From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Xin Long <lucien.xin@gmail.com>, Chuck Lever <chuck.lever@oracle.com>
Subject: [PATCH v1 13/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/server.c
Date: Thu, 25 Sep 2025 21:22:02 -0400 [thread overview]
Message-ID: <20250926012207.3642990-14-cel@kernel.org> (raw)
In-Reply-To: <20250926012207.3642990-1-cel@kernel.org>
From: Chuck Lever <chuck.lever@oracle.com>
I started the ktls-utils project using the Linux kernel flavor of
Doxygen commenting which user-space Doxygen does not recognize by
default.
Convert existing comments in server.c to what a normal user space
Doxygen run expects to see. This will enable deployment of an
automatically-generated documentation web site.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/server.c | 203 +++++++++++++++++++++++++++++++++++++++------
1 file changed, 177 insertions(+), 26 deletions(-)
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 8bb769ff9f74..ca084a1a754b 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -1,9 +1,13 @@
-/*
- * Perform a TLSv1.3 server-side handshake.
+/**
+ * @file server.c
+ * @brief Perform a TLSv1.3 server-side handshake
*
+ * @copyright
* Copyright (c) 2023 Oracle and/or its affiliates.
* Copyright (c) 2024 Red Hat, Inc.
- *
+ */
+
+/*
* ktls-utils is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; version 2.
@@ -42,13 +46,50 @@
#include "tlshd.h"
#include "netlink.h"
+/**
+ * @var gnutls_privkey_t tlshd_server_pq_privkey
+ * Server peer's post-quantum private key
+ */
static gnutls_privkey_t tlshd_server_pq_privkey;
+
+/**
+ * @var gnutls_privkey_t tlshd_server_privkey
+ * Server peer's RSA private key
+ */
static gnutls_privkey_t tlshd_server_privkey;
+
+/**
+ * @var unsigned int tlshd_server_pq_certs_len
+ * Count of server peer's PQ certificates
+ */
static unsigned int tlshd_server_pq_certs_len = TLSHD_MAX_CERTS;
+
+/**
+ * @var unsigned int tlshd_server_certs_len
+ * Count of server peer's certificates
+ */
static unsigned int tlshd_server_certs_len = TLSHD_MAX_CERTS;
+
+/**
+ * @var gnutls_pcert_st tlshd_server_certs
+ * Server peer's certificates
+ */
static gnutls_pcert_st tlshd_server_certs[TLSHD_MAX_CERTS];
+
+/**
+ * @var gnutls_pk_algorithm_t tlshd_server_pq_pkalg
+ * Server peer certificate's public key algorithms
+ */
static gnutls_pk_algorithm_t tlshd_server_pq_pkalg = GNUTLS_PK_UNKNOWN;
+/**
+ * @brief Retrieve server certificates to be used for ServerHello
+ * @param[in] parms Handshake parameters
+ *
+ * @retval true Server certificates were found. Caller must release
+ * the certificates using tlshd_x509_server_put_certs.
+ * @retval false No usable server certificates were found
+ */
static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms)
{
if (parms->x509_cert != TLS_NO_CERT)
@@ -61,6 +102,9 @@ static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms)
&tlshd_server_pq_pkalg);
}
+/**
+ * @brief Release server certificates that were used for ServerHello
+ */
static void tlshd_x509_server_put_certs(void)
{
unsigned int i;
@@ -69,6 +113,14 @@ static void tlshd_x509_server_put_certs(void)
gnutls_pcert_deinit(&tlshd_server_certs[i]);
}
+/**
+ * @brief Retrieve the private key to be used for ServerHello
+ * @param[in] parms Handshake parameters
+ *
+ * @retval true Private key was found. Caller must release the
+ * private key using tlshd_x509_server_put_privkey.
+ * @retval false No usable private key was found
+ */
static bool tlshd_x509_server_get_privkey(struct tlshd_handshake_parms *parms)
{
if (parms->x509_privkey != TLS_NO_PRIVKEY)
@@ -79,12 +131,20 @@ static bool tlshd_x509_server_get_privkey(struct tlshd_handshake_parms *parms)
&tlshd_server_privkey);
}
+/**
+ * @brief Release the private key that was used for ServerHello
+ */
static void tlshd_x509_server_put_privkey(void)
{
gnutls_privkey_deinit(tlshd_server_pq_privkey);
gnutls_privkey_deinit(tlshd_server_privkey);
}
+/**
+ * @brief Audit trust chain of incoming client certificate
+ * @param[in] req_ca_rdn
+ * @param[in] nreqs
+ */
static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
{
char issuer_dn[256];
@@ -107,7 +167,18 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
}
/**
- * tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity
+ * @brief Initialize the server peer's x.509 identity
+ * @param[in] session session in the midst of a handshake
+ * @param[in] req_ca_rdn
+ * @param[in] nreqs
+ * @param[in] pk_algos
+ * @param[in] pk_algos_length
+ * @param[out] pcert
+ * @param[out] pcert_length
+ * @param[out] privkey
+ *
+ * @retval 0 Success; output parameters are set accordingly
+ * @retval -1 Failure
*
* Callback function is of type gnutls_certificate_retrieve_function2
*
@@ -115,10 +186,6 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
* gnutls/doc/examples/ex-cert-select.c.
