aws
diff --git a/‎codebuild/spec/buildspec_ktls_keyupdate.yml
Lines changed: 1 addition & 0 deletions b/‎codebuild/spec/buildspec_ktls_keyupdate.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/features/S2N_KTLS_KEYUPDATE_SUPPORTED.c
Lines changed: 0 additions & 26 deletions b/‎tests/features/S2N_KTLS_KEYUPDATE_SUPPORTED.c
Lines changed: 0 additions & 26 deletions
diff --git a/‎tests/features/S2N_KTLS_KEYUPDATE_SUPPORTED.flags b/‎tests/features/S2N_KTLS_KEYUPDATE_SUPPORTED.flags
diff --git a/‎tests/testlib/s2n_ktls_test_utils.c
Lines changed: 0 additions & 43 deletions b/‎tests/testlib/s2n_ktls_test_utils.c
Lines changed: 0 additions & 43 deletions
diff --git a/‎tests/testlib/s2n_ktls_test_utils.h
Lines changed: 0 additions & 5 deletions b/‎tests/testlib/s2n_ktls_test_utils.h
Lines changed: 0 additions & 5 deletions
diff --git a/‎tests/unit/s2n_key_update_test.c
Lines changed: 12 additions & 17 deletions b/‎tests/unit/s2n_key_update_test.c
Lines changed: 12 additions & 17 deletions
diff --git a/‎tests/unit/s2n_ktls_io_sendfile_test.c
Lines changed: 4 additions & 13 deletions b/‎tests/unit/s2n_ktls_io_sendfile_test.c
Lines changed: 4 additions & 13 deletions
diff --git a/‎tests/unit/s2n_ktls_io_test.c
Lines changed: 21 additions & 53 deletions b/‎tests/unit/s2n_ktls_io_test.c
Lines changed: 21 additions & 53 deletions
@@ -25,6 +25,7 @@ env:
     NIX_CACHE_BUCKET: "s3://s2n-tls-nixcachebucket-x86-64?region=us-west-2"
     NIX_INSTALLER: "https://nixos.org/nix/install"
     S2N_KTLS_TESTING_EXPECTED: 1
+    S2N_KTLS_KEYUPDATE_TESTING_EXPECTED: 1
 phases:
   pre_build:
     commands:
 
@@ -15,8 +15,6 @@
 
 #include "testlib/s2n_ktls_test_utils.h"
 
-#include "testlib/s2n_testlib.h"
-
 S2N_RESULT s2n_ktls_set_control_data(struct msghdr *msg, char *buf, size_t buf_size,
         int cmsg_type, uint8_t record_type);
 S2N_RESULT s2n_ktls_get_control_data(struct msghdr *msg, int cmsg_type, uint8_t *record_type);
@@ -249,44 +247,3 @@ S2N_RESULT s2n_test_records_in_ancillary(struct s2n_test_ktls_io_stuffer *ktls_i
     RESULT_ENSURE_EQ(extra, 0);
     return S2N_RESULT_OK;
 }
-
-int s2n_test_setsockopt_noop(int fd, int level, int optname, const void *optval, socklen_t optlen)
-{
-    return S2N_SUCCESS;
-}
-
-int s2n_test_setsockopt_aes128_tx(int fd, int level, int optname, const void *optval, socklen_t optlen)
-{
-    POSIX_ENSURE_EQ(fd, S2N_TEST_SEND_FD);
-    if (level == S2N_SOL_TLS) {
-        POSIX_ENSURE_EQ(optname, S2N_TLS_TX);
-        POSIX_ENSURE_EQ(optlen, sizeof(s2n_ktls_crypto_info_tls12_aes_gcm_128));
-    } else if (level == S2N_SOL_TCP) {
-        POSIX_ENSURE_EQ(optname, S2N_TCP_ULP);
-        POSIX_ENSURE_EQ(optlen, S2N_TLS_ULP_NAME_SIZE);
-    } else {
-        POSIX_BAIL(S2N_ERR_SAFETY);
-    }
-    return S2N_SUCCESS;
-}
-
-S2N_RESULT s2n_test_configure_connection_for_ktls(struct s2n_connection *conn, uint8_t version, struct s2n_cipher_suite *cipher)
-{
-    RESULT_ENSURE_REF(conn);
-
-    RESULT_GUARD(s2n_ktls_set_setsockopt_cb(s2n_test_setsockopt_noop));
-
-    /* config I/O */
-    RESULT_GUARD_POSIX(s2n_connection_set_write_fd(conn, S2N_TEST_SEND_FD));
-    RESULT_GUARD_POSIX(s2n_connection_set_read_fd(conn, S2N_TEST_RECV_FD));
-    conn->ktls_send_enabled = false;
-    conn->ktls_recv_enabled = false;
-
-    /* set kTLS supported cipher */
-    conn->secure->cipher_suite = cipher;
-    conn->actual_protocol_version = version;
-    /* configure connection so that the handshake is complete */
-    RESULT_GUARD(s2n_skip_handshake(conn));
-
-    return S2N_RESULT_OK;
-}
@@ -18,8 +18,6 @@
 
