ktls-utils (1.1.0-1)
NEW: VCS has unreleased changes: 1.2.0-1 > 1.1.0-1
- Git: https://salsa.debian.org/kernel-team/ktls-utils.git
- Branch: debian/latest
- Path: debian/changelog
- Repo size: 643072
- Browser: https://salsa.debian.org/kernel-team/ktls-utils
- Last scan: 2025-07-17 21:07:06+00
- Next scan: 2025-07-24 01:09:00+00
- CI pipeline status: success
- Debian changelog in Git:
ktls-utils (1.2.0-1) UNRELEASED; urgency=medium
* New upstream version
* d/tests: Add test case for NFS with TLS
* Revert "tlshd: Add a SIGINT handler"
* Revert "tlshd: Do not return remote peer IDs for x.509 handshakes"
-- Ben Hutchings <benh@debian.org> Thu, 17 Jul 2025 21:41:22 +0200
- This branch is 50 commits ahead of tag ktls-utils-1.2.0
- Git log:
commit 583fb2b7e2d64e5ec3910a9400f712999338982c
Author: Ben Hutchings <benh@debian.org>
Date: Thu Jul 17 22:26:31 2025 +0200
Revert "tlshd: Do not return remote peer IDs for x.509 handshakes"
This upstream change resulted in broken NFS mounts on Linux 6.12
(mount succeeds but all operations return EPERM). Revert it for now.
commit 1c30404ad994a71caa843edf57c698a9bcf9e184
Author: Ben Hutchings <benh@debian.org>
Date: Thu Jul 17 17:50:09 2025 +0200
Revert "tlshd: Add a SIGINT handler"
This upstream change added a broken signal handler.
commit e822c2259e2163ca1bcb188dac66969df3bc6f66
Author: Ben Hutchings <benh@debian.org>
Date: Thu Jul 17 22:20:53 2025 +0200
d/changelog: Update for version 1.2.0
commit 9ae9fa61ad48116bb9ac64643ea262ecdbbdf96f
Merge: 1e4da0c 6d296ef
Author: Ben Hutchings <benh@debian.org>
Date: Thu Jul 17 22:20:43 2025 +0200
Merge tag 'ktls-utils-1.2.0' into debian/latest
ktls-utils 1.2.0 2025-07-11
* Implement Certificate Revocation Lists
* Add a default keyring for NFS consumers
* Improvements to error reporting and logging
* Manage per-session resources more effectively
commit 1e4da0c91effd44d1abe14ad4973b94f4a7432cf
Author: Ben Hutchings <benh@debian.org>
Date: Thu Jul 17 20:12:59 2025 +0200
d/tests: Add test case for NFS with TLS
commit 49e5b85c82cd0876347ee29beb03b1cd083de5e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Thu Jun 19 01:09:46 2025 +0200
Prepare to release ktls-utils (1.1.0-1)
commit 0a4fd718f33b5ed075076be949a2fd8528c623e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jun 2 21:29:39 2025 +0200
d/changelog, d/patches: Update for version 1.1.0
- Drop "tlshd: fix a regression for certificate verification"
which was included in this release
- Refresh "configure: Disable currently broken QUIC implementation"
and delete reference to one bug that is now closed
commit e091b077c84e6f3ee8b831a9f83345e04003719e
Merge: b09b60d 8e93cc2
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jun 2 21:26:12 2025 +0200
Merge tag 'ktls-utils-1.1.0' into debian/latest
ktls-utils 1.1.0 2025-06-02
* Return to the old release process
* Update the contribution process
* Accept alternate keyrings during handshake upcall
* Initial support for building ktls-utils with MUSL
commit b09b60d242ff19131a3e22b462c4809d8e6bbb81
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jun 2 21:19:50 2025 +0200
Revert "d/watch: Disable tag signature check as recent tags were not signed"
This reverts commit 1384808e8f003a76c142271e5917b63a1e785546.
Upstream has decided to use signed tags again.
commit 6a318a7ea85f9c3fa04b1eb64ee28acc2dc4cc4c
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jun 2 21:23:11 2025 +0200
d/upstream/signing-key.asc: Update expired signing key
The signing key expired, but was not used for the 1.0 release or
release candidates.
Since the 1.1 release is signed, import an updated version of the
signing key with no expiry.
commit 846dadfcf8e239c9ad41316c42edd1976a77c978
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jun 2 21:17:33 2025 +0200
Revert "d/watch: Update upstream tag regex"
This reverts commit eade95f2866732cd4072dbd982ea3d99a6393bc7. After
further discussion, upstream has decided to revert to the previous
tag format.
commit eade95f2866732cd4072dbd982ea3d99a6393bc7
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Thu May 29 22:39:55 2025 +0200
d/watch: Update upstream tag regex
As discussed in <https://github.com/oracle/ktls-utils/issues/104>,
the upstream tag prefix has changed from 'ktls-utils-' to 'v'.
commit 4a62afeac3013411434d1419f9156045f1035c09
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun May 25 22:55:34 2025 +0200
Prepare to release ktls-utils (1.0.0-1)
commit f17f9325eb01ede014b6b3b78da9321209508e3f
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun May 25 17:37:19 2025 +0200
README.Debian: Update for changes to kernel and ktls-utils
The kernel now supports TLS handshake upcalls for NVMe (both roles).