*
* Sketched-in and untested.
- *
- * Return values:
- * %0: Success; output parameters are set accordingly
- * %-1: Failure
*/
static int
tlshd_x509_retrieve_key_cb(gnutls_session_t session,
@@ -197,6 +264,13 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t session,
return 0;
}
+/**
+ * @brief Initialize server-side trust store
+ * @param[out] cred Trust store to initialize
+ *
+ * @returns a GnuTLS error code. Caller must release credentials
+ * using gnutls_certificate_free_credentials(3).
+ */
static int tlshd_server_get_truststore(gnutls_certificate_credentials_t cred)
{
char *pathname;
@@ -227,9 +301,9 @@ static int tlshd_server_get_truststore(gnutls_certificate_credentials_t cred)
}
/**
- * tlshd_server_x509_verify_function - Verify remote's x.509 certificate
- * @session: session in the midst of a handshake
- * @parms: handshake parameters
+ * @brief Verify remote's x.509 certificate
+ * @param[in] session Session in the midst of a handshake
+ * @param[in] parms Handshake parameters
*
* A return value of %GNUTLS_E_SUCCESS indicates that the TLS session
* has been allowed to continue. tlshd either sets the peerid array if
@@ -299,6 +373,13 @@ certificate_error:
return GNUTLS_E_CERTIFICATE_ERROR;
}
+/**
+ * @brief Verify a remote peer's x.509 certificate (TLSv1.3)
+ * @param[in] session session in the midst of a handshake
+ *
+ * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified
+ * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed
+ */
static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
{
struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
@@ -306,6 +387,10 @@ static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
return tlshd_server_x509_verify_function(session, parms);
}
+/**
+ * @brief Process an x.509-based TLS handshake with a server certificate
+ * @param[in] parms Handshake parameters
+ */
static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_certificate_credentials_t xcred;
@@ -386,17 +471,16 @@ out_free_creds:
}
/**
- * tlshd_server_psk_cb - Validate remote's username
- * @session: session in the midst of a handshake
- * @username: remote's username
- * @key: PSK matching @username
+ * @brief Validate the remote peer's username
+ * @param[in] session Session in the midst of a handshake
+ * @param[in] username Remote peer's username
+ * @param[in] key PSK matching "username"
*
- * Searches for a key with description @username in the session
- * keyring, and stores the PSK data in @key if found.
+ * Searches for a key with description "username" in the session
+ * keyring, and stores the PSK data in "key" if found.
*
- * Return values:
- * %0: Matching key has been stored in @key
- * %-1: Error during lookup, @key is not updated
+ * @retval 0 Matching key has been stored in "key"
+ * @retval -1 Error during lookup, "key" is not updated
*/
static int tlshd_server_psk_cb(gnutls_session_t session,
const char *username, gnutls_datum_t *key)
@@ -426,6 +510,10 @@ static int tlshd_server_psk_cb(gnutls_session_t session,
return 0;
}
+/**
+ * @brief Process an PSK-based TLS handshake (TLSv1.3)
+ * @param[in] parms Handshake parameters
+ */
static void tlshd_tls13_server_psk_handshake(struct tlshd_handshake_parms *parms)
{
gnutls_psk_server_credentials_t psk_cred;
@@ -471,9 +559,8 @@ out_free_creds:
}
/**
- * tlshd_tls13_serverhello_handshake - send a TLSv1.3 ServerHello
- * @parms: handshake parameters
- *
+ * @brief Send a TLSv1.3 ServerHello
+ * @param[in] parms Handshake parameters
*/
void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
@@ -491,6 +578,17 @@ void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms)
}
#ifdef HAVE_GNUTLS_QUIC
+/**
+ * @brief Verify the ALPNs presented by a remote peer
+ * @param[in] session
+ * @param[in] htype
+ * @param[in] when
+ * @param[in] incoming
+ * @param[in] msg
+ *
+ * @retval 0 ALPN verification was successful
+ * @retval -1 ALPN verification failed
+ */
static int tlshd_quic_server_alpn_verify(gnutls_session_t session, unsigned int htype,
unsigned int when, unsigned int incoming,
const gnutls_datum_t *msg)
@@ -515,6 +613,25 @@ static int tlshd_quic_server_alpn_verify(gnutls_session_t session, unsigned int
return 0;
}
+/**
+ * @brief Anti-reply protection
+ * @param[in] dbf
+ * @param[in] exp_time
+ * @param[in] key
+ * @param[in] data
+ *
+ * Currently, tlshd handles each handshake request in a new process
+ * rather than a thread. As a result, it cannot share the
+ * gnutls_anti_replay_t object across processes. This causes 0-RTT
+ * data to be automatically disabled, since
+ * _gnutls_anti_replay_check() fails validation in the absence of a
+ * shared anti-replay context.