 #define S2N_TEST_KTLS_MOCK_HEADER_SIZE     3
 #define S2N_TEST_KTLS_MOCK_HEADER_TAG_SIZE 1
-#define S2N_TEST_SEND_FD                   66
-#define S2N_TEST_RECV_FD                   55
 
 /* The record_type is communicated via ancillary data when using kTLS. For this
  * reason s2n must use `send/recvmsg` syscalls rather than `send/read`. To mimic
@@ -76,6 +74,3 @@ S2N_RESULT s2n_test_validate_ancillary(struct s2n_test_ktls_io_stuffer *ktls_io,
         uint8_t expected_record_type, uint16_t expected_len);
 S2N_RESULT s2n_test_records_in_ancillary(struct s2n_test_ktls_io_stuffer *ktls_io,
         uint16_t expected_records);
-int s2n_test_setsockopt_noop(int fd, int level, int optname, const void *optval, socklen_t optlen);
-int s2n_test_setsockopt_aes128_tx(int fd, int level, int optname, const void *optval, socklen_t optlen);
-S2N_RESULT s2n_test_configure_connection_for_ktls(struct s2n_connection *conn, uint8_t version, struct s2n_cipher_suite *cipher);
@@ -17,11 +17,9 @@
 
 #include "crypto/s2n_sequence.h"
 #include "s2n_test.h"
-#include "testlib/s2n_ktls_test_utils.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_cipher_suites.h"
 #include "tls/s2n_connection.h"
-#include "tls/s2n_ktls.h"
 #include "tls/s2n_post_handshake.h"
 #include "tls/s2n_quic_support.h"
 #include "tls/s2n_tls13_handshake.h"
@@ -150,36 +148,33 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_free(conn));
         };
 
-        /* Key update messages not allowed with ktls unless the platform supports it */
+        /* Key update messages not allowed with ktls by default */
         {
             DEFER_CLEANUP(struct s2n_stuffer input, s2n_stuffer_free);
             EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
 
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                     s2n_connection_ptr_free);
             EXPECT_NOT_NULL(conn);
-            EXPECT_OK(s2n_test_configure_connection_for_ktls(conn, S2N_TLS13, &s2n_tls13_aes_128_gcm_sha256));
+            conn->actual_protocol_version = S2N_TLS13;
+            EXPECT_NOT_NULL(conn->secure);
+            conn->secure->cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
 
-            /* Only able to read ktls key updates if platform supports it */
+            /* Fails if receiving with ktls:
+             * Kernel key update would be required.
+             */
             conn->ktls_send_enabled = true;
             conn->ktls_recv_enabled = true;
-            EXPECT_SUCCESS(s2n_stuffer_write_uint8(&input, S2N_KEY_UPDATE_NOT_REQUESTED));
-            if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-                EXPECT_SUCCESS(s2n_key_update_recv(conn, &input));
-            } else {
-                EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
-            }
+            EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
             EXPECT_SUCCESS(s2n_stuffer_wipe(&input));
 
-            /* Only able to write ktls key updates if platform supports it */
+            /* Fails if only sending with ktls, but peer requested an update:
+             * Kernel key update would be required.
+             */
             conn->ktls_send_enabled = true;
             conn->ktls_recv_enabled = false;
             EXPECT_SUCCESS(s2n_stuffer_write_uint8(&input, S2N_KEY_UPDATE_REQUESTED));
-            if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-                EXPECT_SUCCESS(s2n_key_update_recv(conn, &input));
-            } else {
-                EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
-            }
+            EXPECT_FAILURE_WITH_ERRNO(s2n_key_update_recv(conn, &input), S2N_ERR_KTLS_KEYUPDATE);
             EXPECT_EQUAL(s2n_stuffer_data_available(&input), 0);
 
