
Add TLS support #155

Merged
danielealbano merged 35 commits into main from 152-add-tls-support on Jul 13, 2022
Conversation

danielealbano (Owner)
This PR contains a number of changes, the vast majority TLS related, although there are some minor fixes for the tests, some general code coverage improvement, some bug fixes for the worker statistics, etc.

The TLS support has been implemented via mbedTLS 2, and TLS is supported up to TLS 1.2; TLS 1.3 should work but hasn't been fully tested. OpenSSL has been dropped from the build, although it's still needed for sentry, and some code used for the benchmarks (or rather, unused) that was using its big number implementation has been commented out because it can't really be ported to openssl and needs rewriting.

The PR also contains the necessary changes to enable the kernel offload (kTLS) if the chosen cipher is supported; this considerably speeds up the operations, especially if the network card supports TLS offloading (e.g. Mellanox ConnectX-6) or hardware encryption/decryption is supported.

Three new statistics have been introduced:

  • total accepted_tls_connections
  • total active_tls_connections
  • per_minute accepted_tls_connections

A new command line option has been introduced to make it easy to enumerate the supported ciphers; it also indicates if kTLS is supported, e.g.

Available TLS cipher suites:

+-----------------------------------------------+-------------+-------------+------------+
| Cipher Suite                                  | Min Version | Max Version | Offloading |
+-----------------------------------------------+-------------+-------------+------------+
| TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256   |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256     |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384       |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384         |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-DHE-RSA-WITH-AES-256-GCM-SHA384           |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-ECDHE-ECDSA-WITH-AES-256-CCM              |     TLS 1.2 |     TLS 1.2 |            |
...
| TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384          |     TLS 1.0 |     TLS 1.2 |            |
| TLS-PSK-WITH-AES-256-CCM-8                    |     TLS 1.2 |     TLS 1.2 |            |
| TLS-PSK-WITH-AES-128-GCM-SHA256               |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-PSK-WITH-AES-128-CCM                      |     TLS 1.2 |     TLS 1.2 |       kTLS |
| TLS-PSK-WITH-AES-128-CBC-SHA256               |     TLS 1.0 |     TLS 1.2 |            |
| TLS-PSK-WITH-AES-128-CBC-SHA                  |     TLS 1.0 |     TLS 1.2 |            |
| TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256          |     TLS 1.2 |     TLS 1.2 |            |
| TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256          |     TLS 1.0 |     TLS 1.2 |            |
| TLS-PSK-WITH-AES-128-CCM-8                    |     TLS 1.2 |     TLS 1.2 |       kTLS |
+-----------------------------------------------+-------------+-------------+------------+

Code coverage is probably not great with this PR, will improve it in separated PRs.

Closes #152
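The cipher table above only marks the AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305) as offloadable, which matches what the Linux kTLS record layer can carry. The following is an added example, not code from this PR or from the project: it maps an mbedTLS-style suite name to the kernel's cipher type, serialises one direction's record keys into the `struct tls12_crypto_info_*` byte layout that `setsockopt(SOL_TLS)` expects, and attaches the `tls` ULP. The numeric constants mirror the Linux uapi header `<linux/tls.h>` (defined locally so the file also builds where that header is absent); the key material is constructed for the demo, where a real server would take it from the handshake (mbedTLS 2.x exposes a key-export callback for that). CCM-8 is treated as not offloadable here because the kernel's `TLS_CIPHER_AES_CCM_128` uses a 16-byte tag; the project's own detection may differ.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

/* Mirrored from <linux/tls.h>. kTLS knows only these four AEAD record ciphers:
 * CBC suites, and anything else, stay in user space (mbedTLS). */
#define KTLS_TLS_1_2_VERSION          0x0303
#define KTLS_CIPHER_AES_GCM_128       51
#define KTLS_CIPHER_AES_GCM_256       52
#define KTLS_CIPHER_AES_CCM_128       53
#define KTLS_CIPHER_CHACHA20_POLY1305 54
#define KTLS_SOL_TLS                  282
#define KTLS_TX                       1
#define KTLS_RX                       2
#ifndef TCP_ULP
#define TCP_ULP                       31
#endif

/* Layout of struct tls12_crypto_info_*: {version,type} | iv | key | salt | rec_seq. */
struct ktls_cipher_profile {
    uint16_t cipher_type;
    size_t   iv_len;    /* explicit nonce (AES) or full 12-byte write_IV (ChaCha20) */
    size_t   key_len;
    size_t   salt_len;  /* implicit 4-byte write_IV for AES-GCM/CCM, none for ChaCha20 */
};

/* Map an mbedTLS-style suite name, e.g. "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
 * to a kTLS profile. Returns 1 if the kernel can carry the record layer, else 0. */
static int ktls_cipher_profile(const char *suite, struct ktls_cipher_profile *out) {
    const char *p;
    if (strstr(suite, "-AES-128-GCM-")) {
        *out = (struct ktls_cipher_profile){ KTLS_CIPHER_AES_GCM_128, 8, 16, 4 };
    } else if (strstr(suite, "-AES-256-GCM-")) {
        *out = (struct ktls_cipher_profile){ KTLS_CIPHER_AES_GCM_256, 8, 32, 4 };
    } else if ((p = strstr(suite, "-AES-128-CCM")) && p[strlen("-AES-128-CCM")] == '\0') {
        /* exact suffix: "-AES-128-CCM-8" (8-byte tag) is not a kernel cipher type */
        *out = (struct ktls_cipher_profile){ KTLS_CIPHER_AES_CCM_128, 8, 16, 4 };
    } else if (strstr(suite, "-CHACHA20-POLY1305-")) {
        *out = (struct ktls_cipher_profile){ KTLS_CIPHER_CHACHA20_POLY1305, 12, 32, 0 };
    } else {
        return 0;
    }
    return 1;
}

/* Serialise one direction's keys (client_write_* or server_write_* from the TLS 1.2
 * key block) into the setsockopt(SOL_TLS) layout. seq is the next record sequence
 * number. Returns the struct length, or 0 if the lengths do not fit the profile. */
static size_t ktls_build_crypto_info(const struct ktls_cipher_profile *prof,
                                     const uint8_t *key, size_t key_len,
                                     const uint8_t *write_iv, size_t write_iv_len,
                                     uint64_t seq, uint8_t *buf, size_t buf_len) {
    size_t need = 4 + prof->iv_len + prof->key_len + prof->salt_len + 8;
    size_t fixed_iv_len = prof->salt_len ? prof->salt_len : prof->iv_len; /* 4 AES, 12 ChaCha20 */
    uint16_t version = KTLS_TLS_1_2_VERSION, type = prof->cipher_type;
    uint8_t seq_be[8], *out = buf;
    if (key_len != prof->key_len || write_iv_len != fixed_iv_len || buf_len < need) return 0;
    for (int i = 0; i < 8; i++) seq_be[i] = (uint8_t)(seq >> (56 - 8 * i));
    memcpy(out, &version, 2); out += 2;
    memcpy(out, &type, 2);    out += 2;
    if (prof->salt_len) memcpy(out, seq_be, prof->iv_len);    /* AES: explicit nonce starts at seq */
    else                memcpy(out, write_iv, prof->iv_len);  /* ChaCha20: whole write_IV is the nonce base */
    out += prof->iv_len;
    memcpy(out, key, prof->key_len);        out += prof->key_len;
    memcpy(out, write_iv, prof->salt_len);  out += prof->salt_len;
    memcpy(out, seq_be, 8);
    return need;
}

/* Attach the "tls" ULP (idempotent: EEXIST means it is already there), then install
 * TX and/or RX state. From here on the application must read/write plaintext on fd;
 * letting mbedTLS encrypt as well would double-encrypt. Returns 0 or -errno. */
static int ktls_enable(int fd, int direction, const uint8_t *info, size_t len) {
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) < 0 && errno != EEXIST)
        return -errno;
    if (setsockopt(fd, KTLS_SOL_TLS, direction, info, (socklen_t)len) < 0)
        return -errno;
    return 0;
}

int main(void) {
    const char *suite = "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384";
    struct ktls_cipher_profile prof;
    uint8_t key[32], write_iv[4], info[64];
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)i;               /* constructed, not a real key */
    for (size_t i = 0; i < sizeof write_iv; i++) write_iv[i] = (uint8_t)(0xA0 + i);
    if (!ktls_cipher_profile(suite, &prof)) { printf("%s: no kTLS offload\n", suite); return 0; }
    size_t len = ktls_build_crypto_info(&prof, key, sizeof key, write_iv, sizeof write_iv, 1, info, sizeof info);
    printf("%s: cipher_type=%u crypto_info=%zu bytes\n", suite, prof.cipher_type, len);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc = ktls_enable(fd, KTLS_TX, info, len); /* on an unconnected socket, or without the tls module, this reports the errno */
    printf("ktls_enable: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```

In a real server the `ktls_enable` call goes right after the mbedTLS handshake completes and before any application data is sent, with `KTLS_TX` and `KTLS_RX` installed separately from the two halves of the key block; the suite check is what decides whether the connection stays on the mbedTLS record layer instead.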

… network_receive_to_buffer to operate on the internal buffer structs
…end/close and add support for select-able cipher suites and min/max tls versions
…racter from the line ending that wasn't a new line
…heus module, improve tls management, add a command line option to list the supported tls ciphers, the min/max version and if they are supported by ktls, way too many other things
@danielealbano danielealbano added bug Something isn't working enhancement New feature or request labels Jul 12, 2022
@danielealbano danielealbano added this to the v0.2 milestone Jul 12, 2022
@danielealbano danielealbano self-assigned this Jul 12, 2022
@danielealbano danielealbano linked an issue Jul 12, 2022 that may be closed by this pull request
codecov bot commented Jul 12, 2022

Codecov Report

Merging #155 (0d65210) into main (64f0b88) will decrease coverage by 3.07%.
The diff coverage is 51.90%.

@@            Coverage Diff             @@
##             main     #155      +/-   ##
==========================================
- Coverage   81.04%   77.97%   -3.08%     
==========================================
  Files          88       92       +4     
  Lines        5514     6130     +616     
==========================================
+ Hits         4469     4780     +311     
- Misses       1045     1350     +305     
Impacted Files                                        Coverage   Diff      Δ
src/config_cyaml_schema.c                             100.00%    <ø>       (ø)
src/log/sink/log_sink_file.c                           42.85%    <0.00%>   (ø)
src/network/io/network_io_common.c                     94.07%    <ø>       (-0.08%) ⬇️
src/program.c                                          26.33%    <0.00%>   (-2.92%) ⬇️
src/program_arguments.c                                92.98%    <0.00%>   (-5.17%) ⬇️
src/network/channel/network_channel_tls.c               1.24%    <1.24%>   (ø)
src/worker/network/worker_network_iouring_op.c         69.67%    <18.51%>  (-9.87%) ⬇️
src/worker/network/worker_network_op.c                 70.96%    <43.85%>  (-15.18%) ⬇️
src/network/network_tls.c                              72.22%    <72.22%>  (ø)
src/worker/worker.c                                    81.17%    <81.81%>  (-0.19%) ⬇️
... and 14 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

lgtm-com bot (Contributor) commented Jul 12, 2022

This pull request introduces 2 alerts when merging 18b725c into 64f0b88.

new alerts:

  • 1 for Expression has no effect
  • 1 for Missing return statement

lgtm-com bot (Contributor) commented Jul 13, 2022

This pull request introduces 1 alert when merging 0d65210 into 64f0b88.

new alerts:

  • 1 for Expression has no effect

@danielealbano danielealbano merged commit 40e43cd into main Jul 13, 2022
@danielealbano danielealbano deleted the 152-add-tls-support branch July 13, 2022 06:23