Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DTLS decryption threaded #8284

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

DTLS decryption threaded #8284

wants to merge 3 commits into from

Conversation

SparkiDev
Copy link
Contributor

@SparkiDev SparkiDev commented Dec 13, 2024
edited by devin-ai-integration bot
Loading

DTLS Decryption Threaded

This PR adds support for DTLS decryption in separate threads, allowing parallel processing of encrypted packets.

Link to Devin run: https://app.devin.ai/sessions/47c568f4eabb4feea977a16db6ec8682

@SparkiDev SparkiDev self-assigned this Dec 13, 2024
@SparkiDev SparkiDev marked this pull request as draft December 13, 2024 05:20
@SparkiDev SparkiDev force-pushed the dtls_decrypt_threaded branch from 3b76118 to 4fdda82 Compare December 15, 2024 23:46
@SparkiDev
DTLS decryption threaded
dd3a59c 
Add support for decryption in threads for DTLS.
@SparkiDev SparkiDev force-pushed the dtls_decrypt_threaded branch 3 times, most recently from a68f776 to dbb5103 Compare December 17, 2024 10:31
@SparkiDev
Multithreaded encrypt: improvements
3133e2c 
Split out encryption in software for TLSv13.
Call software encryption in async encrypt.
Support ChaCha20-Poly1305.
@SparkiDev SparkiDev force-pushed the dtls_decrypt_threaded branch 7 times, most recently from 97e745f to ae9ce19 Compare December 19, 2024 00:04
@SparkiDev
Multithreaded decrypt: improvements
ed2606e 
Split out decryption in software for TLSv13.
Call software decryption in async decrypt.
Support ChaCha20-Poly1305.
@SparkiDev SparkiDev force-pushed the dtls_decrypt_threaded branch from ae9ce19 to ed2606e Compare December 19, 2024 00:36
@kp-mariappan-ramasamy kp-mariappan-ramasamy mentioned this pull request Jan 7, 2025
Merged
8 tasks
@dgarske dgarske assigned wolfSSL-Bot and unassigned wolfSSL-Bot Jan 24, 2025
julek-wolfssl
julek-wolfssl requested changes Jan 29, 2025
View reviewed changes
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First comments. More tomorrow. This PR would be a good place to add unit testing for threaded crypt and rw.

src/dtls13.c
Comment on lines -959 to +970
if (ret == 0 || ret == WC_NO_ERR_TRACE(WANT_WRITE))
if (ret == 0 || ret == WC_NO_ERR_TRACE(WANT_WRITE)) {
#ifdef WOLFSSL_RW_THREADED
int lockRet = wc_LockMutex(&ssl->dtls13Rtx.mutex);
if (lockRet < 0) {
return lockRet;
}
#endif
Dtls13RtxAddRecord(&ssl->dtls13Rtx, rtxRecord);
#ifdef WOLFSSL_RW_THREADED
wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
#endif
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think its better to use a high level lock. That will avoid any other possible races as well as handle other post-hs messages.

src/tls13.c
Comment on lines -2428 to +2431
static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
int order)
#ifndef WOLFSSL_THREADED_CRYPT
static WC_INLINE
#endif
void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv, int order)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just make this never static?

@dgarske dgarske requested a review from rizlik February 13, 2025 16:10
@rizlik rizlik force-pushed the dtls_decrypt_threaded branch 2 times, most recently from 548f028 to ed2606e Compare February 19, 2025 09:19
@rizlik
Copy link
Contributor

rizlik commented Feb 19, 2025

sorry, force pushed by mistake while reviewing, restored to the original commit

rizlik
rizlik requested changes Feb 19, 2025
View reviewed changes
Copy link
Contributor

@rizlik rizlik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This includes the review of commit e4a661f as this PR is strictly related.
These are some high level comments:

  1. Thread Keys Not Updated After Key Update
    Thread keys are set in SendData the first time a thread is used but are never updated after a key update. This desynchronization leads to errors during decryption.
    I created a small unit test here: https://github.com/rizlik/wolfssl/blob/68d5cfbed6f2bd18a88b2ee5654015bb6598519c/tests/api/test_dtls.c#L604 that should reproduce the issue.

  2. Changed Return Value Semantic of wolfSSL_write
    The return value semantics of wolfSSL_write changed, returning a size even if no data is sent, also the size returned is not equal to the plaintext size. This may apply to decryption side as well. As the application already needs to do some work to setup the threads, it can be an idea to use a separate API for threaded encryption/decryption.

  3. Unit Test Failures with WOLFSSL_THREADED_CRYPT
    Enabling WOLFSSL_THREADED_CRYPT causes multiple unit tests to fail.

  4. Lack of Testing
    These are two very complex features (RW_THREADED and THREADED_CRYPT), but no tests have been added and the current tests are failing.

  5. Lingering Data Sending from Threads
    After the application calls wolfSSL_write(), threads run and encrypt the data. How should the application trigger the sending of the data when ready? Should it use a 0-sized write? If so, it's better to document it. Overall, it might be beneficial to add a new API.

  6. Unclear Feature Scope (DTLS vs. TLS 1.3)
    It's unclear if the feature is only for DTLS or also for TLS 1.3. The code should be modularized better if it's only for DTLS. If it can be used also for TLS 1.3, then the sending and encryption order needs to be maintained AFAIU.

  7. Handling Busy Threads
    If all threads are busy, the current implementation might loop indefinitely. Suggestion: Return WANT_WRITE instead.

  8. Signal Field in ThreadCrypt Struct
    There is a signal field per ThreadCrypt struct, but only a global signal can be set. Suggestion: Either drop the field or allow enabling each thread individually.

  9. Return Values of wolfSSL_Async* API
    The wolfSSL_Async* API should return WOLFSSL_SUCCESS instead of zero.

  10. Lingering Messages in WOLFSSL_RW_THREADED
    There are problems with stale messages if the application is not continuously calling wolfSSL_read()/wolfSSL_write(). Post-handshake messages may remain stale and not be sent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rizlik rizlik rizlik requested changes

@julek-wolfssl julek-wolfssl julek-wolfssl requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@rizlik rizlik

@SparkiDev SparkiDev

@julek-wolfssl julek-wolfssl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@SparkiDev @rizlik @julek-wolfssl @wolfSSL-Bot