+ *
+ * To properly support 0-RTT data, we need to enable sharing of the
+ * gnutls_anti_replay_t object across processes in some way.
+ *
+ * @retval 0 Not a replay
+ */
static int tlshd_quic_server_anti_replay_db_add_func(void *dbf, time_t exp_time,
const gnutls_datum_t *key,
const gnutls_datum_t *data)
@@ -523,8 +640,19 @@ static int tlshd_quic_server_anti_replay_db_add_func(void *dbf, time_t exp_time,
return 0;
}
+/**
+ * @var gnutls_anti_replay_t tlshd_quic_server_anti_replay
+ * Shared anti-replay context
+ */
static gnutls_anti_replay_t tlshd_quic_server_anti_replay;
+/**
+ * @brief Verify a remote peer's x.509 certificate (QUIC)
+ * @param[in] session session in the midst of a handshake
+ *
+ * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified
+ * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed
+ */
static int tlshd_quic_server_x509_verify_function(gnutls_session_t session)
{
struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session);
@@ -532,6 +660,18 @@ static int tlshd_quic_server_x509_verify_function(gnutls_session_t session)
return tlshd_server_x509_verify_function(session, conn->parms);
}
+/**
+ * @brief Validate the remote peer's username
+ * @param[in] session Session in the midst of a handshake
+ * @param[in] username Remote peer's username
+ * @param[in] key PSK matching "username"
+ *
+ * Searches for a key with description "username" in the session
+ * keyring, and stores the PSK data in "key" if found.
+ *
+ * @retval 0 Matching key has been stored in "key"
+ * @retval -1 Error during lookup, "key" is not updated
+ */
static int tlshd_quic_server_psk_cb(gnutls_session_t session, const char *username,
gnutls_datum_t *key)
{
@@ -562,6 +702,10 @@ found:
return 0;
}
+/**
+ * @brief Prepare a session for a QUIC server handshake using an x.509 cert
+ * @param[in] conn
+ */
static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
@@ -631,6 +775,10 @@ err:
tlshd_log_gnutls_error(ret);
}
+/**
+ * @brief Prepare a session for a QUIC client handshake using a pre-shared key
+ * @param[in] conn
+ */
static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
{
gnutls_psk_server_credentials_t cred;
@@ -665,9 +813,8 @@ err:
}
/**
- * tlshd_quic_serverhello_handshake - send a QUIC Server Initial
- * @parms: handshake parameters
- *
+ * @brief Send a QUIC Server Initial
+ * @param[in] parms Handshake parameters
*/
void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
@@ -699,6 +846,10 @@ out:
tlshd_quic_conn_destroy(conn);
}
#else
+/**
+ * @brief Send a QUIC Server Initial
+ * @param[in] parms Handshake parameters
+ */
void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
{
tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode);
--
2.51.0
next prev parent reply other threads:[~2025-09-26 1:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-26 1:21 [PATCH v1 00/16] Create gh-pages for ktls-utils Chuck Lever
2025-09-26 1:21 ` [PATCH v1 01/16] tlshd: Add kernel's quic.h Chuck Lever
2025-09-26 1:21 ` [PATCH v1 02/16] tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup Chuck Lever
2025-09-26 1:21 ` [PATCH v1 03/16] tlshd: set conn errcode to EACCES on GnuTLS failure in QUIC handshake Chuck Lever
2025-09-26 1:21 ` [PATCH v1 04/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/client.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 05/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/config.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 06/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/handshake.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 07/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/keyring.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 08/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/ktls.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 09/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/log.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 10/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/main.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 11/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/netlink.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 12/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/quic.c Chuck Lever
2025-09-26 1:22 ` Chuck Lever [this message]
2025-09-26 1:22 ` [PATCH v1 14/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/tlshd.h Chuck Lever
2025-09-26 1:22 ` [PATCH v1 15/16] Build Doxygen web site Chuck Lever
2025-09-26 1:22 ` [PATCH v1 16/16] workflows: Generate gh-pages automatically Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250926012207.3642990-14-cel@kernel.org \
--to=cel@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=lucien.xin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox