The branch master has been updated via e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit) via e2ef7f1265e727567e8963aa2756a387a621ef71 (commit) from bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit)
- Log -----------------------------------------------------------------
commit e396c114eb7233e24ba6a920606cfdd6bc6cff7c
Author: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
Date: Wed Sep 15 11:00:50 2021 +0800
apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline.
Signed-off-by: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen...@antfin.com>
Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Paul Dale <pa...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
commit e2ef7f1265e727567e8963aa2756a387a621ef71
Author: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
Date: Wed Sep 15 11:39:51 2021 +0800
apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline. At the same time, SSL_sendfile() depends on KTLS feature to work properly, make parameters sendfile depend on parameters ktls.
Signed-off-by: Tianjia Zhang <tianjia.zh...@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen...@antfin.com>
Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Paul Dale <pa...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 16 ++++++++++++++++
apps/s_server.c | 20 +++++++++++++++++++-
doc/man1/openssl-s_client.pod.in | 7 +++++++
doc/man1/openssl-s_server.pod.in | 10 +++++++++-
4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 3b9be0e8c2..6ccb7a42d0 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -467,6 +467,7 @@ typedef enum OPTION_choice {
 OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, OPT_ENABLE_PHA, OPT_SCTP_LABEL_BUG,
+ OPT_KTLS,
 OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE;
@@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = {
 {"srp_strength", OPT_SRP_STRENGTH, 'p', "(deprecated) Minimal length in bits for N"},
 #endif
+#ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
+#endif
 OPT_R_OPTIONS, OPT_S_OPTIONS,
@@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv)
 int sctp_label_bug = 0;
 #endif
 int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
 FD_ZERO(&readfds); FD_ZERO(&writefds);
@@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv)
 case OPT_ENABLE_PHA: enable_pha = 1; break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
 } }
@@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv)
 if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
 if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index c5d9221e90..9f448298f0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -716,7 +716,7 @@ typedef enum OPTION_choice {
 OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
- OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
+ OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS,
 OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM,
@@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = {
 {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"},
 #ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
 {"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
 #endif
@@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[])
 int sctp_label_bug = 0;
 #endif
 int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
 /* Init of few remaining global variables */ local_argc = argc;
@@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[])
 case OPT_NOCANAMES: no_ca_names = 1; break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
 case OPT_SENDFILE:
 #ifndef OPENSSL_NO_KTLS
 use_sendfile = 1;
@@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[])
 #endif
 #ifndef OPENSSL_NO_KTLS
+ if (use_sendfile && enable_ktls == 0) {
+ BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");
+ enable_ktls = 1;
+ }
+
 if (use_sendfile && www <= 1) { BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n"); goto end;
@@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[])
 if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
 if (max_send_fragment > 0 && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6328cd07d9..709bc49375 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -116,6 +116,7 @@ B<openssl> B<s_client>
 [B<-srp_lateuser>] [B<-srp_moregroups>] [B<-srp_strength> I<number>]
+[B<-ktls>]
 {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -}
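Review bot: In the `@@ -1694` hunk of apps/s_server.c the new `-sendfile` dependency warning is written to `bio_out`, while the `Can't use -sendfile without -WWW or -HTTP` error immediately below it goes to `bio_err`; putting a diagnostic on stdout mixes it with the server's normal output and is inconsistent with the neighbouring error. The warning is also emitted before the `www <= 1` validity check, so a command line that is about to be rejected still prints `enabling -ktls now` and then hits `goto end`. Consider moving the four-line block below that check and changing the call to `BIO_printf(bio_err, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");`, so that KTLS is only implicitly turned on for a configuration that will actually run. s_server_main begins and ends outside the hunk.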
@@ -765,6 +766,12 @@ Tolerate other than the known B<g> and B<N> values.
 Set the minimal acceptable length, in bits, for B<N>. This option is deprecated.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
 {- $OpenSSL::safe::opt_version_item -} {- $OpenSSL::safe::opt_name_item -}
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 115eceb0e3..c461a0cd73 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -128,6 +128,7 @@ B<openssl> B<s_server>
 [B<-no_dhe>] [B<-nextprotoneg> I<val>] [B<-alpn> I<val>]
+[B<-ktls>]
 [B<-sendfile>] [B<-keylogfile> I<outfile>] [B<-recv_max_early_data> I<int>]
@@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3".
 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
 =item B<-sendfile>
 If this option is set and KTLS is enabled, SSL_sendfile() will be used instead of BIO_write() to send the HTTP response requested by a client.
-This option is only valid if B<-WWW> or B<-HTTP> is specified.
+This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
+are specified.
 =item B<-keylogfile> I<outfile>