[openssl/openssl] cd715b: Add support for KTLS zerocopy sendfile on Linux

nvmmax noreply at github.com
Thu Nov 24 12:21:56 UTC 2022 

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: cd715b7e7fdd2aeb0fd80220d2df5187b291f87a
      https://github.com/openssl/openssl/commit/cd715b7e7fdd2aeb0fd80220d2df5187b291f87a
  Author: Maxim Mikityanskiy <maximmi at nvidia.com>
  Date:   2022-11-24 (Thu, 24 Nov 2022)

  Changed paths:
    M CHANGES.md
    M apps/s_server.c
    M crypto/bio/bss_conn.c
    M crypto/bio/bss_sock.c
    M doc/man1/openssl-s_server.pod.in
    M doc/man3/SSL_CONF_cmd.pod
    M doc/man3/SSL_CTX_set_options.pod
    M include/internal/bio.h
    M include/internal/ktls.h
    M include/openssl/bio.h.in
    M include/openssl/ssl.h.in
    M ssl/record/methods/ktls_meth.c
    M ssl/ssl_conf.c
    M test/sslapitest.c

  Log Message:
  -----------
  Add support for KTLS zerocopy sendfile on Linux

TLS device offload allows to perform zerocopy sendfile transmissions.
FreeBSD provides this feature by default, and Linux 5.19 introduced it
as an opt-in. Zerocopy improves the TX rate significantly, but has a
side effect: if the underlying file is changed while being transmitted,
and a TCP retransmission happens, the receiver may get a TLS record
containing both new and old data, which leads to an authentication
failure and termination of connection. This effect is the reason Linux
makes a copy on sendfile by default.

This commit adds support for TLS zerocopy sendfile on Linux disabled by
default to avoid any unlikely backward compatibility issues on Linux,
although sacrificing consistency in OpenSSL's behavior on Linux and
FreeBSD. A new option called KTLSTxZerocopySendfile is added to enable
the new zerocopy behavior on Linux. This option should be used when the
the application guarantees that the file is not modified during
transmission, or it doesn't care about breaking the connection.

The related documentation is also added in this commit. The unit test
added doesn't test the actual functionality (it would require specific
hardware and a non-local peer), but solely checks that it's possible to
set the new option flag.

Signed-off-by: Maxim Mikityanskiy <maximmi at nvidia.com>
Reviewed-by: Tariq Toukan <tariqt at nvidia.com>
Reviewed-by: Boris Pismenny <borisp at nvidia.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18650)

More information about the openssl-commits mailing list