ktls: config socket ULP

error/s2n_errno.c

@@ -290,6 +290,11 @@ static const char *no_such_error = "Internal s2n error";
     ERR_ENTRY(S2N_ERR_INTERNAL_LIBCRYPTO_ERROR, "An internal error has occurred in the libcrypto API") \
     ERR_ENTRY(S2N_ERR_NO_RENEGOTIATION, "Only secure, server-initiated renegotiation is supported") \
     ERR_ENTRY(S2N_ERR_APP_DATA_BLOCKED, "Blocked on application data during handshake") \
+    ERR_ENTRY(S2N_ERR_KTLS_MANAGED_IO, "kTLS cannot be enabled while custom I/O is configured for the connection")  \
+    ERR_ENTRY(S2N_ERR_HANDSHAKE_NOT_COMPLETE, "Operation is only allowed after the handshake is complete") \
+    ERR_ENTRY(S2N_ERR_KTLS_UNSUPPORTED_PLATFORM, "kTLS is unsupported on this platform") \
+    ERR_ENTRY(S2N_ERR_KTLS_UNSUPPORTED_CONN, "kTLS is unsupported for this connection") \
+    ERR_ENTRY(S2N_ERR_KTLS_ULP, "An error occurred when attempting to configure the socket for kTLS. Ensure the 'tls' kernel module is enabled.")  \
     ERR_ENTRY(S2N_ERR_ATOMIC, "Atomic operations in this environment would require locking") \
     /* clang-format on */
 

error/s2n_errno.h

@@ -306,6 +306,11 @@ typedef enum {
     S2N_ERR_SECRET_SCHEDULE_STATE,
     S2N_ERR_CERT_OWNERSHIP,
     S2N_ERR_INTERNAL_LIBCRYPTO_ERROR,
+    S2N_ERR_HANDSHAKE_NOT_COMPLETE,
+    S2N_ERR_KTLS_MANAGED_IO,
+    S2N_ERR_KTLS_UNSUPPORTED_PLATFORM,
+    S2N_ERR_KTLS_UNSUPPORTED_CONN,
+    S2N_ERR_KTLS_ULP,
     S2N_ERR_ATOMIC,
     S2N_ERR_T_USAGE_END,
 } s2n_error;

tests/testlib/s2n_connection_test_utils.c

@@ -332,3 +332,12 @@ S2N_RESULT s2n_set_all_mutually_supported_groups(struct s2n_connection *conn)
 
     return S2N_RESULT_OK;
 }
+
+S2N_RESULT s2n_skip_handshake(struct s2n_connection *conn)
+{
+    conn->handshake.handshake_type = NEGOTIATED | FULL_HANDSHAKE;
+    while (!s2n_handshake_is_complete(conn)) {
+        conn->handshake.message_number++;
+    }
+    return S2N_RESULT_OK;
+}

tests/testlib/s2n_testlib.h

@@ -75,6 +75,7 @@ int s2n_connection_allow_response_extension(struct s2n_connection *conn, uint16_
 int s2n_connection_allow_all_response_extensions(struct s2n_connection *conn);
 int s2n_connection_set_all_protocol_versions(struct s2n_connection *conn, uint8_t version);
 S2N_RESULT s2n_set_all_mutually_supported_groups(struct s2n_connection *conn);
+S2N_RESULT s2n_skip_handshake(struct s2n_connection *conn);
 
 S2N_RESULT s2n_connection_set_secrets(struct s2n_connection *conn);
 

tests/unit/s2n_ktls_test.c

@@ -13,14 +13,58 @@
  * permissions and limitations under the License.
  */
 
-#include "crypto/s2n_cipher.h"
+#include "tls/s2n_ktls.h"
+
 #include "s2n_test.h"
+#include "testlib/s2n_testlib.h"
+
+S2N_RESULT s2n_ktls_retrieve_file_descriptor(struct s2n_connection *conn, s2n_ktls_mode ktls_mode, int *fd);
+
+/* set kTLS supported cipher */
+struct s2n_cipher ktls_temp_supported_cipher = {
+    .ktls_supported = true,
+};
+struct s2n_record_algorithm ktls_temp_supported_record_alg = {
+    .cipher = &ktls_temp_supported_cipher,
+};
+struct s2n_cipher_suite ktls_temp_supported_cipher_suite = {
+    .record_alg = &ktls_temp_supported_record_alg,
+};
+
+S2N_RESULT s2n_test_configure_connection_for_ktls(struct s2n_connection *conn)
+{
+    RESULT_ENSURE_REF(conn);
+
+    /* config I/O */
+    RESULT_GUARD_POSIX(s2n_connection_set_write_fd(conn, 1));
+    RESULT_GUARD_POSIX(s2n_connection_set_read_fd(conn, 1));
+    conn->ktls_send_enabled = false;
+    conn->ktls_recv_enabled = false;
+
+    /* configure connection so that the handshake is complete */
+    conn->secure->cipher_suite = &ktls_temp_supported_cipher_suite;
+    conn->actual_protocol_version = S2N_TLS12;
+    RESULT_GUARD(s2n_skip_handshake(conn));
+
+    return S2N_RESULT_OK;
+}
 
 int main(int argc, char **argv)
 {
     BEGIN_TEST();
 
-    /* ktls_supported ciphers */
+    if (!s2n_ktls_is_supported_on_platform()) {
+        DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                s2n_connection_ptr_free);
+        EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+        EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_KTLS_UNSUPPORTED_PLATFORM);
+        EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_recv(server_conn), S2N_ERR_KTLS_UNSUPPORTED_PLATFORM);
+
+        END_TEST();
+    }
+
+    /* Test ktls_supported ciphers */
     {
         struct s2n_cipher cipher = s2n_aes128_gcm;
         EXPECT_TRUE(cipher.ktls_supported);
@@ -38,5 +82,149 @@ int main(int argc, char **argv)
         EXPECT_FALSE(cipher.ktls_supported);
     };
 
