From nobody Wed May 25 12:24:02 2022
From: Jochen Neumeister
Date: Wed, 25 May 2022 12:24:02 GMT
Subject: git: d26dda4d759a - main - www/nginx: Merge Options KTLS from www/nginx-devel:
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Message-Id: <202205251224.24PCO2Jg089806@gitrepo.freebsd.org>
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: joneum
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d26dda4d759aa0787a8e60ed4cbe67d662ca4791

The branch main has been updated by joneum:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=d26dda4d759aa0787a8e60ed4cbe67d662ca4791 commit d26dda4d759aa0787a8e60ed4cbe67d662ca4791 Author: Jochen Neumeister AuthorDate: 2022-05-25 12:20:32 +0000 Commit: Jochen Neumeister CommitDate: 2022-05-25 12:23:56 +0000 www/nginx: Merge Options KTLS from www/nginx-devel: New kernel TLS feature is available starting with FreeBSD 13.0, and it requires OpenSSL 3.0, compiled with "enable-ktls" option. Further, KTLS needs to be enabled in kernel, and in OpenSSL, either via OpenSSL configuration file or with ssl_conf_command Options KTLS; in nginx configuration. To enable kernel TLS on FreeBSD 13 and above: # kldload ktls_ocf # sysctl kern.ipc.tls.enable=1 to load a software backend, see man ktls(4) for details. Also, please visit the following link to get more details https://hg.nginx.org/nginx/rev/65946a191197 Obtained from: https://cgit.freebsd.org/ports/commit/?id=62502a50558bbc0950693a9ea52aee738a80f0c8 Sponsored by: Netzkommune GmbH --- www/nginx/Makefile | 7 +- www/nginx/Makefile.options.desc | 1 - www/nginx/files/extra-patch-ktls | 312 --------------------------------------- 3 files changed, 2 insertions(+), 318 deletions(-) diff --git a/www/nginx/Makefile b/www/nginx/Makefile index 25cec968899b..a7003cd8aede 100644 --- a/www/nginx/Makefile +++ b/www/nginx/Makefile @@ -2,7 +2,7 @@ PORTNAME= nginx PORTVERSION= 1.22.0 -PORTREVISION?= 0 +PORTREVISION?= 1 PORTEPOCH= 2 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ 
@@ -92,7 +92,7 @@ OPTIONS_GROUP_HTTPGRP+= AJP AWS_AUTH BROTLI CACHE_PURGE CLOJURE CT DEVEL_KIT \ RDS_JSON REDIS2 RTMP SET_MISC SFLOW SHIBBOLETH SLOWFS_CACHE \ SMALL_LIGHT SRCACHE VOD VTS XSS WEBSOCKIFY OPTIONS_GROUP_MAILGRP= MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL -OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 KTLS NJS THREADS WWW +OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS THREADS WWW OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_DAV HTTP_FLV HTTP_GZIP_STATIC HTTP_GUNZIP_FILTER \ HTTP_MP4 HTTP_RANDOM_INDEX HTTP_REALIP HTTP_SECURE_LINK \ @@ -100,8 +100,6 @@ OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTPV2 MAIL MAIL_SSL STREAM STREAM_SSL STREAM_SSL_PREREAD \ THREADS WWW -OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} - OPTIONS_RADIO+= GSSAPI OPTIONS_RADIO_GSSAPI= GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags @@ -176,7 +174,6 @@ HTTP_XSLT_USE= GNOME=libxml2,libxslt HTTP_XSLT_VARS= DSO_BASEMODS+=http_xslt_module HTTPV2_IMPLIES= HTTP_SSL HTTPV2_CONFIGURE_ON= --with-http_v2_module -KTLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ktls:-p1 MAIL_VARS= DSO_BASEMODS+=mail MAIL_IMAP_CONFIGURE_OFF= --without-mail_imap_module MAIL_POP3_CONFIGURE_OFF= --without-mail_pop3_module diff --git a/www/nginx/Makefile.options.desc b/www/nginx/Makefile.options.desc index cddd8202fdcb..4f6cf73db8fc 100644 --- a/www/nginx/Makefile.options.desc +++ b/www/nginx/Makefile.options.desc @@ -77,7 +77,6 @@ HTTP_XSLT_DESC= Enable http_xslt module HTTP_ZIP_DESC= 3rd party http_zip module ICONV_DESC= 3rd party iconv module IPV6_DESC= Enable IPv6 support -KTLS_DESC= Kernel TLS offload LET_DESC= 3rd party let module LINK_DESC= 3rd party link function module LUA_DESC= 3rd party lua module diff --git a/www/nginx/files/extra-patch-ktls b/www/nginx/files/extra-patch-ktls deleted file mode 100644 index 52c40f53933c..000000000000 --- a/www/nginx/files/extra-patch-ktls +++ /dev/null 
@@ -1,312 +0,0 @@ -From 11ad5d15c487ecc0a37f9747bb4bfa5bb96893c1 Mon Sep 17 00:00:00 2001 -From: John Baldwin -Date: Thu, 22 Aug 2019 12:18:32 -0700 -Subject: [PATCH] Add support for using SSL_sendfile from OpenSSL. - -This uses kernel TLS on systems supported by OpenSSL to send -files via sendfile() over TLS connections. ---- - auto/lib/openssl/conf | 8 ++ - src/event/ngx_event_openssl.c | 172 ++++++++++++++++++++++++++++++++++ - src/event/ngx_event_openssl.h | 7 ++ - src/http/ngx_http_request.c | 14 ++- - src/http/ngx_http_upstream.c | 5 + - 5 files changed, 203 insertions(+), 3 deletions(-) - -diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf -index 4fb52df7fe..c4772248ae 100644 ---- a/auto/lib/openssl/conf -+++ b/auto/lib/openssl/conf -@@ -123,6 +123,14 @@ else - CORE_INCS="$CORE_INCS $ngx_feature_path" - CORE_LIBS="$CORE_LIBS $ngx_feature_libs" - OPENSSL=YES -+ -+ ngx_feature="SSL_sendfile()" -+ ngx_feature_name="NGX_SSL_SENDFILE" -+ ngx_feature_run=no -+ ngx_feature_test="SSL *ssl; -+ (void)BIO_get_ktls_send(SSL_get_wbio(ssl)); -+ SSL_sendfile(ssl, -1, 0, 0, 0);" -+ . 
auto/feature - fi - fi - -diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 93a6ae46ea..04759827fc 100644 ---- a/src/event/ngx_event_openssl.c -+++ b/src/event/ngx_event_openssl.c -@@ -52,6 +52,10 @@ static void ngx_ssl_shutdown_handler(ngx_event_t *ev); - static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, - ngx_err_t err, char *text); - static void ngx_ssl_clear_error(ngx_log_t *log); -+#if (NGX_SSL_SENDFILE) -+static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, -+ size_t size, int flags); -+#endif - - static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, - ngx_str_t *sess_ctx, ngx_array_t *certificates); -@@ -1712,7 +1716,11 @@ ngx_ssl_handshake(ngx_connection_t *c) - c->recv = ngx_ssl_recv; - c->send = ngx_ssl_write; - c->recv_chain = ngx_ssl_recv_chain; -+#if (NGX_SSL_SENDFILE) -+ c->send_chain = ngx_ssl_sendfile_chain; -+#else - c->send_chain = ngx_ssl_send_chain; -+#endif - - #ifndef SSL_OP_NO_RENEGOTIATION - #if OPENSSL_VERSION_NUMBER < 0x10100000L -@@ -1741,6 +1749,13 @@ ngx_ssl_handshake(ngx_connection_t *c) - - c->ssl->handshaked = 1; - -+#if (NGX_SSL_SENDFILE) -+ c->ssl->can_use_sendfile = !!BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "BIO_get_ktls_send: %d", c->ssl->can_use_sendfile); -+ c->sendfile = c->ssl->can_use_sendfile ? 
1 : 0; -+#endif -+ - return NGX_OK; - } - -@@ -2609,6 +2624,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) - return in; - } - -+#if (NGX_SSL_SENDFILE) -+ngx_chain_t * -+ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) -+{ -+ int can_use_sendfile; -+ ssize_t n; -+ -+ can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ -+ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "Sending chain %p can_use_sendfile:%d c->sendfile:%d " \ -+ "c->ssl->buffer:%d limit:%O", -+ in, can_use_sendfile, c->sendfile, c->ssl->buffer, limit); -+ -+ if (! (can_use_sendfile && c->sendfile) || c->ssl->buffer) { -+ return ngx_ssl_send_chain(c, in, limit); -+ } -+ -+ /* the maximum limit size is the maximum int32_t value - the page size */ -+ if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { -+ limit = NGX_MAX_INT32_VALUE - ngx_pagesize; -+ } -+ -+ while (in) { -+ if (ngx_buf_special(in->buf)) { -+ in = in->next; -+ continue; -+ } -+ -+ if (in->buf->in_file) { -+ ngx_chain_t *cl; -+ int sendfile_flags; -+ off_t sendfile_size; -+ -+ cl = in; -+#ifdef __FreeBSD__ -+ sendfile_flags = /* in->buf->sendfile_flags |*/ SF_NODISKIO; -+#else -+ sendfile_flags = in->buf->sendfile_flags; -+#endif -+ sendfile_size = ngx_chain_coalesce_file(&cl, limit); -+ -+ n = ngx_ssl_sendfile(c, in->buf->file->fd, in->buf->file_pos, -+ sendfile_size, sendfile_flags); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "ngx_ssl_sendfile returns:%z", n); -+ } else { -+ n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "ngx_ssl_write returns:%z", n); -+ } -+ -+ if (n == NGX_ERROR) { -+ return NGX_CHAIN_ERROR; -+ } -+ if (n == NGX_AGAIN) { -+ return in; -+ } -+ if (n == NGX_BUSY) { -+ c->busy_count = 1; -+ c->write->delayed = 1; -+ ngx_add_timer(c->write, 10); -+ return in; -+ } -+ -+ in = ngx_chain_update_sent(in, (off_t) n); -+ } -+ -+ return in; -+} -+ 
-+static ssize_t -+ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, size_t size, int flags) -+{ -+ int n, sslerr; -+ ngx_err_t err; -+ -+ ngx_ssl_clear_error(c->log); -+ -+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "SSL to sendfile: %uz at %O with %Xd", size, off, flags); -+ -+ n = SSL_sendfile(c->ssl->connection, fd, off, size, flags); -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); -+ -+ if (n > 0) { -+ -+ if (c->ssl->saved_read_handler) { -+ -+ c->read->handler = c->ssl->saved_read_handler; -+ c->ssl->saved_read_handler = NULL; -+ c->read->ready = 1; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ ngx_post_event(c->read, &ngx_posted_events); -+ } -+ -+ c->sent += n; -+ -+ return n; -+ } -+ -+ sslerr = SSL_get_error(c->ssl->connection, n); -+ -+#ifdef __FreeBSD__ -+ if (sslerr == SSL_ERROR_WANT_WRITE && ngx_errno == EBUSY) { -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); -+ return NGX_BUSY; -+ } -+#endif -+ -+ err = (sslerr == SSL_ERROR_SYSCALL) ? 
ngx_errno : 0; -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ -+ if (sslerr == SSL_ERROR_WANT_WRITE) { -+ c->write->ready = 0; -+ return NGX_AGAIN; -+ } -+ -+ if (sslerr == SSL_ERROR_WANT_READ) { -+ -+ ngx_log_error(NGX_LOG_INFO, c->log, 0, -+ "peer started SSL renegotiation"); -+ -+ c->read->ready = 0; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ /* -+ * we do not set the timer because there is already -+ * the write event timer -+ */ -+ -+ if (c->ssl->saved_read_handler == NULL) { -+ c->ssl->saved_read_handler = c->read->handler; -+ c->read->handler = ngx_ssl_read_handler; -+ } -+ -+ return NGX_AGAIN; -+ } -+ -+ c->ssl->no_wait_shutdown = 1; -+ c->ssl->no_send_shutdown = 1; -+ c->write->error = 1; -+ -+ ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); -+ -+ return NGX_ERROR; -+} -+#endif - - ssize_t - ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 329760d093..233b7f20c8 100644 ---- a/src/event/ngx_event_openssl.h -+++ b/src/event/ngx_event_openssl.h -@@ -106,6 +106,9 @@ struct ngx_ssl_connection_s { - unsigned in_ocsp:1; - unsigned early_preread:1; - unsigned write_blocked:1; -+#if (NGX_SSL_SENDFILE) -+ unsigned can_use_sendfile:1; -+#endif - }; - - -@@ -289,6 +292,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); - ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); - ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, - off_t limit); -+#if (NGX_SSL_SENDFILE) -+ngx_chain_t *ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, -+ off_t limit); -+#endif - void ngx_ssl_free_buffer(ngx_connection_t *c); - ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); - void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, -diff --git a/src/http/ngx_http_request.c 
b/src/http/ngx_http_request.c -index 68d81e9320..e4a922a83a 100644 ---- a/src/http/ngx_http_request.c -+++ b/src/http/ngx_http_request.c -@@ -608,7 +608,10 @@ ngx_http_alloc_request(ngx_connection_t *c) - - #if (NGX_HTTP_SSL) - if (c->ssl) { -- r->main_filter_need_in_memory = 1; -+#if (NGX_SSL_SENDFILE) -+ if (c->ssl->can_use_sendfile == 0) -+#endif -+ r->main_filter_need_in_memory = 1; - } - #endif - -@@ -747,8 +750,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) - sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, - ngx_http_ssl_module); - -- if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) -- != NGX_OK) -+ if (ngx_ssl_create_connection(&sscf->ssl, c, -+#if (NGX_SSL_SENDFILE) -+ 0 -+#else -+ NGX_SSL_BUFFER -+#endif -+ ) != NGX_OK) - { - ngx_http_close_connection(c); - return; -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 9cbb5a3b0c..f93f2ae244 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -1715,6 +1715,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - return; - } - -+#if (NGX_SSL_SENDFILE) -+ c->sendfile = 0; -+ u->output.sendfile = 0; -+#endif -+ - ngx_http_upstream_ssl_handshake(r, u, c); - } -
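Review bot: the `@@ -100,8 +100,6 @@` hunk of www/nginx/Makefile deletes `OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:}`, which was the only place the port recorded the minimum FreeBSD version for kernel TLS. Now that the feature depends on the user's OpenSSL 3.0 build and on `ssl_conf_command Options KTLS;` rather than on a port option, the requirements listed in the commit message (13.0 or later, OpenSSL 3.0 with `enable-ktls`, `kldload ktls_ocf`, `sysctl kern.ipc.tls.enable=1`) live only in the commit log; suggest carrying them into the port's pkg-message so they reach users at install time. Note that `kern.ipc.tls.enable=1` switches kernel TLS on for the whole system, not just for nginx, which is worth saying in that message too.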
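Review bot: the `@@ -176,7 +174,6 @@` hunk of www/nginx/Makefile removes `KTLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ktls:-p1`, so an installation that previously had the KTLS option selected gets kernel TLS silently turned off on upgrade until the administrator adds `ssl_conf_command Options KTLS;` to the nginx configuration. A sentence in the commit message (or the pkg-message) stating that the patched-in behaviour is replaced by an explicit configuration directive would make that behaviour change visible to anyone reading the log or the upgrade notes.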
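Review bot: the `@@ -1,312 +0,0 @@` hunk deleting www/nginx/files/extra-patch-ktls removes John Baldwin's 2019 `SSL_sendfile` patch, which on FreeBSD hard-coded `sendfile_flags = /* in->buf->sendfile_flags |*/ SF_NODISKIO;`, returned `NGX_BUSY` with a 10 ms timer on `EBUSY`, and disabled `NGX_SSL_BUFFER` for SSL connections. The commit message only links the upstream changeset "to get more details"; stating explicitly that the local patch is dropped because the in-tree nginx 1.22.0 already carries the upstream SSL_sendfile implementation, rather than because the feature was abandoned, would spare readers of the log from wondering whether sendfile-over-TLS was lost.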
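The commit message above describes the steps needed before `ssl_conf_command Options KTLS;` does anything. As an added example that is not part of the port or this commit, the POSIX sh functions below turn those steps into a pre-flight check; the `kldstat -q -m ktls_ocf` invocation and the `kern.osreldate` sysctl are assumptions of this example, and the 1300042 threshold is taken from the `OPTIONS_EXCLUDE` line the commit removes.

```shell
#!/bin/sh
# Added example (not part of the port or this commit): pre-flight check for the
# kernel TLS prerequisites the commit message lists for FreeBSD 13.0 and later.

# Pure decision function, so it can be exercised with constructed values:
#   $1 kern.osreldate   $2 kern.ipc.tls.enable   $3 ktls_ocf loaded (1/0)
#   $4 output of "openssl version"
# 1300042 is the threshold the port's removed OPTIONS_EXCLUDE line used.
ktls_verdict() {
    osrel=$1; tls_enable=$2; ocf_loaded=$3; ossl=$4
    [ "$osrel" -ge 1300042 ] || { echo "osreldate $osrel too old (need >= 1300042)"; return 1; }
    case "$ossl" in
        "OpenSSL 3."*) ;;   # KTLS needs OpenSSL 3.0 built with enable-ktls
        *) echo "need OpenSSL 3.0 with enable-ktls, found: ${ossl:-none}"; return 1 ;;
    esac
    [ "$ocf_loaded" = 1 ] || { echo "software backend missing: kldload ktls_ocf"; return 1; }
    [ "$tls_enable" = 1 ] || { echo "kernel TLS off: sysctl kern.ipc.tls.enable=1"; return 1; }
    echo "kernel TLS prerequisites satisfied"
}

# Collect the live values on a FreeBSD host (assumes kldstat -q -m reports the
# ktls_ocf module by name) and hand them to ktls_verdict.
ktls_prereq_check() {
    osrel=$(sysctl -n kern.osreldate 2>/dev/null || echo 0)
    tls_enable=$(sysctl -n kern.ipc.tls.enable 2>/dev/null || echo 0)
    if kldstat -q -m ktls_ocf 2>/dev/null; then ocf=1; else ocf=0; fi
    ktls_verdict "$osrel" "$tls_enable" "$ocf" "$(openssl version 2>/dev/null)"
}

# nginx side: the kernel settings do nothing unless the server configuration
# carries the directive from the commit message. $1 is a config dump
# (for example the output of "nginx -T" saved to a file).
nginx_requests_ktls() {
    grep -Eq '^[[:space:]]*ssl_conf_command[[:space:]]+Options[[:space:]]+KTLS[[:space:]]*;' "$1"
}
```

Run `ktls_prereq_check` on the FreeBSD host itself; `ktls_verdict` can be driven with recorded values when auditing a fleet from elsewhere.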