[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Sat Sep 18 21:40:19 UTC 2021
The branch master has been updated
via e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit)
via e2ef7f1265e727567e8963aa2756a387a621ef71 (commit)
from bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit)
- Log -----------------------------------------------------------------
commit e396c114eb7233e24ba6a920606cfdd6bc6cff7c
Author: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Date: Wed Sep 15 11:00:50 2021 +0800
apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
Signed-off-by: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
commit e2ef7f1265e727567e8963aa2756a387a621ef71
Author: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Date: Wed Sep 15 11:39:51 2021 +0800
apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
At the same time, SSL_sendfile() depends on KTLS feature to work
properly, make parameters sendfile depend on parameters ktls.
Signed-off-by: Tianjia Zhang <tianjia.zhang at linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy at antfin.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 16 ++++++++++++++++
apps/s_server.c | 20 +++++++++++++++++++-
doc/man1/openssl-s_client.pod.in | 7 +++++++
doc/man1/openssl-s_server.pod.in | 10 +++++++++-
4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 3b9be0e8c2..6ccb7a42d0 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -467,6 +467,7 @@ typedef enum OPTION_choice {
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
OPT_SCTP_LABEL_BUG,
+ OPT_KTLS,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = {
{"srp_strength", OPT_SRP_STRENGTH, 'p',
"(deprecated) Minimal length in bits for N"},
#endif
+#ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
+#endif
OPT_R_OPTIONS,
OPT_S_OPTIONS,
@@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv)
int sctp_label_bug = 0;
#endif
int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
@@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv)
case OPT_ENABLE_PHA:
enable_pha = 1;
break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
}
}
@@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv)
if (ignore_unexpected_eof)
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index c5d9221e90..9f448298f0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -716,7 +716,7 @@ typedef enum OPTION_choice {
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
- OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
+ OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
@@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = {
{"alpn", OPT_ALPN, 's',
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
#ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
{"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
#endif
@@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[])
int sctp_label_bug = 0;
#endif
int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
/* Init of few remaining global variables */
local_argc = argc;
@@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[])
case OPT_NOCANAMES:
no_ca_names = 1;
break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
case OPT_SENDFILE:
#ifndef OPENSSL_NO_KTLS
use_sendfile = 1;
@@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[])
#endif
#ifndef OPENSSL_NO_KTLS
+ if (use_sendfile && enable_ktls == 0) {
+ BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");
+ enable_ktls = 1;
+ }
+
if (use_sendfile && www <= 1) {
BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
goto end;
@@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[])
if (ignore_unexpected_eof)
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6328cd07d9..709bc49375 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -116,6 +116,7 @@ B<openssl> B<s_client>
[B<-srp_lateuser>]
[B<-srp_moregroups>]
[B<-srp_strength> I<number>]
+[B<-ktls>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
@@ -765,6 +766,12 @@ Tolerate other than the known B<g> and B<N> values.
Set the minimal acceptable length, in bits, for B<N>. This option is
deprecated.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 115eceb0e3..c461a0cd73 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -128,6 +128,7 @@ B<openssl> B<s_server>
[B<-no_dhe>]
[B<-nextprotoneg> I<val>]
[B<-alpn> I<val>]
+[B<-ktls>]
[B<-sendfile>]
[B<-keylogfile> I<outfile>]
[B<-recv_max_early_data> I<int>]
@@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
=item B<-sendfile>
If this option is set and KTLS is enabled, SSL_sendfile() will be used
instead of BIO_write() to send the HTTP response requested by a client.
-This option is only valid if B<-WWW> or B<-HTTP> is specified.
+This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
+are specified.
=item B<-keylogfile> I<outfile>
More information about the openssl-commits
mailing list