Add SetSockOpt definitions related to Linux Kernel TLS.
#2175
Conversation
|
The Linux CI did fail with Should I change my test and all the others to use unique ports? |
Will do.
The documentation is https://docs.kernel.org/networking/tls.html . I'll add comments explaining which setsockopt call each of the structs maps to.
No. The steps of using kTLS are:
|
|
There are a bunch of tests that don't pass under cross. If you're sure that this test failure is cross-induced, you could skip the test in CI by adding |
Yes, that is what I had been battling with. The last commit I pushed finally fixes them. |
|
Hi @Arnavion, we now use the libc dependency from git, rebasing your branch should make things work |
|
Done, and verified with my test program. |
src/sys/socket/sockopt.rs
Outdated
| /// ```ignore,rust | ||
| /// setsockopt(sock, TcpUlp::default(), b"tls\0"); | ||
| /// ``` | ||
| #[cfg(target_os = "linux")] |
There was a problem hiding this comment.
The TCP_ULP and SOL_TCP symbols are defined on Android as well as Linux. So here and elsewhere, you should do
| #[cfg(target_os = "linux")] | |
| #[cfg(linux_android)] |
Those two symbols are also defined on Fuchsia, but stuff like tls12_crypto_info_aes_gcm_128 isn't, so I guess you should leave Fuchsia out.
There was a problem hiding this comment.
The TLS ULP is useless without being able to do TLS_TX and TLS_RX, and I only added all this in libc for linux. Someone who uses Android should extend it to Android.
There was a problem hiding this comment.
Ah, but you're right that there's no harm in enabling other ULPs at least. Done.
test/sys/test_sockopt.rs
Outdated
| // Some architectures running under cross don't support `setsockopt(SOL_TCP, TCP_ULP)` | ||
| // because the cross image is based on Ubuntu 16.04 which predates TCP ULP support | ||
| // (it was added in kernel v4.13 released in 2017). For these architectures, | ||
| // the `setsockopt(SOL_TCP, TCP_ULP, "tls", sizeof("tls"))` call succeeds | ||
| // but the subsequent `setsockopt(SOL_TLS, TLS_TX, ...)` call fails with `ENOPROTOOPT`. | ||
| // It's as if the first `setsockopt` call enabled some other option, not `TCP_ULP`. | ||
| // For example, `strace` says: | ||
| // | ||
| // [pid 813] setsockopt(4, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0 | ||
| // | ||
| // It's not clear why `setsockopt(SOL_TCP, TCP_ULP)` succeeds if the container image libc doesn't support it, | ||
| // but in any case we can't run the test on such an architecture, so skip it. | ||
| Err(nix::Error::ENOPROTOOPT) => skip!("TCP ULP are not supported."), |
There was a problem hiding this comment.
It might be simpler to delete this part, and just add #[cfg_attr(qemu, ignore)] to the top of the function.
src/sys/socket/sockopt.rs
Outdated
| /// ... and the `nix` equivalent is: | ||
| /// | ||
| /// ```ignore,rust | ||
| /// setsockopt(sock, TcpUlp::default(), b"tls\0"); |
There was a problem hiding this comment.
I am curious, in the C interface, does this "tls" argument always have the type C string (having a NUL at the end) or it can be some random bytes
There was a problem hiding this comment.
The value is the name of the ULP. You can look at the ones you have available with cat /proc/sys/net/ipv4/tcp_available_ulp.
The string does not need to be NUL-terminated. This is leftover from when I was trying to make the CI work and I thought the lack of NUL terminator might be the reason armv7 was failing. I confirmed from the kernel code that it only copies the user-provided string up to the smaller of user-provided length and 15 bytes (TCP_ULP_NAME_MAX - 1) and adds its own NUL terminator, and it also works without the trailing NUL in my test program.
There was a problem hiding this comment.
Removed the trailing NUL from this example and from the test.
There was a problem hiding this comment.
I confirmed from the kernel code that it only copies the user-provided string up to the smaller of user-provided length and 15 bytes (TCP_ULP_NAME_MAX - 1) and adds its own NUL terminator.
Thanks for digging into the kernel code, do you think it would be great if we could have a comment in the code describing this behavior?
There was a problem hiding this comment.
Thanks for doing it, and you don't need to squash commits as we will do squash merge.
|
@asomers @SteveLauC Ping. |
|
Normally, asomers will maintain Nix on Friday/weekend |
1. kTLS is implemented as a TCP ULP, so add a `SetSockOpt` impl for it. 2. kTLS parameters are pushed to the kernel using `setsockopt(SOL_TLS)`, so add `SetSockOpt` impls for them. Other test fixes: 1. Change `setsockopt` tests to bind to port 0 so that they bind to an unbound port and don't affect each other. 2. Fix `skip!` macro used to skip tests to generate its own block so that it can be used as an expr.
|
@SteveLauC Ping. This has been ready to merge for two weeks now, and I'm tired of fixing all the merge conflicts from the other newer PRs that keep getting merged :) This is also blocking more fixes I want to make to the |
|
Understand, let's merge this! |
kTLS is implemented as a TCP ULP, so add a
SetSockOptimpl for it.kTLS parameters are pushed to the kernel using
setsockopt(SOL_TLS),so add
SetSockOptimpls for them.Other test fixes:
Change
setsockopttests to bind to port 0 so thatthey bind to an unbound port and don't affect each other.
Fix
skip!macro used to skip tests to generate its own block so thatit can be used as an expr.
What does this PR do
Implement additional definitions needed to set up kTLS.
Checklist:
CONTRIBUTING.md