[gnutls-devel] GnuTLS | ktls fallback to userspace (#1420)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Oct 27 03:15:43 CEST 2022
toidiu created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1420
This was originally added as a comment: https://gitlab.com/gnutls/gnutls/-/merge_requests/1625#note_1145092003
Looking at the ktls support for `key_update` code and the feature claims that it supports fallback to userspace TLS if a key_update is received (and kernel patch is not applied). However, having done local testing with ktls in other TLS libraries, I dont think its possible to fallback to userspace and undo the TCP_ULP once it has been enabled and crypto_info has been set.
The current code is setting [`session->internals.ktls_enabled = 0;`](https://gitlab.com/gnutls/gnutls/-/blob/master/lib/tls13/key_update.c#L43) but the socket is still ktls enabled and has the previous encryption keys so from what I can tell there will be double encryption == garbage being sent on the wire.
```
ktls-enabled
plaintext -> ktls -> ciphertext
ktls-disabled
plaintext -> gnutls_encrypt -> ktls -> garbage
```
I might also be a good idea to add a test for the fallback scenario to verify behavior.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1420
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20221027/63a40bf2/attachment.html>
More information about the Gnutls-devel
mailing list