+    /* Test s2n_ktls_retrieve_file_descriptor */
+    {
+        DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                s2n_connection_ptr_free);
+        int write_fd_orig = 1;
+        int read_fd_orig = 2;
+        int fd_ret = 0;
+
+        EXPECT_SUCCESS(s2n_connection_set_write_fd(server_conn, write_fd_orig));
+        EXPECT_OK(s2n_ktls_retrieve_file_descriptor(server_conn, S2N_KTLS_MODE_SEND, &fd_ret));
+        EXPECT_EQUAL(write_fd_orig, fd_ret);
+
+        EXPECT_SUCCESS(s2n_connection_set_read_fd(server_conn, read_fd_orig));
+        EXPECT_OK(s2n_ktls_retrieve_file_descriptor(server_conn, S2N_KTLS_MODE_RECV, &fd_ret));
+        EXPECT_EQUAL(read_fd_orig, fd_ret);
+    };
+
+    /* Test s2n_connection_ktls_enable_recv/send */
+    {
+        /* Success case */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_send(server_conn));
+            EXPECT_TRUE(server_conn->ktls_send_enabled);
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_recv(server_conn));
+            EXPECT_TRUE(server_conn->ktls_recv_enabled);
+        };
+
+        /* Noop if kTLS is already enabled */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            server_conn->ktls_send_enabled = true;
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_send(server_conn));
+
+            server_conn->ktls_recv_enabled = true;
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_recv(server_conn));
+        };
+
+        /* Fail if handshake is not complete */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+            server_conn->handshake.message_number = 0;
+
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_HANDSHAKE_NOT_COMPLETE);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_recv(server_conn), S2N_ERR_HANDSHAKE_NOT_COMPLETE);
+        };
+
+        /* Fail if unsupported protocols */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            server_conn->actual_protocol_version = S2N_TLS13;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_KTLS_UNSUPPORTED_CONN);
+
+            server_conn->actual_protocol_version = S2N_TLS11;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_KTLS_UNSUPPORTED_CONN);
+        };
+
+        /* Fail if unsupported ciphers */
+        {
+            /* set kTLS unsupported cipher */
+            struct s2n_cipher ktls_temp_unsupported_cipher = {
+                .ktls_supported = false,
+            };
+            struct s2n_record_algorithm ktls_temp_unsupported_record_alg = {
+                .cipher = &ktls_temp_unsupported_cipher,
+            };
+            struct s2n_cipher_suite ktls_temp_unsupported_cipher_suite = {
+                .record_alg = &ktls_temp_unsupported_record_alg,
+            };
+
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            server_conn->secure->cipher_suite = &ktls_temp_unsupported_cipher_suite;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_KTLS_UNSUPPORTED_CONN);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_recv(server_conn), S2N_ERR_KTLS_UNSUPPORTED_CONN);
+        };
+
+        /* Fail if buffers are not drained */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            uint8_t write_byte = 8;
+            uint8_t read_byte = 0;
+            /* write to conn->out buffer and assert error */
+            EXPECT_SUCCESS(s2n_stuffer_write_uint8(&server_conn->out, write_byte));
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_RECORD_STUFFER_NEEDS_DRAINING);
+            /* drain conn->out buffer and assert success case */
+            EXPECT_SUCCESS(s2n_stuffer_read_bytes(&server_conn->out, &read_byte, 1));
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_send(server_conn));
+
+            /* write to conn->in buffer and assert error */
+            EXPECT_SUCCESS(s2n_stuffer_write_uint8(&server_conn->in, write_byte));
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_recv(server_conn), S2N_ERR_RECORD_STUFFER_NEEDS_DRAINING);
+            /* drain conn->in buffer and assert success case */
+            EXPECT_SUCCESS(s2n_stuffer_read_bytes(&server_conn->in, &read_byte, 1));
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_recv(server_conn));
+        };
+
+        /* Fail if not using managed IO for send */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            /* expect failure if connection is using custom IO */
+            server_conn->managed_send_io = false;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_send(server_conn), S2N_ERR_KTLS_MANAGED_IO);
+
+            /* expect success if connection is NOT using custom IO */
+            server_conn->managed_send_io = true;
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_send(server_conn));
+        };
+
+        /* Fail if not using managed IO for recv */
+        {
+            DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
+                    s2n_connection_ptr_free);
+            EXPECT_OK(s2n_test_configure_connection_for_ktls(server_conn));
+
+            /* recv managed io */
+            server_conn->managed_recv_io = false;
+            EXPECT_FAILURE_WITH_ERRNO(s2n_connection_ktls_enable_recv(server_conn), S2N_ERR_KTLS_MANAGED_IO);
+
+            /* expect success if connection is NOT using custom IO */
+            server_conn->managed_recv_io = true;
+            EXPECT_SUCCESS(s2n_connection_ktls_enable_recv(server_conn));
+        };
+    }
+
     END_TEST();
 }

tests/unit/s2n_shutdown_test.c

@@ -21,15 +21,6 @@
 
 #define ALERT_LEN (sizeof(uint16_t))
 
-static S2N_RESULT s2n_skip_handshake(struct s2n_connection *conn)
-{
-    conn->handshake.handshake_type = NEGOTIATED | FULL_HANDSHAKE;
-    while (!s2n_handshake_is_complete(conn)) {
-        conn->handshake.message_number++;
-    }
-    return S2N_RESULT_OK;
-}
-
 int main(int argc, char **argv)
 {
     BEGIN_TEST();