Re: Potential kTLS issue with TLS-PSK, GnuTLS + Rawhide - how to debug it?

On Fri, Nov 25, 2022 at 01:43:18PM +0100, Alexander Sosedkin wrote:
> On Fri, Nov 25, 2022 at 1:14 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> >
> > Hi Daiki & Frantisek,
> >
> > There's a new error that is appearing in the libnbd test suite when
> > testing TLS-PSK.  Regular TLS (with X.509 certs) works fine.  It seems
> > to have started since I upgraded the kernel on my machine from 5.19.0 ->
> > 6.1.0, and I think it is related to kTLS.
> >
> > You may be able to reproduce it fairly easily in Fedora Rawhide, or in
> > Fedora 37 by upgrading the kernel, nbdkit and libnbd to Rawhide versions.
> >
> >   $ uname -a
> >   Linux pick.home.annexia.org 6.1.0-0.rc6.46.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Nov 21 16:07:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >
> >   $ nbdkit --version
> >   nbdkit 1.33.3 (nbdkit-1.33.3-1.fc38)
> >   $ nbdinfo --version
> >   nbdinfo 1.15.7
> >   libnbd 1.15.7
> >
> > To reproduce it:
> >
> >   $ psktool -u bob -p keys.psk
> >   Generating a random key for user 'bob'
> >   Key stored to keys.psk
> >
> >   $ nbdkit --tls=require --tls-psk=keys.psk null \
> >            --run 'nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
> >   nbdkit: null[1]: error: gnutls_record_recv: Error in the pull function.
> >   nbdkit: null[1]: error: reading option: conn->recv: Input/output error
> >   nbdinfo: nbd_connect_uri: gnutls_record_recv: Error in the pull function.
> >
> > For lots more debugging, use this command instead:
> >
> >   $ nbdkit -fv --tls=require --tls-psk=keys.psk \
> >                -D nbdkit.tls.log=99 -D nbdkit.tls.session=1 null \
> >                --run 'LIBNBD_DEBUG=1 nbdinfo "nbds://bob@localhost/?tls-psk-file=keys.psk" '
> >
> > The reason I believe it is related to kTLS is because if I do:
> >
> >   # modprobe -r tls
> >
> > then the error goes away.  Loading the module makes the error appear
> > again.  (Note that the module appears to be loaded on boot, so this
> > error will happen for all Rawhide users unless they take special
> > action.)
> >
> > Are there ways to debug kTLS?  It seems like there is no kernel output
> > related to the above failure.
> >
> > Are there ways to override GnuTLS automatic detection of kTLS, to
> > temporarily disable it, even when the kernel module is loaded?
> 
> For disabling KTLS, try putting
> ```
> [global]
> ktls = false
> ```
> into `/etc/crypto-policies/local.d/gnutls-no-ktls.config`,
> and follow up with an `update-crypto-policies --set`.

Aha!  Actually I already have:

$ cat /etc/crypto-policies/local.d/gnutls-ktls.config 
[global]
ktls = true

which I must have added a while back and forgotten about.

Removing that file disables kTLS.  So in fact what I said above isn't
right - this will not affect Rawhide users unless they also enable
kTLS explicitly, which is good to know.

Still interested in debugging the kTLS problem.

I've been having a look at straces, and what's interesting is that the
client sends and the server receives the cleartext message
successfully (as we would expect because the kernel is doing the
encryption and decryption below the socket level), but something
(GnuTLS?) believes that there was a socket error, even though there
isn't one.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
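The two kTLS switches that come up in this thread, the kernel `tls` module and the `[global] ktls` key that crypto-policies feeds into GnuTLS, can be audited with a short script before chasing a bug like the one above. The script below is an added example, not code from the thread or from nbdkit, libnbd or GnuTLS. It assumes the Fedora crypto-policies layout (`/etc/crypto-policies/local.d/gnutls-*.config`, which `update-crypto-policies` folds into `/etc/crypto-policies/back-ends/gnutls.config`, the file `/etc/gnutls/config` points at) and that loaded modules are listed in `/proc/modules`; the parsing helper itself works on any GnuTLS-style config file you pass it.

```sh
#!/bin/sh
# Added example (not from the original thread): audit the kTLS state that
# GnuTLS will see.  Paths are the assumed Fedora crypto-policies layout.

# Print "true", "false" or "unset" for the ktls key inside the [global]
# section of the config file given as $1.  Keys in other sections (such as
# [priorities]) are ignored; if the key appears more than once the last
# value is reported.  An unreadable or missing file reports "unset".
ktls_setting_in_file() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        /^[[:space:]]*\[/ {
            section = $0
            gsub(/\[|\]/, "", section)
            gsub(/[[:space:]]/, "", section)
            next
        }
        section == "global" && /^[[:space:]]*ktls[[:space:]]*=/ {
            value = $0
            sub(/^[^=]*=[[:space:]]*/, "", value)
            sub(/[[:space:]]*$/, "", value)
            last = tolower(value)
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# Return 0 if the kernel tls module is loaded.  $1 optionally names the
# modules list to inspect (defaults to /proc/modules) so the check can be
# run against a captured copy.  A kernel with CONFIG_TLS=y (built in rather
# than modular) does not show up in /proc/modules, so the default path also
# consults /sys/module/tls.
ktls_module_loaded() {
    f=${1:-/proc/modules}
    if [ -r "$f" ] && grep -q '^tls[[:space:]]' "$f"; then
        return 0
    fi
    [ -z "$1" ] && [ -d /sys/module/tls ]
}

# Report the kernel side and every GnuTLS config file that could carry the
# ktls key, so a "works after modprobe -r tls" symptom can be matched with
# the configuration that turned kTLS on in the first place.
ktls_audit() {
    if ktls_module_loaded; then
        echo "kernel: tls module loaded"
    else
        echo "kernel: tls module not loaded"
    fi
    for f in /etc/crypto-policies/local.d/gnutls-*.config \
             /etc/crypto-policies/back-ends/gnutls.config \
             /etc/gnutls/config; do
        [ -e "$f" ] || continue
        echo "$f: ktls=$(ktls_setting_in_file "$f")"
    done
}

# Usage: sh ktls-audit.sh audit
case "${1:-}" in
    audit) ktls_audit ;;
esac
```

A local.d drop-in like the `gnutls-ktls.config` in the thread only takes effect after `update-crypto-policies --set` regenerates the back-end file, so the audit prints both the drop-in and the generated file: if they disagree, the policy has not been re-applied yet and GnuTLS is still running with the old setting.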