Bug 2148442 - Enabling kTLS causes TLS-PSK connections to fail (with fix)
Summary: Enabling kTLS causes TLS-PSK connections to fail (with fix)
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 38
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Frantisek Krenzelok
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-25 14:01 UTC by Richard W.M. Jones
Modified: 2023-03-21 11:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-03-21 11:40:25 UTC
Type: Bug
Embargoed:




Links: Red Hat Issue Tracker FC-667 (last updated 2022-11-25 14:27:43 UTC)

Description Richard W.M. Jones 2022-11-25 14:01:00 UTC
Description of problem:

If you enable kTLS and try a TLS-PSK connection it will fail:

$ cat /etc/crypto-policies/local.d/gnutls-ktls.config
[global]
ktls = true

$ psktool -u bob -p keys.psk
Generating a random key for user 'bob'
Key stored to keys.psk

$ nbdkit --tls=require --tls-psk=keys.psk null \
         --run 'nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
nbdkit: null[1]: error: gnutls_record_recv: Error in the pull function.
nbdkit: null[1]: error: reading option: conn->recv: Input/output error
nbdinfo: nbd_connect_uri: gnutls_record_recv: Error in the pull function.

It turns out this happens because we are missing an upstream commit:

commit 67843b3a8e28e4c74296caea2d1019065c87afb3
Author: Frantisek Krenzelok <krenzelok.frantisek>
Date:   Mon Sep 5 13:05:17 2022 +0200

    KTLS: fallback to default

    If an error occurs during setting of keys either initial or key update
    then fallback to default mode of operation (disable ktls) and let the
    user know

    Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek>

 lib/handshake.c        |  7 ++++++-
 lib/tls13/key_update.c | 23 +++++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)

Version-Release number of selected component (if applicable):

gnutls-3.7.8-9.fc38.x86_64

How reproducible:

100%

Steps to Reproduce:
1. See above.

Additional info:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/KX3R7T3AWHESMPL32W72ONA27ERA2B7T/
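As an added check, not part of the bug report: a POSIX shell function that scans the crypto-policies drop-in directory shown above for a gnutls configuration that sets `ktls = true` under `[global]`, so an administrator can tell whether a host carries the setting that triggers this failure before the fixed gnutls build is installed. The directory argument and the one-setting-per-line, comment-stripping parsing are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic, not code from the report or from gnutls/crypto-policies.
# Scans a crypto-policies drop-in directory (default: /etc/crypto-policies/local.d,
# the path used in the report) for *.config files that set "ktls = true" in the
# [global] section. Prints every ktls setting found and returns 0 when kTLS is
# enabled in at least one file, 1 otherwise.
# Assumptions: one "key = value" per line, '#' starts a comment, value is
# compared case-insensitively.
ktls_enabled() {
    dir="${1:-/etc/crypto-policies/local.d}"
    found=1
    for f in "$dir"/*.config; do
        [ -f "$f" ] || continue          # unmatched glob yields a literal pattern
        section=""
        while IFS= read -r line || [ -n "$line" ]; do
            line="${line%%#*}"           # drop trailing comment
            line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
            [ -z "$line" ] && continue
            case "$line" in
                \[*\])                   # section header like [global]
                    section="${line#\[}"
                    section="${section%\]}"
                    continue ;;
            esac
            key="$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')"
            val="$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//' | tr 'A-Z' 'a-z')"
            if [ "$section" = "global" ] && [ "$key" = "ktls" ]; then
                printf '%s: ktls = %s\n' "$f" "$val"
                [ "$val" = "true" ] && found=0
            fi
        done < "$f"
    done
    return $found
}
```

Run `ktls_enabled` with no argument on a Fedora host to check the live directory; a non-zero exit means no drop-in enables kTLS for gnutls.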

Comment 1 Richard W.M. Jones 2022-11-25 14:01:21 UTC
(Please assign this bug to me if you would like me to fix it)

Comment 2 Richard W.M. Jones 2022-12-06 09:04:59 UTC
This bug is pretty annoying if, like me, you have kTLS enabled.
If you want me to fix it, please assign it to me, but I don't want
to make changes to your packages without your consent.

Comment 3 Richard W.M. Jones 2023-01-03 12:48:33 UTC
Hi, any movement on this? It's still affecting Fedora.

Comment 4 Frantisek Krenzelok 2023-01-03 12:59:42 UTC
Hey, I have filed a PR [1] but the CI fails. I will try to figure out why ASAP so we can merge.

[1] https://src.fedoraproject.org/rpms/gnutls/pull-request/68

Comment 5 Frantisek Krenzelok 2023-01-26 20:27:14 UTC
Hey, the bug-fixing patch with the latest ktls updates was merged to rawhide.

Comment 6 Ben Cotton 2023-02-07 15:13:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 7 Frantisek Krenzelok 2023-03-21 11:40:25 UTC
There has been no issue reported with the fix; closing the bug as fixed.

