From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Xin Long <lucien.xin@gmail.com>, Chuck Lever <chuck.lever@oracle.com>
Subject: [PATCH v1 04/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/client.c
Date: Thu, 25 Sep 2025 21:21:53 -0400 [thread overview]
Message-ID: <20250926012207.3642990-5-cel@kernel.org> (raw)
In-Reply-To: <20250926012207.3642990-1-cel@kernel.org>
From: Chuck Lever <chuck.lever@oracle.com>
I started the ktls-utils project using the Linux kernel flavor of
Doxygen commenting which user-space Doxygen does not recognize by
default.
Convert existing comments in client.c to what a normal user space
Doxygen run expects to see. This will enable deployment of an
automatically-generated documentation web site.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/client.c | 158 +++++++++++++++++++++++++++++++++++++++------
1 file changed, 138 insertions(+), 20 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 3415fddfa0c4..2664ffb18ab3 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -1,10 +1,14 @@
-/*
- * Perform a TLSv1.3 handshake.
+/**
+ * @file client.c
+ * @brief Perform a client-side TLS handshake
*
+ * @copyright
* Copyright (c) 2022 Oracle and/or its affiliates.
* Copyright (c) 2022 SUSE LLC.
* Copyright (c) 2024 Red Hat, Inc.
- *
+ */
+
+/*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
@@ -43,6 +47,13 @@
#include "tlshd.h"
#include "netlink.h"
+/**
+ * @brief Initialize client side trust store
+ * @param[out] cred Trust store to initialize
+ *
+ * @returns a GnuTLS error code. Caller must release credentials
+ * using gnutls_certificate_free_credentials(3).
+ */
static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred)
{
char *pathname;
@@ -74,6 +85,10 @@ static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred)
return GNUTLS_E_SUCCESS;
}
+/**
+ * @brief Initiate an x.509-based TLS handshake without a client certificate
+ * @param[in] parms Handshake parameters
+ */
static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
@@ -134,13 +149,50 @@ out_free_creds:
gnutls_certificate_free_credentials(xcred);
}
+/**
+ * @var gnutls_privkey_t tlshd_pq_privkey
+ * Client peer's post-quantum private key
+ */
static gnutls_privkey_t tlshd_pq_privkey;
+
+/**
+ * @var gnutls_privkey_t tlshd_privkey
+ * Client peer's private key
+ */
static gnutls_privkey_t tlshd_privkey;
+
+/**
+ * @var unsigned int tlshd_pq_certs_len
+ * Count of client peer's post-quantum certificates
+ */
static unsigned int tlshd_pq_certs_len = TLSHD_MAX_CERTS;
+
+/**
+ * @var unsigned int tlshd_certs_len
+ * Count of client peer's certificates
+ */
static unsigned int tlshd_certs_len = TLSHD_MAX_CERTS;
+
+/**
+ * @var gnutls_pcert_st tlshd_certs
+ * Client peer's certificates
+ */
static gnutls_pcert_st tlshd_certs[TLSHD_MAX_CERTS];
+
+/**
+ * @var gnutls_pk_algorithm_t tlshd_pq_pkalg
+ * Client peer certificate's public key algorithms
+ */
static gnutls_pk_algorithm_t tlshd_pq_pkalg = GNUTLS_PK_UNKNOWN;
+/**
+ * @brief Retrieve client certificates to be used for ClientHello
+ * @param[in] parms Handshake parameters
+ *
+ * @retval true Client certificates were found. Caller must release
+ * the certificates using tlshd_x509_client_put_certs.
+ * @retval false No usable client certificates were found
+ */
static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms)
{
if (parms->x509_cert != TLS_NO_CERT)
@@ -151,6 +203,9 @@ static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms)
&tlshd_pq_pkalg);
}
+/**
+ * @brief Release client certificates that were used for ClientHello
+ */
static void tlshd_x509_client_put_certs(void)
{
unsigned int i;
@@ -159,6 +214,14 @@ static void tlshd_x509_client_put_certs(void)
gnutls_pcert_deinit(&tlshd_certs[i]);
}
+/**
+ * @brief Retrieve the private key to be used for ClientHello
+ * @param[in] parms Handshake parameters
+ *
+ * @retval true Private key was found. Caller must release the
+ * private key using tlshd_x509_client_put_privkey.
+ * @retval false No usable private key was found
+ */
static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms)
{
if (parms->x509_privkey != TLS_NO_PRIVKEY)
@@ -168,12 +231,20 @@ static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms)
&tlshd_privkey);
}
+/**
+ * @brief Release the private key that was used for ClientHello
+ */
static void tlshd_x509_client_put_privkey(void)
{
gnutls_privkey_deinit(tlshd_privkey);
gnutls_privkey_deinit(tlshd_pq_privkey);
}
+/**
+ * @brief Audit trust chain of incoming server certificate
+ * @param[in] req_ca_rdn
+ * @param[in] nreqs
+ */
static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
{
char issuer_dn[256];
@@ -196,7 +267,18 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
}
/**
- * tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity
+ * @brief Initialize the client peer's x.509 identity
+ * @param[in] session session in the midst of a handshake
+ * @param[in] req_ca_rdn
+ * @param[in] nreqs
+ * @param[in] pk_algos
+ * @param[in] pk_algos_length
+ * @param[out] pcert
+ * @param[out] pcert_length
+ * @param[out] privkey
+ *
+ * @retval 0 Success; output parameters are set accordingly
+ * @retval -1 Failure
*
* Callback function is of type gnutls_certificate_retrieve_function2
*
@@ -204,10 +286,6 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
* gnutls/doc/examples/ex-cert-select.c.
