[PATCH 2 of 2] SSL: SSL_sendfile() support with kernel TLS

Maxim Dounin mdounin at mdounin.ru
Thu Nov 24 18:31:43 UTC 2022


Hello!

On Thu, Nov 24, 2022 at 01:21:51PM +0400, Sergey Kandaurov wrote:

> > On 27 Sep 2021, at 17:18, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1632717779 -10800
> > #      Mon Sep 27 07:42:59 2021 +0300
> > # Node ID ff514bf17f7f2257dcf036c5c973b74672cefa9a
> > # Parent  8f0fd60c33c106fba5f1ce3cafe990f15fcccc0c
> > SSL: SSL_sendfile() support with kernel TLS.
> > 
> > Requires OpenSSL 3.0 compiled with "enable-ktls" option.  Further, KTLS
> > needs to be enabled in kernel, and in OpenSSL, either via OpenSSL
> > configuration file or with "ssl_conf_command Options KTLS;" in nginx
> > configuration.
> > 
> > On FreeBSD, kernel TLS is available starting with FreeBSD 13.0, and
> > can be enabled with "sysctl kern.ipc.tls.enable=1" and "kldload ktls_ocf".
> > 
> > On Linux, kernel TLS is available starting with kernel 4.13 (at least 5.2
> > is recommended), and needs kernel compiled with CONFIG_TLS=y (with
> > CONFIG_TLS=m, which is used at least on Ubuntu 21.04 by default,
> > the tls module needs to be loaded with "modprobe tls").
> > 
> > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> 
> [..]
> 
> > @@ -2882,6 +2937,150 @@ ngx_ssl_write_early(ngx_connection_t *c,
> > #endif
> > 
> > 
> > +static ssize_t
> > +ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size)
> > +{
> > +#ifdef BIO_get_ktls_send
> > +
> > +    int        sslerr;
> > +    ssize_t    n;
> > +    ngx_err_t  err;
> > +
> > +    ngx_ssl_clear_error(c->log);
> > +
> > +    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > +                   "SSL to sendfile: @%O %uz",
> > +                   file->file_pos, size);
> > +
> > +    ngx_set_errno(0);
> > +
> > +    n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos,
> > +                     size, 0);
> > +
> > +    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n);
> > +
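Review bot: In the ngx_log_debug1() call right after SSL_sendfile(), n is declared ssize_t at the top of the function but is logged with "%d", which takes an int, so the argument and conversion disagree wherever ssize_t is wider than int. Use "%z" there, in line with the "%uz" already used for the size_t size in the "SSL to sendfile" message above.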
> 
> Hello,
> 
> looks like a wrong format specifier slipped through review.
> Patch to address this:
> 
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1669241969 -14400
> #      Thu Nov 24 02:19:29 2022 +0400
> # Node ID 66ad8bd4b9e4347bda8fe64423632ded19093db2
> # Parent  75bfb3a97ca3d6292fb7877b89bb46720c15da80
> SSL: fixed debug logging of SSL_sendfile() return value.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -3020,7 +3020,7 @@ ngx_ssl_sendfile(ngx_connection_t *c, ng
>      n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos,
>                       size, flags);
>  
> -    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n);
> +    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %z", n);
>  
>      if (n > 0) {
>  
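Review bot: The commit log for the changed ngx_log_debug1() line says only "fixed debug logging" and gives no reason for the change. Consider stating that n is ssize_t while "%d" consumes an int, so a later reader can see why "%z" is the right conversion here without going back to the declaration.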
> 

Looks good.

-- 
Maxim Dounin
http://mdounin.ru/


