authorMaxim Mikityanskiy <maximmi@nvidia.com>2022-11-09 11:26:11 +0200
committerTomas Mraz <tomas@openssl.org>2022-11-24 13:19:37 +0100
commitcd715b7e7fdd2aeb0fd80220d2df5187b291f87a (patch)
treeaf68ab6d8097544d1b7f6367cf3cc64d5679f71e /test/sslapitest.c
parent394f6f246af23876f3d7a0332eb194aaa5127643 (diff)
Add support for KTLS zerocopy sendfile on Linux
TLS device offload makes it possible to perform zerocopy sendfile transmissions. FreeBSD provides this feature by default, and Linux 5.19 introduced it as an opt-in. Zerocopy improves the TX rate significantly, but has a side effect: if the underlying file is changed while being transmitted, and a TCP retransmission happens, the receiver may get a TLS record containing both new and old data, which leads to an authentication failure and termination of the connection. This effect is the reason Linux makes a copy on sendfile by default. This commit adds support for TLS zerocopy sendfile on Linux, disabled by default to avoid any unlikely backward compatibility issues on Linux, although sacrificing consistency in OpenSSL's behavior on Linux and FreeBSD. A new option called KTLSTxZerocopySendfile is added to enable the new zerocopy behavior on Linux. This option should be used when the application guarantees that the file is not modified during transmission, or it doesn't care about breaking the connection. The related documentation is also added in this commit. The unit test added doesn't test the actual functionality (it would require specific hardware and a non-local peer), but solely checks that it's possible to set the new option flag. Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Reviewed-by: Boris Pismenny <borisp@nvidia.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18650)
Diffstat (limited to 'test/sslapitest.c')
-rw-r--r--test/sslapitest.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 8f14381b56..a26f6286f3 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1293,7 +1293,8 @@ end:
#define SENDFILE_CHUNK (4 * 4096)
#define min(a,b) ((a) > (b) ? (b) : (a))
-static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
+static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
+ int zerocopy)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -1350,6 +1351,12 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS)))
goto end;
+ if (zerocopy) {
+ if (!TEST_true(SSL_set_options(serverssl,
+ SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE)))
+ goto end;
+ }
+
if (!TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE)))
goto end;
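Review bot: The `TEST_true(SSL_set_options(...))` check inside the new `if (zerocopy)` block looks unable to fail, because SSL_set_options() returns the resulting options bitmask and SSL_OP_ENABLE_KTLS was already set just above, so the value is nonzero whether or not the new bit was accepted. To pin the flag itself, follow the call with `if (!TEST_true((SSL_get_options(serverssl) & SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE) != 0)) goto end;`. The commit message says zerocopy stays off by default because a file modified mid-transfer can break record authentication, so the `!zerocopy` iterations could also assert that the bit is clear, which would catch an accidental change of that default. The body of execute_test_ktls_sendfile starts and ends outside this hunk.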
@@ -1480,14 +1487,16 @@ static int test_ktls(int test)
cipher->cipher);
}
-static int test_ktls_sendfile(int tst)
+static int test_ktls_sendfile(int test)
{
struct ktls_test_cipher *cipher;
+ int tst = test >> 1;
OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS);
cipher = &ktls_test_ciphers[tst];
- return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher);
+ return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher,
+ test & 1);
}
#endif
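Review bot: The packing of the test index in test_ktls_sendfile is undocumented: the low bit selects zerocopy and the remaining bits select the cipher, and this silently depends on the `NUM_KTLS_TEST_CIPHERS * 2` count in the setup_tests hunk further down. A comment above `int tst = test >> 1;` such as `/* test = (cipher index << 1) | zerocopy; must match ADD_ALL_TESTS(..., NUM_KTLS_TEST_CIPHERS * 2) */` would keep the two in step for anyone adding another variant. Naming the flag, e.g. `int zerocopy = test & 1;`, instead of passing the bare `test & 1` expression would also make the call read more clearly.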
@@ -10544,7 +10553,7 @@ int setup_tests(void)
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
- ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS);
+ ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS * 2);
# endif
#endif
ADD_TEST(test_large_message_tls);