From: Sheng Mao <shng...@gmail.com> Enable building ktls by default. Require GnuTLS 3.4.0 for handshake process.
Issue: #326 Signed-off-by: Sheng Mao <shng...@gmail.com>
---
 INSTALL | 5 +++++
 Makefile | 6 ++++++
 Makefile.inc.in | 6 ++++--
 configure.ac | 15 +++++++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/INSTALL b/INSTALL
index 470ceebd..ae244616 100644
--- a/INSTALL
+++ b/INSTALL
@@ -22,6 +22,11 @@ dependencies are not desired. - libsodium - libkcapi
+GnuTLS 3.4.0 is needed to enable kernel TLS in btrfs send/receive. OpenSSL
+does not have a similar feature like gnutls_record_get_state (issue #8844).
+GnuTLS handles TLS 1.2/1.3 handshake and passes encryption parameters to
+kernel TLS.
+
 Generating documentation: - asciidoc - text document format tool
diff --git a/Makefile b/Makefile
index 381b630d..2a3212a5 100644
--- a/Makefile
+++ b/Makefile
@@ -96,6 +96,7 @@ CFLAGS = $(SUBST_CFLAGS) \
 -I$(TOPDIR) \
 -I$(TOPDIR)/libbtrfsutil \
 $(CRYPTO_CFLAGS) \
+ $(KTLS_SEND_RECV_FLAGS) \
 $(DISABLE_WARNING_FLAGS) \
 $(ENABLE_WARNING_FLAGS) \
 $(EXTRAWARN_CFLAGS) \
@@ -159,6 +160,11 @@ cmds_objects = cmds/subvolume.o cmds/filesystem.o cmds/device.o cmds/scrub.o \
 cmds/property.o cmds/filesystem-usage.o cmds/inspect-dump-tree.o \
 cmds/inspect-dump-super.o cmds/inspect-tree-stats.o cmds/filesystem-du.o \
 mkfs/common.o check/mode-common.o check/mode-lowmem.o
+
+ifeq ($(KTLS_SEND_RECV),1)
+cmds_objects += common/ktls.o
+endif
+
 libbtrfs_objects = common/send-stream.o common/send-utils.o kernel-lib/rbtree.o btrfs-list.o \
 kernel-lib/radix-tree.o common/extent-cache.o kernel-shared/extent_io.o \
 crypto/crc32c.o common/messages.o \
diff --git a/Makefile.inc.in b/Makefile.inc.in
index 9f493371..aede2edd 100644
--- a/Makefile.inc.in
+++ b/Makefile.inc.in
@@ -18,6 +18,8 @@ BUILD_STATIC_LIBRARIES = @BUILD_STATIC_LIBRARIES@
 BTRFSCONVERT_EXT2 = @BTRFSCONVERT_EXT2@
 BTRFSCONVERT_REISERFS = @BTRFSCONVERT_REISERFS@
 BTRFSRESTORE_ZSTD = @BTRFSRESTORE_ZSTD@
+KTLS_SEND_RECV = @KTLS_SEND_RECV@
+KTLS_SEND_RECV_FLAGS = -DKTLS_SEND_RECV=@KTLS_SEND_RECV@
 PYTHON_BINDINGS = @PYTHON_BINDINGS@
 PYTHON = @PYTHON@
 PYTHON_CFLAGS = @PYTHON_CFLAGS@
@@ -28,11 +30,11 @@ SUBST_CFLAGS = @CFLAGS@
 SUBST_LDFLAGS = @LDFLAGS@
 LIBS_BASE = @UUID_LIBS@ @BLKID_LIBS@ -L. -pthread
-LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@
+LIBS_COMP = @ZLIB_LIBS@ @LZO2_LIBS@ @ZSTD_LIBS@ @KTLS_LIBS@
 LIBS_PYTHON = @PYTHON_LIBS@
 LIBS_CRYPTO = @GCRYPT_LIBS@ @SODIUM_LIBS@ @KCAPI_LIBS@
 STATIC_LIBS_BASE = @UUID_LIBS_STATIC@ @BLKID_LIBS_STATIC@ -L. -pthread
-STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@
+STATIC_LIBS_COMP = @ZLIB_LIBS_STATIC@ @LZO2_LIBS_STATIC@ @ZSTD_LIBS_STATIC@ @KTLS_LIBS_STATIC@
 prefix ?= @prefix@
 exec_prefix = @exec_prefix@
diff --git a/configure.ac b/configure.ac
index dd4adedf..f87b24ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -278,6 +278,21 @@ fi
 AS_IF([test "x$enable_zstd" = xyes], [BTRFSRESTORE_ZSTD=1], [BTRFSRESTORE_ZSTD=0])
 AC_SUBST(BTRFSRESTORE_ZSTD)
+dnl Use GnuTLS to handle TLS handshake. OpenSSL cannot provide record state
+dnl to caller and thus cannot handle handshake
+AC_ARG_ENABLE([ktls],
+ AS_HELP_STRING([--disable-ktls], [build without ktls support]),
+ [], [enable_ktls=yes]
+)
+
+if test "x$enable_ktls" = xyes; then
+ PKG_CHECK_MODULES(KTLS, [gnutls >= 3.4.0])
+ PKG_STATIC(KTLS_LIBS_STATIC, [gnutls])
+fi
+
+AS_IF([test "x$enable_ktls" = xyes], [KTLS_SEND_RECV=1], [KTLS_SEND_RECV=0])
+AC_SUBST(KTLS_SEND_RECV)
+
 AC_ARG_ENABLE([python],
 AS_HELP_STRING([--disable-python], [do not build libbtrfsutil Python bindings]),
 [], [enable_python=$enable_shared]
-- 2.29.2
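Review bot: In the first Makefile.inc.in hunk, `KTLS_SEND_RECV_FLAGS` carries only the `-D` switch, so the `KTLS_CFLAGS` that `PKG_CHECK_MODULES(KTLS, ...)` produces in configure.ac never reaches the compiler. A GnuTLS installed outside the default include path would then link but not compile; consider `KTLS_SEND_RECV_FLAGS = -DKTLS_SEND_RECV=@KTLS_SEND_RECV@ @KTLS_CFLAGS@`. Because the macro is always defined (as 0 or 1), the C sources, which are not part of this patch view, have to test it with `#if KTLS_SEND_RECV` rather than `#ifdef`, otherwise a `--disable-ktls` build would still compile the TLS paths. A one-line comment above the assignment, such as `# always defined: 0 = off, 1 = on; test with #if, not #ifdef`, would record that.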
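Review bot: Appending `@KTLS_LIBS@` to `LIBS_COMP` and `@KTLS_LIBS_STATIC@` to `STATIC_LIBS_COMP` in the second Makefile.inc.in hunk files GnuTLS under the compression libraries, which presumably are linked into every tool that uses that group and not only the binary that contains send/receive. If so, a TLS library becomes a load-time dependency of tools that never open a connection, and each GnuTLS security release then affects all of them. A separate pair such as `LIBS_KTLS = @KTLS_LIBS@` and `STATIC_LIBS_KTLS = @KTLS_LIBS_STATIC@`, added only to the link line that needs `common/ktls.o`, would keep the dependency scoped. How `LIBS_COMP` is consumed lies outside this hunk, so confirm against the main Makefile.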
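Review bot: In the configure.ac hunk, `enable_ktls=yes` is the default and `PKG_CHECK_MODULES(KTLS, [gnutls >= 3.4.0])` has no not-found action, so configure aborts on any system without GnuTLS development files unless the user already knows to pass `--disable-ktls`. It also means every default build pulls in a TLS stack; making the feature opt-in (`[], [enable_ktls=no]` with `--enable-ktls` in the help string) or falling back with an `AC_MSG_WARN` would be the safer default. The 3.4.0 floor looks lower than the TLS 1.3 support the INSTALL text mentions, which to my knowledge arrived in the GnuTLS 3.6 series, so either raise the floor or state that older libraries negotiate TLS 1.2 only. `PKG_STATIC(KTLS_LIBS_STATIC, [gnutls])` does not repeat the version constraint; whether that matters depends on the macro's definition, which is not shown here.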