librustls: add kTLS support

Add `rustls_connection_ktls_secrets`, which consumes `rustls_connection` to
generate tx and rx secrets for kTLS.  Secrets are borrowed and passed to a
callback.

```c
static rustls_io_result
ktls_secrets_callback(void *userdata,
    const uint8_t *rx_buf, size_t rx_n,
    const uint8_t *tx_buf, size_t tx_n)
{
    int result;
    int fd = *(int*)userdata;

    result = setsockopt(fd, SOL_TCP, TCP_ULP, "tls", 4);
    if (result < 0) return result;

    result = setsockopt(fd, SOL_TLS, TLS_RX, rx_buf, rx_n);
    if (result < 0) return result;

    result = setsockopt(fd, SOL_TLS, TLS_TX, tx_buf, tx_n);
    if (result < 0) return result;

    return 0;
}
```

```c
int fd /* = ... */;
struct rustls_connection * connection /* = ... */;

while (rustls_connection_is_handshaking(connection)) {
    /* process reads and writes */
}

while (rustls_connection_wants_write(connection)) {
    /* flush outbound packets */
}

rustls_result result = rustls_connection_ktls_secrets(connection
    ktls_secrets_callback, &fd);
```

In order to use `rustls_connection_ktls_secrets`, secret extraction must be
enabled via `rustls_*_config_builder_set_enable_secret_extraction`.

Author: pallas

Cargo.lock

@@ -10,7 +10,7 @@ repository = "https://github.com/rustls/rustls-ffi"
 categories = ["network-programming", "cryptography"]
 edition = "2021"
 links = "rustls_ffi"
-rust-version = "1.71"
+rust-version = "1.75"
 
 [features]
 default = ["aws-lc-rs", "prefer-post-quantum"]
@@ -27,6 +27,7 @@ aws-lc-rs = ["rustls/aws-lc-rs", "webpki/aws-lc-rs"]
 cert_compression = ["rustls/brotli", "rustls/zlib"]
 fips = ["rustls/fips", "webpki/aws-lc-rs-fips"]
 prefer-post-quantum = ["aws-lc-rs", "rustls/prefer-post-quantum"]
+ktls = []
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs
@@ -36,6 +37,9 @@ libc = { workspace = true }
 log = { workspace = true }
 rustls-platform-verifier = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+ktls = "6.0.2"
+
 [lib]
 name = "rustls_ffi"
 crate-type = ["lib", "staticlib"]

librustls/Cargo.toml

@@ -41,7 +41,8 @@ include = ["rustls_tls_version"]
 "feature = aws-lc-rs" = "DEFINE_AWS_LC_RS"
 "feature = ring" = "DEFINE_RING"
 "feature = fips" = "DEFINE_FIPS"
+"feature = ktls" = "DEFINE_KTLS"
 
 [parse.expand]
 crates = ["rustls-ffi"]
-features = ["read_buf", "aws-lc-rs", "ring", "fips"]
+features = ["read_buf", "aws-lc-rs", "ring", "fips", "ktls"]

librustls/cbindgen.toml

@@ -25,6 +25,15 @@ option(
     "Whether to enable aws-lc-rs and prefer post-quantum key exchange support"
 )
 
+option(KTLS "Whether to enable kTLS")
+
+if (KTLS AND (APPLE OR WIN32))
+    message(
+        FATAL_ERROR
+        "kTLS is not supported with MacOS or Windows"
+    )
+endif()
+
 option(DYN_LINK "Use dynamic linking for rustls library" OFF)
 
 if(DYN_LINK AND FIPS AND (APPLE OR WIN32))
@@ -54,6 +63,10 @@ if(PREFER_POST_QUANTUM)
     list(APPEND CARGO_FEATURES --features=prefer-post-quantum)
 endif()
 
+if(KTLS)
+    list(APPEND CARGO_FEATURES --features=ktls)
+endif()
+
 # By default w/ Makefile or Ninja generators (e.g. Linux/MacOS CLI)
 # the `CMAKE_BUILD_TYPE` is "" when using the C/C++ project tooling.
 #

librustls/cmake/options.cmake

@@ -54,6 +54,7 @@ pub(crate) struct ClientConfigBuilder {
     cert_resolver: Option<Arc<dyn ResolvesClientCert>>,
     key_log: Option<Arc<dyn KeyLog>>,
     ech_mode: Option<EchMode>,
+    enable_secret_extraction: bool,
 }
 
 impl Default for ClientConfigBuilder {
@@ -72,6 +73,7 @@ impl Default for ClientConfigBuilder {
             cert_resolver: None,
             key_log: None,
             ech_mode: None,
+            enable_secret_extraction: false,
         }
     }
 }
@@ -272,6 +274,18 @@ impl rustls_client_config_builder {
         }
     }
 
