ktls: set keys on socket and enable ktls #4071
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
3 times, most recently
from
5dea779 to
b1d343f
Compare
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
from
79c9e9a to
8e80caf
Compare
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
4 times, most recently
from
c43e0d8 to
8d8e9e5
Compare
lrstewart
reviewed
Jul 13, 2023
lrstewart
reviewed
Jul 13, 2023
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
2 times, most recently
from
3457b2c to
3a19041
Compare
lrstewart
reviewed
Jul 17, 2023
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
from
f315b74 to
77a888c
Compare
lrstewart
reviewed
Jul 19, 2023
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
3 times, most recently
from
2b70cf1 to
c42df01
Compare
lrstewart
reviewed
Jul 24, 2023
Comment on lines
+215
to
204
| if (ret < 0) { | ||
| RESULT_BAIL(S2N_ERR_KTLS_ENABLE_CRYPTO); | ||
| } |
There was a problem hiding this comment.
Nit
Suggested change
| if (ret < 0) { | |
| RESULT_BAIL(S2N_ERR_KTLS_ENABLE_CRYPTO); | |
| } | |
| POSIX_ENSURE(ret >= 0, S2N_ERR_KTLS_ENABLE_CRYPTO); |
There was a problem hiding this comment.
I think in this case ENSURE is worse because signage is hard. I would like to keep this as ret < 0 so that next person (me) doesnt have to rethink the logic of >=.
tests/unit/s2n_ktls_test.c
Outdated
Comment on lines
421
to
423
| /* negotiate */ | ||
| EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn)); | ||
| EXPECT_EQUAL(server_conn->actual_protocol_version, S2N_TLS12); |
There was a problem hiding this comment.
This shouldn't be a self-talk test. You're mocking out the inputs to s2n_ktls_init_aes128_gcm_crypto_info anyway. What do you gain from doing the handshake? It does complicate the test setup, forcing you to reuse the same connections for every test case.
An kind of just by definition, a self-talk test for a private method seems like a questionable pattern.
There was a problem hiding this comment.
I was trying to test interactions between the client server but yea that not necessary to test aes_128... can be much simpler by mocking the connection.
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
3 times, most recently
from
8273efe to
29785b0
Compare
lrstewart
approved these changes
Jul 25, 2023
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
from
3a89cc5 to
8d61991
Compare
maddeleine
reviewed
Jul 25, 2023
maddeleine
approved these changes
Jul 25, 2023
toidiu
force-pushed
the
ak-ktls0_set_keys
branch
from
8d61991 to
5c7eb6b
Compare
goatgoose
added a commit
to goatgoose/s2n-tls
that referenced
this pull request
Jul 31, 2023
commit eafb8a2 Author: Sam Clark <[email protected]> Date: Mon Jul 31 18:05:50 2023 -0400 shell -> bash commit 12071b8 Author: Sam Clark <[email protected]> Date: Mon Jul 31 17:59:09 2023 -0400 add ubuntu quickstart back to readme commit 10bf557 Author: Sam Clark <[email protected]> Date: Mon Jul 31 17:52:06 2023 -0400 fixes commit 74adf8d Author: Sam Clark <[email protected]> Date: Mon Jul 31 16:46:19 2023 -0400 fixes commit 0548d07 Author: Sam Clark <[email protected]> Date: Mon Jul 31 16:43:08 2023 -0400 consolidate commit cbe8f2d Author: Sam Clark <[email protected]> Date: Mon Jul 31 14:55:30 2023 -0400 remove old doc sections commit f194321 Author: Sam Clark <[email protected]> Date: Mon Jul 31 12:25:28 2023 -0400 more content commit 882eb1d Author: Sam Clark <[email protected]> Date: Mon Jul 31 09:08:24 2023 -0400 fixes commit ce37d0e Author: Sam Clark <[email protected]> Date: Mon Jul 31 09:03:45 2023 -0400 fixes commit 011d15f Author: Sam Clark <[email protected]> Date: Sat Jul 29 22:59:51 2023 -0400 cmake consuming commit 7feadc1 Author: Sam Clark <[email protected]> Date: Sat Jul 29 22:27:02 2023 -0400 fixes commit 2914950 Author: Sam Clark <[email protected]> Date: Sat Jul 29 21:34:24 2023 -0400 traditional make commit 02f9841 Author: Sam Clark <[email protected]> Date: Sat Jul 29 19:45:43 2023 -0400 s2n-tls build section commit 86c4983 Author: Sam Clark <[email protected]> Date: Sat Jul 29 11:56:32 2023 -0400 Update build documentation commit ea6d02a Author: Sam Clark <[email protected]> Date: Fri Jul 28 16:49:21 2023 -0400 bindings: release 0.0.35 (aws#4122) commit 35d08ba Author: Justin Zhang <[email protected]> Date: Fri Jul 28 12:31:21 2023 -0700 refactor(bench): separate out client and server connections in benching harness (aws#4113) Enables more better control of connections for benching experiments commit 65e74ca Author: Lindsay Stewart <[email protected]> Date: Wed Jul 26 02:26:40 2023 -0700 Print error for 32bit test (aws#4107) commit b0b253e Author: toidiu <[email protected]> Date: Wed Jul 26 00:30:44 2023 -0700 ktls: set keys on socket and enable ktls (aws#4071) commit 403d5e6 Author: Lindsay Stewart <[email protected]> Date: Tue Jul 25 16:03:09 2023 -0700 Trying to use an invalid ticket should not mutate state (aws#4110) commit bce2b1a Author: James Mayclin <[email protected]> Date: Tue Jul 25 14:44:33 2023 -0700 fix: get_session behavior for TLS 1.3 (aws#4104) commit 6881358 Author: Justin Zhang <[email protected]> Date: Tue Jul 25 10:10:21 2023 -0700 feat(bench): add different certificate signature algorithms to benchmarks (aws#4080) commit aab13d5 Author: Justin Zhang <[email protected]> Date: Mon Jul 24 18:17:30 2023 -0700 feat(bench): add memory bench with valgrind/massif (aws#4081) commit 20b0174 Author: Justin Zhang <[email protected]> Date: Mon Jul 24 13:26:32 2023 -0700 feat(bench): add historical performance benchmark (aws#4083) commit 5cc827d Author: Doug Chapman <[email protected]> Date: Thu Jul 20 11:50:50 2023 -0700 nix: pin corretto version (aws#4103)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
The PR retrieves the key material from the connection and sets it on the socket; thus enabling kTLS. Remember since its only possible to enable kTLS after the handshake is complete, and we do not delete the secret material, its possible to re-create the key_material.
At this point all data is encrypted/decrypted by the kernel-tls and therefore it is safe to NULL out the conn->send/recv callbacks.
Call-outs:
Since s2n_ktls_enable... are now destructive operations (offload IO to kernel), I have gated the functions only to tests to prevent accidentally turning the feature on.
Feature probe
This PR also re-enables the kTLS feature probe. This is necessary since we are attempting to retrieve kTLS specific headers from
linux/tls.h. Its possible use probe for these and determine if kTLS should even be supported on the host. The current feature probe is simple since we are only adding support for AES_GCM_128 and TLS1.2. We will probably want atleast one more feature probe for TLS1.3. TBD is if we will want a feature probe for different ciphers.All of these are 2-way decisions so I have kept the name simple for now:
S2N_KTLS_SUPPORTED.Testing:
Unit tests
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.