Tracking issue: kTLS MVP

[toidiu]

The MVP will include ktls support for TLS1.2 AES_GCM_128. Since TLS1.3 key_update is not support in kTLS a kernel patch is required.

The kTLS feature will initially be released as unstable. kTLS POC:

• ak-ktls0_main
• ak-ktls0_main1

milestone 1

• tls 1.2 MVP (milestone 1)
  • enums and some building blocks (s2n_ktls.h) ktls: s2n_ktls_mode and building blocks #3797
  • cipher suites indicate kTLS support (AES_GCM_128) ktls: add ktls_supported field to s2n_cipher #3806
    • struct s2n_cipher { bool supports_ktls; }
  • rm config.ktls_request. instead enable per connection ktls: rm kTLS request field on config #3816
  • feature probe ktls: feature probe test #3869 ktls: set keys on socket and enable ktls #4071
    • fix kTLS feature probe (linux doesnt expose uapi for kTLS) remove kTLS feature probe #4064
  • enable kTLS (s2n_ktls.c)
    • refactor prf feat: introduce s2n_key_material for handling key material info #4047
      • configure socket ULP/TLS_SW ktls: config socket ULP #4066
        • configure connection and set tx/rx keys ktls: set keys on socket and enable ktls #4071
  • cmsg
    • mock IO send/recvmsg ktls: mock send/recvmsg IO #4109
      • get/set cmsghdr control data kTLS: get and set control data on msghdr #4146
      • sendmsg kTLS: implement sendmsg #4147
      • recvmsg kTLS: implement recvmsg #4154
  • ktls send
    • app ktls: implement s2n_ktls_send for app data  #4162
    • ktls: alert/handshake data #4167
  • ktls recv
    • ktls: recv app data #4168
    • ktls: alert/handshake data #4169
  • ktls + renegotiation: do we want to allow for enabling kTLS if reneg is enabled?
  • self talk AF_INET testing
    • self-talk inet socket ktls: self talk inet socket test #4075
    • ktls self-talk inet testing #4170
  • enable ktls in CI
    • qemu docker image
    • large github hosts with KVM
      • self-talk inet socket /w kTLS
  • expose API to users
  • documentation
    • s2n_connection_get_wire_bytes_in/out are not usable once kTLS is enabled
  • ktls: sendfile support #4171

milestone 1.5

• support AES_GCM_256

milestone 2

• enable TLS1.3 support and ciphers
  • derive keys
  • ciphers
  • send post-handshake
• enable key update (milestone 2)
  • detect key_update kernel patch (feature detection)
  • detect KeyUpdate and rekey connection
  • send KeyUpdate and rekey connection

[toidiu]

notes on FreeBSD specific impl #4153