From: Tianjia Zhang Date: Wed, 15 Sep 2021 03:39:51 +0000 (+0800) Subject: apps/s_server: Add ktls option X-Git-Tag: openssl-3.2.0-alpha1~3560 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2ef7f1265e727567e8963aa2756a387a621ef71;p=thirdparty%2Fopenssl.git apps/s_server: Add ktls option From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline. At the same time, SSL_sendfile() depends on KTLS feature to work properly, make parameters sendfile depend on parameters ktls. Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16609) --- diff --git a/apps/s_server.c b/apps/s_server.c index c5d9221e90c..9f448298f09 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -716,7 +716,7 @@ typedef enum OPTION_choice { OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG, - OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, + OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, @@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = { {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, #ifndef OPENSSL_NO_KTLS + {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"}, {"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"}, #endif @@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[]) int sctp_label_bug = 0; #endif int ignore_unexpected_eof = 0; +#ifndef OPENSSL_NO_KTLS + int enable_ktls = 0; +#endif /* Init of few remaining global variables */ local_argc = argc; @@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[]) case OPT_NOCANAMES: no_ca_names = 1; break; + case OPT_KTLS: +#ifndef OPENSSL_NO_KTLS + enable_ktls = 1; +#endif + break; case OPT_SENDFILE: #ifndef OPENSSL_NO_KTLS use_sendfile = 1; @@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[]) #endif #ifndef OPENSSL_NO_KTLS + if (use_sendfile && enable_ktls == 0) { + BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n"); + enable_ktls = 1; + } + if (use_sendfile && www <= 1) { BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n"); goto end; @@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[]) if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#ifndef OPENSSL_NO_KTLS + if (enable_ktls) + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif if (max_send_fragment > 0 && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) { diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 115eceb0e32..c461a0cd738 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -128,6 +128,7 @@ B B [B<-no_dhe>] [B<-nextprotoneg> I] [B<-alpn> I] +[B<-ktls>] [B<-sendfile>] [B<-keylogfile> I] [B<-recv_max_early_data> I] @@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. +=item B<-ktls> + +Enable Kernel TLS for sending and receiving. +This option was introduced in OpenSSL 3.1.0. +Kernel TLS is off by default as of OpenSSL 3.1.0. + =item B<-sendfile> If this option is set and KTLS is enabled, SSL_sendfile() will be used instead of BIO_write() to send the HTTP response requested by a client. -This option is only valid if B<-WWW> or B<-HTTP> is specified. +This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> +are specified. =item B<-keylogfile> I