Merge branch 'main' into kgarmoe/build-doc

aws · Aug 18, 2023 · 1d46378 · 1d46378
2 parents 72b8723 + 074ff8b
commit 1d46378
Show file tree

Hide file tree

Showing 22 changed files with 1,601 additions and 758 deletions.
diff --git a/bindings/rust/bench/README.md b/bindings/rust/bench/README.md
@@ -45,7 +45,7 @@ To generate flamegraphs, run `cargo bench --bench handshake --bench throughput -
 
 ## Memory benchmarks
 
-To run all memory benchmarks, run `memory/bench-memory.sh`. Graphs of memory usage will be generated in `images/`.
+To run all memory benchmarks, run `scripts/bench-memory.sh`. Graphs of memory usage will be generated in `images/`.
 
 Memory benchmark data is generated using the `memory` binary. Command line arguments can be given to `cargo run` or to the built executable located at `target/release/memory`. The usage is as follows:
 
@@ -88,7 +88,7 @@ Notes:
 - Two sets of parameters for the handshake couldn't be benched before 1.3.40, since security policies that negotiated those policies as their top choice did not exist before then.
 - There is no data from 1.3.30 to 1.3.37 because those versions have a dependency issue that cause the Rust bindings not to build. However, there is data before and after that period, so the performance for those versions can be inferred via interpolation.
 - The improvement in throughput in 1.3.28 was most likely caused by the addition of LTO to the default Rust bindings build. 
-- Since the benches are run over a long time, noise on the machine can cause variability, as seen in the throughput graph.
+- Since the benches are run over a long time, noise on the machine can cause variability, and background processes can cause spikes.
 - The variability can be seen with throughput especially because it is calculated as the inverse of time taken.
 
 ![historical-perf-handshake](images/historical-perf-handshake.svg)

diff --git a/bindings/rust/bench/images/historical-perf-handshake.svg b/bindings/rust/bench/images/historical-perf-handshake.svg
diff --git a/bindings/rust/bench/images/historical-perf-throughput.svg b/bindings/rust/bench/images/historical-perf-throughput.svg
diff --git a/bindings/rust/s2n-tls-sys/templates/Cargo.template b/bindings/rust/s2n-tls-sys/templates/Cargo.template
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.0.35"
+version = "0.0.36"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-tokio"
 description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
-version = "0.0.35"
+version = "0.0.36"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -15,7 +15,7 @@ default = []
 errno = { version = "0.3" }
 libc = { version = "0.2" }
 pin-project-lite = { version = "0.2" }
-s2n-tls = { version = "=0.0.35", path = "../s2n-tls" }
+s2n-tls = { version = "=0.0.36", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]

diff --git a/bindings/rust/s2n-tls/Cargo.toml b/bindings/rust/s2n-tls/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.0.35"
+version = "0.0.36"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -19,7 +19,7 @@ testing = ["bytes"]
 bytes = { version = "1", optional = true }
 errno = { version = "0.3" }
 libc = "0.2"
-s2n-tls-sys = { version = "=0.0.35", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.0.36", path = "../s2n-tls-sys", features = ["internal"] }
 pin-project-lite = "0.2"
 hex = "0.4"
 

diff --git a/bindings/rust/s2n-tls/src/config.rs b/bindings/rust/s2n-tls/src/config.rs
@@ -660,6 +660,7 @@ impl Builder {
         if key_len < 16 {
             return Err(Error::INVALID_INPUT);
         }
+        self.enable_session_tickets(true)?;
         unsafe {
             s2n_config_add_ticket_crypto_key(
                 self.as_mut_ptr(),
@@ -672,7 +673,6 @@ impl Builder {
             )
             .into_result()
         }?;
-        self.enable_session_tickets(true)?;
         Ok(self)
     }
 

diff --git a/bindings/rust/s2n-tls/src/testing/resumption.rs b/bindings/rust/s2n-tls/src/testing/resumption.rs
@@ -43,7 +43,6 @@ mod tests {
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
-            .enable_session_tickets(true)?
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
             .load_pem(keypair.cert(), keypair.key())?;
         let server_config = server_config_builder.build()?;
@@ -123,7 +122,6 @@ mod tests {
         // Initialize config for server with a ticket key
         let mut server_config_builder = Builder::new();
         server_config_builder
-            .enable_session_tickets(true)?
             .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
             .load_pem(keypair.cert(), keypair.key())?
             .set_security_policy(&security::DEFAULT_TLS13)?;

