From cb156974c5f1aa8f070e286c873fa44a1405a465 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Thu, 25 Sep 2025 14:01:07 -0400 Subject: [PATCH 01/16] tlshd: Add kernel's quic.h Currently, QUIC support is disabled in tlshd unless the kernel's uapi/linux/quic.h file is present on the system. Since that work is not yet upstream, pretty much no build environment has this file. Including this header now enables the oracle/ktls-utils testing workflows for the code in quic.c, and also enables development for tlshd code near the quic.c code -- ie, at least now building fails immediately if you've done something incompatible with what's in quic.c. This copy of quic.h can be updated periodically or removed entirely when the kernel version of this file becomes reliably available. I pulled the file from: https://lore.kernel.org/netdev/cover.1758234904.git.lucien.xin@gmail.com/T/#m377dc3b337c5bcfef79dc64400fec3a5e41cdbe0 Signed-off-by: Chuck Lever --- configure.ac | 7 +- src/tlshd/Makefile.am | 3 +- src/tlshd/quic.h | 236 ++++++++++++++++++++++++++++++++++++++++++ src/tlshd/tlshd.h | 9 +- 4 files changed, 249 insertions(+), 6 deletions(-) create mode 100644 src/tlshd/quic.h diff --git a/configure.ac b/configure.ac index f59bead..da03e76 100644 --- a/configure.ac +++ b/configure.ac @@ -64,10 +64,9 @@ PKG_CHECK_MODULES([LIBNL_GENL3], libnl-genl-3.0 >= 3.1) AC_SUBST([LIBNL_GENL3_CFLAGS]) AC_SUBST([LIBNL_GENL3_LIBS]) -AC_CHECK_HEADER([linux/quic.h], - [AC_CHECK_LIB([gnutls], [gnutls_handshake_set_secret_function], - [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [Define to 1 if QUIC is found.])])]) - +AC_CHECK_LIB([gnutls], [gnutls_handshake_set_secret_function], + [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], + [Define to 1 if you have the gnutls_handshake_set_secret_function function.])]) AC_CHECK_LIB([gnutls], [gnutls_transport_is_ktls_enabled], [AC_DEFINE([HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED], [1], [Define to 1 if you have the gnutls_transport_is_ktls_enabled function.])]) 
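Review bot: `HAVE_GNUTLS_QUIC` is now defined purely from the presence of `gnutls_handshake_set_secret_function`, so the macro's name overstates what it proves: nothing in configure.ac any longer says anything about QUIC support in the kernel the daemon will run on. Since `quic.c` is compiled whenever this is set, the AC_DEFINE description should make that explicit, e.g. `[Define to 1 if GnuTLS has gnutls_handshake_set_secret_function (kernel QUIC support is not checked at build time).]`. That keeps a reader of config.h from assuming the build verified anything about the runtime socket API.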
diff --git a/src/tlshd/Makefile.am b/src/tlshd/Makefile.am index 2f6aeba..3151ebe 100644 --- a/src/tlshd/Makefile.am +++ b/src/tlshd/Makefile.am @@ -21,7 +21,8 @@ tlshd_CFLAGS = -Werror -Wall -Wextra $(LIBGNUTLS_CFLAGS) \ $(LIBKEYUTILS_CFLAGS) $(GLIB_CFLAGS) $(LIBNL3_CFLAGS) \ $(LIBNL_GENL3_CFLAGS) tlshd_SOURCES = client.c config.c handshake.c keyring.c ktls.c log.c \ - main.c netlink.c netlink.h server.c tlshd.h quic.c + main.c netlink.c netlink.h server.c tlshd.h quic.c \ + quic.h tlshd_LDADD = $(LIBGNUTLS_LIBS) $(LIBKEYUTILS_LIBS) $(GLIB_LIBS) \ $(LIBNL3_LIBS) $(LIBNL_GENL3_LIBS) diff --git a/src/tlshd/quic.h b/src/tlshd/quic.h new file mode 100644 index 0000000..f7c8539 --- /dev/null +++ b/src/tlshd/quic.h 
@@ -0,0 +1,236 @@ +/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ +/* QUIC kernel implementation + * (C) Copyright Red Hat Corp. 2023 + * + * This file is part of the QUIC kernel implementation + * + * Written or modified by: + * Xin Long + */ + +#ifndef _UAPI_LINUX_QUIC_H +#define _UAPI_LINUX_QUIC_H + +#include +#ifdef __KERNEL__ +#include +#else +#include +#endif + +/* NOTE: Structure descriptions are specified in: + * https://datatracker.ietf.org/doc/html/draft-lxin-quic-socket-apis + */ + +/* Send or Receive Options APIs */ +enum quic_cmsg_type { + QUIC_STREAM_INFO, + QUIC_HANDSHAKE_INFO, +}; + +#define QUIC_STREAM_TYPE_SERVER_MASK 0x01 +#define QUIC_STREAM_TYPE_UNI_MASK 0x02 +#define QUIC_STREAM_TYPE_MASK 0x03 + +enum quic_msg_flags { + /* flags for stream_flags */ + MSG_STREAM_NEW = MSG_SYN, + MSG_STREAM_FIN = MSG_FIN, + MSG_STREAM_UNI = MSG_CONFIRM, + MSG_STREAM_DONTWAIT = MSG_WAITFORONE, + MSG_STREAM_SNDBLOCK = MSG_ERRQUEUE, + + /* extented flags for msg_flags */ + MSG_DATAGRAM = MSG_RST, + MSG_NOTIFICATION = MSG_MORE, +}; + +enum quic_crypto_level { + QUIC_CRYPTO_APP, + QUIC_CRYPTO_INITIAL, + QUIC_CRYPTO_HANDSHAKE, + QUIC_CRYPTO_EARLY, + QUIC_CRYPTO_MAX, +}; + +struct quic_handshake_info { + __u8 crypto_level; +}; + +struct quic_stream_info { + __s64 stream_id; + __u32 stream_flags; +}; + +/* Socket Options APIs */ +#define QUIC_SOCKOPT_EVENT 0 +#define QUIC_SOCKOPT_STREAM_OPEN 1 +#define QUIC_SOCKOPT_STREAM_RESET 2 +#define QUIC_SOCKOPT_STREAM_STOP_SENDING 3 +#define QUIC_SOCKOPT_CONNECTION_ID 4 +#define QUIC_SOCKOPT_CONNECTION_CLOSE 5 +#define QUIC_SOCKOPT_CONNECTION_MIGRATION 6 +#define QUIC_SOCKOPT_KEY_UPDATE 7 +#define QUIC_SOCKOPT_TRANSPORT_PARAM 8 +#define QUIC_SOCKOPT_CONFIG 9 +#define QUIC_SOCKOPT_TOKEN 10 +#define QUIC_SOCKOPT_ALPN 11 +#define QUIC_SOCKOPT_SESSION_TICKET 12 +#define QUIC_SOCKOPT_CRYPTO_SECRET 13 +#define QUIC_SOCKOPT_TRANSPORT_PARAM_EXT 14 + +#define QUIC_VERSION_V1 0x1 +#define QUIC_VERSION_V2 0x6b3343cf + 
+struct quic_transport_param { + __u8 remote; + __u8 disable_active_migration; + __u8 grease_quic_bit; + __u8 stateless_reset; + __u8 disable_1rtt_encryption; + __u8 disable_compatible_version; + __u8 active_connection_id_limit; + __u8 ack_delay_exponent; + __u16 max_datagram_frame_size; + __u16 max_udp_payload_size; + __u32 max_idle_timeout; + __u32 max_ack_delay; + __u16 max_streams_bidi; + __u16 max_streams_uni; + __u64 max_data; + __u64 max_stream_data_bidi_local; + __u64 max_stream_data_bidi_remote; + __u64 max_stream_data_uni; + __u64 reserved; +}; + +struct quic_config { + __u32 version; + __u32 plpmtud_probe_interval; + __u32 initial_smoothed_rtt; + __u32 payload_cipher_type; + __u8 congestion_control_algo; + __u8 validate_peer_address; + __u8 stream_data_nodelay; + __u8 receive_session_ticket; + __u8 certificate_request; + __u8 reserved[3]; +}; + +struct quic_crypto_secret { + __u8 send; /* send or recv */ + __u8 level; /* crypto level */ + __u32 type; /* TLS_CIPHER_* */ +#define QUIC_CRYPTO_SECRET_BUFFER_SIZE 48 + __u8 secret[QUIC_CRYPTO_SECRET_BUFFER_SIZE]; +}; + +enum quic_cong_algo { + QUIC_CONG_ALG_RENO, + QUIC_CONG_ALG_CUBIC, + QUIC_CONG_ALG_MAX, +}; + +struct quic_errinfo { + __s64 stream_id; + __u32 errcode; +}; + +struct quic_connection_id_info { + __u8 dest; + __u32 active; + __u32 prior_to; +}; + +struct quic_event_option { + __u8 type; + __u8 on; +}; + +/* Event APIs */ +enum quic_event_type { + QUIC_EVENT_NONE, + QUIC_EVENT_STREAM_UPDATE, + QUIC_EVENT_STREAM_MAX_DATA, + QUIC_EVENT_STREAM_MAX_STREAM, + QUIC_EVENT_CONNECTION_ID, + QUIC_EVENT_CONNECTION_CLOSE, + QUIC_EVENT_CONNECTION_MIGRATION, + QUIC_EVENT_KEY_UPDATE, + QUIC_EVENT_NEW_TOKEN, + QUIC_EVENT_NEW_SESSION_TICKET, + QUIC_EVENT_MAX, +}; + +enum { + QUIC_STREAM_SEND_STATE_READY, + QUIC_STREAM_SEND_STATE_SEND, + QUIC_STREAM_SEND_STATE_SENT, + QUIC_STREAM_SEND_STATE_RECVD, + QUIC_STREAM_SEND_STATE_RESET_SENT, + QUIC_STREAM_SEND_STATE_RESET_RECVD, + + QUIC_STREAM_RECV_STATE_RECV, + 
QUIC_STREAM_RECV_STATE_SIZE_KNOWN, + QUIC_STREAM_RECV_STATE_RECVD, + QUIC_STREAM_RECV_STATE_READ, + QUIC_STREAM_RECV_STATE_RESET_RECVD, + QUIC_STREAM_RECV_STATE_RESET_READ, +}; + +struct quic_stream_update { + __s64 id; + __u8 state; + __u32 errcode; + __u64 finalsz; +}; + +struct quic_stream_max_data { + __s64 id; + __u64 max_data; +}; + +struct quic_connection_close { + __u32 errcode; + __u8 frame; + __u8 phrase[]; +}; + +union quic_event { + struct quic_stream_update update; + struct quic_stream_max_data max_data; + struct quic_connection_close close; + struct quic_connection_id_info info; + __u64 max_stream; + __u8 local_migration; + __u8 key_update_phase; +}; + +enum { + QUIC_TRANSPORT_ERROR_NONE = 0x00, + QUIC_TRANSPORT_ERROR_INTERNAL = 0x01, + QUIC_TRANSPORT_ERROR_CONNECTION_REFUSED = 0x02, + QUIC_TRANSPORT_ERROR_FLOW_CONTROL = 0x03, + QUIC_TRANSPORT_ERROR_STREAM_LIMIT = 0x04, + QUIC_TRANSPORT_ERROR_STREAM_STATE = 0x05, + QUIC_TRANSPORT_ERROR_FINAL_SIZE = 0x06, + QUIC_TRANSPORT_ERROR_FRAME_ENCODING = 0x07, + QUIC_TRANSPORT_ERROR_TRANSPORT_PARAM = 0x08, + QUIC_TRANSPORT_ERROR_CONNECTION_ID_LIMIT = 0x09, + QUIC_TRANSPORT_ERROR_PROTOCOL_VIOLATION = 0x0a, + QUIC_TRANSPORT_ERROR_INVALID_TOKEN = 0x0b, + QUIC_TRANSPORT_ERROR_APPLICATION = 0x0c, + QUIC_TRANSPORT_ERROR_CRYPTO_BUF_EXCEEDED = 0x0d, + QUIC_TRANSPORT_ERROR_KEY_UPDATE = 0x0e, + QUIC_TRANSPORT_ERROR_AEAD_LIMIT_REACHED = 0x0f, + QUIC_TRANSPORT_ERROR_NO_VIABLE_PATH = 0x10, + + /* The cryptographic handshake failed. A range of 256 values is reserved + * for carrying error codes specific to the cryptographic handshake that + * is used. Codes for errors occurring when TLS is used for the + * cryptographic handshake are described in Section 4.8 of [QUIC-TLS]. + */ + QUIC_TRANSPORT_ERROR_CRYPTO = 0x0100, +}; + +#endif /* _UAPI_LINUX_QUIC_H */ diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h index 6ee950d..7f3ec40 100644 --- a/src/tlshd/tlshd.h +++ b/src/tlshd/tlshd.h 
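Review bot: The vendored header carries no provenance or ABI caveat in the file itself; the only record of where it came from is the commit message. Every struct here (`quic_crypto_secret`, `quic_transport_param`, `quic_config`, …) and the `QUIC_SOCKOPT_*` numbers are consumed by the kernel through setsockopt/getsockopt, so a layout or numbering change in the not-yet-upstream patch set would be misinterpreted silently rather than fail to build; add a header comment such as `/* Verbatim copy of uapi/linux/quic.h from the netdev posting cited in the commit (Sept 2025); must match the running kernel's QUIC ABI, re-sync or drop once upstream. */`. The include guard is the same `_UAPI_LINUX_QUIC_H` the kernel header uses, which is what makes the two copies mutually exclusive; a one-line comment saying that is deliberate would save the next reader a puzzle. The `#include` targets appear blank in this rendering, presumably `<linux/types.h>` plus the kernel or userspace socket header, so I could not check them.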
@@ -122,7 +122,14 @@ extern void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parm extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms); #ifdef HAVE_GNUTLS_QUIC -#include +#include "quic.h" + +#ifndef SOL_QUIC +#define SOL_QUIC 288 +#endif +#ifndef IPPROTO_QUIC +#define IPPROTO_QUIC 261 +#endif #define TLSHD_QUIC_MAX_DATA_LEN 4096 #define TLSHD_QUIC_MAX_ALPNS_LEN 128 From f2fd929affb451517e3f5f6e5975ceb14fad219d Mon Sep 17 00:00:00 2001 From: Xin Long Date: Thu, 25 Sep 2025 12:38:05 -0400 Subject: [PATCH 02/16] tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup Align the QUIC session setup error handling with the TLS 1.3 code paths: - tlshd_tls13_client_x509_handshake() - tlshd_tls13_client_psk_handshake() - tlshd_tls13_server_x509_handshake() - tlshd_tls13_server_psk_handshake() The QUIC session setup functions: - tlshd_quic_client_set_x509_session() - tlshd_quic_client_set_psk_session() - tlshd_quic_server_set_x509_session() - tlshd_quic_server_set_psk_session() will no longer return an error directly. Instead, if a GnuTLS API call fails, session_status is left as EIO after logging the Gnutls errors. Signed-off-by: Xin Long Signed-off-by: Chuck Lever --- src/tlshd/client.c | 42 ++++++++++++++++++++---------------------- src/tlshd/server.c | 29 +++++++++++++---------------- 2 files changed, 33 insertions(+), 38 deletions(-) diff --git a/src/tlshd/client.c b/src/tlshd/client.c index ad9a793..3415fdd 100644 --- a/src/tlshd/client.c +++ b/src/tlshd/client.c 
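Review bot: The fallback `#define SOL_QUIC 288` and `#define IPPROTO_QUIC 261` are bare magic numbers with nothing saying where they come from or what happens if the running kernel disagrees; a setsockopt at the wrong level fails at runtime, not at build time. Add a comment citing the source, e.g. `/* Values from the out-of-tree QUIC patch set (see quic.h); the guards let system headers take precedence once upstream. */`. Note also that `#include "quic.h"` now always selects the vendored copy, even on a system that does have `<linux/quic.h>`, because the configure check for that header was dropped in this commit; presumably intended, but worth a line in the same comment.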
@@ -530,17 +530,17 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session) #define TLSHD_QUIC_NO_CERT_AUTH 3 -static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) +static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) { struct tlshd_handshake_parms *parms = conn->parms; gnutls_certificate_credentials_t cred; gnutls_session_t session; - int ret = -EINVAL; + int ret; if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) { if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) { - tlshd_log_error("cert/privkey get error %d", -ret); - return ret; + tlshd_log_error("Failed to get cert or privkey"); + return; } } ret = gnutls_certificate_allocate_credentials(&cred); @@ -581,7 +581,8 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) goto err_session; } conn->session = session; - return 0; + return; + err_session: gnutls_deinit(session); err_cred: 
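Review bot: In `tlshd_quic_client_set_x509_session` the early return after `if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms))` releases nothing, whereas the error path at the bottom of the function calls both `tlshd_x509_client_put_privkey()` and `tlshd_x509_client_put_certs()`; when the certificate lookup succeeds and the private-key lookup fails, the loaded certificates are never released. Check the two lookups separately and call `tlshd_x509_client_put_certs()` before returning when only the key lookup fails. This predates the commit, but since the commit rewrites exactly this early return it is the moment to fix it. The rest of the function body is in the following hunk.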
@@ -590,29 +591,28 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) tlshd_x509_client_put_privkey(); tlshd_x509_client_put_certs(); tlshd_log_gnutls_error(ret); - return ret; } -static int tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn) +static void tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn) { conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH; - return tlshd_quic_client_set_x509_session(conn); + tlshd_quic_client_set_x509_session(conn); } -static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) +static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) { key_serial_t peerid = g_array_index(conn->parms->peerids, key_serial_t, 0); gnutls_psk_client_credentials_t cred; gnutls_session_t session; char *identity = NULL; gnutls_datum_t key; - int ret = -EINVAL; + int ret; if (!tlshd_keyring_get_psk_username(peerid, &identity) || !tlshd_keyring_get_psk_key(peerid, &key)) { free(identity); - tlshd_log_error("identity/key get error %d", -ret); - return ret; + tlshd_log_error("Failed to get key identity or read key"); + return; } ret = gnutls_psk_allocate_client_credentials(&cred); @@ -630,7 +630,8 @@ static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) if (ret) goto err_session; conn->session = session; - return 0; + return; + err_session: gnutls_deinit(session); err_cred: @@ -638,7 +639,6 @@ static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) err: free(identity); tlshd_log_gnutls_error(ret); - return ret; } /** 
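Review bot: `tlshd_quic_client_set_psk_session` reads `g_array_index(conn->parms->peerids, key_serial_t, 0)` without checking `peerids->len`; `g_array_index` is unchecked pointer arithmetic, so an empty peer-ID list from the kernel reads past (for an empty GArray, possibly from a NULL) data buffer. Guard it before indexing: `if (!conn->parms->peerids || conn->parms->peerids->len == 0) { tlshd_log_error("No peer IDs for PSK handshake"); return; }`. The TLS 1.3 counterpart `tlshd_tls13_client_psk_handshake` iterates over all peer IDs while the QUIC path only ever tries the first, which may be intended but deserves a comment. Separately, nothing in the visible paths releases or zeroizes `key.data` after `tlshd_keyring_get_psk_key`; if that helper allocates, the PSK stays in the process heap on both the success and the error path, so confirm against how the TLS 1.3 helper disposes of it.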
@@ -659,26 +659,24 @@ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms) switch (parms->auth_mode) { case HANDSHAKE_AUTH_UNAUTH: - ret = tlshd_quic_client_set_anon_session(conn); + tlshd_quic_client_set_anon_session(conn); break; case HANDSHAKE_AUTH_X509: - ret = tlshd_quic_client_set_x509_session(conn); + tlshd_quic_client_set_x509_session(conn); break; case HANDSHAKE_AUTH_PSK: - ret = tlshd_quic_client_set_psk_session(conn); + tlshd_quic_client_set_psk_session(conn); break; default: - ret = -EINVAL; tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode); } - if (ret) { - conn->errcode = -ret; + + if (!conn->session) goto out; - } tlshd_quic_start_handshake(conn); -out: parms->session_status = conn->errcode; +out: tlshd_quic_conn_destroy(conn); } #else diff --git a/src/tlshd/server.c b/src/tlshd/server.c index 6531f08..8bb769f 100644 --- a/src/tlshd/server.c +++ b/src/tlshd/server.c @@ -562,17 +562,17 @@ static int tlshd_quic_server_psk_cb(gnutls_session_t session, const char *userna return 0; } -static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) +static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) { struct tlshd_handshake_parms *parms = conn->parms; gnutls_certificate_credentials_t cred; gnutls_datum_t ticket_key; gnutls_session_t session; - int ret = -EINVAL; + int ret; if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) { - tlshd_log_error("cert/privkey get error %d", -ret); - return ret; + tlshd_log_error("Failed to get cert or privkey"); + return; } ret = gnutls_certificate_allocate_credentials(&cred); @@ -619,7 +619,8 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) conn->is_serv = 1; conn->session = session; - return 0; + return; + err_session: gnutls_deinit(session); err_cred: 
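Review bot: The `default:` arm of the auth-mode switch in `tlshd_quic_clienthello_handshake` no longer records any error: it logs at debug level and falls into `if (!conn->session) goto out;`, so an unrecognised auth mode is now reported with the same EIO as a GnuTLS failure, where before it was EINVAL, and the commit message does not mention this. Logging it as an error and keeping the distinct code keeps the kernel-visible status honest: `tlshd_log_error("Unrecognized auth mode (%d)", parms->auth_mode);` followed by `parms->session_status = EINVAL;` in that arm. Because `goto out` now bypasses the `parms->session_status = conn->errcode` assignment, the function relies on `session_status` having been preset to EIO earlier in the function, which lies outside this hunk; if `ret` was only used in the removed lines it is now an unused variable under `-Werror -Wall`.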
@@ -628,10 +629,9 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) tlshd_x509_server_put_privkey(); tlshd_x509_server_put_certs(); tlshd_log_gnutls_error(ret); - return ret; } -static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn) +static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn) { gnutls_psk_server_credentials_t cred; gnutls_session_t session; @@ -654,14 +654,14 @@ static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn) conn->is_serv = 1; conn->session = session; - return 0; + return; + err_session: gnutls_deinit(session); err_cred: gnutls_psk_free_server_credentials(cred); err: tlshd_log_gnutls_error(ret); - return ret; } /** @@ -682,23 +682,20 @@ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms) switch (parms->auth_mode) { case HANDSHAKE_AUTH_X509: - ret = tlshd_quic_server_set_x509_session(conn); + tlshd_quic_server_set_x509_session(conn); break; case HANDSHAKE_AUTH_PSK: - ret = tlshd_quic_server_set_psk_session(conn); + tlshd_quic_server_set_psk_session(conn); break; default: - ret = -EINVAL; tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode); } - if (ret) { - conn->errcode = -ret; + if (!conn->session) goto out; - } tlshd_quic_start_handshake(conn); -out: parms->session_status = conn->errcode; +out: tlshd_quic_conn_destroy(conn); } #else From 227225e28ed842976681fe18720c3cb3ae53177a Mon Sep 17 00:00:00 2001 
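Review bot: Same remark as on the client side for `tlshd_quic_serverhello_handshake`: the `default:` arm now only emits a debug log, so a bad `parms->auth_mode` surfaces as EIO instead of the previous EINVAL and is indistinguishable from a credential or GnuTLS failure in the kernel's view; suggest `tlshd_log_error("Unrecognized auth mode (%d)", parms->auth_mode);` and `parms->session_status = EINVAL;` there. The server PSK error label `err: tlshd_log_gnutls_error(ret);` in the `@@ -654,14` hunk is only reached from code above the hunk, so I could not confirm `ret` always holds a GnuTLS code when it is taken. The function heads, where `ret` is declared, are outside these hunks; if `ret` has no remaining use it is now unused under `-Werror -Wall`.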
From: Xin Long Date: Thu, 25 Sep 2025 12:38:06 -0400 Subject: [PATCH 03/16] tlshd: set conn errcode to EACCES on GnuTLS failure in QUIC handshake Align QUIC handshake error handling with the TLS 1.3 path in tlshd_start_tls_handshake(). In tlshd_quic_start_handshake(), any error returned from the GnuTLS API is now logged and mapped to conn->errcode = EACCES (session_status). Note: unlike TLS 1.3, the QUIC handshake manages its own packet send/recv. Timeouts are handled separately, with conn->errcode set to ETIMEDOUT by quic_timer_handler(). Signed-off-by: Xin Long Signed-off-by: Chuck Lever --- src/tlshd/quic.c | 66 +++++++++++++++++++++++++++--------------------- 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/src/tlshd/quic.c b/src/tlshd/quic.c index f19e1db..0e0852e 100644 --- a/src/tlshd/quic.c +++ b/src/tlshd/quic.c @@ -188,7 +188,7 @@ static int quic_tp_send_func(gnutls_session_t session, gnutls_buffer_t extdata) ret = gnutls_buffer_append_data(extdata, buf, len); if (ret) { tlshd_log_gnutls_error(ret); - return ret; + return -1; } return 0; @@ -230,6 +230,7 @@ static char quic_priority[] = static int quic_session_set_priority(gnutls_session_t session, uint32_t cipher) { char p[136] = {}; + int ret; memcpy(p, quic_priority, strlen(quic_priority)); switch (cipher) { @@ -249,14 +250,19 @@ static int quic_session_set_priority(gnutls_session_t session, uint32_t cipher) strcat(p, "AES-128-GCM:+AES-256-GCM:+AES-128-CCM:+CHACHA20-POLY1305"); } - return gnutls_priority_set_direct(session, p, NULL); + ret = gnutls_priority_set_direct(session, p, NULL); + if (ret) { + tlshd_log_gnutls_error(ret); + return -1; + } + return 0; } static int quic_session_set_alpns(gnutls_session_t session, char *alpn_data) { gnutls_datum_t alpns[TLSHD_QUIC_MAX_ALPNS_LEN / 2]; char *alpn = strtok(alpn_data, ","); - int count = 0; + int count = 0, ret; while (alpn) { while (*alpn == ' ') 
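Review bot: `quic_tp_send_func(gnutls_session_t session, gnutls_buffer_t extdata)` is the extension send callback registered with `gnutls_session_ext_register` later in this patch, so its return value is consumed by GnuTLS, not by tlshd; changing `return ret;` to `return -1;` hands GnuTLS a value that, as far as I can tell, is not a defined GnuTLS error code, and the resulting handshake failure is then reported as an unknown error. Keep the GnuTLS code here, `return ret;` (or `return GNUTLS_E_INTERNAL_ERROR;`), and reserve the `-1` convention for tlshd's own helpers such as `quic_session_set_priority`, where it is appropriate. The callback's earlier lines are outside the hunk.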
@@ -267,7 +273,12 @@ static int quic_session_set_alpns(gnutls_session_t session, char *alpn_data) alpn = strtok(NULL, ","); } - return gnutls_alpn_set_protocols(session, alpns, count, GNUTLS_ALPN_MANDATORY); + ret = gnutls_alpn_set_protocols(session, alpns, count, GNUTLS_ALPN_MANDATORY); + if (ret) { + tlshd_log_gnutls_error(ret); + return -1; + } + return 0; } static gnutls_record_encryption_level_t quic_get_encryption_level(uint8_t level) @@ -401,7 +412,7 @@ static int quic_handshake_crypto_data(const struct tlshd_quic_conn *conn, level = quic_get_encryption_level(level); if (datalen > 0) { ret = gnutls_handshake_write(session, level, data, datalen); - if (ret != 0) { + if (ret) { if (!gnutls_error_is_fatal(ret)) return 0; goto err; @@ -418,7 +429,7 @@ static int quic_handshake_crypto_data(const struct tlshd_quic_conn *conn, err: gnutls_alert_send_appropriate(session, ret); tlshd_log_gnutls_error(ret); - return ret; + return -1; } /** 
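Review bot: `quic_session_set_alpns` strips only leading blanks from each comma-separated token (`while (*alpn == ' ') alpn++;`), so a list written `h3 , smb` yields a token `h3 ` with a trailing space; the lines that fill `alpns[count]` are outside the hunk, but if they take `strlen(alpn)` the advertised protocol will not match the peer's and, with `GNUTLS_ALPN_MANDATORY`, the handshake fails for a whitespace reason that is hard to diagnose. Trim the tail as well before storing the token, e.g. `char *end = alpn + strlen(alpn); while (end > alpn && end[-1] == ' ') *--end = '\0';`. Since the array is sized `TLSHD_QUIC_MAX_ALPNS_LEN / 2`, a check that `count` stays below that bound would be cheap insurance; the loop body that increments it is not visible here.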
@@ -486,24 +497,25 @@ static int tlshd_quic_session_configure(struct tlshd_quic_conn *conn) gnutls_session_t session = conn->session; int ret; - ret = quic_session_set_priority(session, conn->cipher); - if (ret) - return ret; + if (quic_session_set_priority(session, conn->cipher)) + return -1; - if (conn->alpns[0]) { - ret = quic_session_set_alpns(session, conn->alpns); - if (ret) - return ret; - } + if (conn->alpns[0] && quic_session_set_alpns(session, conn->alpns)) + return -1; gnutls_handshake_set_secret_function(session, quic_secret_func); gnutls_handshake_set_read_function(session, quic_read_func); gnutls_alert_set_read_function(session, quic_alert_read_func); - return gnutls_session_ext_register( + ret = gnutls_session_ext_register( session, "QUIC Transport Parameters", QUIC_TLSEXT_TP_PARAM, GNUTLS_EXT_TLS, quic_tp_recv_func, quic_tp_send_func, NULL, NULL, NULL, GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE); + if (ret) { + tlshd_log_gnutls_error(ret); + return -1; + } + return 0; } static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn) @@ -532,16 +544,16 @@ static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn) return; /* process new session ticket msg and get the generated session data */ - ret = quic_handshake_crypto_data(conn, QUIC_CRYPTO_APP, conn->ticket, len); - if (ret) { - conn->errcode = -ret; + if (quic_handshake_crypto_data(conn, QUIC_CRYPTO_APP, conn->ticket, len)) { + conn->errcode = EACCES; return; } + size = sizeof(conn->ticket); ret = gnutls_session_get_data(session, conn->ticket, &size); if (ret) { tlshd_log_gnutls_error(ret); - conn->errcode = -ret; + conn->errcode = EACCES; return; } 
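Review bot: In `tlshd_quic_recv_session_ticket` a failure to process the NewSessionTicket via `quic_handshake_crypto_data(conn, QUIC_CRYPTO_APP, conn->ticket, len)` now sets `conn->errcode = EACCES`, which the callers copy into `parms->session_status`; the APP crypto level implies this runs after the handshake has completed, so an optional resumption feature is turned into a handshake failure. If that is intended, the function comment should say so; otherwise log and return without touching `errcode`. The data `gnutls_session_get_data` writes into `conn->ticket` contains the resumption secret, so `conn->ticket` should be treated as key material; presumably `tlshd_quic_conn_destroy` zeroizes it, which is worth confirming now that the buffer outlives an error here. The head of the function is outside the hunk.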
@@ -569,17 +581,14 @@ void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn) FD_ZERO(&readfds); FD_SET(sockfd, &readfds); - ret = tlshd_quic_session_configure(conn); - if (ret) { - tlshd_log_gnutls_error(ret); - conn->errcode = -ret; + if (tlshd_quic_session_configure(conn)) { + conn->errcode = EACCES; return; } if (!conn->is_serv) { - ret = quic_handshake_crypto_data(conn, QUIC_CRYPTO_INITIAL, NULL, 0); - if (ret) { - conn->errcode = -ret; + if (quic_handshake_crypto_data(conn, QUIC_CRYPTO_INITIAL, NULL, 0)) { + conn->errcode = EACCES; return; } @@ -614,9 +623,8 @@ void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn) return tlshd_log_error("socket recvmsg error %d", errno); } tlshd_log_debug("> Handshake RECV: %u %u", msg->len, msg->level); - ret = quic_handshake_crypto_data(conn, msg->level, msg->data, msg->len); - if (ret) { - conn->errcode = -ret; + if (quic_handshake_crypto_data(conn, msg->level, msg->data, msg->len)) { + conn->errcode = EACCES; return; } } From f1e560d379d7292354d0ed9730cf8837469df242 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 04/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/client.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in client.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/client.c | 158 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 138 insertions(+), 20 deletions(-) diff --git a/src/tlshd/client.c b/src/tlshd/client.c index 3415fdd..2664ffb 100644 --- a/src/tlshd/client.c +++ b/src/tlshd/client.c 
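Review bot: The `recvmsg` failure path in `tlshd_quic_start_handshake`, `return tlshd_log_error("socket recvmsg error %d", errno);`, still leaves `conn->errcode` untouched, while the two `quic_handshake_crypto_data` failures beside it now set EACCES; the caller then publishes whatever `errcode` held before, and its initial value is set outside this hunk, so if that is 0 a transport failure would be reported as a successful handshake. Set it before logging so the log call cannot clobber errno: `conn->errcode = errno ? errno : EIO; tlshd_log_error("socket recvmsg error %d", conn->errcode); return;`. The same applies to any other early `return` in the receive loop that falls outside the hunk.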
@@ -1,10 +1,14 @@ -/* - * Perform a TLSv1.3 handshake. +/** + * @file client.c + * @brief Perform a client-side TLS handshake * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. * Copyright (c) 2022 SUSE LLC. * Copyright (c) 2024 Red Hat, Inc. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -43,6 +47,13 @@ #include "tlshd.h" #include "netlink.h" +/** + * @brief Initialize client side trust store + * @param[out] cred Trust store to initialize + * + * @returns a GnuTLS error code. Caller must release credentials + * using gnutls_certificate_free_credentials(3). + */ static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred) { char *pathname; @@ -74,6 +85,10 @@ static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred) return GNUTLS_E_SUCCESS; } +/** + * @brief Initiate an x.509-based TLS handshake without a client certificate + * @param[in] parms Handshake parameters + */ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms) { gnutls_certificate_credentials_t xcred; 
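Review bot: The new comment on `tlshd_client_get_truststore` says `@param[out] cred` and that the caller must release it with `gnutls_certificate_free_credentials(3)`, but the function receives an already allocated credentials handle and only loads the trust store into it; the release obligation belongs to whoever allocated it, and the handle is an in/out argument. Suggest `@param[in,out] cred Allocated credentials into which the trust store is loaded` and `@returns GNUTLS_E_SUCCESS or a GnuTLS error code`, replacing the release sentence with "does not take ownership of @p cred". The function body is partly outside the hunk, so I could only confirm the `GNUTLS_E_SUCCESS` return.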
@@ -134,13 +149,50 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm gnutls_certificate_free_credentials(xcred); } +/** + * @var gnutls_privkey_t tlshd_pq_privkey + * Client peer's post-quantum private key + */ static gnutls_privkey_t tlshd_pq_privkey; + +/** + * @var gnutls_privkey_t tlshd_privkey + * Client peer's private key + */ static gnutls_privkey_t tlshd_privkey; + +/** + * @var unsigned int tlshd_pq_certs_len + * Count of client peer's post-quantum certificates + */ static unsigned int tlshd_pq_certs_len = TLSHD_MAX_CERTS; + +/** + * @var unsigned int tlshd_certs_len + * Count of client peer's certificates + */ static unsigned int tlshd_certs_len = TLSHD_MAX_CERTS; + +/** + * @var gnutls_pcert_st tlshd_certs + * Client peer's certificates + */ static gnutls_pcert_st tlshd_certs[TLSHD_MAX_CERTS]; + +/** + * @var gnutls_pk_algorithm_t tlshd_pq_pkalg + * Client peer certificate's public key algorithms + */ static gnutls_pk_algorithm_t tlshd_pq_pkalg = GNUTLS_PK_UNKNOWN; +/** + * @brief Retrieve client certificates to be used for ClientHello + * @param[in] parms Handshake parameters + * + * @retval true Client certificates were found. Caller must release + * the certificates using tlshd_x509_client_put_certs. + * @retval false No usable client certificates were found + */ static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms) { if (parms->x509_cert != TLS_NO_CERT) @@ -151,6 +203,9 @@ static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms) &tlshd_pq_pkalg); } +/** + * @brief Release client certificates that were used for ClientHello + */ static void tlshd_x509_client_put_certs(void) { unsigned int i; 
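Review bot: The `@var` text for `tlshd_pq_certs_len` and `tlshd_certs_len` ("Count of ... certificates") does not explain why both are initialised to `TLSHD_MAX_CERTS`; presumably they are in/out capacity-then-count arguments to the keyring lookup, in which case say so: `Capacity of tlshd_certs before lookup; number of certificates loaded afterwards`. Doxygen only emits `@var` blocks for `static` file-scope objects when `EXTRACT_STATIC` is enabled, so confirm the Doxyfile sets it or these comments are silent on the generated site. The `@retval true` on `tlshd_x509_client_get_certs` promises that `tlshd_x509_client_put_certs` releases what was loaded; the `TLS_NO_CERT` branch that decides which lookup runs continues outside the hunk.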
@@ -159,6 +214,14 @@ static void tlshd_x509_client_put_certs(void) gnutls_pcert_deinit(&tlshd_certs[i]); } +/** + * @brief Retrieve the private key to be used for ClientHello + * @param[in] parms Handshake parameters + * + * @retval true Private key was found. Caller must release the + * private key using tlshd_x509_client_put_privkey. + * @retval false No usable private key was found + */ static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms) { if (parms->x509_privkey != TLS_NO_PRIVKEY) @@ -168,12 +231,20 @@ static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms) &tlshd_privkey); } +/** + * @brief Release the private key that was used for ClientHello + */ static void tlshd_x509_client_put_privkey(void) { gnutls_privkey_deinit(tlshd_privkey); gnutls_privkey_deinit(tlshd_pq_privkey); } +/** + * @brief Audit trust chain of incoming server certificate + * @param[in] req_ca_rdn + * @param[in] nreqs + */ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) { char issuer_dn[256]; @@ -196,7 +267,18 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) } /** - * tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity + * @brief Initialize the client peer's x.509 identity + * @param[in] session session in the midst of a handshake + * @param[in] req_ca_rdn + * @param[in] nreqs + * @param[in] pk_algos + * @param[in] pk_algos_length + * @param[out] pcert + * @param[out] pcert_length + * @param[out] privkey + * + * @retval 0 Success; output parameters are set accordingly + * @retval -1 Failure * * Callback function is of type gnutls_certificate_retrieve_function2 * 
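Review bot: `@brief Audit trust chain of incoming server certificate` overstates what `tlshd_x509_log_issuers` does: given its name and its `req_ca_rdn`/`nreqs` parameters, which are the retrieve-callback's list of acceptable issuer DNs, it logs the CA names the server advertised in its CertificateRequest and does not verify anything, and the two `@param[in]` entries carry no description at all. Suggest `@brief Log the issuer DNs the server will accept for a client certificate`, `@param[in] req_ca_rdn DNs of acceptable CAs from the server's CertificateRequest` and `@param[in] nreqs Number of entries in req_ca_rdn`. The same empty `@param` entries recur on `tlshd_x509_retrieve_key_cb` in this hunk; Doxygen warns on each. The body of `tlshd_x509_log_issuers` is outside the hunk, so the wording above is hedged on the callback's documented semantics.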
@@ -204,10 +286,6 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) * gnutls/doc/examples/ex-cert-select.c. * * Sketched-in and untested. - * - * Return values: - * %0: Success; output parameters are set accordingly - * %-1: Failure */ static int tlshd_x509_retrieve_key_cb(gnutls_session_t session, @@ -256,13 +334,12 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t session, } /** - * tlshd_client_x509_verify_function - Verify remote's x.509 certificate - * @session: session in the midst of a handshake - * @parms: handshake parameters + * @brief Verify the remote peer's x.509 certificate + * @param[in] session session in the midst of a handshake + * @param[in] parms Handshake parameters * - * Return values: - * %GNUTLS_E_SUCCESS: Incoming certificate has been successfully verified - * %GNUTLS_E_CERTIFICATE_ERROR: certificate verification failed + * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified + * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed */ static int tlshd_client_x509_verify_function(gnutls_session_t session, struct tlshd_handshake_parms *parms) @@ -313,6 +390,13 @@ static int tlshd_client_x509_verify_function(gnutls_session_t session, return GNUTLS_E_SUCCESS; } +/** + * @brief Verify the remote peer's x.509 certificate (TLSv1.3) + * @param[in] session session in the midst of a handshake + * + * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified + * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed + */ static int tlshd_tls13_client_x509_verify_function(gnutls_session_t session) { struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session); 
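Review bot: `tlshd_x509_retrieve_key_cb` keeps the line "Sketched-in and untested" inside a `/** ... */` block that this series now publishes on the generated documentation site; for the callback that selects which client certificate and private key are presented, that is a statement readers will take at face value. Either convert it into a tracked item, e.g. `@warning Not exercised by the test suite; verify before relying on client-certificate selection.`, or remove it if the code has since been tested. The surrounding function bodies are outside this hunk.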
@@ -320,6 +404,10 @@ static int tlshd_tls13_client_x509_verify_function(gnutls_session_t session) return tlshd_client_x509_verify_function(session, parms); } +/** + * @brief Initiate an x.509-based TLS handshake with a client certificate + * @param[in] parms Handshake parameters + */ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parms) { gnutls_certificate_credentials_t xcred; @@ -384,6 +472,11 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm gnutls_certificate_free_credentials(xcred); } +/** + * @brief Initiate one PSK-based handshake + * @param[in] parms Handshake parameters + * @param[in] peerid Serial number of local peer ID to present + */ static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *parms, key_serial_t peerid) { @@ -475,6 +568,10 @@ static void tlshd_tls13_client_psk_handshake_one(struct tlshd_handshake_parms *p free(identity); } +/** + * @brief Initiate an PSK-based TLS handshake + * @param[in] parms Handshake parameters + */ static void tlshd_tls13_client_psk_handshake(struct tlshd_handshake_parms *parms) { key_serial_t peerid; @@ -498,9 +595,8 @@ static void tlshd_tls13_client_psk_handshake(struct tlshd_handshake_parms *parms } /** - * tlshd_tls13_clienthello_handshake - send a TLSv1.3 ClientHello - * @parms: handshake parameters - * + * @brief Send a TLSv1.3 ClientHello + * @param[in] parms Handshake parameters */ void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms) { 
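Review bot: `@brief Initiate an PSK-based TLS handshake` on `tlshd_tls13_client_psk_handshake` should read `@brief Initiate a PSK-based TLS handshake`. While here, `@param[in] peerid Serial number of local peer ID to present` on `tlshd_tls13_client_psk_handshake_one` appears to be the keyring serial of the PSK entry, so `Keyring serial of the PSK identity to present` would be more precise; the keyring lookup itself is outside the hunk, so confirm before changing.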
@@ -521,6 +617,13 @@ void tlshd_tls13_clienthello_handshake(struct tlshd_handshake_parms *parms) } #ifdef HAVE_GNUTLS_QUIC +/** + * @brief Verify the remote peer's x.509 certificate (QUIC) + * @param[in] session session in the midst of a handshake + * + * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified + * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed + */ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session) { struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session); @@ -530,6 +633,10 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session) #define TLSHD_QUIC_NO_CERT_AUTH 3 +/** + * @brief Prepare a session for a QUIC client handshake using an x.509 cert + * @param[in] conn + */ static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) { struct tlshd_handshake_parms *parms = conn->parms; @@ -593,12 +700,20 @@ static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn) tlshd_log_gnutls_error(ret); } +/** + * @brief Prepare a session for a QUIC client handshake using no authentication + * @param[in] conn + */ static void tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn) { conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH; tlshd_quic_client_set_x509_session(conn); } +/** + * @brief Prepare a session for a QUIC client handshake using a pre-shared key + * @param[in] conn + */ static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) { key_serial_t peerid = g_array_index(conn->parms->peerids, key_serial_t, 0); @@ -642,9 +757,8 @@ static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn) } /** - * tlshd_quic_clienthello_handshake - send a QUIC Client Initial - * @parms: handshake parameters - * + * @brief Send a QUIC Client Initial + * @param[in] parms Handshake parameters */ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms) { 
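Review bot: The brief on `tlshd_quic_client_set_anon_session` says "using no authentication", but the code sets `conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH` and runs the x.509 session setup, i.e. it omits only the client certificate, which is exactly how the TLS 1.3 counterpart is documented earlier in this patch ("x.509-based TLS handshake without a client certificate"); "no authentication" will read to a deployer as "server not verified". Suggest `@brief Prepare a session for a QUIC client handshake without a client certificate`. The three `@param[in] conn` entries in this hunk have no description; `@param[in] conn QUIC connection whose GnuTLS session is stored in conn->session on success` would silence Doxygen and tell the reader where the result lands.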
@@ -680,6 +794,10 @@ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms) tlshd_quic_conn_destroy(conn); } #else +/** + * @brief Send a QUIC Client Initial + * @param[in] parms Handshake parameters + */ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms) { tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode); From c20ced5da6ca74342b3c867d989a4e1c25e9aecb Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 05/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/config.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in config.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/config.c | 152 ++++++++++++++++++++++++++------------------- 1 file changed, 88 insertions(+), 64 deletions(-) diff --git a/src/tlshd/config.c b/src/tlshd/config.c index bf57df1..1afe1ff 100644 --- a/src/tlshd/config.c +++ b/src/tlshd/config.c @@ -1,6 +1,10 @@ +/** + * @file config.c + * @brief Parse tlshd's config file + */ + /* - * Parse tlshd's config file. - * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. * * ktls-utils is free software; you can redistribute it and/or 
@@ -44,16 +48,20 @@ #include "tlshd.h" +/** + * @var GKeyFile *tlshd_configuration + * In-memory parsed config file + */ static GKeyFile *tlshd_configuration; /** - * tlshd_config_init - Read tlshd's config file - * @pathname: Pathname to config file - * @legacy: Don't generate an error if the config file doesn't exist + * @brief Parse tlshd's config file + * @param[in] pathname Pathname to config file + * @param[in] legacy Don't generate an error if the specified + * config file doesn't exist * - * Return values: - * %true: Config file read successfully - * %false: Unable to read config file + * @retval true Config file parsed successfully + * @retval false Unable to read config file */ bool tlshd_config_init(const gchar *pathname, bool legacy) { 
@@ -111,26 +119,49 @@ bool tlshd_config_init(const gchar *pathname, bool legacy) return true; } +/** + * @brief Release parsed config file data + */ void tlshd_config_shutdown(void) { g_key_file_free(tlshd_configuration); } /** - * ALLPERMS exists in glibc, but not on musl, so we manually - * define TLSHD_ACCESSPERMS instead of using ALLPERMS. + * @def TLSHD_ACCESSPERMS + * @brief ALLPERMS exists in glibc, but not on musl, so we manually + * define TLSHD_ACCESSPERMS instead of using ALLPERMS. */ #define TLSHD_ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO) -/* - * Expected file attributes +/** + * @def TLSHD_OWNER + * @brief Expected owner of certificate and private key files */ #define TLSHD_OWNER 0 /* root */ + +/** + * @def TLSHD_CERT_MODE + * @brief Expected mode of certificate files + */ #define TLSHD_CERT_MODE (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) + +/** + * @def TLSHD_PRIVKEY_MODE + * @brief Expected mode of private key files + */ #define TLSHD_PRIVKEY_MODE (S_IRUSR|S_IWUSR) -/* - * On success, caller must release buffer returned in @data by calling free(3) +/** + * @brief Read one configuration file + * @param[in] pathname Pathname to file that is to be read + * @param[out] data Buffer containing all file content + * @param[in] owner Expected owner of file + * @param[in] mode Expected mode of file + * + * @retval true File content retrieved successfully. Caller must + * release "data->data" by calling free(3) + * @retval false File content not retrieved */ static bool tlshd_config_read_datum(const char *pathname, gnutls_datum_t *data, uid_t owner, mode_t mode) 
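Review bot: In hunk `@@ -111,26 +119,49 @@` the `@brief` for TLSHD_ACCESSPERMS describes why the macro exists rather than what it is, so the generated summary line will read "ALLPERMS exists in glibc, but not on musl...". A short brief such as `@brief Mask of all permission bits (portable replacement for ALLPERMS)` with the glibc/musl rationale moved into the detailed description below it would read better in the index. The remaining macro briefs in this hunk (expected owner and expected modes, which tlshd_config_read_datum enforces) already follow that shape.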
@@ -189,13 +220,13 @@ static bool tlshd_config_read_datum(const char *pathname, gnutls_datum_t *data, } /** - * tlshd_config_get_truststore - Get truststore for {Client,Server}Hello from .conf - * @peer_type: IN: peer type - * @bundle: OUT: pathname to truststore + * @brief Get truststore to use for {Client,Server}Hello + * @param[in] peer_type peer type + * @param[out] bundle pathname to truststore * - * Return values: - * %false: pathname not retrieved - * %true: pathname retrieved successfully; caller must free @bundle using free(3) + * @retval true Trust store retrieved successfully. Caller must free + * "*bundle" using free(3) + * @retval false Trust store not retrieved */ bool tlshd_config_get_truststore(int peer_type, char **bundle) { @@ -226,13 +257,13 @@ bool tlshd_config_get_truststore(int peer_type, char **bundle) } /** - * tlshd_config_get_crl - Get CRL for {Client,Server}Hello from .conf - * @peer_type: IN: peer type - * @result: OUT: pathname to CRL + * @brief Get CRL for {Client,Server}Hello from .conf + * @param[in] peer_type peer type + * @param[out] result pathname to CRL * - * Return values: - * %false: pathname not retrieved - * %true: pathname retrieved successfully; caller must free @result using free(3) + * @retval true CRL retrieved successfully. Caller must free + * "*result" using free(3) + * @retval false CRL not retrieved */ bool tlshd_config_get_crl(int peer_type, char **result) { 
@@ -308,16 +339,14 @@ static bool tlshd_cert_check_pk_alg(__attribute__ ((unused)) gnutls_datum_t *dat #endif /* HAVE_GNUTLS_MLDSA */ /** - * __tlshd_config_get_certs - Helper for tlshd_config_get_certs() - * @peer_type: IN: peer type - * @certs: OUT: in-memory certificates - * @certs_len: IN: maximum number of certs to get, OUT: number of certs found - * @pkgalg: IN: if non-NULL, indicates we want to retrieve the PQ cert, - * OUT: if non-NULL, store the PQ public-key alg that was used in the PQ cert + * @brief Helper for tlshd_config_get_certs() + * @param[in] peer_type peer type + * @param[out] certs in-memory certificates + * @param[in,out] certs_len maximum number of certs to get, number of certs found + * @param[out] pkalg buffer for returning PQ algorithm * - * Return values: - * %true: certificate retrieved successfully - * %false: certificate not retrieved + * @retval true Certificate(s) retrieved successfully + * @retval false Certificate(s) not retrieved */ static bool __tlshd_config_get_certs(int peer_type, gnutls_pcert_st *certs, unsigned int *certs_len, 
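Review bot: The rewritten `@param[out] pkalg buffer for returning PQ algorithm` in hunk `@@ -308,16 +339,14 @@` drops the input role the removed text documented: a non-NULL pointer is what selects retrieval of the PQ certificate rather than the RSA one. That selector behaviour is not recoverable from an `[out]` annotation, so a caller reading only the generated docs would not know how to ask for the PQ cert; `@param[in,out] pkalg If non-NULL, retrieve the PQ cert and store its public-key algorithm here` preserves both halves. The parameter is also renamed from "pkgalg" to "pkalg" in the comment; the signature continues outside this hunk, so please confirm the name matches the actual declaration or Doxygen will warn about an undocumented parameter.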
@@ -372,21 +401,20 @@ static bool __tlshd_config_get_certs(int peer_type, gnutls_pcert_st *certs, } /** - * tlshd_config_get_certs - Get certs for {Client,Server} Hello from .conf - * @peer_type: IN: peer type - * @certs: OUT: in-memory certificates - * @pq_certs_len: IN: maximum number of PQ certs to get, OUT: number of PQ certs found - * @certs_len: IN: maximum number of certs to get, OUT: number of certs found - * @pkgalg: OUT: the PQ public-key alg that was used in the PQ cert + * @brief Get certs for {Client,Server} Hello + * @param[in] peer_type peer type + * @param[out] certs in-memory certificates + * @param[in,out] pq_certs_len maximum number of PQ certs to get, number of PQ certs found + * @param[in,out] certs_len maximum number of certs to get, number of certs found + * @param[out] pkalg the PQ public-key alg that was used in the PQ cert * - * Retrieve the PQ cert(s) first, then the RSA cert(s). Both are stored in the - * same list. Note that @pq_certs_len is deducted from the available @certs_len - * and is also used to determine the offset to store the RSA cert(s) in the - * @certs array. + * Retrieve the PQ cert(s) first, then the RSA cert(s). Both are + * stored in the same list. Note that "pq_certs_len" is deducted + * from the available "certs_len" and is also used to determine + * the offset to store the RSA cert(s) in the "certs array". * - * Return values: - * %true: certificate retrieved successfully - * %false: certificate not retrieved + * @retval true Certificate(s) retrieved successfully + * @retval false Certificate(s) not retrieved */ bool tlshd_config_get_certs(int peer_type, gnutls_pcert_st *certs, unsigned int *pq_certs_len, 
@@ -407,14 +435,13 @@ bool tlshd_config_get_certs(int peer_type, gnutls_pcert_st *certs, } /** - * __tlshd_config_get_privkey - Helper for tlshd_config_get_privkey() - * @peer_type: IN: peer type - * @privkey: OUT: in-memory private key - * @pq: IN: if true, retrieve the PQ private key + * @brief Helper for tlshd_config_get_privkey() + * @param[in] peer_type peer type + * @param[out] privkey in-memory private key + * @param[in] pq if true, retrieve the PQ private key * - * Return values: - * %true: private key retrieved successfully - * %false: private key not retrieved + * @retval true Private key retrieved successfully + * @retval false Private key not retrieved */ static bool __tlshd_config_get_privkey(int peer_type, gnutls_privkey_t *privkey, bool pq) { @@ -463,16 +490,13 @@ static bool __tlshd_config_get_privkey(int peer_type, gnutls_privkey_t *privkey, } /** - * tlshd_config_get_privkey - Get private key for {Client,Server}Hello from .conf - * @peer_type: IN: peer type - * @pq_privkey: OUT: in-memory PQ private key - * @privkey: OUT: in-memory private key - * - * Retrieve the PQ private key first, then the RSA private key. + * @brief Get private key for {Client,Server}Hello + * @param[in] peer_type peer type + * @param[out] pq_privkey in-memory PQ private key + * @param[out] privkey in-memory private key * - * Return values: - * %true: private key retrieved successfully - * %false: private key not retrieved + * @retval true Private key retrieved successfully + * @retval false Private key not retrieved */ bool tlshd_config_get_privkey(int peer_type, gnutls_privkey_t *pq_privkey, gnutls_privkey_t *privkey) From 63b0ba79bf480b70a8ba740ff9dcf9f2c02602de Mon Sep 17 00:00:00 2001 
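Review bot: Hunk `@@ -463,16 +490,13 @@` removes the sentence "Retrieve the PQ private key first, then the RSA private key." from tlshd_config_get_privkey without replacing it, while the sibling tlshd_config_get_certs keeps its equivalent ordering paragraph. If the order still matters for callers that pass both `pq_privkey` and `privkey`, keep it as a detailed-description line after the `@param` entries, e.g. `The PQ private key is retrieved before the RSA private key.`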
From: Chuck Lever Date: Wed, 24 Sep 2025 13:49:11 -0400 Subject: [PATCH 06/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/handshake.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in handshake.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/handshake.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/src/tlshd/handshake.c b/src/tlshd/handshake.c index f688932..07a37d9 100644 --- a/src/tlshd/handshake.c +++ b/src/tlshd/handshake.c @@ -1,9 +1,13 @@ -/* - * Service a request for a TLS handshake on behalf of an - * in-kernel TLS consumer. +/** + * @file handshake.c + * @brief Service a request for a TLS handshake on behalf of an + * in-kernel TLS consumer * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -43,6 +47,11 @@ #include "tlshd.h" #include "netlink.h" +/** + * @brief Toggle the use of the Nagle algorithm + * @param[in] session TLS session to modify + * @param[in] val new setting + */ static void tlshd_set_nagle(gnutls_session_t session, int val) { int ret; @@ -53,6 +62,11 @@ static void tlshd_set_nagle(gnutls_session_t session, int val) tlshd_log_perror("setsockopt (NODELAY)"); } +/** + * @brief Retrieve the current Nagle algorithm setting + * @param[in] session TLS session to modify + * @param[out] saved where to save the current setting + */ static void tlshd_save_nagle(gnutls_session_t session, int *saved) { socklen_t len; 
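Review bot: The new comment on tlshd_save_nagle in hunk `@@ -53,6 +62,11 @@` says `@param[in] session TLS session to modify`, but the function only reads the current setting into `saved` (the brief itself says "Retrieve"); the phrase looks copied from tlshd_set_nagle. `@param[in] session TLS session to query` avoids telling readers the save helper has a side effect it does not appear to have. The body of tlshd_save_nagle continues outside the hunk, so this is based on the brief and the `saved` out-parameter.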
@@ -72,10 +86,9 @@ static void tlshd_save_nagle(gnutls_session_t session, int *saved) } /** - * tlshd_start_tls_handshake - Drive the handshake interaction - * @session: TLS session to initialize - * @parms: handshake parameters - * + * @brief Kick off a handshake interaction + * @param[in] session TLS session to initialize + * @param[in] parms Handshake parameters */ void tlshd_start_tls_handshake(gnutls_session_t session, struct tlshd_handshake_parms *parms) @@ -115,8 +128,7 @@ void tlshd_start_tls_handshake(gnutls_session_t session, } /** - * tlshd_service_socket - Service a kernel socket needing a key operation - * + * @brief Service a kernel socket needing a handshake operation */ void tlshd_service_socket(void) { From a536ccf325c621e4914711aed9001b175b516020 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 07/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/keyring.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in keyring.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/keyring.c | 79 +++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/src/tlshd/keyring.c b/src/tlshd/keyring.c index 32f2d27..fb2024c 100644 --- a/src/tlshd/keyring.c +++ b/src/tlshd/keyring.c @@ -1,8 +1,12 @@ -/* - * Scrape authentication information from kernel keyring. +/** + * @file keyring.c + * @brief Linux keyring management * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. 
@@ -40,15 +44,14 @@ #include "tlshd.h" /** - * tlshd_keyring_get_psk_username - Retrieve username for PSK handshake - * @serial: Key serial number to look up - * @username: On success, filled in with NUL-terminated user name + * @brief Retrieve username for PSK handshake + * @param[in] serial Key serial number to look up + * @param[out] username Filled in with NUL-terminated user name * - * Caller must use gnutls_free() to free @username when finished. + * Caller must use gnutls_free() to free "username" when finished. * - * Return values: - * %true: Success; @username has been initialized - * %false: Failure + * @retval true Success; "username" has been initialized + * @retval false Failure */ bool tlshd_keyring_get_psk_username(key_serial_t serial, char **username) { @@ -80,15 +83,14 @@ bool tlshd_keyring_get_psk_username(key_serial_t serial, char **username) } /** - * tlshd_keyring_get_psk_key - Retrieve pre-shared key for PSK handshake - * @serial: Key serial number to look up - * @key: On success, filled in with pre-shared key + * @brief Retrieve pre-shared key for PSK handshake + * @param[in] serial Key serial number to look up + * @param[out] key Filled in with pre-shared key * - * Caller must use free() to free @key->data when finished. + * Caller must use free() to free "key->data" when finished. * - * Return values: - * %true: Success; @key has been initialized - * %false: Failure + * @retval true Success; "key" has been initialized + * @retval false Failure */ bool tlshd_keyring_get_psk_key(key_serial_t serial, gnutls_datum_t *key) { 
@@ -111,15 +113,14 @@ bool tlshd_keyring_get_psk_key(key_serial_t serial, gnutls_datum_t *key) } /** - * tlshd_keyring_get_privkey - Retrieve privkey for x.509 handshake - * @serial: Key serial number to look up - * @privkey: On success, filled in with a private key + * @brief Retrieve privkey for x.509 handshake + * @param[in] serial Key serial number to look up + * @param[out] privkey Filled in with a private key * - * Caller must use gnutls_privkey_deinit() to free @privkey when finished. + * Caller must use gnutls_privkey_deinit() to free "privkey" when finished. * - * Return values: - * %true: Success; @privkey has been initialized - * %false: Failure + * @retval true Success; "privkey" has been initialized + * @retval false Failure */ bool tlshd_keyring_get_privkey(key_serial_t serial, gnutls_privkey_t *privkey) { @@ -157,16 +158,15 @@ bool tlshd_keyring_get_privkey(key_serial_t serial, gnutls_privkey_t *privkey) } /** - * tlshd_keyring_get_certs - Retrieve certs for x.509 handshake - * @serial: Key serial number to look up - * @certs: On success, filled in with certificates - * @certs_len: IN: maximum number of certs to get, OUT: number of certs found + * @brief Retrieve certs for x.509 handshake + * @param[in] serial Key serial number to look up + * @param[out] certs On success, filled in with certificates + * @param[in,out] certs_len Maximum number of certs to get, number of certs found * - * Caller must use gnutls_pcert_deinit() to free @cert when finished. + * Caller must use gnutls_pcert_deinit() to free "cert" when finished. * - * Return values: - * %true: Success; @cert has been initialized - * %false: Failure + * @retval true Success; "cert" has been initialized + * @retval false Failure */ bool tlshd_keyring_get_certs(key_serial_t serial, gnutls_pcert_st *certs, unsigned int *certs_len) 
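Review bot: In hunk `@@ -157,16 +158,15 @@` the detailed text and `@retval true` for tlshd_keyring_get_certs still refer to "cert" while the parameter is `certs`; the kernel-doc original had the same mismatch, but since this commit is rewriting the block it is the right moment to fix it. Suggested lines: `Caller must use gnutls_pcert_deinit() to free each entry in "certs" when finished.` and `@retval true Success; "certs" and "certs_len" have been initialized`, which also reflects that `certs_len` is documented as `[in,out]`.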
@@ -205,11 +205,11 @@ bool tlshd_keyring_get_certs(key_serial_t serial, gnutls_pcert_st *certs, } /** - * tlshd_keyring_create_cert - Create key containing peer's certificate - * @cert: Initialized x.509 certificate - * @peername: hostname of the remote peer + * @brief Create key containing peer's certificate + * @param[in] cert Initialized x.509 certificate + * @param[in] peername Hostname of the remote peer * - * Returns a positive key serial number on success; otherwise + * @returns a positive key serial number on success; otherwise * TLS_NO_PEERID. */ key_serial_t tlshd_keyring_create_cert(gnutls_x509_crt_t cert, @@ -246,10 +246,11 @@ key_serial_t tlshd_keyring_create_cert(gnutls_x509_crt_t cert, } /** - * tlshd_keyring_link_session - Link a keyring into the session keyring - * @keyring: keyring to be linked + * @brief Link a keyring into the session keyring + * @param[in] keyring keyring to be linked * - * Returns 0 on success and -1 on error. + * @retval 0 Success + * @retval -1 Failure */ int tlshd_keyring_link_session(const char *keyring) { From 27c9eddc85395d53aca607edfd289ada10b404bb Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 08/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/ktls.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in ktls.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/ktls.c | 118 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 102 insertions(+), 16 deletions(-) diff --git a/src/tlshd/ktls.c b/src/tlshd/ktls.c index bc75313..d87a3e8 100644 --- a/src/tlshd/ktls.c +++ b/src/tlshd/ktls.c 
@@ -1,9 +1,13 @@ -/* - * Initialize a kTLS socket. In some cases initialization might - * be handled by the TLS library. +/** + * @file ktls.c + * @brief Initialize a kTLS socket. In some cases initialization might + * be handled by the TLS library * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -42,6 +46,13 @@ #include "tlshd.h" #include "netlink.h" +/** + * @brief Concatenate two NUL-terminated C strings + * @param[in] str1 left-hand string + * @param[in] str2 right-hand string + * + * @returns "str1" followed by "str2" + */ static char *tlshd_string_concat(char *str1, const char *str2) { size_t len = 0; @@ -69,6 +80,14 @@ static char *tlshd_string_concat(char *str1, const char *str2) } #ifdef HAVE_GNUTLS_TRANSPORT_IS_KTLS_ENABLED +/** + * @brief Determine if a session is kTLS-enabled + * @param[in] session An established TLS session + * @param[in] read Which side of the duplex to check + * + * @retval true The session is prepared to use kTLS + * @retval false The session is not prepared to use kTLS + */ static bool tlshd_is_ktls_enabled(gnutls_session_t session, unsigned read) { int ret; @@ -90,6 +109,14 @@ static bool tlshd_is_ktls_enabled(gnutls_session_t session, unsigned read) } #else +/** + * @brief Determine if a session is kTLS-enabled + * @param[in] session An established TLS session + * @param[in] read Which side of the duplex to check + * + * @retval true The session is prepared to use kTLS + * @retval false The session is not prepared to use kTLS + */ static bool tlshd_is_ktls_enabled(__attribute__ ((unused)) gnutls_session_t session, __attribute__ ((unused)) unsigned read) { 
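Review bot: The new comment for tlshd_string_concat in hunk `@@ -42,6 +46,13 @@` documents the result as `"str1" followed by "str2"` but says nothing about ownership, which is the thing a caller of a `char *`-returning helper most needs. The `size_t len = 0;` at the hunk boundary suggests the function measures and allocates, so presumably the result must be released with free(3) and `str1` may be consumed or freed; please confirm against the body, which continues outside the hunk, and state it, e.g. `@returns A newly allocated NUL-terminated string; caller must free(3) it` plus a note on whether `str1` is still valid afterwards. The `str1` parameter is non-const while `str2` is const, which hints at the same ownership asymmetry.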
@@ -97,6 +124,16 @@ static bool tlshd_is_ktls_enabled(__attribute__ ((unused)) gnutls_session_t sess } #endif +/** + * @brief Call setsockopt(3), with error logging + * @param[in] sock An open socket descriptor + * @param[in] read Read or write side + * @param[in] info The value to set + * @param[in] infolen The size of "info", in bytes + * + * @retval true The option was set successfully + * @retval false The option was not set + */ static bool tlshd_setsockopt(int sock, unsigned read, const void *info, socklen_t infolen) { @@ -123,6 +160,15 @@ static bool tlshd_setsockopt(int sock, unsigned read, const void *info, } #if defined(TLS_CIPHER_AES_GCM_128) +/** + * @brief Configure TLS session for AES-GCM-128 encryption + * @param[in] session An established TLS session + * @param[in] sock An open socket descriptor + * @param[in] read Read or write side + * + * @retval true The session was configured successfully + * @retval false The session was not configured + */ static bool tlshd_set_aes_gcm128_info(gnutls_session_t session, int sock, unsigned read) { @@ -162,6 +208,15 @@ static bool tlshd_set_aes_gcm128_info(gnutls_session_t session, int sock, #endif #if defined(TLS_CIPHER_AES_GCM_256) +/** + * @brief Configure TLS session for AES-GCM-256 encryption + * @param[in] session An established TLS session + * @param[in] sock An open socket descriptor + * @param[in] read Read or write side + * + * @retval true The session was configured successfully + * @retval false The session was not configured + */ static bool tlshd_set_aes_gcm256_info(gnutls_session_t session, int sock, unsigned read) { 
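Review bot: The brief added for tlshd_setsockopt in hunk `@@ -97,6 +124,16 @@` cites `setsockopt(3)`; on Linux this is a system call documented in section 2, so `setsockopt(2)` is the conventional reference (the POSIX page is setsockopt(3p)). The rest of the file's man-page references, such as free(3) and getaddrinfo(3), are correct, so this is the only one to adjust.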
@@ -201,6 +256,15 @@ static bool tlshd_set_aes_gcm256_info(gnutls_session_t session, int sock, #endif #if defined(TLS_CIPHER_AES_CCM_128) +/** + * @brief Configure TLS session for AES-CCM-128 encryption + * @param[in] session An established TLS session + * @param[in] sock An open socket descriptor + * @param[in] read Read or write side + * + * @retval true The session was configured successfully + * @retval false The session was not configured + */ static bool tlshd_set_aes_ccm128_info(gnutls_session_t session, int sock, unsigned read) { @@ -240,6 +304,15 @@ static bool tlshd_set_aes_ccm128_info(gnutls_session_t session, int sock, #endif #if defined(TLS_CIPHER_CHACHA20_POLY1305) +/** + * @brief Configure TLS session for ChaCha-Poly1305 encryption + * @param[in] session An established TLS session + * @param[in] sock An open socket descriptor + * @param[in] read Read or write side + * + * @retval true The session was configured successfully + * @retval false The session was not configured + */ static bool tlshd_set_chacha20_poly1305_info(gnutls_session_t session, int sock, unsigned read) { @@ -275,10 +348,10 @@ static bool tlshd_set_chacha20_poly1305_info(gnutls_session_t session, int sock, #endif /** - * tlshd_initialize_ktls - Initialize socket for use by kTLS - * @session: TLS session descriptor + * @brief Initialize a socket for use by kTLS + * @param[in] session TLS session descriptor * - * Returns zero on success, or a positive errno value. + * @returns zero on success, or a positive errno value. */ unsigned int tlshd_initialize_ktls(gnutls_session_t session) { 
@@ -320,6 +393,13 @@ unsigned int tlshd_initialize_ktls(gnutls_session_t session) return EIO; } +/** + * @brief Concatenate a cipher name to a string + * @param[in] pstring NUL-terminated C string + * @param[in] cipher GnuTLS cipher number + * + * @retval A NUL-terminated C string; caller must free the string with free(3) + */ static char *tlshd_cipher_string_emit(char *pstring, unsigned int cipher) { switch (cipher) { @@ -350,6 +430,13 @@ static gnutls_priority_t tlshd_gnutls_priority_psk; static gnutls_priority_t tlshd_gnutls_priority_psk_sha256; static gnutls_priority_t tlshd_gnutls_priority_psk_sha384; +/** + * @brief Initialize GnuTLS priority caches + * @param[in] ciphers Array of GnuTLS cipher numbers + * @param[in] cipher_count count of elements in "ciphers" + * + * @retval Zero on success; a negative errno if a failure occurred. + */ static int tlshd_gnutls_priority_init_list(const unsigned int *ciphers, int cipher_count) { @@ -502,9 +589,9 @@ static int tlshd_gnutls_priority_init_list(const unsigned int *ciphers, } /** - * tlshd_gnutls_priority_init - Initialize GnuTLS priority caches + * @brief Initialize GnuTLS priority caches * - * Returns zero on success, or a negative errno value if a failure + * @returns zero on success, or a negative errno value if a failure * occurred. */ int tlshd_gnutls_priority_init(void) 
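Review bot: Both tlshd_cipher_string_emit (hunk `@@ -320,6 +393,13 @@`) and tlshd_gnutls_priority_init_list (hunk `@@ -350,6 +430,13 @@`) use `@retval` with a prose description instead of a value; Doxygen treats the first word as the return value, so the output will list a return value literally named "A" and "Zero". Use `@returns` for these, e.g. `@returns A NUL-terminated C string; caller must free the string with free(3)` and `@returns Zero on success; a negative errno if a failure occurred`, as the other functions in this patch already do. For tlshd_cipher_string_emit it would also help to say whether `pstring` is consumed or must remain valid, since the body is outside the hunk and the name suggests an append-and-replace pattern.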
@@ -536,12 +623,12 @@ int tlshd_gnutls_priority_init(void) } /** - * tlshd_gnutls_priority_set - Initialize priorities per-session - * @session: session to initialize - * @parms: handshake parameters - * @psk_len: size of pre-shared key in bytes, or zero + * @brief Select GnuTLS priority cache to use for "session" + * @param[in] session Session to initialize + * @param[in] parms Handshake parameters + * @param[in] psk_len Size of pre-shared key in bytes, or zero * - * Returns GNUTLS_E_SUCCESS on success, otherwise an error code. + * @returns GNUTLS_E_SUCCESS on success, otherwise an error code. */ int tlshd_gnutls_priority_set(gnutls_session_t session, const struct tlshd_handshake_parms *parms, @@ -562,8 +649,7 @@ int tlshd_gnutls_priority_set(gnutls_session_t session, } /** - * tlshd_gnutls_priority_deinit - Free GnuTLS priority caches - * + * @brief Free GnuTLS priority caches */ void tlshd_gnutls_priority_deinit(void) { From ff28f1fcea85e5d7980c814a97359566c11916aa Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 09/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/log.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in log.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. --- src/tlshd/log.c | 102 +++++++++++++++++++++++++----------------------- 1 file changed, 53 insertions(+), 49 deletions(-) diff --git a/src/tlshd/log.c b/src/tlshd/log.c index ad39d36..b70d4af 100644 --- a/src/tlshd/log.c +++ b/src/tlshd/log.c 
@@ -1,8 +1,12 @@ -/* - * Record audit and debugging information in the system log. +/** + * @file log.c + * @brief Record audit and debugging information in the system log * + * @copyright * Copyright (c) 2022 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -40,14 +44,27 @@ #include "tlshd.h" +/** + * @var int tlshd_debug + * Global debug verbosity setting + */ int tlshd_debug; + +/** + * @var int tlshd_tls_debug + * Global debug verbosity setting for TLS library calls + */ int tlshd_tls_debug; + +/** + * @var int tlshd_stderr + * Global setting to output on stderr as well as syslog + */ int tlshd_stderr; /** - * tlshd_log_completion - Emit completion notification - * @parms: handshake parameters - * + * @brief Emit completion notification + * @param[in] parms Handshake parameters */ void tlshd_log_completion(struct tlshd_handshake_parms *parms) { @@ -69,9 +86,8 @@ void tlshd_log_completion(struct tlshd_handshake_parms *parms) } /** - * tlshd_log_debug - Emit a debugging notification - * @fmt - printf-style format string - * + * @brief Emit a debugging notification + * @param[in] fmt printf-style format string */ void tlshd_log_debug(const char *fmt, ...) { @@ -86,9 +102,8 @@ void tlshd_log_debug(const char *fmt, ...) } /** - * tlshd_log_error - Emit a generic error notification - * @fmt - printf-style format string - * + * @brief Emit a generic error notification + * @param[in] fmt printf-style format string */ void tlshd_log_error(const char *fmt, ...) { @@ -100,9 +115,8 @@ void tlshd_log_error(const char *fmt, ...) } /** - * tlshd_log_notice - Emit a generic warning - * @fmt - printf-style format string - * + * @brief Emit a generic warning + * @param[in] fmt printf-style format string */ void tlshd_log_notice(const char *fmt, ...) { 
@@ -114,9 +128,8 @@ void tlshd_log_notice(const char *fmt, ...) } /** - * tlshd_log_perror - Emit "system call failed" notification - * @sap: remote address to log - * + * @brief Emit "system call failed" notification + * @param[in] prefix Identifier string */ void tlshd_log_perror(const char *prefix) { @@ -124,9 +137,8 @@ void tlshd_log_perror(const char *prefix) } /** - * tlshd_log_gai_error - Emit "getaddr/nameinfo failed" notification - * @error: error code returned by getaddrinfo(3) or getnameinfo(3) - * + * @brief Emit "getaddr/nameinfo failed" notification + * @param[in] error error code returned by getaddrinfo(3) or getnameinfo(3) */ void tlshd_log_gai_error(int error) { @@ -160,9 +172,8 @@ static const struct tlshd_cert_status_bit tlshd_cert_status_names[] = { }; /** - * tlshd_log_cert_verification_error - Report a failed certificate verification - * @session: Session with a failed handshake - * + * @brief Report a failed certificate verification + * @param[in] session Session with a failed handshake */ void tlshd_log_cert_verification_error(gnutls_session_t session) { @@ -178,9 +189,8 @@ void tlshd_log_cert_verification_error(gnutls_session_t session) } /** - * tlshd_log_gnutls_error - Emit "library call failed" notification - * @error: GnuTLS error code to log - * + * @brief Emit "library call failed" notification + * @param[in] error GnuTLS error code to log */ void tlshd_log_gnutls_error(int error) { @@ -188,10 +198,9 @@ void tlshd_log_gnutls_error(int error) } /** - * tlshd_gnutls_log_func - Library callback function to log a message - * @level: log level - * @msg: message to log - * + * @brief Library callback function to log a message + * @param[in] level Log level + * @param[in] msg Message to log */ void tlshd_gnutls_log_func(int level, const char *msg) { 
@@ -199,10 +208,9 @@ void tlshd_gnutls_log_func(int level, const char *msg) } /** - * tlshd_gnutls_audit_func - Library callback function to log an audit message - * @session: controlling GnuTLS session - * @msg: message to log - * + * @brief Library callback function to log an audit message + * @param[in] session Controlling GnuTLS session + * @param[in] msg Message to log */ void tlshd_gnutls_audit_func(__attribute__ ((unused)) gnutls_session_t session, const char *msg) @@ -211,10 +219,9 @@ void tlshd_gnutls_audit_func(__attribute__ ((unused)) gnutls_session_t session, } /** - * tlshd_log_gerror - Emit glib2 "library call failed" notification - * @msg: message to log - * @error: error information - * + * @brief Emit glib2 "library call failed" notification + * @param[in] msg Message to log + * @param[in] error Error information */ void tlshd_log_gerror(const char *msg, GError *error) { @@ -222,10 +229,9 @@ void tlshd_log_gerror(const char *msg, GError *error) } /** - * tlshd_log_nl_error - Log a netlink error - * @msg: message to log - * @err: error number - * + * @brief Log a netlink error + * @param[in] msg Message to log + * @param[in] err Error number */ void tlshd_log_nl_error(const char *msg, int err) { @@ -233,8 +239,8 @@ void tlshd_log_nl_error(const char *msg, int err) } /** - * tlshd_log_init - Initialize audit logging - * @progname: NUL-terminated string containing program name + * @brief Initialize audit logging + * @param[in] progname NUL-terminated string containing program name * */ void tlshd_log_init(const char *progname) @@ -250,8 +256,7 @@ void tlshd_log_init(const char *progname) } /** - * tlshd_log_shutdown - Log a tlshd shutdown notice - * + * @brief Log a tlshd shutdown notice */ void tlshd_log_shutdown(void) { @@ -259,8 +264,7 @@ void tlshd_log_shutdown(void) } /** - * tlshd_log_close - Release audit logging resources - * + * @brief Release audit logging resources */ void tlshd_log_close(void) { 
From fdbf96f814d568b77964c6730d7486c1c5594ccc Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Wed, 24 Sep 2025 13:55:36 -0400 Subject: [PATCH 10/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/main.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in main.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/main.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/src/tlshd/main.c b/src/tlshd/main.c index 00ba990..add3492 100644 --- a/src/tlshd/main.c +++ b/src/tlshd/main.c @@ -1,9 +1,13 @@ -/* - * Handle a request for a TLS handshake on behalf of an - * in-kernel TLS consumer. +/** + * @file main.c + * @brief Handle a request for a TLS handshake on behalf of an + * in-kernel TLS consumer * + * @copyright * Copyright (c) 2022 - 2023 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -56,11 +60,23 @@ static const struct option longopts[] = { { NULL, 0, NULL, 0 } }; -static void usage(const char *progname) +/** + * @brief Emit a program usage message on stderr + * @param[in] progname NUL-terminated C string containing program name + */ +static void usage(char *progname) { fprintf(stderr, "usage: %s [-chsv]\n", progname); } +/** + * @brief tlshd program entry point + * @param[in] argc Count of elements in "argv" + * @param[in] argv Command line parameters + * + * @retval EXIT_SUCCESS Program terminated normally + * @retval EXIT_FAILURE Program encountered an error + */ int main(int argc, char **argv) { static gchar config_file[PATH_MAX + 1]; 
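Review bot: The `const` qualifier is dropped from usage()'s parameter (`static void usage(char *progname)`) in a commit described as a comment-only conversion; progname is only passed to fprintf, so the prototype should stay `static void usage(const char *progname)`. If the qualifier was removed to match how main() passes `argv[0]`, that is unnecessary, since a `char *` converts implicitly to `const char *`. The remainder of main() lies outside the hunk.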
From c204e03548713bf34545d733f90f8e0b4b4785bb Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 11/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/netlink.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in netlink.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/netlink.c | 110 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 95 insertions(+), 15 deletions(-) diff --git a/src/tlshd/netlink.c b/src/tlshd/netlink.c index e59c945..25ade94 100644 --- a/src/tlshd/netlink.c +++ b/src/tlshd/netlink.c @@ -1,8 +1,12 @@ -/* - * Netlink operations for tlshd +/** + * @file netlink.c + * @brief Handle communication with the kernel via netlink * + * @copyright * Copyright (c) 2023 Oracle and/or its affiliates. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -51,8 +55,20 @@ #include "tlshd.h" #include "netlink.h" +/** + * @var unsigned int tlshd_delay_done + * Global number of seconds to delay each handshake completion + */ unsigned int tlshd_delay_done; +/** + * @brief Open a netlink socket + * @param [out] sock A netlink socket descriptor + * + * @retval 0 Success; caller must close "sock" with tlshd_genl_sock_close + * @retval ENOMEM Failed to allocate the socket + * @retval ENOLINK Failed to connect to the netlink service + */ static int tlshd_genl_sock_open(struct nl_sock **sock) { struct nl_sock *nls; 
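Review bot: The new comment on tlshd_genl_sock_open writes `@param [out] sock` with a space before the direction, while every other block in this series attaches it as `@param[out]`; the attached form is the one the Doxygen manual shows, so `@param[out] sock A netlink socket descriptor` keeps the generated output consistent. The error cases `@retval ENOMEM` and `@retval ENOLINK` describe a body that is outside the hunk, so I could not confirm them against the code.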
@@ -79,6 +95,10 @@ static int tlshd_genl_sock_open(struct nl_sock **sock) return ret; } +/** + * @brief Close a netlink socket + * @param[in] nls A netlink socket descriptor + */ static void tlshd_genl_sock_close(struct nl_sock *nls) { if (!nls) @@ -88,6 +108,10 @@ static void tlshd_genl_sock_close(struct nl_sock *nls) nl_socket_free(nls); } +/** + * @var struct nla_policy tlshd_accept_nl_policy + * Netlink policies for ACCEPT arguments + */ #if LIBNL_VER_NUM >= LIBNL_VER(3,5) static const struct nla_policy #else @@ -105,11 +129,33 @@ tlshd_accept_nl_policy[HANDSHAKE_A_ACCEPT_MAX + 1] = { [HANDSHAKE_A_ACCEPT_KEYRING] = { .type = NLA_U32, }, }; +/** + * @var struct nl_sock *tlshd_notification_nls + * Netlink socket on which notification events arrive + */ static struct nl_sock *tlshd_notification_nls; +/** + * @var sigset_t tlshd_sig_poll_mask + * Daemon's signal poll mask + */ static sigset_t tlshd_sig_poll_mask; + +/** + * @var int tlshd_sig_poll_fd + * Daemon's signal poll file descriptor + */ static int tlshd_sig_poll_fd; +/** + * @brief Process one netlink notification event + * @param[in] msg A netlink event to be handled + * @param[in] arg Additional arguments + * + * @retval NL_OK Proceed with the next message + * @retval NL_SKIP Skip this message. + * @retval NL_STOP Stop and discard remaining messages. + */ static int tlshd_genl_event_handler(struct nl_msg *msg, __attribute__ ((unused)) void *arg) { @@ -148,8 +194,7 @@ static int tlshd_genl_event_handler(struct nl_msg *msg, } /** - * tlshd_genl_dispatch - handle notification events - * + * @brief Handle notification events */ void tlshd_genl_dispatch(void) { 
@@ -231,6 +276,11 @@ void tlshd_genl_dispatch(void) tlshd_genl_sock_close(tlshd_notification_nls); } +/** + * @brief Extract the key serial number of the key with the remote peerid + * @param[in] parms Handshake parameters + * @param[in] head List of nlattrs to parse + */ static void tlshd_parse_peer_identity(struct tlshd_handshake_parms *parms, struct nlattr *head) { @@ -245,6 +295,10 @@ static void tlshd_parse_peer_identity(struct tlshd_handshake_parms *parms, g_array_append_val(parms->peerids, peerid); } +/** + * @var struct nla_policy tlshd_x509_nl_policy + * Netlink policies for x.509 key serial numbers + */ #if LIBNL_VER_NUM >= LIBNL_VER(3,5) static const struct nla_policy #else @@ -255,6 +309,11 @@ tlshd_x509_nl_policy[HANDSHAKE_A_X509_MAX + 1] = { [HANDSHAKE_A_X509_PRIVKEY] = { .type = NLA_U32, }, }; +/** + * @brief Extract the key serial number of the key with the cert / privkey + * @param[in] parms Handshake parameters + * @param[in] head List of nlattrs to parse + */ static void tlshd_parse_certificate(struct tlshd_handshake_parms *parms, struct nlattr *head) { @@ -277,6 +336,15 @@ static void tlshd_parse_certificate(struct tlshd_handshake_parms *parms, parms->x509_privkey = nla_get_s32(tb[HANDSHAKE_A_X509_PRIVKEY]); } +/** + * @brief Process an ACCESS argument + * @param[in] msg Message to be processed + * @param[out] arg Handshake parms to be filled in + * + * @retval NL_OK Proceed with the next message + * @retval NL_SKIP Skip this message. + * @retval NL_STOP Stop and discard remaining messages. + */ static int tlshd_genl_valid_handler(struct nl_msg *msg, void *arg) { struct nlattr *tb[HANDSHAKE_A_ACCEPT_MAX + 1]; 
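Review bot: The new brief on tlshd_genl_valid_handler reads `@brief Process an ACCESS argument`, but the attribute table declared on the next line is sized by HANDSHAKE_A_ACCEPT_MAX and the policy documented earlier in this file is tlshd_accept_nl_policy, so this looks like a typo for ACCEPT; suggest `@brief Process an ACCEPT argument`. The body of the handler is outside the hunk.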
@@ -363,6 +431,10 @@ static int tlshd_genl_valid_handler(struct nl_msg *msg, void *arg) return NL_SKIP; } +/** + * @var struct tlshd_handshake_parms tlshd_default_handshake_parms + * Starting parameter values for each handshake + */ static const struct tlshd_handshake_parms tlshd_default_handshake_parms = { .peername = NULL, .peeraddr = NULL, @@ -379,13 +451,15 @@ static const struct tlshd_handshake_parms tlshd_default_handshake_parms = { }; /** - * tlshd_genl_get_handshake_parms - Retrieve handshake parameters - * @parms: buffer to fill in with parameters + * @brief Retrieve handshake parameters + * @param[in] parms Buffer to fill in with parameters * - * Returns 0 if handshake parameters were retrieved successfully. + * Caller must release handshake resources by calling + * tlshd_genl_put_handshake_parms when finished. * + * @returns 0 if handshake parameters were retrieved successfully. * Otherwise a positive errno is returned, and the content of - * @parms is indeterminant. + * "parms" is indeterminant. */ int tlshd_genl_get_handshake_parms(struct tlshd_handshake_parms *parms) { @@ -460,9 +534,8 @@ int tlshd_genl_get_handshake_parms(struct tlshd_handshake_parms *parms) } /** - * tlshd_genl_put_handshake_parms - Release handshake resources - * @parms: handshake parameters to be released - * + * @brief Release handshake resources + * @param[in] parms Handshake parameters to be released */ void tlshd_genl_put_handshake_parms(struct tlshd_handshake_parms *parms) { @@ -474,6 +547,14 @@ void tlshd_genl_put_handshake_parms(struct tlshd_handshake_parms *parms) free(parms->peeraddr); } +/** + * @brief Format all remote peerid arguments + * @param[in] msg + * @param[in] parms Handshake parameters + * + * retval 0 Formatted all remote peerid arguments successfully + * retval -1 Failed to format + */ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg, struct tlshd_handshake_parms *parms) { 
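Review bot: tlshd_genl_get_handshake_parms documents its parameter as `@param[in] parms Buffer to fill in with parameters`, but the description itself and the note that "parms" is indeterminate on failure show the function writes to it, so the direction should be `@param[out] parms Buffer to fill in with parameters`. The added sentence about releasing with tlshd_genl_put_handshake_parms is a useful ownership note and matches the put function documented in the following hunk.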
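Review bot: In the block added for tlshd_genl_put_remote_peerids the two return-value lines are written as `retval 0 ...` and `retval -1 ...` without the leading `@`, so Doxygen renders them as plain text rather than as return values; they should read `@retval 0 Formatted all remote peerid arguments successfully` and `@retval -1 Failed to format`. The same block leaves `@param[in] msg` without a description, which Doxygen reports as an undocumented parameter when warnings are enabled; something like `@param[in,out] msg Netlink message to be filled in` would close that gap, though the body is outside the hunk so I could not confirm the direction.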
@@ -494,9 +575,8 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg, } /** - * tlshd_genl_done - Indicate handshake has completed successfully - * @parms: buffer filled in with parameters - * + * @brief Indicate handshake has completed successfully + * @param[in] parms Buffer filled in with parameters */ void tlshd_genl_done(struct tlshd_handshake_parms *parms) { From a2ca76e1358436225de9a787368660edba231fbb Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 12/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/quic.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in quic.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/quic.c | 180 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 166 insertions(+), 14 deletions(-) diff --git a/src/tlshd/quic.c b/src/tlshd/quic.c index 0e0852e..a9b096a 100644 --- a/src/tlshd/quic.c +++ b/src/tlshd/quic.c @@ -1,8 +1,12 @@ -/* - * Perform a QUIC server or client side handshake. +/** + * @file quic.c + * @brief Utility functions for QUIC handshakes * + * @copyright * Copyright (c) 2024 Red Hat, Inc. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -31,6 +35,10 @@ #include "tlshd.h" #ifdef HAVE_GNUTLS_QUIC +/** + * @brief Callback to handle a timer expiry + * @param[in,out] arg user data + */ static void quic_timer_handler(union sigval arg) { struct tlshd_quic_conn *conn = arg.sival_ptr; 
@@ -39,6 +47,13 @@ static void quic_timer_handler(union sigval arg) conn->errcode = ETIMEDOUT; } +/** + * @brief Set a handshake timer + * @param[in,out] conn QUIC handshake context + * + * @retval 0 Timer configured successfully + * @retval -1 Failed to configure timer + */ static int quic_conn_setup_timer(struct tlshd_quic_conn *conn) { uint64_t msec = conn->parms->timeout_ms; @@ -62,11 +77,21 @@ static int quic_conn_setup_timer(struct tlshd_quic_conn *conn) return 0; } +/** + * @brief Delete a handshake timer + * @param[in,out] conn QUIC handshake context + */ static void quic_conn_delete_timer(struct tlshd_quic_conn *conn) { timer_delete(conn->timer); } +/** + * @brief Convert a GnuTLS cipher number to a kTLS cipher number + * @param[in] cipher kTLS cipher number to be converted + * + * @returns a kTLS cipher number. + */ static uint32_t quic_get_tls_cipher_type(gnutls_cipher_algorithm_t cipher) { switch (cipher) { @@ -84,6 +109,12 @@ static uint32_t quic_get_tls_cipher_type(gnutls_cipher_algorithm_t cipher) } } +/** + * @brief Convert a GnuTLS encryption level number + * @param[in] level GnuTLS encryption level + * + * @returns a QUIC encryption level number. + */ static enum quic_crypto_level quic_get_crypto_level(gnutls_record_encryption_level_t level) { switch (level) { @@ -101,6 +132,17 @@ static enum quic_crypto_level quic_get_crypto_level(gnutls_record_encryption_lev } } +/** + * @brief Callback to process a new traffic secret + * @param[in,out] session GnuTLS session + * @param[in] level GnuTLS encryption level + * @param[in] rx_secret Receive secret, or NULL + * @param[in] tx_secret Transmit secret, or NULL + * @param[in] secretlen Length of secrets, in bytes + * + * @retval 0 Callback completed successfully + * @retval -1 Callback failed + */ static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_level_t level, const void *rx_secret, const void *tx_secret, size_t secretlen) { 
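Review bot: The parameter description on quic_get_tls_cipher_type contradicts its brief: the brief says it converts a GnuTLS cipher number to a kTLS one and the argument is a gnutls_cipher_algorithm_t, yet the line reads `@param[in] cipher kTLS cipher number to be converted`. It should say `@param[in] cipher GnuTLS cipher number to be converted`. The switch body is outside the hunk.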
@@ -150,6 +192,15 @@ static int quic_secret_func(gnutls_session_t session, gnutls_record_encryption_l return 0; } +/** + * @brief Callback to handle an outgoing alert + * @param[in,out] session GnuTLS session + * @param[in] level GnuTLS encryption level + * @param[in] alert_level TLS alert level number + * @param[in] alert_desc TLS alert description number + * + * @retval 0 Callback completed successfully + */ static int quic_alert_read_func(gnutls_session_t session, gnutls_record_encryption_level_t gtls_level, gnutls_alert_level_t alert_level, @@ -160,6 +211,15 @@ static int quic_alert_read_func(gnutls_session_t session, return 0; } +/** + * @brief Callback to receive handshake data + * @param[in,out] session GnuTLS session + * @param[in] buf Buffer containing received data + * @param[in] len Length of content in "buf", in bytes + * + * @retval 0 Callback completed successfully + * @retval -1 Callback failed + */ static int quic_tp_recv_func(gnutls_session_t session, const uint8_t *buf, size_t len) { struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session); @@ -172,6 +232,14 @@ static int quic_tp_recv_func(gnutls_session_t session, const uint8_t *buf, size_ return 0; } +/** + * @brief Callback to send handshake data + * @param[in,out] session GnuTLS session + * @param[in] buf Buffer to be filled in with data to send + * + * @retval 0 Callback completed successfully + * @retval -1 Callback failed + */ static int quic_tp_send_func(gnutls_session_t session, gnutls_buffer_t extdata) { struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session); 
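Review bot: The parameter names in the new comments on quic_alert_read_func and quic_tp_send_func do not match the signatures: the first documents `level` while the parameter is `gtls_level`, and the second documents `buf` while the parameter is `extdata` (a gnutls_buffer_t). Doxygen warns on each mismatch and shows the real parameters as undocumented; use `@param[in] gtls_level GnuTLS encryption level` and `@param[in,out] extdata Buffer to be filled in with data to send`. The send function's own description says the buffer is filled in, which suggests [in,out] is the better direction, though its body is outside the hunk.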
@@ -194,6 +262,17 @@ static int quic_tp_send_func(gnutls_session_t session, gnutls_buffer_t extdata) return 0; } +/** + * @brief Callback to handle an outgoing handshake message + * @param[in,out] session GnuTLS session + * @param[in] level GnuTLS encryption level + * @param[in] htype GnuTLS handshake description + * @param[in] data message to be processed + * @param[in] datalen length of "data" in bytes + * + * @retval 0 Callback completed successfully + * @retval -1 Callback failed + */ static int quic_read_func(gnutls_session_t session, gnutls_record_encryption_level_t level, gnutls_handshake_description_t htype, const void *data, size_t datalen) { @@ -224,9 +303,21 @@ static int quic_read_func(gnutls_session_t session, gnutls_record_encryption_lev return 0; } +/** + * @var char quic_priority + * Default GnuTLS priority string for QUIC connections + */ static char quic_priority[] = "%DISABLE_TLS13_COMPAT_MODE:NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+"; +/** + * @brief Set the GnuTLS priority string for a session + * @param[in,out] session GnuTLS session + * @param[in] cipher kTLS cipher number to set + * + * @retval 0 GnuTLS priority string set successfully + * @retval -1 Failed to set GnuTLS priority string + */ static int quic_session_set_priority(gnutls_session_t session, uint32_t cipher) { char p[136] = {}; @@ -258,6 +349,14 @@ static int quic_session_set_priority(gnutls_session_t session, uint32_t cipher) return 0; } +/** + * @brief Set the ALPN information on a session + * @param[in,out] session GnuTLS session + * @param[in] alpn_data ALPN string to set + * + * @retval 0 ALPN string set successfully + * @retval -1 Failed to set ALPN string + */ static int quic_session_set_alpns(gnutls_session_t session, char *alpn_data) { gnutls_datum_t alpns[TLSHD_QUIC_MAX_ALPNS_LEN / 2]; 
@@ -281,6 +380,12 @@ static int quic_session_set_alpns(gnutls_session_t session, char *alpn_data) return 0; } +/** + * @brief Translate the encryption level value + * @param[in] level QUIC encryption level + * + * @returns an equivalent GNUTLS_ENCRYPTION value + */ static gnutls_record_encryption_level_t quic_get_encryption_level(uint8_t level) { switch (level) { @@ -298,6 +403,13 @@ static gnutls_record_encryption_level_t quic_get_encryption_level(uint8_t level) } } +/** + * @brief Retrieve QUIC connection configuration + * @param[in] conn QUIC handshake context + * + * @retval 0 Connection configuration retrieved successfully + * @retval -1 Failed to retrieve configuration + */ static int quic_conn_get_config(struct tlshd_quic_conn *conn) { int sockfd = conn->parms->sockfd; @@ -326,6 +438,13 @@ static int quic_conn_get_config(struct tlshd_quic_conn *conn) return 0; } +/** + * @brief Send one QUIC handshake message on a socket + * @param[in] sockfd Socket on which to send + * @param[in] msg Buffer containing message to send + * + * @returns the number of bytes sent, or -1 if an error occurred. + */ static int quic_handshake_sendmsg(int sockfd, struct tlshd_quic_msg *msg) { char outcmsg[CMSG_SPACE(sizeof(struct quic_handshake_info))]; @@ -359,6 +478,13 @@ static int quic_handshake_sendmsg(int sockfd, struct tlshd_quic_msg *msg) return sendmsg(sockfd, &outmsg, flags); } +/** + * @brief Receive one QUIC handshake message on a socket + * @param[in] sockfd Socket on which to receive + * @param[in,out] msg Buffer in which to receive a message + * + * @returns the number of bytes received, or -1 if an error occurred. + */ static int quic_handshake_recvmsg(int sockfd, struct tlshd_quic_msg *msg) { char incmsg[CMSG_SPACE(sizeof(struct quic_handshake_info))]; 
@@ -397,11 +523,28 @@ static int quic_handshake_recvmsg(int sockfd, struct tlshd_quic_msg *msg) return ret; } -static int quic_handshake_completed(const struct tlshd_quic_conn *conn) +/** + * @brief Predicate: Has the QUIC handshake completed + * @param[in] conn QUIC handshake context + * + * @retval true The handshake completed + * @retval false The handshake has not completed + */ +static bool quic_handshake_completed(const struct tlshd_quic_conn *conn) { return conn->completed || conn->errcode; } +/** + * @brief Get the generated session data + * @param[in] conn QUIC handshake context + * @param[in] level Encryption level + * @param[in] data Ticket blob + * @param[in] datalen length of "data" in bytes + * + * @retval 0 Session data retrieved successfully + * @retval -1 Session data is not available + */ static int quic_handshake_crypto_data(const struct tlshd_quic_conn *conn, uint8_t level, const uint8_t *data, size_t datalen) @@ -433,11 +576,11 @@ static int quic_handshake_crypto_data(const struct tlshd_quic_conn *conn, } /** - * tlshd_quic_conn_create - Create a context for QUIC handshake - * @conn_p: pointer to accept the QUIC handshake context created - * @parms: handshake parameters + * @brief Create a context for QUIC handshake + * @param[out] conn_p Pointer to accept the QUIC handshake context created + * @param[in] parms Handshake parameters * - * Returns: %0 on success, or a negative error code + * @returns 0 on success, or a negative error code */ int tlshd_quic_conn_create(struct tlshd_quic_conn **conn_p, struct tlshd_handshake_parms *parms) { @@ -471,9 +614,8 @@ int tlshd_quic_conn_create(struct tlshd_quic_conn **conn_p, struct tlshd_handsha } /** - * tlshd_quic_conn_destroy - Destroy a context for QUIC handshake - * @conn: QUIC handshake context to destroy - * + * @brief Destroy a context for QUIC handshake + * @param[in] conn QUIC handshake context to destroy */ void tlshd_quic_conn_destroy(struct tlshd_quic_conn *conn) { 
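Review bot: The new `@retval true The handshake completed` on quic_handshake_completed is narrower than the code, which returns `conn->completed || conn->errcode`, so true is also returned when the handshake has failed with an error code; `@retval true The handshake completed, or failed with conn->errcode set` describes the predicate callers actually test. The return type also changes from int to bool in a commit described as comment translation; that requires <stdbool.h> to be in scope, which I cannot confirm from the hunk.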
@@ -492,6 +634,13 @@ void tlshd_quic_conn_destroy(struct tlshd_quic_conn *conn) #define QUIC_TLSEXT_TP_PARAM 0x39u +/** + * @brief Configure a tlshd_quic_conn + * @param[in,out] conn QUIC handshake context + * + * @retval 0 Connection configured successfully + * @retval -1 Failed to configure the connection + */ static int tlshd_quic_session_configure(struct tlshd_quic_conn *conn) { gnutls_session_t session = conn->session; @@ -518,6 +667,10 @@ static int tlshd_quic_session_configure(struct tlshd_quic_conn *conn) return 0; } +/** + * @brief Set up a QUIC receive session ticket + * @param[in,out] conn QUIC handshake context + */ static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn) { gnutls_session_t session = conn->session; @@ -567,9 +720,8 @@ static void tlshd_quic_recv_session_ticket(struct tlshd_quic_conn *conn) } /** - * tlshd_quic_start_handshake - Drive the handshake interaction - * @conn: QUIC handshake context - * + * @brief Drive a QUIC handshake interaction + * @param[in,out] conn QUIC handshake context */ void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn) { From 6c67d525580b7f70910551d56a66fd86ef15703f Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 13/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/server.c I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in server.c to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/server.c | 203 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 177 insertions(+), 26 deletions(-) diff --git a/src/tlshd/server.c b/src/tlshd/server.c index 8bb769f..ca084a1 100644 --- a/src/tlshd/server.c +++ b/src/tlshd/server.c 
@@ -1,9 +1,13 @@ -/* - * Perform a TLSv1.3 server-side handshake. +/** + * @file server.c + * @brief Perform a TLSv1.3 server-side handshake * + * @copyright * Copyright (c) 2023 Oracle and/or its affiliates. * Copyright (c) 2024 Red Hat, Inc. - * + */ + +/* * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -42,13 +46,50 @@ #include "tlshd.h" #include "netlink.h" +/** + * @var gnutls_privkey_t tlshd_server_pq_privkey + * Server peer's post-quantum private key + */ static gnutls_privkey_t tlshd_server_pq_privkey; + +/** + * @var gnutls_privkey_t tlshd_server_privkey + * Server peer's RSA private key + */ static gnutls_privkey_t tlshd_server_privkey; + +/** + * @var unsigned int tlshd_server_pq_certs_len + * Count of server peer's PQ certificates + */ static unsigned int tlshd_server_pq_certs_len = TLSHD_MAX_CERTS; + +/** + * @var unsigned int tlshd_server_certs_len + * Count of server peer's certificates + */ static unsigned int tlshd_server_certs_len = TLSHD_MAX_CERTS; + +/** + * @var gnutls_pcert_st tlshd_server_certs + * Server peer's certificates + */ static gnutls_pcert_st tlshd_server_certs[TLSHD_MAX_CERTS]; + +/** + * @var gnutls_pk_algorithm_t tlshd_server_pq_pkalg + * Server peer certificate's public key algorithms + */ static gnutls_pk_algorithm_t tlshd_server_pq_pkalg = GNUTLS_PK_UNKNOWN; +/** + * @brief Retrieve server certificates to be used for ServerHello + * @param[in] parms Handshake parameters + * + * @retval true Server certificates were found. Caller must release + * the certificates using tlshd_x509_server_put_certs. + * @retval false No usable server certificates were found + */ static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms) { if (parms->x509_cert != TLS_NO_CERT) 
@@ -61,6 +102,9 @@ static bool tlshd_x509_server_get_certs(struct tlshd_handshake_parms *parms) &tlshd_server_pq_pkalg); } +/** + * @brief Release server certificates that were used for ServerHello + */ static void tlshd_x509_server_put_certs(void) { unsigned int i; @@ -69,6 +113,14 @@ static void tlshd_x509_server_put_certs(void) gnutls_pcert_deinit(&tlshd_server_certs[i]); } +/** + * @brief Retrieve the private key to be used for ServerHello + * @param[in] parms Handshake parameters + * + * @retval true Private key was found. Caller must release the + * private key using tlshd_x509_server_put_privkey. + * @retval false No usable private key was found + */ static bool tlshd_x509_server_get_privkey(struct tlshd_handshake_parms *parms) { if (parms->x509_privkey != TLS_NO_PRIVKEY) @@ -79,12 +131,20 @@ static bool tlshd_x509_server_get_privkey(struct tlshd_handshake_parms *parms) &tlshd_server_privkey); } +/** + * @brief Release the private key that was used for ServerHello + */ static void tlshd_x509_server_put_privkey(void) { gnutls_privkey_deinit(tlshd_server_pq_privkey); gnutls_privkey_deinit(tlshd_server_privkey); } +/** + * @brief Audit trust chain of incoming client certificate + * @param[in] req_ca_rdn + * @param[in] nreqs + */ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) { char issuer_dn[256]; @@ -107,7 +167,18 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) } /** - * tlshd_x509_retrieve_key_cb - Initialize client's x.509 identity + * @brief Initialize the server peer's x.509 identity + * @param[in] session session in the midst of a handshake + * @param[in] req_ca_rdn + * @param[in] nreqs + * @param[in] pk_algos + * @param[in] pk_algos_length + * @param[out] pcert + * @param[out] pcert_length + * @param[out] privkey + * + * @retval 0 Success; output parameters are set accordingly + * @retval -1 Failure * * Callback function is of type gnutls_certificate_retrieve_function2 * 
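Review bot: Several `@param` lines in this file are left without a description: `@param[in] req_ca_rdn` and `@param[in] nreqs` on tlshd_x509_log_issuers, and the req_ca_rdn, nreqs, pk_algos, pk_algos_length, pcert, pcert_length and privkey entries on tlshd_x509_retrieve_key_cb in the next hunk. Doxygen emits an undocumented-parameter warning for each and the generated page shows an empty cell, which works against the commit's purpose; one short phrase per entry, e.g. `@param[in] req_ca_rdn Array of issuer DNs to log` and `@param[in] nreqs Number of entries in "req_ca_rdn"`, would do. Separately, tlshd_x509_server_put_privkey deinitializes both the PQ and the non-PQ key, so its brief could say `@brief Release the private keys that were used for ServerHello`.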
@@ -115,10 +186,6 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs) * gnutls/doc/examples/ex-cert-select.c. * * Sketched-in and untested. - * - * Return values: - * %0: Success; output parameters are set accordingly - * %-1: Failure */ static int tlshd_x509_retrieve_key_cb(gnutls_session_t session, @@ -197,6 +264,13 @@ tlshd_x509_retrieve_key_cb(gnutls_session_t session, return 0; } +/** + * @brief Initialize server-side trust store + * @param[out] cred Trust store to initialize + * + * @returns a GnuTLS error code. Caller must release credentials + * using gnutls_certificate_free_credentials(3). + */ static int tlshd_server_get_truststore(gnutls_certificate_credentials_t cred) { char *pathname; @@ -227,9 +301,9 @@ static int tlshd_server_get_truststore(gnutls_certificate_credentials_t cred) } /** - * tlshd_server_x509_verify_function - Verify remote's x.509 certificate - * @session: session in the midst of a handshake - * @parms: handshake parameters + * @brief Verify remote's x.509 certificate + * @param[in] session Session in the midst of a handshake + * @param[in] parms Handshake parameters * * A return value of %GNUTLS_E_SUCCESS indicates that the TLS session * has been allowed to continue. tlshd either sets the peerid array if @@ -299,6 +373,13 @@ static int tlshd_server_x509_verify_function(gnutls_session_t session, return GNUTLS_E_CERTIFICATE_ERROR; } +/** + * @brief Verify a remote peer's x.509 certificate (TLSv1.3) + * @param[in] session session in the midst of a handshake + * + * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified + * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed + */ static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session) { struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session); 
@@ -306,6 +387,10 @@ static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session) return tlshd_server_x509_verify_function(session, parms); } +/** + * @brief Process an x.509-based TLS handshake with a server certificate + * @param[in] parms Handshake parameters + */ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms) { gnutls_certificate_credentials_t xcred; @@ -386,17 +471,16 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm } /** - * tlshd_server_psk_cb - Validate remote's username - * @session: session in the midst of a handshake - * @username: remote's username - * @key: PSK matching @username + * @brief Validate the remote peer's username + * @param[in] session Session in the midst of a handshake + * @param[in] username Remote peer's username + * @param[in] key PSK matching "username" * - * Searches for a key with description @username in the session - * keyring, and stores the PSK data in @key if found. + * Searches for a key with description "username" in the session + * keyring, and stores the PSK data in "key" if found. * - * Return values: - * %0: Matching key has been stored in @key - * %-1: Error during lookup, @key is not updated + * @retval 0 Matching key has been stored in "key" + * @retval -1 Error during lookup, "key" is not updated */ static int tlshd_server_psk_cb(gnutls_session_t session, const char *username, gnutls_datum_t *key) @@ -426,6 +510,10 @@ static int tlshd_server_psk_cb(gnutls_session_t session, return 0; } +/** + * @brief Process an PSK-based TLS handshake (TLSv1.3) + * @param[in] parms Handshake parameters + */ static void tlshd_tls13_server_psk_handshake(struct tlshd_handshake_parms *parms) { gnutls_psk_server_credentials_t psk_cred; 
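Review bot: The brief on tlshd_tls13_server_psk_handshake has a grammatical slip, `@brief Process an PSK-based TLS handshake (TLSv1.3)`; it should read `@brief Process a PSK-based TLS handshake (TLSv1.3)`. The x.509 brief earlier in this file uses "Process an x.509-based ..." correctly, so only this line needs the change.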
@@ -471,9 +559,8 @@ static void tlshd_tls13_server_psk_handshake(struct tlshd_handshake_parms *parms } /** - * tlshd_tls13_serverhello_handshake - send a TLSv1.3 ServerHello - * @parms: handshake parameters - * + * @brief Send a TLSv1.3 ServerHello + * @param[in] parms Handshake parameters */ void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms) { @@ -491,6 +578,17 @@ void tlshd_tls13_serverhello_handshake(struct tlshd_handshake_parms *parms) } #ifdef HAVE_GNUTLS_QUIC +/** + * @brief Verify the ALPNs presented by a remote peer + * @param[in] session + * @param[in] htype + * @param[in] when + * @param[in] incoming + * @param[in] msg + * + * @retval 0 ALPN verification was successful + * @retval -1 ALPN verification failed + */ static int tlshd_quic_server_alpn_verify(gnutls_session_t session, unsigned int htype, unsigned int when, unsigned int incoming, const gnutls_datum_t *msg) @@ -515,6 +613,25 @@ static int tlshd_quic_server_alpn_verify(gnutls_session_t session, unsigned int return 0; } +/** + * @brief Anti-reply protection + * @param[in] dbf + * @param[in] exp_time + * @param[in] key + * @param[in] data + * + * Currently, tlshd handles each handshake request in a new process + * rather than a thread. As a result, it cannot share the + * gnutls_anti_replay_t object across processes. This causes 0-RTT + * data to be automatically disabled, since + * _gnutls_anti_replay_check() fails validation in the absence of a + * shared anti-replay context. + * + * To properly support 0-RTT data, we need to enable sharing of the + * gnutls_anti_replay_t object across processes in some way. + * + * @retval 0 Not a replay + */ static int tlshd_quic_server_anti_replay_db_add_func(void *dbf, time_t exp_time, const gnutls_datum_t *key, const gnutls_datum_t *data) 
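Review bot: The brief on tlshd_quic_server_anti_replay_db_add_func reads `@brief Anti-reply protection`, a typo for `@brief Anti-replay protection`; the paragraph below it and the function name both say replay. The same block and the one for tlshd_quic_server_alpn_verify above it leave every `@param` entry without a description (dbf, exp_time, key, data; session, htype, when, incoming, msg), which Doxygen flags as undocumented; one phrase each is enough, e.g. `@param[in] exp_time Expiration time of the entry`. The explanatory paragraph about per-process handling of 0-RTT is valuable and worth keeping as is.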
@@ -523,8 +640,19 @@ static int tlshd_quic_server_anti_replay_db_add_func(void *dbf, time_t exp_time, return 0; } +/** + * @var gnutls_anti_replay_t tlshd_quic_server_anti_replay + * Shared anti-replay context + */ static gnutls_anti_replay_t tlshd_quic_server_anti_replay; +/** + * @brief Verify a remote peer's x.509 certificate (QUIC) + * @param[in] session session in the midst of a handshake + * + * @retval GNUTLS_E_SUCCESS Certificate has been successfully verified + * @retval GNUTLS_E_CERTIFICATE_ERROR Certificate verification failed + */ static int tlshd_quic_server_x509_verify_function(gnutls_session_t session) { struct tlshd_quic_conn *conn = gnutls_session_get_ptr(session); @@ -532,6 +660,18 @@ static int tlshd_quic_server_x509_verify_function(gnutls_session_t session) return tlshd_server_x509_verify_function(session, conn->parms); } +/** + * @brief Validate the remote peer's username + * @param[in] session Session in the midst of a handshake + * @param[in] username Remote peer's username + * @param[in] key PSK matching "username" + * + * Searches for a key with description "username" in the session + * keyring, and stores the PSK data in "key" if found. + * + * @retval 0 Matching key has been stored in "key" + * @retval -1 Error during lookup, "key" is not updated + */ static int tlshd_quic_server_psk_cb(gnutls_session_t session, const char *username, gnutls_datum_t *key) { @@ -562,6 +702,10 @@ static int tlshd_quic_server_psk_cb(gnutls_session_t session, const char *userna return 0; } +/** + * @brief Prepare a session for a QUIC server handshake using an x.509 cert + * @param[in] conn + */ static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) { struct tlshd_handshake_parms *parms = conn->parms; 
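Review bot: The new `@var` comment on tlshd_quic_server_anti_replay calls it a `Shared anti-replay context`, which contradicts the comment a few lines above explaining that tlshd runs each handshake in its own process and therefore cannot share the gnutls_anti_replay_t object; a reader of the generated docs would take "shared" to mean the replay window spans handshakes, which is exactly the guarantee that is missing. I would write ` * Per-process anti-replay context. tlshd forks one process per handshake, so this object is never shared between handshakes and 0-RTT replay detection is effectively disabled (see tlshd_quic_server_anti_replay_db_add_func).`. The two `@retval` lines on tlshd_quic_server_x509_verify_function describe the return of tlshd_server_x509_verify_function, whose body is outside this hunk, so I could not confirm those are its only return values.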
@@ -631,6 +775,10 @@ static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn) tlshd_log_gnutls_error(ret); } +/** + * @brief Prepare a session for a QUIC client handshake using a pre-shared key + * @param[in] conn + */ static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn) { gnutls_psk_server_credentials_t cred; @@ -665,9 +813,8 @@ static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn) } /** - * tlshd_quic_serverhello_handshake - send a QUIC Server Initial - * @parms: handshake parameters - * + * @brief Send a QUIC Server Initial + * @param[in] parms Handshake parameters */ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms) { @@ -699,6 +846,10 @@ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms) tlshd_quic_conn_destroy(conn); } #else +/** + * @brief Send a QUIC Server Initial + * @param[in] parms Handshake parameters + */ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms) { tlshd_log_debug("QUIC handshake is not enabled (%d)", parms->auth_mode); From b8aba7943bf2fdad47b70ccd7ea7adff21202faa Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 7 Sep 2025 23:07:04 -0400 Subject: [PATCH 14/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/tlshd.h I started the ktls-utils project using the Linux kernel flavor of Doxygen commenting which user-space Doxygen does not recognize by default. Convert existing comments in tlshd.h to what a normal user space Doxygen run expects to see. This will enable deployment of an automatically-generated documentation web site. Signed-off-by: Chuck Lever --- src/tlshd/tlshd.h | 80 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 62 insertions(+), 18 deletions(-) diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h index 7f3ec40..5d8965b 100644 --- a/src/tlshd/tlshd.h +++ b/src/tlshd/tlshd.h 
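Review bot: The brief added above tlshd_quic_server_set_psk_session says `Prepare a session for a QUIC client handshake using a pre-shared key`, but this is the server-side routine — the name says server and the visible context line declares a `gnutls_psk_server_credentials_t cred` — so it should read `@brief Prepare a session for a QUIC server handshake using a pre-shared key`, matching the x.509 sibling's brief. Both of these `@param[in] conn` lines are bare; `@param[in] conn QUIC connection object whose GnuTLS session is being prepared` would cover them. The function bodies are outside these hunks.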
@@ -1,6 +1,9 @@ +/** + * @file tlshd.h + * @brief Generic definitions and forward declarations for tlshd + */ + /* - * Generic definitions and forward declarations for tlshd. - * * ktls-utils is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; version 2. @@ -18,6 +21,10 @@ #include +/** + * @def ARRAY_SIZE + * @brief Generate the number of elements in an array + */ #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) extern int tlshd_debug; @@ -27,21 +34,27 @@ extern int tlshd_stderr; struct nl_sock; +/** + * @struct tlshd_handshake_parms + * @brief Handshake parameters (global) + */ struct tlshd_handshake_parms { - char *peername; - char *peeraddr; - int sockfd; - int ip_proto; - uint32_t handshake_type; - unsigned int timeout_ms; - uint32_t auth_mode; - key_serial_t keyring; - key_serial_t x509_cert; - key_serial_t x509_privkey; - GArray *peerids; - GArray *remote_peerids; - - unsigned int session_status; + /*@{*/ + char *peername; /**< Remote's DNS label */ + char *peeraddr; /**< Remote's IP address */ + int sockfd; /**< Socket on which to perform the handshake */ + int ip_proto; /**< Transport protocol number */ + uint32_t handshake_type; /**< Handshake interaction to perform */ + unsigned int timeout_ms; /**< How long to wait for completion */ + uint32_t auth_mode; /**< x.509, PSK, etc. */ + key_serial_t keyring; /**< Keyring containing auth material */ + key_serial_t x509_cert; /**< Key serial of our x.509 cert */ + key_serial_t x509_privkey; /**< Key serial of our x.509 private key */ + GArray *peerids; /**< Peer identities to present to servers */ + GArray *remote_peerids; /**< Peer identities presented by clients */ + + unsigned int session_status; /**< Handshake completion status */ + /*@}*/ }; enum peer_type { 
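Review bot: The new comment on ARRAY_SIZE should carry the one caveat that makes the macro safe to use: it is only meaningful on an actual array object, and when handed a pointer — including an array function parameter, which has decayed — it silently evaluates to sizeof(pointer)/sizeof(element) with no diagnostic, which is the classic way this macro produces an undersized bound. I would add ` * @note Only valid for a true array object; applied to a pointer or a decayed array parameter it yields a meaningless (usually too small) count.` under the brief. The struct brief `Handshake parameters (global)` is also ambiguous, since the struct is a type rather than a global object; if the intent is that one instance carries everything for a single handshake request, say that instead.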
@@ -134,6 +147,10 @@ extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms #define TLSHD_QUIC_MAX_DATA_LEN 4096 #define TLSHD_QUIC_MAX_ALPNS_LEN 128 +/** + * @struct tlshd_quic_msg + * @brief QUIC message format + */ struct tlshd_quic_msg { struct tlshd_quic_msg *next; uint8_t data[TLSHD_QUIC_MAX_DATA_LEN]; @@ -141,6 +158,10 @@ struct tlshd_quic_msg { uint8_t level; }; +/** + * @struct tlshd_quic_conn + * @brief QUIC connection object + */ struct tlshd_quic_conn { struct tlshd_handshake_parms *parms; char alpns[TLSHD_QUIC_MAX_ALPNS_LEN]; @@ -161,16 +182,39 @@ struct tlshd_quic_conn { struct tlshd_quic_msg recv_msg; }; -/* quic.c */ extern int tlshd_quic_conn_create(struct tlshd_quic_conn **conn_p, struct tlshd_handshake_parms *parms); extern void tlshd_quic_conn_destroy(struct tlshd_quic_conn *conn); extern void tlshd_quic_start_handshake(struct tlshd_quic_conn *conn); + #endif +/** + * @def TLS_DEFAULT_PSK_TYPE + * @brief Default type of pre-shared key + */ #define TLS_DEFAULT_PSK_TYPE "psk" + +/** + * @def TLS_NO_PEERID + * @brief No peer ID provided via keyring + */ #define TLS_NO_PEERID (0) + +/** + * @def TLS_NO_CERT + * @brief No certificate provided via keyring + */ #define TLS_NO_CERT (0) + +/** + * @def TLS_NO_PRIVKEY + * @brief No private key provided via keyring + */ #define TLS_NO_PRIVKEY (0) -/* Max number of (chained) certs to load */ + +/** + * @def TLSHD_MAX_CERTS + * @brief Maximum number of (chained) certs to load + */ #define TLSHD_MAX_CERTS 10 From f1b0b83592d506cd82a3a5273e6f0934235f3fb8 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Tue, 2 Sep 2025 22:33:04 -0400 Subject: [PATCH 15/16] Build Doxygen web site Make use of the nice documenting comments I've added over the years to build some developer documentation. The generated pages are not installed (but could be if there is demand). 
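Review bot: struct tlshd_quic_msg and struct tlshd_quic_conn receive only a one-line brief while struct tlshd_handshake_parms in the previous hunk got per-member `/**< */` text, and the members that most need it are the fixed-size buffers `uint8_t data[TLSHD_QUIC_MAX_DATA_LEN]` and `char alpns[TLSHD_QUIC_MAX_ALPNS_LEN]`: a reader should be told what bounds the valid contents (a separate length field, NUL termination, or both), since the fill code in quic.c is not visible here and an over-long ALPN list or handshake message is the obvious failure. `next` and `level` would also benefit from a phrase each — `level` is presumably the TLS encryption level of the message, but that is inferred from the name and should be confirmed against quic.c before it is documented. The three `TLS_NO_*` definitions all expand to `(0)`; a single sentence noting that key serial 0 is used as the "absent" sentinel would make that choice explicit.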
Signed-off-by: Chuck Lever --- .gitignore | 1 + Makefile.am | 3 +- configure.ac | 8 + docs/Doxyfile.in | 2836 ++++++++++++++++++++++++++++++++++++++++++++ docs/Makefile.am | 29 + src/Makefile.am | 2 + src/mainpage.c | 20 + src/tlshd/config.c | 12 + src/tlshd/main.c | 16 + 9 files changed, 2926 insertions(+), 1 deletion(-) create mode 100644 docs/Doxyfile.in create mode 100644 docs/Makefile.am create mode 100644 src/mainpage.c diff --git a/.gitignore b/.gitignore index e5c1e55..1e7e5a7 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ configure.ac~ configure configure~ cscope.* +docs/doxygen/ Makefile Makefile.in .deps/ diff --git a/Makefile.am b/Makefile.am index 1e54d28..3756df9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -20,5 +20,6 @@ AUTOMAKE_OPTIONS = foreign EXTRA_DIST = autogen.sh CONTRIBUTING.md LICENSE.txt \ README.md SECURITY.md -SUBDIRS = etc man src systemd +SUBDIRS = docs etc man src systemd + MAINTAINERCLEANFILES = Makefile.in cscope.* ktls-utils*.tar.gz diff --git a/configure.ac b/configure.ac index da03e76..f545fe8 100644 --- a/configure.ac +++ b/configure.ac @@ -64,6 +64,12 @@ PKG_CHECK_MODULES([LIBNL_GENL3], libnl-genl-3.0 >= 3.1) AC_SUBST([LIBNL_GENL3_CFLAGS]) AC_SUBST([LIBNL_GENL3_LIBS]) +AC_CHECK_PROG(DOXYGEN, doxygen, doxygen, false) +if test "$DOXYGEN" = false; then + AC_MSG_WARN([Doxygen not found - documentation will not be built]) +fi +AM_CONDITIONAL([HAVE_DOXYGEN], [test "$DOXYGEN" != "false"]) + AC_CHECK_LIB([gnutls], [gnutls_handshake_set_secret_function], [AC_DEFINE([HAVE_GNUTLS_QUIC], [1], [Define to 1 if you have the gnutls_handshake_set_secret_function function.])]) @@ -94,6 +100,8 @@ fi AC_SUBST([AM_CPPFLAGS]) AC_CONFIG_FILES([Makefile \ + docs/Doxyfile \ + docs/Makefile \ etc/Makefile \ etc/tlshd/Makefile \ man/Makefile \ diff --git a/docs/Doxyfile.in b/docs/Doxyfile.in new file mode 100644 index 0000000..71540cd --- /dev/null +++ b/docs/Doxyfile.in 
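Review bot: The new `AC_CHECK_PROG(DOXYGEN, doxygen, doxygen, false)` accepts any doxygen binary, while the Doxyfile.in added below is a `Doxyfile 1.12.0` template that uses tags older releases do not know (PROJECT_ICON, MARKDOWN_ID_STYLE and TIMESTAMP are visible further down; as far as I recall these appeared in the 1.10–1.11 series), so on a distribution with an older doxygen the docs target will emit a wall of "unknown tag" warnings rather than a clear message. Either record the minimum in the warning text, e.g. `AC_MSG_WARN([Doxygen not found - documentation will not be built (Doxyfile targets doxygen >= 1.12)])`, or add a version probe before setting HAVE_DOXYGEN. The generated pages are not installed, so this only affects developers running `make` in docs/.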
@@ -0,0 +1,2836 @@ +# Doxyfile 1.12.0 + +# This file describes the settings to be used by the documentation system +# Doxygen (www.doxygen.org) for a project. +# +# All text after a double hash (##) is considered a comment and is placed in +# front of the TAG it is preceding. +# +# All text after a single hash (#) is considered a comment and will be ignored. +# The format is: +# TAG = value [value, ...] +# For lists, items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (\" \"). +# +# Note: +# +# Use Doxygen to compare the used configuration file with the template +# configuration file: +# doxygen -x [configFile] +# Use Doxygen to compare the used configuration file with the template +# configuration file without replacing the environment variables or CMake type +# replacement variables: +# doxygen -x_noenv [configFile] + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the configuration +# file that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# https://www.gnu.org/software/libiconv/ for the list of possible encodings. +# The default value is: UTF-8. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by +# double-quotes, unless you are using Doxywizard) that should identify the +# project for which the documentation is generated. This name is used in the +# title of most generated pages and in a few other places. +# The default value is: My Project. + +PROJECT_NAME = ktls-utils + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
This +# could be handy for archiving the generated documentation or if some version +# control system is used. + +PROJECT_NUMBER = @PACKAGE_VERSION@ + +# Using the PROJECT_BRIEF tag one can provide an optional one line description +# for a project that appears at the top of each page and should give viewer a +# quick idea about the purpose of the project. Keep the description short. + +PROJECT_BRIEF = "Kernel TLS user space components" + +# With the PROJECT_LOGO tag one can specify a logo or an icon that is included +# in the documentation. The maximum height of the logo should not exceed 55 +# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy +# the logo to the output directory. + +PROJECT_LOGO = + +# With the PROJECT_ICON tag one can specify an icon that is included in the tabs +# when the HTML document is shown. Doxygen will copy the logo to the output +# directory. + +PROJECT_ICON = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path +# into which the generated documentation will be written. If a relative path is +# entered, it will be relative to the location where Doxygen was started. If +# left blank the current directory will be used. + +OUTPUT_DIRECTORY = doxygen + +# If the CREATE_SUBDIRS tag is set to YES then Doxygen will create up to 4096 +# sub-directories (in 2 levels) under the output directory of each output format +# and will distribute the generated files over these directories. Enabling this +# option can be useful when feeding Doxygen a huge amount of source files, where +# putting all generated files in the same directory would otherwise causes +# performance problems for the file system. Adapt CREATE_SUBDIRS_LEVEL to +# control the number of sub-directories. +# The default value is: NO. + +CREATE_SUBDIRS = NO + +# Controls the number of sub-directories that will be created when +# CREATE_SUBDIRS tag is set to YES. 
Level 0 represents 16 directories, and every +# level increment doubles the number of directories, resulting in 4096 +# directories at level 8 which is the default and also the maximum value. The +# sub-directories are organized in 2 levels, the first level always has a fixed +# number of 16 directories. +# Minimum value: 0, maximum value: 8, default value: 8. +# This tag requires that the tag CREATE_SUBDIRS is set to YES. + +CREATE_SUBDIRS_LEVEL = 8 + +# If the ALLOW_UNICODE_NAMES tag is set to YES, Doxygen will allow non-ASCII +# characters to appear in the names of generated files. If set to NO, non-ASCII +# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode +# U+3044. +# The default value is: NO. + +ALLOW_UNICODE_NAMES = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by Doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Bulgarian, +# Catalan, Chinese, Chinese-Traditional, Croatian, Czech, Danish, Dutch, English +# (United States), Esperanto, Farsi (Persian), Finnish, French, German, Greek, +# Hindi, Hungarian, Indonesian, Italian, Japanese, Japanese-en (Japanese with +# English messages), Korean, Korean-en (Korean with English messages), Latvian, +# Lithuanian, Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, +# Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, +# Swedish, Turkish, Ukrainian and Vietnamese. +# The default value is: English. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES, Doxygen will include brief member +# descriptions after the members that are listed in the file and class +# documentation (similar to Javadoc). Set to NO to disable this. +# The default value is: YES. 
+ +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES, Doxygen will prepend the brief +# description of a member or function before the detailed description +# +# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. +# The default value is: YES. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator that is +# used to form the text in various listings. Each string in this list, if found +# as the leading text of the brief description, will be stripped from the text +# and the result, after processing the whole list, is used as the annotated +# text. Otherwise, the brief description is used as-is. If left blank, the +# following values are used ($name is automatically replaced with the name of +# the entity):The $name class, The $name widget, The $name file, is, provides, +# specifies, contains, represents, a, an and the. + +ABBREVIATE_BRIEF = "The $name class" \ + "The $name widget" \ + "The $name file" \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. +# The default value is: NO. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, Doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. +# The default value is: NO. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES, Doxygen will prepend the full path +# before files name in the file list and in the header files. If set to NO the +# shortest path that makes the file name unique will be used +# The default value is: YES. 
+ +FULL_PATH_NAMES = YES + +# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path. +# Stripping is only done if one of the specified strings matches the left-hand +# part of the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which Doxygen is run is used as the path to +# strip. +# +# Note that you can specify absolute paths here, but also relative paths, which +# will be relative from the directory where Doxygen is started. +# This tag requires that the tag FULL_PATH_NAMES is set to YES. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the +# path mentioned in the documentation of a class, which tells the reader which +# header file to include in order to use a class. If left blank only the name of +# the header file containing the class definition is used. Otherwise one should +# specify the list of include paths that are normally passed to the compiler +# using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, Doxygen will generate much shorter (but +# less readable) file names. This can be useful is your file systems doesn't +# support long names like on DOS, Mac, or CD-ROM. +# The default value is: NO. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen will interpret the +# first line (until the first dot) of a Javadoc-style comment as the brief +# description. If set to NO, the Javadoc-style will behave just like regular Qt- +# style comments (thus requiring an explicit @brief command for a brief +# description.) +# The default value is: NO. + +JAVADOC_AUTOBRIEF = NO + +# If the JAVADOC_BANNER tag is set to YES then Doxygen will interpret a line +# such as +# /*************** +# as being the beginning of a Javadoc-style comment "banner". If set to NO, the +# Javadoc-style will behave just like regular comments and it will not be +# interpreted by Doxygen. 
+# The default value is: NO. + +JAVADOC_BANNER = NO + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will interpret the first +# line (until the first dot) of a Qt-style comment as the brief description. If +# set to NO, the Qt-style will behave just like regular Qt-style comments (thus +# requiring an explicit \brief command for a brief description.) +# The default value is: NO. + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen treat a +# multi-line C++ special comment block (i.e. a block of //! or /// comments) as +# a brief description. This used to be the default behavior. The new default is +# to treat a multi-line C++ comment block as a detailed description. Set this +# tag to YES if you prefer the old behavior instead. +# +# Note that setting this tag to YES also means that rational rose comments are +# not recognized any more. +# The default value is: NO. + +MULTILINE_CPP_IS_BRIEF = NO + +# By default Python docstrings are displayed as preformatted text and Doxygen's +# special commands cannot be used. By setting PYTHON_DOCSTRING to NO the +# Doxygen's special commands can be used and the contents of the docstring +# documentation blocks is shown as Doxygen documentation. +# The default value is: YES. + +PYTHON_DOCSTRING = YES + +# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the +# documentation from any documented member that it re-implements. +# The default value is: YES. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES then Doxygen will produce a new +# page for each member. If set to NO, the documentation of a member will be part +# of the file/class/namespace that contains it. +# The default value is: NO. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen +# uses this value to replace tabs by spaces in code fragments. +# Minimum value: 1, maximum value: 16, default value: 4. 
+ +TAB_SIZE = 4 + +# This tag can be used to specify a number of aliases that act as commands in +# the documentation. An alias has the form: +# name=value +# For example adding +# "sideeffect=@par Side Effects:^^" +# will allow you to put the command \sideeffect (or @sideeffect) in the +# documentation, which will result in a user-defined paragraph with heading +# "Side Effects:". Note that you cannot put \n's in the value part of an alias +# to insert newlines (in the resulting output). You can put ^^ in the value part +# of an alias to insert a newline as if a physical newline was in the original +# file. When you need a literal { or } or , in the value part of an alias you +# have to escape them by means of a backslash (\), this can lead to conflicts +# with the commands \{ and \} for these it is advised to use the version @{ and +# @} or use a double escape (\\{ and \\}) + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources +# only. Doxygen will then generate output that is more tailored for C. For +# instance, some of the names that are used will be different. The list of all +# members will be omitted, etc. +# The default value is: NO. + +OPTIMIZE_OUTPUT_FOR_C = NO + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or +# Python sources only. Doxygen will then generate output that is more tailored +# for that language. For instance, namespaces will be presented as packages, +# qualified scopes will look different, etc. +# The default value is: NO. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources. Doxygen will then generate output that is tailored for Fortran. +# The default value is: NO. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for VHDL. +# The default value is: NO. 
+ +OPTIMIZE_OUTPUT_VHDL = NO + +# Set the OPTIMIZE_OUTPUT_SLICE tag to YES if your project consists of Slice +# sources only. Doxygen will then generate output that is more tailored for that +# language. For instance, namespaces will be presented as modules, types will be +# separated into more groups, etc. +# The default value is: NO. + +OPTIMIZE_OUTPUT_SLICE = NO + +# Doxygen selects the parser to use depending on the extension of the files it +# parses. With this tag you can assign which parser to use for a given +# extension. Doxygen has a built-in mapping, but you can override or extend it +# using this tag. The format is ext=language, where ext is a file extension, and +# language is one of the parsers supported by Doxygen: IDL, Java, JavaScript, +# Csharp (C#), C, C++, Lex, D, PHP, md (Markdown), Objective-C, Python, Slice, +# VHDL, Fortran (fixed format Fortran: FortranFixed, free formatted Fortran: +# FortranFree, unknown formatted Fortran: Fortran. In the later case the parser +# tries to guess whether the code is fixed or free formatted code, this is the +# default for Fortran type files). For instance to make Doxygen treat .inc files +# as Fortran files (default is PHP), and .f files as C (default is Fortran), +# use: inc=Fortran f=C. +# +# Note: For files without extension you can use no_extension as a placeholder. +# +# Note that for custom extensions you also need to set FILE_PATTERNS otherwise +# the files are not read by Doxygen. When specifying no_extension you should add +# * to the FILE_PATTERNS. +# +# Note see also the list of default file extension mappings. + +EXTENSION_MAPPING = + +# If the MARKDOWN_SUPPORT tag is enabled then Doxygen pre-processes all comments +# according to the Markdown format, which allows for more readable +# documentation. See https://daringfireball.net/projects/markdown/ for details. 
+# The output of markdown processing is further processed by Doxygen, so you can +# mix Doxygen, HTML, and XML commands with Markdown formatting. Disable only in +# case of backward compatibilities issues. +# The default value is: YES. + +MARKDOWN_SUPPORT = YES + +# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up +# to that level are automatically included in the table of contents, even if +# they do not have an id attribute. +# Note: This feature currently applies only to Markdown headings. +# Minimum value: 0, maximum value: 99, default value: 6. +# This tag requires that the tag MARKDOWN_SUPPORT is set to YES. + +TOC_INCLUDE_HEADINGS = 6 + +# The MARKDOWN_ID_STYLE tag can be used to specify the algorithm used to +# generate identifiers for the Markdown headings. Note: Every identifier is +# unique. +# Possible values are: DOXYGEN use a fixed 'autotoc_md' string followed by a +# sequence number starting at 0 and GITHUB use the lower case version of title +# with any whitespace replaced by '-' and punctuation characters removed. +# The default value is: DOXYGEN. +# This tag requires that the tag MARKDOWN_SUPPORT is set to YES. + +MARKDOWN_ID_STYLE = DOXYGEN + +# When enabled Doxygen tries to link words that correspond to documented +# classes, or namespaces to their corresponding documentation. Such a link can +# be prevented in individual cases by putting a % sign in front of the word or +# globally by setting AUTOLINK_SUPPORT to NO. +# The default value is: YES. + +AUTOLINK_SUPPORT = YES + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should set this +# tag to YES in order to let Doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); +# versus func(std::string) {}). 
This also makes the inheritance and +# collaboration diagrams that involve STL classes more complete and accurate. +# The default value is: NO. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. +# The default value is: NO. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip (see: +# https://www.riverbankcomputing.com/software) sources only. Doxygen will parse +# them like normal C++ but will assume all classes use public instead of private +# inheritance when no explicit protection keyword is present. +# The default value is: NO. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate +# getter and setter methods for a property. Setting this option to YES will make +# Doxygen to replace the get and set methods by a property in the documentation. +# This will only work if the methods are indeed getting or setting a simple +# type. If this is not the case, or you want to show the methods anyway, you +# should set this option to NO. +# The default value is: YES. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES then Doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. +# The default value is: NO. + +DISTRIBUTE_GROUP_DOC = NO + +# If one adds a struct or class to a group and this option is enabled, then also +# any nested class or struct is added to the same group. By default this option +# is disabled and one has to add nested compounds explicitly via \ingroup. +# The default value is: NO. 
+ +GROUP_NESTED_COMPOUNDS = NO + +# Set the SUBGROUPING tag to YES to allow class member groups of the same type +# (for instance a group of public functions) to be put as a subgroup of that +# type (e.g. under the Public Functions section). Set it to NO to prevent +# subgrouping. Alternatively, this can be done per class using the +# \nosubgrouping command. +# The default value is: YES. + +SUBGROUPING = YES + +# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions +# are shown inside the group in which they are included (e.g. using \ingroup) +# instead of on a separate page (for HTML and Man pages) or section (for LaTeX +# and RTF). +# +# Note that this feature does not work in combination with +# SEPARATE_MEMBER_PAGES. +# The default value is: NO. + +INLINE_GROUPED_CLASSES = NO + +# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions +# with only public data fields or simple typedef fields will be shown inline in +# the documentation of the scope in which they are defined (i.e. file, +# namespace, or group documentation), provided this scope is documented. If set +# to NO, structs, classes, and unions are shown on a separate page (for HTML and +# Man pages) or section (for LaTeX and RTF). +# The default value is: NO. + +INLINE_SIMPLE_STRUCTS = NO + +# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or +# enum is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically be +# useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. +# The default value is: NO. 
+ +TYPEDEF_HIDES_STRUCT = NO + +# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This +# cache is used to resolve symbols given their name and scope. Since this can be +# an expensive process and often the same symbol appears multiple times in the +# code, Doxygen keeps a cache of pre-resolved symbols. If the cache is too small +# Doxygen will become slower. If the cache is too large, memory is wasted. The +# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range +# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536 +# symbols. At the end of a run Doxygen will report the cache usage and suggest +# the optimal cache size from a speed point of view. +# Minimum value: 0, maximum value: 9, default value: 0. + +LOOKUP_CACHE_SIZE = 0 + +# The NUM_PROC_THREADS specifies the number of threads Doxygen is allowed to use +# during processing. When set to 0 Doxygen will based this on the number of +# cores available in the system. You can set it explicitly to a value larger +# than 0 to get more control over the balance between CPU load and processing +# speed. At this moment only the input processing can be done using multiple +# threads. Since this is still an experimental feature the default is set to 1, +# which effectively disables parallel processing. Please report any issues you +# encounter. Generating dot graphs in parallel is controlled by the +# DOT_NUM_THREADS setting. +# Minimum value: 0, maximum value: 32, default value: 1. + +NUM_PROC_THREADS = 1 + +# If the TIMESTAMP tag is set different from NO then each generated page will +# contain the date or date and time when the page was generated. Setting this to +# NO can help when comparing the output of multiple runs. +# Possible values are: YES, NO, DATETIME and DATE. +# The default value is: NO. 
+
+TIMESTAMP = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES, Doxygen will assume all entities in
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
+
+EXTRACT_ALL = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIVATE = NO
+
+# If the EXTRACT_PRIV_VIRTUAL tag is set to YES, documented private virtual
+# methods of a class will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIV_VIRTUAL = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PACKAGE = NO
+
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
+
+EXTRACT_STATIC = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
+
+EXTRACT_LOCAL_CLASSES = YES
+
+# This flag is only useful for Objective-C code. If set to YES, local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
+# included.
+# The default value is: NO.
+
+EXTRACT_LOCAL_METHODS = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
+
+EXTRACT_ANON_NSPACES = NO
+
+# If this flag is set to YES, the name of an unnamed parameter in a declaration
+# will be determined by the corresponding definition. By default unnamed
+# parameters remain unnamed in the output.
+# The default value is: YES.
+
+RESOLVE_UNNAMED_PARAMS = YES
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_MEMBERS = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO, these classes will be included in the various overviews. This option
+# will also hide undocumented C++ concepts if enabled. This option has no effect
+# if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_CLASSES = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all friend
+# declarations. If set to NO, these declarations will be included in the
+# documentation.
+# The default value is: NO.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO, these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
+
+INTERNAL_DOCS = NO
+
+# With the correct setting of option CASE_SENSE_NAMES Doxygen will better be
+# able to match the capabilities of the underlying filesystem. In case the
+# filesystem is case sensitive (i.e. it supports files in the same directory
+# whose names only differ in casing), the option must be set to YES to properly
+# deal with such files in case they appear in the input. For filesystems that
+# are not case sensitive the option should be set to NO to properly deal with
+# output files written for symbols that only differ in casing, such as for two
+# classes, one named CLASS and the other named Class, and to also support
+# references to files without having to specify the exact matching casing. On
+# Windows (including Cygwin) and macOS, users should typically set this option
+# to NO, whereas on Linux or other Unix flavors it should typically be set to
+# YES.
+# Possible values are: SYSTEM, NO and YES.
+# The default value is: SYSTEM.
+
+CASE_SENSE_NAMES = SYSTEM
+
+# If the HIDE_SCOPE_NAMES tag is set to NO then Doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES, the
+# scope will be hidden.
+# The default value is: NO.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then Doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
+# If the SHOW_HEADERFILE tag is set to YES then the documentation for a class
+# will show which file needs to be included to use the class.
+# The default value is: YES.
+
+SHOW_HEADERFILE = YES
+
+# If the SHOW_INCLUDE_FILES tag is set to YES then Doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
+
+SHOW_INCLUDE_FILES = NO
+
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
+
+FORCE_LOCAL_INCLUDES = NO
+
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES then Doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order.
+# The default value is: YES.
+
+SORT_MEMBER_DOCS = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then Doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
+
+SORT_BRIEF_DOCS = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then Doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then Doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
+
+SORT_GROUP_NAMES = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
+
+SORT_BY_SCOPE_NAME = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and Doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING Doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
+
+STRICT_PROTO_MATCHING = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if ... \endif and \cond
+# ... \endcond blocks.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
+# The default value is: YES.
+
+SHOW_USED_FILES = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
+
+SHOW_FILES = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
+
+SHOW_NAMESPACES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# Doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by Doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
+
+FILE_VERSION_FILTER =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by Doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents Doxygen's defaults, run Doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file. See also section "Changing the
+# layout of pages" for information.
+#
+# Note that if you run Doxygen from a directory containing a file called
+# DoxygenLayout.xml, Doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
+
+LAYOUT_FILE =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also https://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. See also \cite for info how to create references.
+
+CITE_BIB_FILES =
+
+# The EXTERNAL_TOOL_PATH tag can be used to extend the search path (PATH
+# environment variable) so that external tools such as latex and gs can be
+# found.
+# Note: Directories specified with EXTERNAL_TOOL_PATH are added in front of the
+# path already specified by the PATH variable, and are added in the order
+# specified.
+# Note: This option is particularly useful for macOS version 14 (Sonoma) and
+# higher, when running Doxygen from Doxywizard, because in this case any user-
+# defined changes to the PATH are ignored. A typical example on macOS is to set
+# EXTERNAL_TOOL_PATH = /Library/TeX/texbin /usr/local/bin
+# together with the standard path, the full search path used by doxygen when
+# launching external tools will then become
+# PATH=/Library/TeX/texbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
+
+EXTERNAL_TOOL_PATH =
+
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by Doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
+
+QUIET = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated to standard error (stderr) by Doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
+
+WARNINGS = YES
+
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then Doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If the WARN_IF_DOC_ERROR tag is set to YES, Doxygen will generate warnings for
+# potential errors in the documentation, such as documenting some parameters in
+# a documented function twice, or documenting parameters that don't exist or
+# using markup commands wrongly.
+# The default value is: YES.
+
+WARN_IF_DOC_ERROR = YES
+
+# If WARN_IF_INCOMPLETE_DOC is set to YES, Doxygen will warn about incomplete
+# function parameter documentation. If set to NO, Doxygen will accept that some
+# parameters have no documentation without warning.
+# The default value is: YES.
+
+WARN_IF_INCOMPLETE_DOC = YES
+
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO, Doxygen will only warn about wrong parameter
+# documentation, but not about the absence of documentation. If EXTRACT_ALL is
+# set to YES then this flag will automatically be disabled. See also
+# WARN_IF_INCOMPLETE_DOC
+# The default value is: NO.
+
+WARN_NO_PARAMDOC = YES
+
+# If WARN_IF_UNDOC_ENUM_VAL option is set to YES, Doxygen will warn about
+# undocumented enumeration values. If set to NO, Doxygen will accept
+# undocumented enumeration values. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: NO.
+
+WARN_IF_UNDOC_ENUM_VAL = NO
+
+# If the WARN_AS_ERROR tag is set to YES then Doxygen will immediately stop when
+# a warning is encountered. If the WARN_AS_ERROR tag is set to FAIL_ON_WARNINGS
+# then Doxygen will continue running as if WARN_AS_ERROR tag is set to NO, but
+# at the end of the Doxygen process Doxygen will return with a non-zero status.
+# If the WARN_AS_ERROR tag is set to FAIL_ON_WARNINGS_PRINT then Doxygen behaves
+# like FAIL_ON_WARNINGS but in case no WARN_LOGFILE is defined Doxygen will not
+# write the warning messages in between other messages but write them at the end
+# of a run, in case a WARN_LOGFILE is defined the warning messages will be
+# besides being in the defined file also be shown at the end of a run, unless
+# the WARN_LOGFILE is defined as - i.e. standard output (stdout) in that case
+# the behavior will remain as with the setting FAIL_ON_WARNINGS.
+# Possible values are: NO, YES, FAIL_ON_WARNINGS and FAIL_ON_WARNINGS_PRINT.
+# The default value is: NO.
+
+WARN_AS_ERROR = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that Doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# See also: WARN_LINE_FORMAT
+# The default value is: $file:$line: $text.
+
+WARN_FORMAT = "$file:$line: $text"
+
+# In the $text part of the WARN_FORMAT command it is possible that a reference
+# to a more specific place is given. To make it easier to jump to this place
+# (outside of Doxygen) the user can define a custom "cut" / "paste" string.
+# Example:
+# WARN_LINE_FORMAT = "'vi $file +$line'"
+# See also: WARN_FORMAT
+# The default value is: at line $line of file $file.
+
+WARN_LINE_FORMAT = "at line $line of file $file"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr). In case the file specified cannot be opened for writing the
+# warning and error messages are written to standard error.
When as file - is
+# specified the warning and error messages are written to standard output
+# (stdout).
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
+# Note: If this tag is empty the current directory is searched.
+
+INPUT = ../src/
+
+# This tag can be used to specify the character encoding of the source files
+# that Doxygen parses. Internally Doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see:
+# https://www.gnu.org/software/libiconv/) for the list of possible encodings.
+# See also: INPUT_FILE_ENCODING
+# The default value is: UTF-8.
+
+INPUT_ENCODING = UTF-8
+
+# This tag can be used to specify the character encoding of the source files
+# that Doxygen parses The INPUT_FILE_ENCODING tag can be used to specify
+# character encoding on a per file pattern basis. Doxygen will compare the file
+# name with each pattern and apply the encoding instead of the default
+# INPUT_ENCODING) if there is a match. The character encodings are a list of the
+# form: pattern=encoding (like *.php=ISO-8859-1).
+# See also: INPUT_ENCODING for further information on supported encodings.
+
+INPUT_FILE_ENCODING =
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by Doxygen.
+#
+# Note the list of default checked file patterns might differ from the list of
+# default file extension mappings.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cxxm,
+# *.cpp, *.cppm, *.ccm, *.c++, *.c++m, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl,
+# *.idl, *.ddl, *.odl, *.h, *.hh, *.hxx, *.hpp, *.h++, *.ixx, *.l, *.cs, *.d,
+# *.php, *.php4, *.php5, *.phtml, *.inc, *.m, *.markdown, *.md, *.mm, *.dox (to
+# be provided as Doxygen C comment), *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f18, *.f, *.for, *.vhd, *.vhdl, *.ucf, *.qsf and *.ice.
+
+FILE_PATTERNS = *.c \
+ *.h
+
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
+
+RECURSIVE = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
+# Note that relative paths are relative to the directory from which Doxygen is
+# run.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+# The default value is: NO.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
+
+EXCLUDE_PATTERNS = */test/* \
+ */tests/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# ANamespace::AClass, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
+
+EXAMPLE_PATH = ../etc/ man/
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
+
+EXAMPLE_PATTERNS = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
+
+EXAMPLE_RECURSIVE = YES
+
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that Doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command:
+#
+#
+#
+# where is the value of the INPUT_FILTER tag, and is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
+#
+# Note that Doxygen will use the data processed and written to standard output
+# for further processing, therefore nothing else, like debug statements or used
+# commands (so in case of a Windows batch file always use @echo OFF), should be
+# written to standard output.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by Doxygen.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by Doxygen.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
+
+FILTER_SOURCE_FILES = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the Doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+# The Fortran standard specifies that for fixed formatted Fortran code all
+# characters from position 72 are to be considered as comment. A common
+# extension is to allow longer lines before the automatic comment starts. The
+# setting FORTRAN_COMMENT_AFTER will also make it possible that longer lines can
+# be processed before the automatic comment starts.
+# Minimum value: 7, maximum value: 10000, default value: 72.
+
+FORTRAN_COMMENT_AFTER = 72
+
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
+
+SOURCE_BROWSER = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# multi-line macros, enums or list initialized variables directly into the
+# documentation.
+# The default value is: NO.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct Doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# entity all documented functions referencing it will be listed.
+# The default value is: NO.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
+
+REFERENCES_RELATION = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of Doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see https://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the configuration file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by Doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set the YES then Doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
+
+ALPHABETICAL_INDEX = YES
+
+# The IGNORE_PREFIX tag can be used to specify a prefix (or a list of prefixes)
+# that should be ignored while generating the index headers. The IGNORE_PREFIX
+# tag works for classes, function and member names. The entity will be placed in
+# the alphabetical list under the first letter of the entity name that remains
+# after removing the prefix.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES, Doxygen will generate HTML output
+# The default value is: YES.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each +# generated HTML page (for example: .htm, .php, .asp). +# The default value is: .html. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a user-defined HTML header file for +# each generated HTML page. If the tag is left blank Doxygen will generate a +# standard header. +# +# To get valid HTML the header file that includes any scripts and style sheets +# that Doxygen needs, which is dependent on the configuration options used (e.g. +# the setting GENERATE_TREEVIEW). It is highly recommended to start with a +# default header using +# doxygen -w html new_header.html new_footer.html new_stylesheet.css +# YourConfigFile +# and then modify the file new_header.html. See also section "Doxygen usage" +# for information on how to generate the default header that Doxygen normally +# uses. +# Note: The header is subject to change so you typically have to regenerate the +# default header when upgrading to a newer version of Doxygen. For a description +# of the possible markers and block names see the documentation. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each +# generated HTML page. If the tag is left blank Doxygen will generate a standard +# footer. See HTML_HEADER for more information on how to generate a default +# footer and what special commands can be used inside the footer. See also +# section "Doxygen usage" for information on how to generate the default footer +# that Doxygen normally uses. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style +# sheet that is used by each HTML page. 
It can be used to fine-tune the look of +# the HTML output. If left blank Doxygen will generate a default style sheet. +# See also section "Doxygen usage" for information on how to generate the style +# sheet that Doxygen normally uses. +# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as +# it is more robust and this tag (HTML_STYLESHEET) will in the future become +# obsolete. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_STYLESHEET = + +# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined +# cascading style sheets that are included after the standard style sheets +# created by Doxygen. Using this option one can overrule certain style aspects. +# This is preferred over using HTML_STYLESHEET since it does not replace the +# standard style sheet and is therefore more robust against future updates. +# Doxygen will copy the style sheet files to the output directory. +# Note: The order of the extra style sheet files is of importance (e.g. the last +# style sheet in the list overrules the setting of the previous ones in the +# list). +# Note: Since the styling of scrollbars can currently not be overruled in +# Webkit/Chromium, the styling will be left out of the default doxygen.css if +# one or more extra stylesheets have been specified. So if scrollbar +# customization is desired it has to be added explicitly. For an example see the +# documentation. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_EXTRA_STYLESHEET = + +# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or +# other source files which should be copied to the HTML output directory. Note +# that these files will be copied to the base HTML output directory. Use the +# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these +# files. In the HTML_STYLESHEET file, use the file name only. 
Also note that the +# files will be copied as-is; there are no commands or markers available. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_EXTRA_FILES = + +# The HTML_COLORSTYLE tag can be used to specify if the generated HTML output +# should be rendered with a dark or light theme. +# Possible values are: LIGHT always generates light mode output, DARK always +# generates dark mode output, AUTO_LIGHT automatically sets the mode according +# to the user preference, uses light mode if no preference is set (the default), +# AUTO_DARK automatically sets the mode according to the user preference, uses +# dark mode if no preference is set and TOGGLE allows a user to switch between +# light and dark mode via a button. +# The default value is: AUTO_LIGHT. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_COLORSTYLE = AUTO_LIGHT + +# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen +# will adjust the colors in the style sheet and background images according to +# this color. Hue is specified as an angle on a color-wheel, see +# https://en.wikipedia.org/wiki/Hue for more information. For instance the value +# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300 +# purple, and 360 is red again. +# Minimum value: 0, maximum value: 359, default value: 220. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_COLORSTYLE_HUE = 220 + +# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors +# in the HTML output. For a value of 0 the output will use gray-scales only. A +# value of 255 will produce the most vivid colors. +# Minimum value: 0, maximum value: 255, default value: 100. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_COLORSTYLE_SAT = 100 + +# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the +# luminance component of the colors in the HTML output. 
Values below 100 +# gradually make the output lighter, whereas values above 100 make the output +# darker. The value divided by 100 is the actual gamma applied, so 80 represents +# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not +# change the gamma. +# Minimum value: 40, maximum value: 240, default value: 80. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_COLORSTYLE_GAMMA = 80 + +# If the HTML_DYNAMIC_MENUS tag is set to YES then the generated HTML +# documentation will contain a main index with vertical navigation menus that +# are dynamically created via JavaScript. If disabled, the navigation index will +# consists of multiple levels of tabs that are statically embedded in every HTML +# page. Disable this option to support browsers that do not have JavaScript, +# like the Qt help browser. +# The default value is: YES. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_DYNAMIC_MENUS = YES + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_DYNAMIC_SECTIONS = NO + +# If the HTML_CODE_FOLDING tag is set to YES then classes and functions can be +# dynamically folded and expanded in the generated HTML source code. +# The default value is: YES. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_CODE_FOLDING = YES + +# If the HTML_COPY_CLIPBOARD tag is set to YES then Doxygen will show an icon in +# the top right corner of code and text fragments that allows the user to copy +# its content to the clipboard. Note this only works if supported by the browser +# and the web page is served via a secure context (see: +# https://www.w3.org/TR/secure-contexts/), i.e. using the https: or file: +# protocol. +# The default value is: YES. 
+# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_COPY_CLIPBOARD = YES + +# Doxygen stores a couple of settings persistently in the browser (via e.g. +# cookies). By default these settings apply to all HTML pages generated by +# Doxygen across all projects. The HTML_PROJECT_COOKIE tag can be used to store +# the settings under a project specific key, such that the user preferences will +# be stored separately. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_PROJECT_COOKIE = + +# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries +# shown in the various tree structured indices initially; the user can expand +# and collapse entries dynamically later on. Doxygen will expand the tree to +# such a level that at most the specified number of entries are visible (unless +# a fully collapsed tree already exceeds this amount). So setting the number of +# entries 1 will produce a full collapsed tree by default. 0 is a special value +# representing an infinite number of entries and will result in a full expanded +# tree by default. +# Minimum value: 0, maximum value: 9999, default value: 100. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_INDEX_NUM_ENTRIES = 100 + +# If the GENERATE_DOCSET tag is set to YES, additional index files will be +# generated that can be used as input for Apple's Xcode 3 integrated development +# environment (see: +# https://developer.apple.com/xcode/), introduced with OSX 10.5 (Leopard). To +# create a documentation set, Doxygen will generate a Makefile in the HTML +# output directory. Running make will produce the docset in that directory and +# running make install will install the docset in +# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at +# startup. See https://developer.apple.com/library/archive/featuredarticles/Doxy +# genXcode/_index.html for more information. +# The default value is: NO. 
+# This tag requires that the tag GENERATE_HTML is set to YES. + +GENERATE_DOCSET = NO + +# This tag determines the name of the docset feed. A documentation feed provides +# an umbrella under which multiple documentation sets from a single provider +# (such as a company or product suite) can be grouped. +# The default value is: Doxygen generated docs. +# This tag requires that the tag GENERATE_DOCSET is set to YES. + +DOCSET_FEEDNAME = "Doxygen generated docs" + +# This tag determines the URL of the docset feed. A documentation feed provides +# an umbrella under which multiple documentation sets from a single provider +# (such as a company or product suite) can be grouped. +# This tag requires that the tag GENERATE_DOCSET is set to YES. + +DOCSET_FEEDURL = + +# This tag specifies a string that should uniquely identify the documentation +# set bundle. This should be a reverse domain-name style string, e.g. +# com.mycompany.MyDocSet. Doxygen will append .docset to the name. +# The default value is: org.doxygen.Project. +# This tag requires that the tag GENERATE_DOCSET is set to YES. + +DOCSET_BUNDLE_ID = org.doxygen.Project + +# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify +# the documentation publisher. This should be a reverse domain-name style +# string, e.g. com.mycompany.MyDocSet.documentation. +# The default value is: org.doxygen.Publisher. +# This tag requires that the tag GENERATE_DOCSET is set to YES. + +DOCSET_PUBLISHER_ID = org.doxygen.Publisher + +# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher. +# The default value is: Publisher. +# This tag requires that the tag GENERATE_DOCSET is set to YES. + +DOCSET_PUBLISHER_NAME = Publisher + +# If the GENERATE_HTMLHELP tag is set to YES then Doxygen generates three +# additional HTML index files: index.hhp, index.hhc, and index.hhk. The +# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop +# on Windows. 
In the beginning of 2021 Microsoft took the original page, with +# a.o. the download links, offline the HTML help workshop was already many years +# in maintenance mode). You can download the HTML help workshop from the web +# archives at Installation executable (see: +# http://web.archive.org/web/20160201063255/http://download.microsoft.com/downlo +# ad/0/A/9/0A939EF6-E31C-430F-A3DF-DFAE7960D564/htmlhelp.exe). +# +# The HTML Help Workshop contains a compiler that can convert all HTML output +# generated by Doxygen into a single compiled HTML file (.chm). Compiled HTML +# files are now used as the Windows 98 help format, and will replace the old +# Windows help format (.hlp) on all Windows platforms in the future. Compressed +# HTML files also contain an index, a table of contents, and you can search for +# words in the documentation. The HTML workshop also contains a viewer for +# compressed HTML files. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +GENERATE_HTMLHELP = NO + +# The CHM_FILE tag can be used to specify the file name of the resulting .chm +# file. You can add a path in front of the file if the result should not be +# written to the html output directory. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. + +CHM_FILE = + +# The HHC_LOCATION tag can be used to specify the location (absolute path +# including file name) of the HTML help compiler (hhc.exe). If non-empty, +# Doxygen will try to run the HTML help compiler on the generated index.hhp. +# The file has to be specified with full path. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. + +HHC_LOCATION = + +# The GENERATE_CHI flag controls if a separate .chi index file is generated +# (YES) or that it should be included in the main .chm file (NO). +# The default value is: NO. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. 
+ +GENERATE_CHI = NO + +# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc) +# and project file content. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. + +CHM_INDEX_ENCODING = + +# The BINARY_TOC flag controls whether a binary table of contents is generated +# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it +# enables the Previous and Next buttons. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members to +# the table of contents of the HTML help documentation and to the tree view. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTMLHELP is set to YES. + +TOC_EXPAND = NO + +# The SITEMAP_URL tag is used to specify the full URL of the place where the +# generated documentation will be placed on the server by the user during the +# deployment of the documentation. The generated sitemap is called sitemap.xml +# and placed on the directory specified by HTML_OUTPUT. In case no SITEMAP_URL +# is specified no sitemap is generated. For information about the sitemap +# protocol see https://www.sitemaps.org +# This tag requires that the tag GENERATE_HTML is set to YES. + +SITEMAP_URL = + +# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and +# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that +# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help +# (.qch) of the generated HTML documentation. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +GENERATE_QHP = NO + +# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify +# the file name of the resulting .qch file. The path specified is relative to +# the HTML output folder. +# This tag requires that the tag GENERATE_QHP is set to YES. 
+ +QCH_FILE = + +# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help +# Project output. For more information please see Qt Help Project / Namespace +# (see: +# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#namespace). +# The default value is: org.doxygen.Project. +# This tag requires that the tag GENERATE_QHP is set to YES. + +QHP_NAMESPACE = org.doxygen.Project + +# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt +# Help Project output. For more information please see Qt Help Project / Virtual +# Folders (see: +# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#virtual-folders). +# The default value is: doc. +# This tag requires that the tag GENERATE_QHP is set to YES. + +QHP_VIRTUAL_FOLDER = doc + +# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom +# filter to add. For more information please see Qt Help Project / Custom +# Filters (see: +# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters). +# This tag requires that the tag GENERATE_QHP is set to YES. + +QHP_CUST_FILTER_NAME = + +# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the +# custom filter to add. For more information please see Qt Help Project / Custom +# Filters (see: +# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-filters). +# This tag requires that the tag GENERATE_QHP is set to YES. + +QHP_CUST_FILTER_ATTRS = + +# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this +# project's filter section matches. Qt Help Project / Filter Attributes (see: +# https://doc.qt.io/archives/qt-4.8/qthelpproject.html#filter-attributes). +# This tag requires that the tag GENERATE_QHP is set to YES. + +QHP_SECT_FILTER_ATTRS = + +# The QHG_LOCATION tag can be used to specify the location (absolute path +# including file name) of Qt's qhelpgenerator. If non-empty Doxygen will try to +# run qhelpgenerator on the generated .qhp file. 
+# This tag requires that the tag GENERATE_QHP is set to YES. + +QHG_LOCATION = + +# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be +# generated, together with the HTML files, they form an Eclipse help plugin. To +# install this plugin and make it available under the help contents menu in +# Eclipse, the contents of the directory containing the HTML and XML files needs +# to be copied into the plugins directory of eclipse. The name of the directory +# within the plugins directory should be the same as the ECLIPSE_DOC_ID value. +# After copying Eclipse needs to be restarted before the help appears. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +GENERATE_ECLIPSEHELP = NO + +# A unique identifier for the Eclipse help plugin. When installing the plugin +# the directory name containing the HTML and XML files should also have this +# name. Each documentation set should have its own identifier. +# The default value is: org.doxygen.Project. +# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES. + +ECLIPSE_DOC_ID = org.doxygen.Project + +# If you want full control over the layout of the generated HTML pages it might +# be necessary to disable the index and replace it with your own. The +# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top +# of each HTML page. A value of NO enables the index and the value YES disables +# it. Since the tabs in the index contain the same information as the navigation +# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +DISABLE_INDEX = NO + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. 
If the tag +# value is set to YES, a side panel will be generated containing a tree-like +# index structure (just like the one that is generated for HTML Help). For this +# to work a browser that supports JavaScript, DHTML, CSS and frames is required +# (i.e. any modern browser). Windows users are probably better off using the +# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can +# further fine tune the look of the index (see "Fine-tuning the output"). As an +# example, the default style sheet generated by Doxygen has an example that +# shows how to put an image at the root of the tree instead of the PROJECT_NAME. +# Since the tree basically has the same information as the tab index, you could +# consider setting DISABLE_INDEX to YES when enabling this option. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +GENERATE_TREEVIEW = YES + +# When both GENERATE_TREEVIEW and DISABLE_INDEX are set to YES, then the +# FULL_SIDEBAR option determines if the side bar is limited to only the treeview +# area (value NO) or if it should extend to the full height of the window (value +# YES). Setting this to YES gives a layout similar to +# https://docs.readthedocs.io with more room for contents, but less room for the +# project logo, title, and description. If either GENERATE_TREEVIEW or +# DISABLE_INDEX is set to NO, this option has no effect. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +FULL_SIDEBAR = NO + +# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that +# Doxygen will group on one line in the generated HTML documentation. +# +# Note that a value of 0 will completely suppress the enum values from appearing +# in the overview section. +# Minimum value: 0, maximum value: 20, default value: 4. +# This tag requires that the tag GENERATE_HTML is set to YES. 
+ +ENUM_VALUES_PER_LINE = 4 + +# When the SHOW_ENUM_VALUES tag is set doxygen will show the specified +# enumeration values besides the enumeration mnemonics. +# The default value is: NO. + +SHOW_ENUM_VALUES = NO + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used +# to set the initial width (in pixels) of the frame in which the tree is shown. +# Minimum value: 0, maximum value: 1500, default value: 250. +# This tag requires that the tag GENERATE_HTML is set to YES. + +TREEVIEW_WIDTH = 250 + +# If the EXT_LINKS_IN_WINDOW option is set to YES, Doxygen will open links to +# external symbols imported via tag files in a separate window. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +EXT_LINKS_IN_WINDOW = NO + +# If the OBFUSCATE_EMAILS tag is set to YES, Doxygen will obfuscate email +# addresses. +# The default value is: YES. +# This tag requires that the tag GENERATE_HTML is set to YES. + +OBFUSCATE_EMAILS = YES + +# If the HTML_FORMULA_FORMAT option is set to svg, Doxygen will use the pdf2svg +# tool (see https://github.com/dawbarton/pdf2svg) or inkscape (see +# https://inkscape.org) to generate formulas as SVG images instead of PNGs for +# the HTML output. These images will generally look nicer at scaled resolutions. +# Possible values are: png (the default) and svg (looks nicer but requires the +# pdf2svg or inkscape tool). +# The default value is: png. +# This tag requires that the tag GENERATE_HTML is set to YES. + +HTML_FORMULA_FORMAT = png + +# Use this tag to change the font size of LaTeX formulas included as images in +# the HTML documentation. When you change the font size after a successful +# Doxygen run you need to manually remove any form_*.png images from the HTML +# output directory to force them to be regenerated. +# Minimum value: 8, maximum value: 50, default value: 10. +# This tag requires that the tag GENERATE_HTML is set to YES. 
+ +FORMULA_FONTSIZE = 10 + +# The FORMULA_MACROFILE can contain LaTeX \newcommand and \renewcommand commands +# to create new LaTeX commands to be used in formulas as building blocks. See +# the section "Including formulas" for details. + +FORMULA_MACROFILE = + +# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see +# https://www.mathjax.org) which uses client side JavaScript for the rendering +# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX +# installed or if you want to formulas look prettier in the HTML output. When +# enabled you may also need to install MathJax separately and configure the path +# to it using the MATHJAX_RELPATH option. +# The default value is: NO. +# This tag requires that the tag GENERATE_HTML is set to YES. + +USE_MATHJAX = YES + +# With MATHJAX_VERSION it is possible to specify the MathJax version to be used. +# Note that the different versions of MathJax have different requirements with +# regards to the different settings, so it is possible that also other MathJax +# settings have to be changed when switching between the different MathJax +# versions. +# Possible values are: MathJax_2 and MathJax_3. +# The default value is: MathJax_2. +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_VERSION = MathJax_3 + +# When MathJax is enabled you can set the default output format to be used for +# the MathJax output. For more details about the output format see MathJax +# version 2 (see: +# http://docs.mathjax.org/en/v2.7-latest/output.html) and MathJax version 3 +# (see: +# http://docs.mathjax.org/en/latest/web/components/output.html). +# Possible values are: HTML-CSS (which is slower, but has the best +# compatibility. This is the name for Mathjax version 2, for MathJax version 3 +# this will be translated into chtml), NativeMML (i.e. MathML. Only supported +# for MathJax 2. 
For MathJax version 3 chtml will be used instead.), chtml (This +# is the name for Mathjax version 3, for MathJax version 2 this will be +# translated into HTML-CSS) and SVG. +# The default value is: HTML-CSS. +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_FORMAT = HTML-CSS + +# When MathJax is enabled you need to specify the location relative to the HTML +# output directory using the MATHJAX_RELPATH option. The destination directory +# should contain the MathJax.js script. For instance, if the mathjax directory +# is located at the same level as the HTML output directory, then +# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax +# Content Delivery Network so you can quickly see the result without installing +# MathJax. However, it is strongly recommended to install a local copy of +# MathJax from https://www.mathjax.org before deployment. The default value is: +# - in case of MathJax version 2: https://cdn.jsdelivr.net/npm/mathjax@2 +# - in case of MathJax version 3: https://cdn.jsdelivr.net/npm/mathjax@3 +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_RELPATH = https://cdn.jsdelivr.net/npm/mathjax@3 + +# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax +# extension names that should be enabled during MathJax rendering. For example +# for MathJax version 2 (see +# https://docs.mathjax.org/en/v2.7-latest/tex.html#tex-and-latex-extensions): +# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols +# For example for MathJax version 3 (see +# http://docs.mathjax.org/en/latest/input/tex/extensions/index.html): +# MATHJAX_EXTENSIONS = ams +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_EXTENSIONS = + +# The MATHJAX_CODEFILE tag can be used to specify a file with JavaScript pieces +# of code that will be used on startup of the MathJax code. See the MathJax site +# (see: +# http://docs.mathjax.org/en/v2.7-latest/output.html) for more details. 
For an +# example see the documentation. +# This tag requires that the tag USE_MATHJAX is set to YES. + +MATHJAX_CODEFILE = + +# When the SEARCHENGINE tag is enabled Doxygen will generate a search box for +# the HTML output. The underlying search engine uses JavaScript and DHTML and +# should work on any modern browser. Note that when using HTML help +# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET) +# there is already a search function so this one should typically be disabled. +# For large projects the JavaScript based search engine can be slow, then +# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to +# search using the keyboard; to jump to the search box use + S +# (what the is depends on the OS and browser, but it is typically +# , /