             /* Succeeds if only sending with ktls and no update requested:
 
@@ -18,7 +18,6 @@
 
 #include "crypto/s2n_sequence.h"
 #include "s2n_test.h"
-#include "testlib/s2n_ktls_test_utils.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_ktls.h"
 #include "utils/s2n_random.h"
@@ -224,7 +223,6 @@ int main(int argc, char **argv)
 
     /* Test: key encryption limit tracked */
     {
-        /* Create a cipher_suite with an artificially lower encryption limit */
         struct s2n_record_algorithm test_record_alg = *s2n_tls13_aes_128_gcm_sha256.record_alg;
         test_record_alg.encryption_limit = 0;
         struct s2n_cipher_suite test_cipher_suite = s2n_tls13_aes_128_gcm_sha256;
@@ -233,8 +231,8 @@ int main(int argc, char **argv)
         DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
                 s2n_connection_ptr_free);
         EXPECT_NOT_NULL(conn);
-        EXPECT_OK(s2n_test_configure_connection_for_ktls(conn, S2N_TLS13, &s2n_tls13_aes_128_gcm_sha256));
         conn->ktls_send_enabled = true;
+        conn->actual_protocol_version = S2N_TLS13;
 
         DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
         EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
@@ -256,16 +254,9 @@ int main(int argc, char **argv)
         /* Test: Enforce the encryption limit */
         EXPECT_NOT_NULL(conn->secure);
         conn->secure->cipher_suite = &test_cipher_suite;
-
-        if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-            EXPECT_SUCCESS(s2n_sendfile(conn, ro_file, 0, sizeof(test_data), &bytes_written, &blocked));
-            EXPECT_EQUAL(conn->recv_key_updated, 0);
-            EXPECT_EQUAL(conn->send_key_updated, 1);
-        } else {
-            EXPECT_FAILURE_WITH_ERRNO(
-                    s2n_sendfile(conn, ro_file, 0, sizeof(test_data), &bytes_written, &blocked),
-                    S2N_ERR_KTLS_KEY_LIMIT);
-        }
+        EXPECT_FAILURE_WITH_ERRNO(
+                s2n_sendfile(conn, ro_file, 0, sizeof(test_data), &bytes_written, &blocked),
+                S2N_ERR_KTLS_KEY_LIMIT);
     };
 
     EXPECT_EQUAL(close(ro_file), 0);
 
@@ -1251,25 +1251,25 @@ int main(int argc, char **argv)
         EXPECT_TRUE(large_test_data_records > 0);
         const size_t test_encryption_limit = large_test_data_records;
 
-        /* Create a cipher_suite with an artificially lower encryption limit */
         struct s2n_record_algorithm test_record_alg = *s2n_tls13_aes_128_gcm_sha256.record_alg;
         test_record_alg.encryption_limit = test_encryption_limit;
         struct s2n_cipher_suite test_cipher_suite = s2n_tls13_aes_128_gcm_sha256;
         test_cipher_suite.record_alg = &test_record_alg;
 
         for (s2n_mode mode = 0; mode <= 1; mode++) {
-            /* Test: Sequence number tracked correctly */
+            DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(mode),
+                    s2n_connection_ptr_free);
+            EXPECT_NOT_NULL(conn);
+            EXPECT_OK(s2n_ktls_set_sendmsg_cb(conn, s2n_test_ktls_sendmsg_mark_all_sent, conn));
+            conn->ktls_send_enabled = true;
+            EXPECT_NOT_NULL(conn->secure);
+            conn->secure->cipher_suite = &test_cipher_suite;
+            conn->actual_protocol_version = S2N_TLS13;
+
             s2n_blocked_status blocked = S2N_NOT_BLOCKED;
-            {
-                DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(mode),
-                        s2n_connection_ptr_free);
-                EXPECT_NOT_NULL(conn);
-                EXPECT_OK(s2n_test_configure_connection_for_ktls(conn, S2N_TLS13, &s2n_tls13_aes_128_gcm_sha256));
-                EXPECT_OK(s2n_ktls_set_setsockopt_cb(s2n_test_setsockopt_aes128_tx));
-                EXPECT_OK(s2n_ktls_set_sendmsg_cb(conn, s2n_test_ktls_sendmsg_mark_all_sent, conn->send_io_context));
-                conn->ktls_send_enabled = true;
-                conn->secure->cipher_suite = &test_cipher_suite;
 