Update the list of users accordingly.
The ktls-utils developers no longer describe it as experimental, but
it still has limited validation of client certificates. Update the
warning text and link to the specific upstream issue.
commit bb4926512b4512998847ecab97c0b14f7b37f763
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun May 25 17:25:30 2025 +0200
Apply upstream fix for certificate validation error reporting
Replace my patch with the commit from upstream.
commit a7a6a7a1173377bf674528fe03a4979dbdd3cd9a
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 22:54:56 2025 +0200
configure: configure: Disable use of GnuTLS API not yet accepted upstream
commit 2578130f83d127d95472e2c9b9ae04ab55a8b5e1
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 22:40:02 2025 +0200
quic: Disable currently broken implementation
commit 129e1ca20619b4604a5e68e8490c757daa0ad9b9
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 22:20:00 2025 +0200
handshake: Fix reporting of certificate validation error
commit c7646a17d97758ac8449f24964c93f22e4024556
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 20:17:45 2025 +0200
d/changelog: Update for new upstream version
commit 9da9c69bc29402b5c0ad16f4835523daed0d30de
Merge: 1384808 c787cd2
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 20:16:38 2025 +0200
Merge tag 'ktls-utils-1.0.0' into debian/latest
commit 1384808e8f003a76c142271e5917b63a1e785546
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon May 19 20:16:26 2025 +0200
d/watch: Disable tag signature check as recent tags were not signed
commit 2526c2a6d87abe3a0e3b2e7ea02ea03ad7f5f0a9
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Wed Jul 10 23:33:15 2024 +0200
d/changelog: Update for 0.11
commit 787ddac4984e9f2c6796798abad0b0d281fd6699
Merge: 60d51ce 11c3a8a
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Wed Jul 10 22:32:13 2024 +0200
Merge commit '11c3a8a532ef2e96b01aae94ced317d613ab57c7' into debian/latest
I wanted to merge ktls-utils-0.11, but that points to a commit that
got rebased and is no longer on the main branch. This merges the
rebased commit which has identical content.
commit 60d51cefed5f5fe296b82ac3804cf5806cb2ef2d
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Wed May 15 13:20:16 2024 +0200
Prepare to release ktls-utils (0.10-1).
commit b720a1642a67002bae0108164e41feb1427e33b8
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Wed May 15 13:18:30 2024 +0200
Update for upstream version 0.10
- Start new changelog entry
- Drop patches that are included in 0.10
commit aec5a681810e4c82bee7128cb7d9e937bfed4fba
Merge: cf12834 5da9cbf
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Wed May 15 13:10:50 2024 +0200
Merge tag 'ktls-utils-0.10' into debian/latest
ktls-utils 0.10 - 2023-09-21
* Fix Server Name Indicator support (IP addresses)
* Add tlshd.conf option to provide specific trust chain
* Reorganize tlshd.conf
* Fix numerous bugs reported by packagers
commit cf128340d4463e7a2c3269f679541f4e5f646f63
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sat Nov 25 01:36:06 2023 +0000
d/rules: Stop overriding systemd unit directory
For trixie and later releases, /lib will always be a symlink to
/usr/lib and should not be included in packages as a directory.
Use the default installation location for systemd units, which is
/usr/lib/systemd/systemd. Leave a comment in case someone wants to
backport to bookworm or earlier.
commit 3cf3bb5c326a962a63345fd2f031f93ee91a37e4
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Thu Jul 27 01:58:35 2023 +0200
No-change source upload to allow propagation to testing
commit a448f5d846f3b3ceeb2d19cb75d149473ea0c65f
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jul 24 01:54:48 2023 +0200
Prepare to release ktls-utils (0.9-1).
commit ae55bea31e549c97c34ecc5c34e7e4327f54c785
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Mon Jul 24 01:44:53 2023 +0200
Document use of NFS with ktls-utils
The "in-kernel TLS consumers" are currently only the NFS client and
server, so mention that specifically in the package description.
The nfs-utils manual pages already mention the required "xprtsec"
option, and tlshd.conf has a manual page, but it still took me some
time to understand how exactly to set this up. So add a README.Debian
listing all the steps and some of the current limitations.
commit 85948af567f85bc8d91fe689b67ae540cc85e6b6
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sat Jul 22 19:47:13 2023 +0200
Cherry-pick fixes from upstream main
- tlshd: fix max config file size comparison
- tlshd-conf.man: Fix man page header
- Fix the --with-systemd command-line option
Drop the patches I wrote.
