[openssl] master update

Dr. Paul Dale pauli at openssl.org
Sat Sep 18 21:40:19 UTC 2021


The branch master has been updated
       via  e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit)
       via  e2ef7f1265e727567e8963aa2756a387a621ef71 (commit)
      from  bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit)


- Log -----------------------------------------------------------------
commit e396c114eb7233e24ba6a920606cfdd6bc6cff7c
Author: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Date:   Wed Sep 15 11:00:50 2021 +0800

    apps/s_client: Add ktls option
    
    Since openssl-3.0.0-alpha15, KTLS is turned off by default even when
    the KTLS feature is compiled in, which makes it difficult to use KTLS
    through s_server/s_client, so a 'ktls' option is added to enable KTLS
    from the command line.
    
    Signed-off-by: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
    
    Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16609)

commit e2ef7f1265e727567e8963aa2756a387a621ef71
Author: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Date:   Wed Sep 15 11:39:51 2021 +0800

    apps/s_server: Add ktls option
    
    Since openssl-3.0.0-alpha15, KTLS is turned off by default even when
    the KTLS feature is compiled in, which makes it difficult to use KTLS
    through s_server/s_client, so a 'ktls' option is added to enable KTLS
    from the command line.
    
    At the same time, SSL_sendfile() depends on the KTLS feature to work
    properly, so the 'sendfile' option is made to depend on the 'ktls' option.
    
    Signed-off-by: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
    
    Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16609)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c                  | 16 ++++++++++++++++
 apps/s_server.c                  | 20 +++++++++++++++++++-
 doc/man1/openssl-s_client.pod.in |  7 +++++++
 doc/man1/openssl-s_server.pod.in | 10 +++++++++-
 4 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 3b9be0e8c2..6ccb7a42d0 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -467,6 +467,7 @@ typedef enum OPTION_choice {
     OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
     OPT_ENABLE_PHA,
     OPT_SCTP_LABEL_BUG,
+    OPT_KTLS,
     OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = {
     {"srp_strength", OPT_SRP_STRENGTH, 'p',
      "(deprecated) Minimal length in bits for N"},
 #endif
+#ifndef OPENSSL_NO_KTLS
+    {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
+#endif
 
     OPT_R_OPTIONS,
     OPT_S_OPTIONS,
@@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv)
     int sctp_label_bug = 0;
 #endif
     int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+    int enable_ktls = 0;
+#endif
 
     FD_ZERO(&readfds);
     FD_ZERO(&writefds);
@@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv)
         case OPT_ENABLE_PHA:
             enable_pha = 1;
             break;
+        case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+            enable_ktls = 1;
+#endif
+            break;
         }
     }
 
@@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv)
 
     if (ignore_unexpected_eof)
         SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+    if (enable_ktls)
+        SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
 
     if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
         BIO_printf(bio_err, "Error setting verify params\n");
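Review bot: The new SSL_OP_ENABLE_KTLS line carries no comment, and the -ktls help text added elsewhere in this commit promises Kernel TLS "for sending and receiving" outright; as far as this hunk shows, the flag only requests the feature on the context, and whether the kernel actually takes over record processing presumably depends on kernel support and the negotiated cipher, which this code neither checks nor reports. A short comment would stop the next reader from assuming the option guarantees offload, e.g. `/* Request KTLS; records may still be processed in userspace if the kernel or the negotiated cipher cannot support it. */`. s_client_main begins and ends outside this hunk.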
diff --git a/apps/s_server.c b/apps/s_server.c
index c5d9221e90..9f448298f0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -716,7 +716,7 @@ typedef enum OPTION_choice {
     OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
     OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
     OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
-    OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
+    OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS,
     OPT_R_ENUM,
     OPT_S_ENUM,
     OPT_V_ENUM,
@@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = {
     {"alpn", OPT_ALPN, 's',
      "Set the advertised protocols for the ALPN extension (comma-separated list)"},
 #ifndef OPENSSL_NO_KTLS
+    {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
     {"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
 #endif
 
@@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[])
     int sctp_label_bug = 0;
 #endif
     int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+    int enable_ktls = 0;
+#endif
 
     /* Init of few remaining global variables */
     local_argc = argc;
@@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[])
         case OPT_NOCANAMES:
             no_ca_names = 1;
             break;
+        case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+            enable_ktls = 1;
+#endif
+            break;
         case OPT_SENDFILE:
 #ifndef OPENSSL_NO_KTLS
             use_sendfile = 1;
@@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[])
 #endif
 
 #ifndef OPENSSL_NO_KTLS
+    if (use_sendfile && enable_ktls == 0) {
+        BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");
+        enable_ktls = 1;
+    }
+
     if (use_sendfile && www <= 1) {
         BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
         goto end;
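Review bot: The warning added at the top of this hunk is written to `bio_out`, while the neighbouring diagnostic for -sendfile without -WWW/-HTTP goes to `bio_err`; in -WWW mode stdout is also where the served content is written, so an operator capturing output can miss that a kernel feature was switched on behind their back. Use `BIO_printf(bio_err, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");` to match the adjacent error path. Separately, the openssl-s_server.pod.in wording in this same commit says -sendfile is "only valid when -ktls along with -WWW or -HTTP are specified", whereas the code silently implies -ktls instead of rejecting the combination; either reject it here the way the -WWW check below does (`goto end`), or reword the manual to say -ktls is implied. s_server_main begins and ends outside this hunk.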
@@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[])
 
     if (ignore_unexpected_eof)
         SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+    if (enable_ktls)
+        SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
 
     if (max_send_fragment > 0
         && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6328cd07d9..709bc49375 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -116,6 +116,7 @@ B<openssl> B<s_client>
 [B<-srp_lateuser>]
 [B<-srp_moregroups>]
 [B<-srp_strength> I<number>]
+[B<-ktls>]
 {- $OpenSSL::safe::opt_name_synopsis -}
 {- $OpenSSL::safe::opt_version_synopsis -}
 {- $OpenSSL::safe::opt_x_synopsis -}
@@ -765,6 +766,12 @@ Tolerate other than the known B<g> and B<N> values.
 Set the minimal acceptable length, in bits, for B<N>.  This option is
 deprecated.
 
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
 {- $OpenSSL::safe::opt_version_item -}
 
 {- $OpenSSL::safe::opt_name_item -}
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 115eceb0e3..c461a0cd73 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -128,6 +128,7 @@ B<openssl> B<s_server>
 [B<-no_dhe>]
 [B<-nextprotoneg> I<val>]
 [B<-alpn> I<val>]
+[B<-ktls>]
 [B<-sendfile>]
 [B<-keylogfile> I<outfile>]
 [B<-recv_max_early_data> I<int>]
@@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
 =item B<-sendfile>
 
 If this option is set and KTLS is enabled, SSL_sendfile() will be used
 instead of BIO_write() to send the HTTP response requested by a client.
-This option is only valid if B<-WWW> or B<-HTTP> is specified.
+This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
+are specified.
 
 =item B<-keylogfile> I<outfile>
 