*
* Sketched-in and untested.
- *
- * Return values:
- * %0: Success; output parameters are set accordingly
- * %-1: Failure
*/
static int
tlshd_x509_retrieve_key_cb(gnutls_session_t session,
@@ -256,13 +334,12 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t session,
}
/**
- * tlshd_client_x509_verify_function - Verify remote's x.509 certificate
- * @session: session in the midst of a handshake
- * @parms: handshake parameters
+ * @brief Verify the remote peer's x.509 certificate
+ * @param[in] session session in the midst of a handshake
+ * @param[in] parms Handshake parameters
*
- * Return values:
- * %GNUTLS_E_SUCCESS: Incoming certificate has been successfully verified
- * %GNUTLS_E_CERTIFICATE_ERROR: certificate verification failed
+ * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified
+ * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed
*/
static int tlshd_client_x509_verify_function(gnutls_session_t session,
struct tlshd_handshake_parms *parms)
@@ -313,6 +390,13 @@ static int tlshd_client_x509_verify_function(gnutls_session_t session,
return GNUTLS_E_SUCCESS;
}
+/**
+ * @brief Verify the remote peer's x.509 certificate (TLSv1.3)
+ * @param[in] session session in the midst of a handshake
+ *
+ * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified
+ * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed
+ */
static int tlshd_tls13_client_x509_verify_function(gnutls_session_t session)
{
struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
@@ -320,6 +404,10 @@ static int tlshd_tls13_client_x509_verify_function(gnutls_session_t session)
return tlshd_client_x509_verify_function(session, parms);
}
+/**
+ * @brief Initiate an x.509-based TLS handshake with a client certificate
+ * @param[in] parms Handshake parameters
+ */
static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
@@ -384,6 +472,11 @@ out_free_creds:
gnutls_certificate_free_credentials(xcred);
}
+/**
+ * @brief Initiate one PSK-based handshake
+ * @param[in] parms Handshake parameters
+ * @param[in] peerid Serial number of local peer ID to present
+ */
static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *parms,
key_serial_t peerid)
{
@@ -475,6 +568,10 @@ out_free_creds:
free(identity);
}
+/**
+ * @brief Initiate an PSK-based TLS handshake
+ * @param[in] parms Handshake parameters
+ */
static void tlshd_tls13_client_psk_handshake(struct tlshd_handshake_parms *parms)
{
key_serial_t peerid;
@@ -498,9 +595,8 @@ static void tlshd_tls13_client_psk_handshake(struct tlshd_handshake_parms *parms
}
/**
- * tlshd_tls13_clienthello_handshake - send a TLSv1.3 ClientHello
- * @parms: handshake parameters
- *
+ * @brief Send a TLSv1.3 ClientHello
+ * @param[in] parms Handshake parameters
*/
void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
@@ -521,6 +617,13 @@ void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms)
}
#ifdef HAVE_GNUTLS_QUIC
+/**
+ * @brief Verify the remote peer's x.509 certificate (QUIC)
+ * @param[in] session session in the midst of a handshake
+ *
+ * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified
+ * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed
+ */
static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
@@ -530,6 +633,10 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
#define TLSHD_QUIC_NO_CERT_AUTH 3
+/**
+ * @brief Prepare a session for a QUIC client handshake using an x.509 cert
+ * @param[in] conn
+ */
static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
@@ -593,12 +700,20 @@ err:
tlshd_log_gnutls_error(ret);
}
+/**
+ * @brief Prepare a session for a QUIC client handshake using no authentication
+ * @param[in] conn
+ */
static void tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
{
conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH;
tlshd_quic_client_set_x509_session(conn);
}
+/**
+ * @brief Prepare a session for a QUIC client handshake using a pre-shared key
+ * @param[in] conn
+ */
static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
{
key_serial_t peerid = g_array_index(conn->parms->peerids, key_serial_t, 0);
@@ -642,9 +757,8 @@ err:
}
/**
- * tlshd_quic_clienthello_handshake - send a QUIC Client Initial
- * @parms: handshake parameters
- *
+ * @brief Send a QUIC Client Initial
+ * @param[in] parms Handshake parameters
*/
void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
@@ -680,6 +794,10 @@ out:
tlshd_quic_conn_destroy(conn);
}
#else
+/**
+ * @brief Send a QUIC Client Initial
+ * @param[in] parms Handshake parameters
+ */
void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
{
tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode);
--
2.51.0
next prev parent reply other threads:[~2025-09-26 1:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-26 1:21 [PATCH v1 00/16] Create gh-pages for ktls-utils Chuck Lever
2025-09-26 1:21 ` [PATCH v1 01/16] tlshd: Add kernel's quic.h Chuck Lever
2025-09-26 1:21 ` [PATCH v1 02/16] tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup Chuck Lever
2025-09-26 1:21 ` [PATCH v1 03/16] tlshd: set conn errcode to EACCES on GnuTLS failure in QUIC handshake Chuck Lever
2025-09-26 1:21 ` Chuck Lever [this message]
2025-09-26 1:21 ` [PATCH v1 05/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/config.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 06/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/handshake.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 07/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/keyring.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 08/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/ktls.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 09/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/log.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 10/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/main.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 11/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/netlink.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 12/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/quic.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 13/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/server.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 14/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/tlshd.h Chuck Lever
2025-09-26 1:22 ` [PATCH v1 15/16] Build Doxygen web site Chuck Lever
2025-09-26 1:22 ` [PATCH v1 16/16] workflows: Generate gh-pages automatically Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250926012207.3642990-5-cel@kernel.org \
--to=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=lucien.xin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.