gh-99813: Start using SSL_sendfile when available
#99907
Conversation
Start using SSL_sendfile when availableSSL_sendfile when available
Conflicts: Modules/clinic/_ssl.c.h
|
@gpshead could you please review this when you have a chance? |
|
I've recently pushed some changes after testing the new functionality manually by sending small and large files from Linux with the |
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
| with client_context.wrap_socket(socket.socket(), | ||
| server_hostname=hostname) as s: | ||
| s.connect((HOST, server.port)) | ||
| # kTLS seems to work only with a connection created before |
There was a problem hiding this comment.
Can you check whether it "seems" to work or not? (for a personal project I would accept this but I'm interested in knowing whether this is an issue with Python SSL or OpenSSL)
There was a problem hiding this comment.
Okay, I'll post more details about this soon
There was a problem hiding this comment.
I can reproduce the same issue with C code using OpenSSL (without Python). Please check my findings here. I mentioned a possible patch, let me know if we can apply it or there can be undesirable consequences.
FYI, ssl.OP_ENABLE_KTLS to enable kTLS has been available since Python 3.12 (and it could be added to options as a simple integer even before). And the issue is not specific to SSL_sendfile, it affects kTLS availability for simple reads and writes.
I added my reproducer to an existing OpenSSL issue openssl/openssl#19676 (comment).
Misc/NEWS.d/next/Library/2023-03-13-22-51-40.gh-issue-99813.40TV02.rst
Outdated
Show resolved
Hide resolved
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
|
@picnixz OpenSSL provides |
There was a problem hiding this comment.
I'd like @ZeroIntensity to have a look for threads safety and @gpshead to confirm the implementation as well. We could add a What's New entry but it's more of an implementation detail so I would prefer not to in the first place.
| @@ -74,6 +74,33 @@ | |||
| #endif | |||
|
|
|||
|
|
|||
| #ifdef BIO_get_ktls_send | |||
| # ifdef MS_WINDOWS | |||
| typedef long long Py_off_t; | |||
There was a problem hiding this comment.
I think I've seen this construction elsewhere. This is off topic but I think we should add it to the default clinic converters or be able to share code like that across clinic generated code. I need to think about it later.
| // Also, it returns -1 for failure before OpenSSL 3.0.4. | ||
| return Py_NewRef(uses == 1 ? Py_True : Py_False); | ||
| #else | ||
| return Py_NewRef(Py_False); |
There was a problem hiding this comment.
For this one, use Py_RETURN_FALSE
| [clinic start generated code]*/ | ||
|
|
||
| static PyObject * | ||
| _ssl__SSLSocket_uses_ktls_for_send_impl(PySSLSocket *self) |
There was a problem hiding this comment.
This function needs a critical section. Concurrent calls to SSL_get_wbio aren't thread-safe without the lock.
| int uses = BIO_get_ktls_send(SSL_get_wbio(self->ssl)); | ||
| // BIO_get_ktls_send() returns 1 if kTLS is used and 0 if not. | ||
| // Also, it returns -1 for failure before OpenSSL 3.0.4. | ||
| return Py_NewRef(uses == 1 ? Py_True : Py_False); |
There was a problem hiding this comment.
This is an immortal reference, you can omit Py_NewRef.
There was a problem hiding this comment.
Ideally it's better to make it explicit. We had a similar discussion on the discord and on some issues
There was a problem hiding this comment.
Oh? I thought the consensus was to omit immortal reference counting.
There was a problem hiding this comment.
I think there was no clear consensus but I think it's better to use the macro when possible and use Py_NewRef otherwise, even if the macro does not use Py_NewRef. IIRC, the discussion involved Irit and Serhiy so if you can find it and see what we eventually decided, it would be great! (I don't have the time nor the resources for that). And if I incorrectly remembered the consensus then I apologise in advance!
| [clinic start generated code]*/ | ||
|
|
||
| static PyObject * | ||
| _ssl__SSLSocket_uses_ktls_for_recv_impl(PySSLSocket *self) |
There was a problem hiding this comment.
Ditto, let's add a critical section.
| @@ -0,0 +1,4 @@ | |||
| Python now uses ``SSL_sendfile`` internally when it is possible (see | |||
There was a problem hiding this comment.
We know it's Python, but we don't know it's SSL:
| Python now uses ``SSL_sendfile`` internally when it is possible (see | |
| :mod:`ssl` now uses ``SSL_sendfile`` internally when it is possible (see |
There was a problem hiding this comment.
It's the same wording as the previous entry (in the docs)
There was a problem hiding this comment.
I think it makes sense in the docs because there's context. It's not immediately clear that we're talking about ssl here.
| int has_timeout; | ||
|
|
||
| if (sock != NULL) { | ||
| if ((PyObject *)sock == Py_None) { |
There was a problem hiding this comment.
Not a real issue, but thinking out loud for me and Bénédikt: does Py_Is come with _PyObject_CAST? If so, it seems more useful than == here. If not, we should add it.
| Py_INCREF(sock); | ||
| } | ||
|
|
||
| if (sock != NULL) { |
There was a problem hiding this comment.
Why isn't this merged with the case above?
| - :meth:`~socket.socket.sendfile` (but :mod:`os.sendfile` will be used | ||
| for plain-text sockets only, else :meth:`~socket.socket.send` will be used) | ||
| - :meth:`~socket.socket.sendfile` (but it may be high-performant only when | ||
| the kernel TLS is enabled (see :data:`~ssl.OP_ENABLE_KTLS`) or when a |
There was a problem hiding this comment.
I'm not sure what we do about nested parentheses in the docs. I haven't seen them anywhere else, so I'd like to avoid them here. Could we reword this a little to avoid that?
SSL_sendfile()from OpenSSL 3.0 inSSLSocket.sendfilewhen available. #99813New
_ssl__SSLSocket_sendfile_implfunction is very similar to_ssl__SSLSocket_write_implwith a few adjustments for theSSL_sendfilesyscall.I am glad there was non-SSL
socket.socket.sendfileand underlyingsocket.socket._sendfile_use_sendfileimplemented. I reused that code for newssl.SSLSocket._sendfile_use_ssl_sendfileby moving shared logic tosocket.socket._sendfile_zerocopy.And
test.test_ssl.ThreadedTests.test_sendfileneeded to have a socket bound before an SSL context wrapped it because this seemed to affect kTLS availability.