gh-99813: Start using SSL_sendfile when available
#99907
Conversation
Start using SSL_sendfile when availableSSL_sendfile when available
Conflicts: Modules/clinic/_ssl.c.h
|
@gpshead could you please review this when you have a chance? |
|
I've recently pushed some changes after testing the new functionality manually by sending small and large files from Linux with the |
| with client_context.wrap_socket(socket.socket(), | ||
| server_hostname=hostname) as s: | ||
| s.connect((HOST, server.port)) | ||
| # kTLS seems to work only with a connection created before |
There was a problem hiding this comment.
Can you check whether it "seems" to work or not? (for a personal project I would accept this but I'm interested in knowing whether this is an issue with Python SSL or OpenSSL)
There was a problem hiding this comment.
Okay, I'll post more details about this soon
There was a problem hiding this comment.
I can reproduce the same issue with C code using OpenSSL (without Python). Please check my findings here. I mentioned a possible patch, let me know if we can apply it or there can be undesirable consequences.
FYI, ssl.OP_ENABLE_KTLS to enable kTLS has been available since Python 3.12 (and it could be added to options as a simple integer even before). And the issue is not specific to SSL_sendfile, it affects kTLS availability for simple reads and writes.
I added my reproducer to an existing OpenSSL issue openssl/openssl#19676 (comment).
Misc/NEWS.d/next/Library/2023-03-13-22-51-40.gh-issue-99813.40TV02.rst
Outdated
Show resolved
Hide resolved
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
|
@picnixz OpenSSL provides |
There was a problem hiding this comment.
I'd like @ZeroIntensity to have a look for threads safety and @gpshead to confirm the implementation as well. We could add a What's New entry but it's more of an implementation detail so I would prefer not to in the first place.
| @@ -74,6 +74,33 @@ | |||
| #endif | |||
|
|
|||
|
|
|||
| #ifdef BIO_get_ktls_send | |||
| # ifdef MS_WINDOWS | |||
| typedef long long Py_off_t; | |||
There was a problem hiding this comment.
I think I've seen this construction elsewhere. This is off topic but I think we should add it to the default clinic converters or be able to share code like that across clinic generated code. I need to think about it later.
| int uses = BIO_get_ktls_send(SSL_get_wbio(self->ssl)); | ||
| // BIO_get_ktls_send() returns 1 if kTLS is used and 0 if not. | ||
| // Also, it returns -1 for failure before OpenSSL 3.0.4. | ||
| return Py_NewRef(uses == 1 ? Py_True : Py_False); |
There was a problem hiding this comment.
This is an immortal reference, you can omit Py_NewRef.
There was a problem hiding this comment.
Ideally it's better to make it explicit. We had a similar discussion on the discord and on some issues
There was a problem hiding this comment.
Oh? I thought the consensus was to omit immortal reference counting.
There was a problem hiding this comment.
I think there was no clear consensus but I think it's better to use the macro when possible and use Py_NewRef otherwise, even if the macro does not use Py_NewRef. IIRC, the discussion involved Irit and Serhiy so if you can find it and see what we eventually decided, it would be great! (I don't have the time nor the resources for that). And if I incorrectly remembered the consensus then I apologise in advance!
There was a problem hiding this comment.
It started with returning Py_False without the wrapper as it looked like the most clean option, than I was asked to use Py_NewRef and Py_RETURN_FALSE.
"There should be one-- and preferably only one --obvious way to do it." is not applicable to returning booleans in CPython's C code definitely 😄
Misc/NEWS.d/next/Library/2023-03-13-22-51-40.gh-issue-99813.40TV02.rst
Outdated
Show resolved
Hide resolved
| int has_timeout; | ||
|
|
||
| if (sock != NULL) { | ||
| if ((PyObject *)sock == Py_None) { |
There was a problem hiding this comment.
Not a real issue, but thinking out loud for me and Bénédikt: does Py_Is come with _PyObject_CAST? If so, it seems more useful than == here. If not, we should add it.
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
|
@ZeroIntensity @picnixz thanks for the suggestion! I applied them |
SSL_sendfile()from OpenSSL 3.0 inSSLSocket.sendfilewhen available. #99813New
_ssl__SSLSocket_sendfile_implfunction is very similar to_ssl__SSLSocket_write_implwith a few adjustments for theSSL_sendfilesyscall.I am glad there was non-SSL
socket.socket.sendfileand underlyingsocket.socket._sendfile_use_sendfileimplemented. I reused that code for newssl.SSLSocket._sendfile_use_ssl_sendfileby moving shared logic tosocket.socket._sendfile_zerocopy.And
test.test_ssl.ThreadedTests.test_sendfileneeded to have a socket bound before an SSL context wrapped it because this seemed to affect kTLS availability.