+    /// Enable or disable secret extraction, e.g. for kTLS.
+    #[no_mangle]
+    pub extern "C" fn rustls_client_config_builder_set_enable_secret_extraction(
+        config: *mut rustls_client_config_builder,
+        enable: bool,
+    ) {
+        ffi_panic_boundary! {
+            let config = try_mut_from_ptr!(config);
+            config.enable_secret_extraction = enable;
+        }
+    }
+
     /// Provide the configuration a list of certificates where the connection
     /// will select the first one that is compatible with the server's signature
     /// verification capabilities.
@@ -529,6 +543,7 @@ impl rustls_client_config_builder {
             };
             config.alpn_protocols = builder.alpn_protocols;
             config.enable_sni = builder.enable_sni;
+            config.enable_secret_extraction = builder.enable_secret_extraction;
 
             if let Some(key_log) = builder.key_log {
                 config.key_log = key_log;

librustls/src/client.rs

@@ -10,6 +10,8 @@ use rustls::{ClientConnection, ServerConnection};
 use crate::certificate::rustls_certificate;
 use crate::enums::rustls_handshake_kind;
 use crate::error::{map_error, rustls_io_result, rustls_result};
+#[cfg(feature = "ktls")]
+use crate::ffi::try_box_from_ptr;
 use crate::ffi::{
     box_castable, free_box, try_callback, try_mut_from_ptr, try_ref_from_ptr, try_slice,
     try_slice_mut,
@@ -97,6 +99,17 @@ box_castable! {
     pub struct rustls_connection(Connection);
 }
 
+#[cfg(feature = "ktls")]
+pub type rustls_ktls_secrets_callback = Option<
+    unsafe extern "C" fn(
+        userdata: *mut c_void,
+        rx_buf: *const c_void,
+        rx_n: size_t,
+        tx_buf: *const c_void,
+        tx_n: size_t,
+    ) -> rustls_io_result,
+>;
+
 impl rustls_connection {
     /// Set the userdata pointer associated with this connection. This will be passed
     /// to any callbacks invoked by the connection, if you've set up callbacks in the config.
@@ -302,6 +315,47 @@ impl rustls_connection {
         }
     }
 
+    /// Extract secrets and consume connection.  Must not be called twice
+    /// with the same value.  Secrets are borrowed in `callback` and should
+    /// not be retained across calls.  The `userdata` parameter is passed
+    /// through directly to `callback`.  Note that this is distinct from the
+    /// `userdata` parameter set with `rustls_connection_set_userdata`.
+    #[cfg(feature = "ktls")]
+    #[no_mangle]
+    pub extern "C" fn rustls_connection_ktls_secrets(
+        conn: *mut rustls_connection,
+        callback: rustls_ktls_secrets_callback,
+        userdata: *mut c_void,
+    ) -> rustls_result {
+        ffi_panic_boundary! {
+            if conn.is_null() {
+                return rustls_result::NullParameter;
+            }
+            let tls = try_box_from_ptr!(conn).conn;
+            let suite = tls.negotiated_cipher_suite().unwrap();
+            match tls.dangerous_extract_secrets() {
+                Ok(extracted_secrets) => {
+                    let Ok(rx) = ktls::CryptoInfo::from_rustls(suite, extracted_secrets.rx) else {
+                        return rustls_result::HandshakeNotComplete;
+                    };
+                    let Ok(tx) = ktls::CryptoInfo::from_rustls(suite, extracted_secrets.tx) else {
+                        return rustls_result::HandshakeNotComplete;
+                    };
+                    let callback = try_callback!(callback);
+                    let result = unsafe {
+                        callback(userdata, rx.as_ptr(), rx.size(), tx.as_ptr(), tx.size())
+                    };
+                    match result.0 {
+                        0 => rustls_result::Ok,
+                        _ => rustls_result::KtlsUserCallback,
+                    }
+                }
+                Err(rustls::Error::HandshakeNotComplete) => rustls_result::HandshakeNotComplete,
+                Err(_) => rustls_result::KtlsSecretExtractionDisabled,
+            }
+        }
+    }
+
     /// Sets a limit on the internal buffers used to buffer unsent plaintext (prior
     /// to completing the TLS handshake) and unsent TLS records. By default, there
     /// is no limit. The limit can be set at any time, even if the current buffer

librustls/src/connection.rs

@@ -211,7 +211,11 @@ u32_enum_builder! {
         // From InvalidEncryptedClientHello, with fields that get flattened.
         InvalidEncryptedClientHelloInvalidConfigList => 7700,
         InvalidEncryptedClientHelloNoCompatibleConfig => 7701,
-        InvalidEncryptedClientHelloSniRequired => 7702
+        InvalidEncryptedClientHelloSniRequired => 7702,
+
+        KtlsCompatibility => 7800,
+        KtlsUserCallback => 7801,
+        KtlsSecretExtractionDisabled => 7802
     }
 }
 
@@ -551,6 +555,9 @@ impl Display for rustls_result {
             InvalidEncryptedClientHelloSniRequired => {
                 Error::InvalidEncryptedClientHello(EncryptedClientHelloError::SniRequired).fmt(f)
             }
+            KtlsCompatibility => write!(f, "kTLS compatibility error"),
+            KtlsUserCallback => write!(f, "kTLS user callback"),
+            KtlsSecretExtractionDisabled => write!(f, "kTLS secret extraction disabled"),
         }
     }
 }