+            /* Test: Sequence number tracked correctly */
+            {
                 DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
                 EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));
 
@@ -1301,30 +1301,14 @@ int main(int argc, char **argv)
                 EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));
 
                 /* Test: Send enough data to hit the encryption limit */
-                if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-                    EXPECT_SUCCESS(s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked));
-                    /* After a keyupdate, sequence number is reset to 0. Then the sequence number will
-                     * be incremented to the number of records needed to send large_test_data. */
-                    expected_seq_num = large_test_data_records;
-                } else {
-                    EXPECT_FAILURE_WITH_ERRNO(
-                            s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
-                            S2N_ERR_KTLS_KEY_LIMIT);
-                }
+                EXPECT_FAILURE_WITH_ERRNO(
+                        s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
+                        S2N_ERR_KTLS_KEY_LIMIT);
                 EXPECT_OK(s2n_assert_seq_num_equal(seq_num, expected_seq_num));
             };
 
             /* Test: Exact encryption limit boundary */
             {
-                DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
-                        s2n_connection_ptr_free);
-                EXPECT_NOT_NULL(conn);
-                EXPECT_OK(s2n_test_configure_connection_for_ktls(conn, S2N_TLS13, &s2n_tls13_aes_128_gcm_sha256));
-                EXPECT_OK(s2n_ktls_set_setsockopt_cb(s2n_test_setsockopt_aes128_tx));
-                EXPECT_OK(s2n_ktls_set_sendmsg_cb(conn, s2n_test_ktls_sendmsg_mark_all_sent, conn->send_io_context));
-                conn->ktls_send_enabled = true;
-                conn->secure->cipher_suite = &test_cipher_suite;
-
                 DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
                 EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));
 
@@ -1335,27 +1319,14 @@ int main(int argc, char **argv)
                 EXPECT_OK(s2n_assert_seq_num_equal(seq_num, test_encryption_limit));
 
                 /* One more record should exceed the encryption limit */
-                if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-                    EXPECT_SUCCESS(s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked));
-                } else {
-                    EXPECT_FAILURE_WITH_ERRNO(
-                            s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
-                            S2N_ERR_KTLS_KEY_LIMIT);
-                }
+                EXPECT_FAILURE_WITH_ERRNO(
+                        s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
+                        S2N_ERR_KTLS_KEY_LIMIT);
                 EXPECT_OK(s2n_assert_seq_num_equal(seq_num, test_encryption_limit));
             };
 
             /* Test: Limit not tracked with TLS1.2 */
             {
-                DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER),
-                        s2n_connection_ptr_free);
-                EXPECT_NOT_NULL(conn);
-                EXPECT_OK(s2n_test_configure_connection_for_ktls(conn, S2N_TLS13, &s2n_tls13_aes_128_gcm_sha256));
-                EXPECT_OK(s2n_ktls_set_setsockopt_cb(s2n_test_setsockopt_aes128_tx));
-                EXPECT_OK(s2n_ktls_set_sendmsg_cb(conn, s2n_test_ktls_sendmsg_mark_all_sent, conn->send_io_context));
-                conn->ktls_send_enabled = true;
-                conn->secure->cipher_suite = &test_cipher_suite;
-
                 DEFER_CLEANUP(struct s2n_blob seq_num = { 0 }, s2n_blob_zero);
                 EXPECT_OK(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num));
 
@@ -1375,13 +1346,10 @@ int main(int argc, char **argv)
 
                 /* Passing the limit with TLS1.3 is an error if key updated is not supported */
                 conn->actual_protocol_version = S2N_TLS13;
-                if (s2n_ktls_keyupdate_is_supported_on_platform()) {
-                    EXPECT_SUCCESS(s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked));
-                } else {
-                    EXPECT_FAILURE_WITH_ERRNO(
-                            s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
-                            S2N_ERR_KTLS_KEY_LIMIT);
-                }
+                EXPECT_FAILURE_WITH_ERRNO(
+                        s2n_send(conn, large_test_data, sizeof(large_test_data), &blocked),
+                        S2N_ERR_KTLS_KEY_LIMIT);
+
                 /* Passing the limit with TLS1.2 is NOT an error */
                 conn->actual_protocol_version = S2N_TLS12;
                 EXPECT_EQUAL(s2n_send(conn, large_test_data, 1, &blocked), 1);