commit e72d16a0e26e41c3bdea10ece22ccdba56b853b2
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sat Jul 22 00:12:18 2023 +0200
Fix systemd installation directory
commit e2bef21847956baa72dc54d5155040fc03848bf3
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sat Jul 22 00:00:14 2023 +0200
Fix heading for tlshd.conf manual page
commit 82da80b7b6c69a4204c7722c8adb25b221fcb6e6
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Fri Jul 21 23:54:25 2023 +0200
Add Salsa CI configuration
commit 6ad1ea805c76201bdb20f8a5264b478e05a295bf
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Fri Jul 21 18:36:37 2023 +0200
Add debian packaging
commit 198ff00ba28cb97cdab6e49a7422cce331fde198
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Tue Apr 25 15:06:48 2023 -0400
Release ktls-utils 0.9
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 1c6d204e6bdd62dc335cc95dd390c9873ef7ba8d
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Wed May 17 10:42:15 2023 -0400
workflows: Replace create-release action
The create-release action has been archived.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 247f2cd6867a3069ee919e7433798a618caf6375
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Wed May 17 09:39:53 2023 -0400
workflows: Enable running the CI workflow manually
At least the Makefile workflow should be allowed to run on demand
for testing or in case the environment has changed.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit b586f7d97795b6c9f3b0aae17a1b1a82bbd5933b
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri May 12 12:31:44 2023 -0400
tlshd: Reverse DNS lookup of peername
If the peername happens to be an IP address, it needs to be
converted to a domain name before using it for Server Name
Identification.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 7655d96c7ace36618e32eda289271ddb4b9aaa80
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri May 12 12:43:42 2023 -0400
tlshd: Move peername/peeraddr preparation
Refactor / clean up: move the peername and peeraddr completely into
the handshake parameters structure.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 0f5b25a0031684ca43c57a152d449badcee20edb
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri May 12 12:33:12 2023 -0400
git: ignore Coverity-generated files
The blobs built by a Coverity Scan should not be tracked.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 357f9445c0683c49ba6dd0d05c1fde4ded08875f
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 17:00:30 2023 -0400
tlshd: Fix return value type
implicit conversion loses integer precision: 'long' to 'int'
Reported-by: Parfait 10.2 (#2046)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 4e8df07da20527e0828a0c0cf9aaa7ac5735d8d0
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:16:04 2023 -0400
tlshd: Fix an implicit sign conversion
implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long')
calloc's first parameter is a size_t, so use an unsigned type for
num_peerids.
Reported-by: Parfait 10.2 (#2039)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit f22a1aba373ff68730e971e31cf5325a87eef810
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:43:45 2023 -0400
tlshd: check return value from signal(3)
Unchecked return value from call to signal. Value
signal(17, ((void (*func)(int32))1)) should be checked to ensure
this function was successful.
Reported-by: Parfait 10.2 (#2038)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 98f2e6254803ba5e5b811b616a9a6ca023d60ce6
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 13:57:27 2023 -0400
tlshd: Replace use of strcat(3) in tlshd_make_priorities_string()
Use of function strcat is deprecated because string lengths cannot
be limited. Consider strlcat() as an alternative. Also see CERT
STR07-C
We recently removed the libbsd-devel dependency, so strlcat(3) is a
bit of a challenge. Thus the goal here is to ensure that strcat(3)
is used in a safe fashion.
Reported-by: Parfait 10.2 (defect group #2037)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit f20e26fab5cc12d65d202716f8e16b94acc1dc21
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:58:59 2023 -0400
tlshd: Fix return value type
implicit conversion loses integer precision: 'long' to 'int'
Reported-by: Parfait 10.2 (#2036)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 2d7782fff9585e6e58363f4f3e0c886a4752b170
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:09:40 2023 -0400
tlshd: Document implicit sign conversion
implicit conversion changes signedness: 'int' to 'unsigned int'
These are all preceded by explicit checks that the value is zero or
greater. Annotate them.
Reported-by: Parfait 10.2 (#2033)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit c9c0cb4e2265dd2f7aa7da17ba462281da732549
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:05:32 2023 -0400
tlshd: Fix return value of tlshd_initialize_ktls()
implicit conversion changes signedness: 'int' to 'unsigned int'
Note that the session_status field has been unsigned since commit
4e932c62c451 ("tlshd: Set EIO instead of -EACCES on local error").
Reported-by: Parfait 10.2 (#2032)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 6fc4ec3807f0dc5eb4034686a97018f3fe3c9d91
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 13:48:21 2023 -0400
tlshd: Fix implicit type conversions in tlshd_config_read_datum()
implicit conversion changes signedness: '__off_t' (aka 'long') to 'size_t' (aka 'unsigned long')
implicit conversion changes signedness: '__off_t' (aka 'long') to 'size_t' (aka 'unsigned long')
implicit conversion loses integer precision: '__off_t' (aka 'long') to 'unsigned int'
Reported-by: Parfait 10.2 (#2030, #2031)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
commit 63d49acc83f33dff1f4e2c83223828e5e56a6c34
Author: Chuck Lever <chuck.lever@oracle.com>
Date: Fri Apr 28 16:54:07 2023 -0400
tlshd: Fix an implicit type conversion
implicit conversion loses integer precision: 'long' to 'int'
As far as I can tell, openat2() returns a zero or -1, so this
conversion is harmless. Annotate it.
Reported-by: Parfait 10.2 (#2028)
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>