From: Ulrich Weber <ulrich.weber@gmail.com>
Date: Thu, 26 Jun 2025 14:16:06 +0000 (+0200)
Subject: ktls: move ktls_enable() within ktls_start()
X-Git-Tag: 3.0-PRE-CLANG-FORMAT-WEBKIT~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74403146ab741cb2b294cffe95e6d249662bc11f;p=thirdparty%2Fopenssl.git

ktls: move ktls_enable() within ktls_start()

On linux ktls can only be enabled on established TCP sockets.
When SSL_set_fd() is called before the connection is established
ktls_enable() fails and ktls is not setup.

This moves ktls_enable() call within then ktls_start() function.
Multiple calls to ktls_start() will trigger additional ktls_enable()
calls which fail with EEXIST, but do not affect the ktls socket.

CLA: trivial

Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com>

Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27908)

(cherry picked from commit f23f706a26f2e7cd5dd5221d57e2d0db28530f4e)
---

diff --git a/crypto/bio/bio_sock2.c b/crypto/bio/bio_sock2.c
index 8bdad0c0b6a..d81f2cdf775 100644
--- a/crypto/bio/bio_sock2.c
+++ b/crypto/bio/bio_sock2.c
@@ -117,15 +117,6 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int options)
         }
         return 0;
     }
-# ifndef OPENSSL_NO_KTLS
-    /*
-     * The new socket is created successfully regardless of ktls_enable.
-     * ktls_enable doesn't change any functionality of the socket, except
-     * changing the setsockopt to enable the processing of ktls_start.
-     * Thus, it is not a problem to call it for non-TLS sockets.
-     */
-    ktls_enable(sock);
-# endif
     return 1;
 }
 
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 0d91f25fe70..69bf40f0816 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -210,15 +210,6 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                 goto exit_loop;
             } else {
                 c->state = BIO_CONN_S_OK;
-# ifndef OPENSSL_NO_KTLS
-                /*
-                 * The new socket is created successfully regardless of ktls_enable.
-                 * ktls_enable doesn't change any functionality of the socket, except
-                 * changing the setsockopt to enable the processing of ktls_start.
-                 * Thus, it is not a problem to call it for non-TLS sockets.
-                 */
-                ktls_enable(b->num);
-# endif
             }
             break;
 
diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c
index f5d88102303..7158e1db580 100644
--- a/crypto/bio/bss_sock.c
+++ b/crypto/bio/bss_sock.c
@@ -63,17 +63,6 @@ BIO *BIO_new_socket(int fd, int close_flag)
     if (ret == NULL)
         return NULL;
     BIO_set_fd(ret, fd, close_flag);
-# ifndef OPENSSL_NO_KTLS
-    {
-        /*
-         * The new socket is created successfully regardless of ktls_enable.
-         * ktls_enable doesn't change any functionality of the socket, except
-         * changing the setsockopt to enable the processing of ktls_start.
-         * Thus, it is not a problem to call it for non-TLS sockets.
-         */
-        ktls_enable(fd);
-    }
-# endif
     return ret;
 }
 
diff --git a/include/internal/ktls.h b/include/internal/ktls.h
index 95492fd0659..e15ac194dcb 100644
--- a/include/internal/ktls.h
+++ b/include/internal/ktls.h
@@ -284,6 +284,12 @@ static ossl_inline int ktls_enable(int fd)
 static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info,
                                   int is_tx)
 {
+    /*
+     * Socket must be in TCP established state to enable KTLS.
+     * Further calls to enable ktls will return EEXIST
+     */
+    ktls_enable(fd);
+
     return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX,
                       crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1;
 }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e628140dfae..9712170b99c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1406,15 +1406,6 @@ int SSL_set_fd(SSL *s, int fd)
     }
     BIO_set_fd(bio, fd, BIO_NOCLOSE);
     SSL_set_bio(s, bio, bio);
-#ifndef OPENSSL_NO_KTLS
-    /*
-     * The new socket is created successfully regardless of ktls_enable.
-     * ktls_enable doesn't change any functionality of the socket, except
-     * changing the setsockopt to enable the processing of ktls_start.
-     * Thus, it is not a problem to call it for non-TLS sockets.
-     */
-    ktls_enable(fd);
-#endif /* OPENSSL_NO_KTLS */
     ret = 1;
  err:
     return ret;
@@ -1434,15 +1425,6 @@ int SSL_set_wfd(SSL *s, int fd)
         }
         BIO_set_fd(bio, fd, BIO_NOCLOSE);
         SSL_set0_wbio(s, bio);
-#ifndef OPENSSL_NO_KTLS
-        /*
-         * The new socket is created successfully regardless of ktls_enable.
-         * ktls_enable doesn't change any functionality of the socket, except
-         * changing the setsockopt to enable the processing of ktls_start.
-         * Thus, it is not a problem to call it for non-TLS sockets.
-         */
-        ktls_enable(fd);
-#endif /* OPENSSL_NO_KTLS */
     } else {
         BIO_up_ref(rbio);
         SSL_set0_wbio(s, rbio);