50ec750567
This patch adds support for the Linux TLS Tx socket option. If the socket option is successful, then the data-path of the TCP socket is implemented by the kernel. We choose to set this option at the earliest - just after CCS is complete. Signed-off-by: Boris Pismenny <borisp@mellanox.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5253)
155 lines
5.6 KiB
Text
155 lines
5.6 KiB
Text
=pod
|
|
|
|
=head1 NAME
|
|
|
|
SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
|
|
long SSL_CTX_clear_mode(SSL_CTX *ctx, long mode);
|
|
long SSL_set_mode(SSL *ssl, long mode);
|
|
long SSL_clear_mode(SSL *ssl, long mode);
|
|
|
|
long SSL_CTX_get_mode(SSL_CTX *ctx);
|
|
long SSL_get_mode(SSL *ssl);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
|
|
Options already set before are not cleared.
|
|
SSL_CTX_clear_mode() removes the mode set via bitmask in B<mode> from B<ctx>.
|
|
|
|
SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
|
|
Options already set before are not cleared.
|
|
SSL_clear_mode() removes the mode set via bitmask in B<mode> from B<ssl>.
|
|
|
|
SSL_CTX_get_mode() returns the mode set for B<ctx>.
|
|
|
|
SSL_get_mode() returns the mode set for B<ssl>.
|
|
|
|
=head1 NOTES
|
|
|
|
The following mode changes are available:
|
|
|
|
=over 4
|
|
|
|
=item SSL_MODE_ENABLE_PARTIAL_WRITE
|
|
|
|
Allow SSL_write_ex(..., n, &r) to return with 0 < r < n (i.e. report success
|
|
when just a single record has been written). This works in a similar way for
|
|
SSL_write(). When not set (the default), SSL_write_ex() or SSL_write() will only
|
|
report success once the complete chunk was written. Once SSL_write_ex() or
|
|
SSL_write() returns successful, B<r> bytes have been written and the next call
|
|
to SSL_write_ex() or SSL_write() must only send the n-r bytes left, imitating
|
|
the behaviour of write().
|
|
|
|
=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
|
|
|
|
Make it possible to retry SSL_write_ex() or SSL_write() with changed buffer
|
|
location (the buffer contents must stay the same). This is not the default to
|
|
avoid the misconception that non-blocking SSL_write() behaves like
|
|
non-blocking write().
|
|
|
|
=item SSL_MODE_AUTO_RETRY
|
|
|
|
During normal operations, non-application data records might need to be sent or
|
|
received that the application is not aware of.
|
|
If a non-application data record was processed,
|
|
L<SSL_read_ex(3)> and L<SSL_read(3)> can return with a failure and indicate the
|
|
need to retry with B<SSL_ERROR_WANT_READ>.
|
|
If such a non-application data record was processed, the flag
|
|
B<SSL_MODE_AUTO_RETRY> causes it to try to process the next record instead of
|
|
returning.
|
|
|
|
In a non-blocking environment applications must be prepared to handle
|
|
incomplete read/write operations.
|
|
Setting B<SSL_MODE_AUTO_RETRY> for a non-blocking B<BIO> will process
|
|
non-application data records until either no more data is available or
|
|
an application data record has been processed.
|
|
|
|
In a blocking environment, applications are not always prepared to
|
|
deal with the functions returning intermediate reports such as retry
|
|
requests, and setting the B<SSL_MODE_AUTO_RETRY> flag will cause the functions
|
|
to only return after successfully processing an application data record or a
|
|
failure.
|
|
|
|
Turning off B<SSL_MODE_AUTO_RETRY> can be useful with blocking B<BIO>s in case
|
|
they are used in combination with something like select() or poll().
|
|
Otherwise the call to SSL_read() or SSL_read_ex() might hang when a
|
|
non-application record was sent and no application data was sent.
|
|
|
|
=item SSL_MODE_RELEASE_BUFFERS
|
|
|
|
When we no longer need a read buffer or a write buffer for a given SSL,
|
|
then release the memory we were using to hold it.
|
|
Using this flag can
|
|
save around 34k per idle SSL connection.
|
|
This flag has no effect on SSL v2 connections, or on DTLS connections.
|
|
|
|
=item SSL_MODE_SEND_FALLBACK_SCSV
|
|
|
|
Send TLS_FALLBACK_SCSV in the ClientHello.
|
|
To be set only by applications that reconnect with a downgraded protocol
|
|
version; see draft-ietf-tls-downgrade-scsv-00 for details.
|
|
|
|
DO NOT ENABLE THIS if your application attempts a normal handshake.
|
|
Only use this in explicit fallback retries, following the guidance
|
|
in draft-ietf-tls-downgrade-scsv-00.
|
|
|
|
=item SSL_MODE_ASYNC
|
|
|
|
Enable asynchronous processing. TLS I/O operations may indicate a retry with
|
|
SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is
|
|
used to perform cryptographic operations. See L<SSL_get_error(3)>.
|
|
|
|
=item SSL_MODE_NO_KTLS_TX
|
|
|
|
Disable the use of the kernel TLS egress data-path.
|
|
By default kernel TLS is enabled if it is supported by the negotiated ciphersuites
|
|
and extensions and OpenSSL has been compiled with support for it.
|
|
The kernel TLS data-path implements the record layer,
|
|
and the crypto algorithm. The kernel will utilize the best hardware
|
|
available for crypto. Using the kernel data-path should reduce the memory
|
|
footprint of OpenSSL because no buffering is required. Also, the throughput
|
|
should improve because data copy is avoided when user data is encrypted into
|
|
kernel memory instead of the usual encrypt than copy to kernel.
|
|
|
|
Kernel TLS might not support all the features of OpenSSL. For instance,
|
|
renegotiation, and setting the maximum fragment size is not possible as of
|
|
Linux 4.20.
|
|
|
|
=back
|
|
|
|
All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
|
|
default since 1.1.1.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
|
|
after adding B<mode>.
|
|
|
|
SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<ssl(7)>, L<SSL_read_ex(3)>, L<SSL_read(3)>, L<SSL_write_ex(3)> or
|
|
L<SSL_write(3)>, L<SSL_get_error(3)>
|
|
|
|
=head1 HISTORY
|
|
|
|
SSL_MODE_ASYNC was first added to OpenSSL 1.1.0.
|
|
SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|