diff --git a/error/s2n_errno.c b/error/s2n_errno.c
@@ -296,6 +296,7 @@ static const char *no_such_error = "Internal s2n error";
     ERR_ENTRY(S2N_ERR_KTLS_UNSUPPORTED_CONN, "kTLS is unsupported for this connection") \
     ERR_ENTRY(S2N_ERR_KTLS_ULP, "An error occurred when attempting to configure the socket for kTLS. Ensure the 'tls' kernel module is enabled.")  \
     ERR_ENTRY(S2N_ERR_KTLS_ENABLE_CRYPTO, "An error occurred when attempting to enable kTLS on socket.")  \
+    ERR_ENTRY(S2N_ERR_KTLS_BAD_CMSG, "Error handling cmsghdr.")  \
     ERR_ENTRY(S2N_ERR_ATOMIC, "Atomic operations in this environment would require locking") \
     /* clang-format on */
 

diff --git a/error/s2n_errno.h b/error/s2n_errno.h
@@ -312,6 +312,7 @@ typedef enum {
     S2N_ERR_KTLS_UNSUPPORTED_CONN,
     S2N_ERR_KTLS_ULP,
     S2N_ERR_KTLS_ENABLE_CRYPTO,
+    S2N_ERR_KTLS_BAD_CMSG,
     S2N_ERR_ATOMIC,
     S2N_ERR_T_USAGE_END,
 } s2n_error;

diff --git a/nix/shell.sh b/nix/shell.sh
@@ -62,7 +62,7 @@ function integ {
             ctest --test-dir ./build -L integrationv2 --no-tests=error --output-on-failure -R "$test" --verbose
             if [ "$?" -ne 0 ]; then
                echo "Test failed, stopping execution"
-               exit 1
+               return 1
             fi
         done
     fi

diff --git a/tests/features/S2N_KTLS_SUPPORTED.c b/tests/features/S2N_KTLS_SUPPORTED.c
@@ -26,5 +26,8 @@ int main()
     struct tls12_crypto_info_aes_gcm_128 aes_crypto_info;
     struct tls_crypto_info crypto_info;
 
+    int get_record_type = TLS_GET_RECORD_TYPE;
+    int set_record_type = TLS_SET_RECORD_TYPE;
+
     return 0;
 }
diff --git a/tests/testlib/s2n_ktls_test_utils.c b/tests/testlib/s2n_ktls_test_utils.c
@@ -15,9 +15,14 @@
 
 #include "testlib/s2n_ktls_test_utils.h"
 
+S2N_RESULT s2n_ktls_set_control_data(struct msghdr *msg, char *buf, size_t buf_size,
+        int cmsg_type, uint8_t record_type);
+S2N_RESULT s2n_ktls_get_control_data(struct msghdr *msg, int cmsg_type, uint8_t *record_type);
+
 /* Since it is possible to read partial data, we need a way to update the length
  * of the previous record for the mock stuffer IO implementation. */
-static S2N_RESULT s2n_test_ktls_update_prev_header_len(struct s2n_test_ktls_io_stuffer *io_ctx, uint16_t remaining_len)
+static S2N_RESULT s2n_test_ktls_update_prev_header_len(struct s2n_test_ktls_io_stuffer *io_ctx,
+        uint16_t remaining_len)
 {
     RESULT_ENSURE_REF(io_ctx);
     RESULT_ENSURE(remaining_len > 0, S2N_ERR_IO);
@@ -38,19 +43,17 @@ static S2N_RESULT s2n_test_ktls_update_prev_header_len(struct s2n_test_ktls_io_s
 
 ssize_t s2n_test_ktls_sendmsg_io_stuffer(void *io_context, const struct msghdr *msg)
 {
-    POSIX_ENSURE_REF(io_context);
     POSIX_ENSURE_REF(msg);
     POSIX_ENSURE_REF(msg->msg_iov);
 
-    /* Assuming msg_control is uint8_t is a simplification and will not work when we
-     * attempt to test the production s2n_ktls_send implementation. However, setting/parsing
-     * cmsg is critical code and will be added in a separate PR. */
-    uint8_t *record_type = (uint8_t *) msg->msg_control;
-    POSIX_ENSURE_REF(record_type);
     struct s2n_test_ktls_io_stuffer *io_ctx = (struct s2n_test_ktls_io_stuffer *) io_context;
     POSIX_ENSURE_REF(io_ctx);
     io_ctx->sendmsg_invoked_count++;
 
