e95e2ad73a2db005a5a75b953d2120c3172b (diff)
KTLS: Invalidate session on ktls errorfix/ktls_fallback
We invalidate the session if a KTLS-related error occurs after it was initialized, i.e. keys were set on the interfaces. As of now this only affects key_update(), which should be fixed via a kernel patch. Thus a future fallback mechanism implementation is not likely, as that would require yet another kernel patch. Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
-rw-r--r--lib/handshake.c1
-rw-r--r--lib/tls13/key_update.c17
2 files changed, 12 insertions, 6 deletions
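--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2926,6 +2926,7 @@ int gnutls_handshake(gnutls_session_t session)
 if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
 ret = _gnutls_ktls_set_keys(session, GNUTLS_KTLS_DUPLEX);
 if (ret < 0) {
+ /* no need to invalidate the session as keys were not set */
 session->internals.ktls_enabled = 0;
 _gnutls_audit_log(session,
 "disabling KTLS: failed to set keys\n");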
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index acfda41290..e366093887 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -38,13 +38,15 @@
* because KTLS most likely doesn't support key update.
*/
#define SET_KTLS_KEYS(session, interface)\
-{\
- if(_gnutls_ktls_set_keys(session, interface) < 0) {\
+if(_gnutls_ktls_set_keys(session, interface) < 0) {\
session->internals.ktls_enabled = 0;\
- _gnutls_audit_log(session, \
- "disabling KTLS: couldn't update keys\n");\
- }\
-}
+ session->internals.invalid_connection = true;\
+ _gnutls_audit_log(session,\
+ "disabling KTLS: couldn't update keys\n");\
+ _gnutls_audit_log(session,\
+ "invalidating session: No ktls fallback mechanism\n");\
+ ret = GNUTLS_E_INTERNAL_ERROR;\
+}\
static int update_keys(gnutls_session_t session, hs_stage_t stage)
{
@@ -64,6 +66,9 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
* write keys */
if (session->internals.recv_state == RECV_STATE_EARLY_START) {
ret = _tls13_write_connection_state_init(session, stage);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND))
SET_KTLS_KEYS(session, GNUTLS_KTLS_SEND)
} else {
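Review bot: The reworked SET_KTLS_KEYS macro in the first hunk now writes to a local named `ret` that it never declares and reports the failure only through that side effect, so it compiles only in a scope that happens to have an `int ret`, and it also discards the actual error code returned by `_gnutls_ktls_set_keys()` in favour of a blanket `GNUTLS_E_INTERNAL_ERROR`. Dropping the outer braces also turns each use into a bare `if` statement, so `if (IS_KTLS_ENABLED(...)) SET_KTLS_KEYS(...)` on the second hunk is a nested `if` with nothing guarding against a later `else` binding to the wrong branch. Marking the connection invalid here is the right defensive outcome, since after a failed re-key the kernel would otherwise keep sending and receiving under the old keys while the library state has already advanced; whether update_keys() actually returns `ret` after the macro runs is outside the hunk, so I cannot tell whether the error is propagated. A `static` helper that returns the error makes the contract explicit and keeps the caller's braces and early return visible.

```c
/* Replaces the SET_KTLS_KEYS macro: no hidden dependency on a caller-local
 * `ret`, and the failure is returned rather than signalled by side effect.
 * A KTLS key-set failure after the session is up has no fallback path, so
 * the connection is marked invalid before returning. */
static int set_ktls_keys_or_invalidate(gnutls_session_t session,
				       gnutls_transport_ktls_enable_flags_t interface)
{
	int ret = _gnutls_ktls_set_keys(session, interface);
	if (ret < 0) {
		session->internals.ktls_enabled = 0;
		session->internals.invalid_connection = true;
		_gnutls_audit_log(session,
				  "disabling KTLS: couldn't update keys\n");
		_gnutls_audit_log(session,
				  "invalidating session: No ktls fallback mechanism\n");
		/* commit chose INTERNAL_ERROR; returning `ret` would keep the
		 * underlying cause — confirm which is intended */
		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
	}
	return 0;
}

/* … unchanged: update_keys() up to the early-start branch … */
		if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
			ret = set_ktls_keys_or_invalidate(session, GNUTLS_KTLS_SEND);
			if (ret < 0)
				return ret;
		}
```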