ktls: ktls interface and building blocks #3707
Conversation
toidiu
force-pushed
the
ak-ktlsSkeleton
branch
from
09271cc to
641b75b
Compare
toidiu
changed the title
toidiu
force-pushed
the
ak-ktlsSkeleton
branch
from
641b75b to
8212552
Compare
toidiu
force-pushed
the
ak-ktlsSkeleton
branch
2 times, most recently
from
9ee130d to
eca0281
Compare
toidiu
force-pushed
the
ak-ktlsSkeleton
branch
from
eca0281 to
1a2df55
Compare
| */ | ||
| S2N_RESULT s2n_ktls_enable(struct s2n_connection *conn, s2n_ktls_mode mode) | ||
| { | ||
| /* TODO perform managed_send_io and managed_recv_io checks */ |
There was a problem hiding this comment.
Do we need this file at this point in the project? Seems like there's nothing in here that we need yet. What purpose is this function serving?
|
|
||
| #include "utils/s2n_result.h" | ||
|
|
||
| /* --- unstable API --- |
There was a problem hiding this comment.
Who is this comment for? No customer can use these functions, they're not in s2n.h.
| S2N_KTLS_MODE_SEND = 1, | ||
| /* Enable kTLS for the recv socket. */ | ||
| S2N_KTLS_MODE_RECV = 2, | ||
| /* Enable kTLS for both rx and tx socket. */ |
There was a problem hiding this comment.
This is an annoying nit, but be consistent with whatever you want to call these sockets.
| /* Enable kTLS for both rx and tx socket. */ | |
| /* Enable kTLS for both send and recv socket. */ |
| S2N_KTLS_MODE_DUPLEX = 3, | ||
| } s2n_ktls_mode; | ||
|
|
||
| int s2n_config_ktls_enable(struct s2n_config *config, s2n_ktls_mode ktls_mode); |
There was a problem hiding this comment.
| int s2n_config_ktls_enable(struct s2n_config *config, s2n_ktls_mode ktls_mode); | |
| int s2n_config_set_ktls_mode(struct s2n_config *config, s2n_ktls_mode ktls_mode); |
I feel like this is more in line with how s2n-tls names functions in this file.
| if (ktls_mode == S2N_KTLS_MODE_DISABLED) { | ||
| return config->ktls_mode_requested == S2N_KTLS_MODE_DISABLED; | ||
| } | ||
| return config->ktls_mode_requested & ktls_mode; |
There was a problem hiding this comment.
Okay maybe I don't fully understand the purpose of this function, but if it's to tell the user which mode is set, why not just:
int s2n_config_get_ktls_mode(struct s2n_config *config, s2n_ktls_mode *ktls_mode)
{
POSIX_ENSURE_REF(config);
*ktls_mode = config->ktls_mode_requested;
return S2N_SUCCESS;
}
| @@ -1067,3 +1070,26 @@ int s2n_config_set_recv_multi_record(struct s2n_config *config, bool enabled) | |||
|
|
|||
| return S2N_SUCCESS; | |||
| } | |||
|
|
|||
| /* Indicates if the connection should attempt to enable kTLS. */ | |||
There was a problem hiding this comment.
Not really sure this comment is accurate. The function enables ktls, it doesn't indicate anything.
| * | ||
| * Note: currently, kTLS cannot be disabled once enabled. | ||
| */ | ||
| S2N_RESULT s2n_connection_mark_ktls_enabled(struct s2n_connection *conn, s2n_ktls_mode ktls_mode) |
There was a problem hiding this comment.
I am confused. Are both of these functions that you've added APIs? Why is only one declared in connection.h?
#3711
Description of changes:
This PR introduces the interface for the kTLS feature. The interface is currently not public but will be release as an unstable feature (see s2n_ktls.h for the public APIs).
There are two concepts which capture the kTLS work flow:
The application requests that kTLS be enabled (on config), but this is not always possible since it requires kernel support and enabling the kTLS kernel module. The library can then attempt to enable kTLS but might not succeed. If successful then we mark kTLS as enabled on the connection and use that to send/recv.
Since, kTLS can be enabled for the Send, Recv or Duplex (both sockets), or Disabled, we introduce
s2n_ktls_mode, which captures the combination of these states.Callouts:
s2n_config_enable: the application is actually requesting kTLS not enabling it. But being on the config I think this is a fine distinction and enable matches GnuTLS apis also.Testing:
Test functionality around comparing and toggling s2n_ktls_mode on the config and connection.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.