+    uint8_t record_type = 0;
+    struct msghdr msg_to_parse = *msg;
+    POSIX_GUARD_RESULT(s2n_ktls_get_control_data(&msg_to_parse, S2N_TLS_SET_RECORD_TYPE, &record_type));
+
     size_t total_len = 0;
     for (size_t count = 0; count < msg->msg_iovlen; count++) {
         uint8_t *buf = msg->msg_iov[count].iov_base;
@@ -73,7 +76,7 @@ ssize_t s2n_test_ktls_sendmsg_io_stuffer(void *io_context, const struct msghdr *
     }
     if (total_len) {
         /* write record_type and len after some data was written successfully */
-        POSIX_GUARD(s2n_stuffer_write_uint8(&io_ctx->ancillary_buffer, *record_type));
+        POSIX_GUARD(s2n_stuffer_write_uint8(&io_ctx->ancillary_buffer, record_type));
         POSIX_GUARD(s2n_stuffer_write_uint16(&io_ctx->ancillary_buffer, total_len));
     }
 
@@ -87,18 +90,13 @@ ssize_t s2n_test_ktls_sendmsg_io_stuffer(void *io_context, const struct msghdr *
  * are of the same type. */
 ssize_t s2n_test_ktls_recvmsg_io_stuffer(void *io_context, struct msghdr *msg)
 {
-    POSIX_ENSURE_REF(io_context);
     POSIX_ENSURE_REF(msg);
     POSIX_ENSURE_REF(msg->msg_iov);
 
-    /* Assuming msg_control is uint8_t is a simplification and will not work when we
-     * attempt to test the production s2n_ktls_recv implementation. However, setting/parsing
-     * cmsg is critical code and will be added in a separate PR. */
-    uint8_t *record_type = (uint8_t *) msg->msg_control;
-    POSIX_ENSURE_REF(record_type);
     struct s2n_test_ktls_io_stuffer *io_ctx = (struct s2n_test_ktls_io_stuffer *) io_context;
     POSIX_ENSURE_REF(io_ctx);
     io_ctx->recvmsg_invoked_count++;
+
     uint8_t *buf = msg->msg_iov->iov_base;
     POSIX_ENSURE_REF(buf);
 
@@ -112,10 +110,13 @@ ssize_t s2n_test_ktls_recvmsg_io_stuffer(void *io_context, struct msghdr *msg)
     POSIX_ENSURE_EQ(msg->msg_iovlen, 1);
     size_t size = msg->msg_iov->iov_len;
 
+    uint8_t record_type = 0;
+    POSIX_GUARD(s2n_stuffer_read_uint8(&io_ctx->ancillary_buffer, &record_type));
+    POSIX_GUARD_RESULT(s2n_ktls_set_control_data(msg, msg->msg_control, msg->msg_controllen,
+            S2N_TLS_GET_RECORD_TYPE, record_type));
+
     ssize_t bytes_read = 0;
     while (bytes_read < size) {
-        /* read record_type and number of bytes available in the next record */
-        POSIX_GUARD(s2n_stuffer_read_uint8(&io_ctx->ancillary_buffer, record_type));
         uint16_t n_avail = 0;
         POSIX_GUARD(s2n_stuffer_read_uint16(&io_ctx->ancillary_buffer, &n_avail));
 
@@ -129,6 +130,7 @@ ssize_t s2n_test_ktls_recvmsg_io_stuffer(void *io_context, struct msghdr *msg)
         ssize_t remaining_len = n_avail - n_read;
         if (remaining_len) {
             POSIX_GUARD_RESULT(s2n_test_ktls_update_prev_header_len(io_ctx, remaining_len));
+            break;
         }
 
         /* attempt to read multiple records (must be of the same type) */
@@ -138,17 +140,20 @@ ssize_t s2n_test_ktls_recvmsg_io_stuffer(void *io_context, struct msghdr *msg)
         if (no_more_records) {
             break;
         }
-        bool next_record_different_type = next_record_type != *record_type;
+
+        bool next_record_different_type = next_record_type != record_type;
         if (next_record_different_type) {
             break;
         }
+
+        POSIX_GUARD(s2n_stuffer_skip_read(&io_ctx->ancillary_buffer, sizeof(record_type)));
     }
 
     return bytes_read;
 }
 
-S2N_RESULT s2n_test_init_ktls_io_stuffer(struct s2n_connection *server, struct s2n_connection *client,
-        struct s2n_test_ktls_io_stuffer_pair *io_pair)
+S2N_RESULT s2n_test_init_ktls_io_stuffer(struct s2n_connection *server,
+        struct s2n_connection *client, struct s2n_test_ktls_io_stuffer_pair *io_pair)
 {
     RESULT_ENSURE_REF(server);
     RESULT_ENSURE_REF(client);

diff --git a/tests/testlib/s2n_ktls_test_utils.h b/tests/testlib/s2n_ktls_test_utils.h
@@ -62,6 +62,6 @@ struct s2n_test_ktls_io_stuffer_pair {
 ssize_t s2n_test_ktls_sendmsg_io_stuffer(void *io_context, const struct msghdr *msg);
 ssize_t s2n_test_ktls_recvmsg_io_stuffer(void *io_context, struct msghdr *msg);
 
-S2N_RESULT s2n_test_init_ktls_io_stuffer(struct s2n_connection *server, struct s2n_connection *client,
-        struct s2n_test_ktls_io_stuffer_pair *io_pair);
+S2N_RESULT s2n_test_init_ktls_io_stuffer(struct s2n_connection *server,
+        struct s2n_connection *client, struct s2n_test_ktls_io_stuffer_pair *io_pair);
 S2N_CLEANUP_RESULT s2n_ktls_io_stuffer_pair_free(struct s2n_test_ktls_io_stuffer_pair *pair);
diff --git a/tests/unit/s2n_ktls_io_test.c b/tests/unit/s2n_ktls_io_test.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include "s2n_test.h"
+#include "testlib/s2n_testlib.h"
+#include "tls/s2n_ktls.h"
+
+S2N_RESULT s2n_ktls_set_control_data(struct msghdr *msg, char *buf, size_t buf_size,
+        int cmsg_type, uint8_t record_type);
+S2N_RESULT s2n_ktls_get_control_data(struct msghdr *msg, int cmsg_type, uint8_t *record_type);
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+
+    /* Test s2n_ktls_set_control_data and s2n_ktls_get_control_data */
+    {
+        /* Test: Safety */
+        {
+            struct msghdr msg = { 0 };
+            char buf[100] = { 0 };
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_set_control_data(NULL, buf, sizeof(buf), 0, 0),
+                    S2N_ERR_NULL);
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_set_control_data(&msg, NULL, sizeof(buf), 0, 0),
+                    S2N_ERR_NULL);
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_set_control_data(&msg, buf, 0, 0, 0),
+                    S2N_ERR_NULL);
+
+            uint8_t record_type = 0;
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_get_control_data(NULL, 0, &record_type),
+                    S2N_ERR_NULL);
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_get_control_data(&msg, 0, NULL),
+                    S2N_ERR_NULL);
+        };
+
+        /* Test: s2n_ktls_set_control_data msg is parseable by s2n_ktls_get_control_data */
+        {
+            const uint8_t set_record_type = 5;
+            struct msghdr msg = { 0 };
+            const int cmsg_type = 11;
+            char buf[100] = { 0 };
+            EXPECT_OK(s2n_ktls_set_control_data(&msg, buf, sizeof(buf), cmsg_type, set_record_type));
+
+            uint8_t get_record_type = 0;
+            EXPECT_OK(s2n_ktls_get_control_data(&msg, cmsg_type, &get_record_type));
+
+            EXPECT_EQUAL(set_record_type, get_record_type);
+        };
+
+        /* Test: s2n_ktls_get_control_data fails with unexpected cmsg_type */
+        {
+            const uint8_t set_record_type = 5;
+            struct msghdr msg = { 0 };
+            const int cmsg_type = 11;
+            char buf[100] = { 0 };
+            EXPECT_OK(s2n_ktls_set_control_data(&msg, buf, sizeof(buf), cmsg_type, set_record_type));
+
+            const int bad_cmsg_type = 99;
+            uint8_t get_record_type = 0;
+            EXPECT_ERROR_WITH_ERRNO(s2n_ktls_get_control_data(&msg, bad_cmsg_type, &get_record_type),
+                    S2N_ERR_KTLS_BAD_CMSG);
+        };
+    };
+
+    END_TEST();
+}