Sep 11, 2022 · Nov 30, 2022 · Dec 5, 2022 · Dec 5, 2022 · Dec 5, 2022 · Mar 13, 2023
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
     (but passing a non-zero ``flags`` argument is not allowed)
   - :meth:`~socket.socket.send`, :meth:`~socket.socket.sendall` (with
     the same limitation)
   - :meth:`~socket.socket.sendfile` (but :mod:`os.sendfile` will be used
     for plain-text sockets only, else :meth:`~socket.socket.send` will be used)
   - :meth:`~socket.socket.sendfile` (it may be high-performant only when
     the kernel TLS is enabled by setting :data:`~ssl.OP_ENABLE_KTLS` or when a
     socket is plain-text, else :meth:`~socket.socket.send` will be used)
   - :meth:`~socket.socket.shutdown`

   However, since the SSL (and TLS) protocol has its own framing atop
      functions support reading and writing of data larger than 2 GB. Writing
      zero-length data no longer fails with a protocol violation error.

   .. versionchanged:: next
      Python now uses ``SSL_sendfile`` internally when possible. The
      function sends a file more efficiently because it performs TLS encryption
      in the kernel to avoid additional context switches.

 SSL sockets also have the following additional methods and attributes:

 .. method:: SSLSocket.read(len=1024, buffer=None)
diff --git a/Lib/socket.py b/Lib/socket.py
 import os
 import sys
 from enum import IntEnum, IntFlag
 from functools import partial

 try:
    import errno
        text.mode = mode
        return text

    if hasattr(os, 'sendfile'):
    def _sendfile_zerocopy(self, zerocopy_func, giveup_exc_type, file,
                           offset=0, count=None):
        """
        Send a file using a zero-copy function.
        """
        import selectors

        def _sendfile_use_sendfile(self, file, offset=0, count=None):
            # Lazy import to improve module import time
            import selectors
        self._check_sendfile_params(file, offset, count)
        sockno = self.fileno()
        try:
            fileno = file.fileno()
        except (AttributeError, io.UnsupportedOperation) as err:
            raise giveup_exc_type(err)  # not a regular file
        try:
            fsize = os.fstat(fileno).st_size
        except OSError as err:
            raise giveup_exc_type(err)  # not a regular file
        if not fsize:
            return 0  # empty file
        # Truncate to 1GiB to avoid OverflowError, see bpo-38319.
        blocksize = min(count or fsize, 2 ** 30)
        timeout = self.gettimeout()
        if timeout == 0:
            raise ValueError("non-blocking sockets are not supported")
        # poll/select have the advantage of not requiring any
        # extra file descriptor, contrarily to epoll/kqueue
        # (also, they require a single syscall).
        if hasattr(selectors, 'PollSelector'):
            selector = selectors.PollSelector()
        else:
            selector = selectors.SelectSelector()
        selector.register(sockno, selectors.EVENT_WRITE)

            self._check_sendfile_params(file, offset, count)
            sockno = self.fileno()
            try:
                fileno = file.fileno()
            except (AttributeError, io.UnsupportedOperation) as err:
                raise _GiveupOnSendfile(err)  # not a regular file
            try:
                fsize = os.fstat(fileno).st_size
            except OSError as err:
                raise _GiveupOnSendfile(err)  # not a regular file
            if not fsize:
                return 0  # empty file
            # Truncate to 1GiB to avoid OverflowError, see bpo-38319.
            blocksize = min(count or fsize, 2 ** 30)
            timeout = self.gettimeout()
            if timeout == 0:
                raise ValueError("non-blocking sockets are not supported")
            # poll/select have the advantage of not requiring any
            # extra file descriptor, contrarily to epoll/kqueue
            # (also, they require a single syscall).
            if hasattr(selectors, 'PollSelector'):
                selector = selectors.PollSelector()
            else:
                selector = selectors.SelectSelector()
            selector.register(sockno, selectors.EVENT_WRITE)

            total_sent = 0
            # localize variable access to minimize overhead
            selector_select = selector.select
            os_sendfile = os.sendfile
            try:
                while True:
                    if timeout and not selector_select(timeout):
                        raise TimeoutError('timed out')
                    if count:
                        blocksize = min(count - total_sent, blocksize)
                        if blocksize <= 0:
                            break
                    try:
                        sent = os_sendfile(sockno, fileno, offset, blocksize)
                    except BlockingIOError:
                        if not timeout:
                            # Block until the socket is ready to send some
                            # data; avoids hogging CPU resources.
                            selector_select()
                        continue
                    except OSError as err:
                        if total_sent == 0:
                            # We can get here for different reasons, the main
                            # one being 'file' is not a regular mmap(2)-like
                            # file, in which case we'll fall back on using
                            # plain send().
                            raise _GiveupOnSendfile(err)
                        raise err from None
                    else:
                        if sent == 0:
                            break  # EOF
                        offset += sent
                        total_sent += sent
                return total_sent
            finally:
                if total_sent > 0 and hasattr(file, 'seek'):
                    file.seek(offset)
        total_sent = 0
        # localize variable access to minimize overhead
        selector_select = selector.select
        try:
            while True:
                if timeout and not selector_select(timeout):
                    raise TimeoutError('timed out')
                if count:
                    blocksize = min(count - total_sent, blocksize)
                    if blocksize <= 0:
                        break
                try:
                    sent = zerocopy_func(fileno, offset, blocksize)
                except BlockingIOError:
                    if not timeout:
                        # Block until the socket is ready to send some
                        # data; avoids hogging CPU resources.
                        selector_select()
                    continue
                except OSError as err:
                    if total_sent == 0:
                        # We can get here for different reasons, the main
                        # one being 'file' is not a regular mmap(2)-like
                        # file, in which case we'll fall back on using
                        # plain send().
                        raise giveup_exc_type(err)
                    raise err from None
                else:
                    if sent == 0:
                        break  # EOF
                    offset += sent
                    total_sent += sent
            return total_sent
        finally:
            if total_sent > 0 and hasattr(file, 'seek'):
                file.seek(offset)

    if hasattr(os, 'sendfile'):
        def _sendfile_use_sendfile(self, file, offset=0, count=None):
            return self._sendfile_zerocopy(
                partial(os.sendfile, self.fileno()),
                _GiveupOnSendfile,
                file, offset, count,
            )
    else:
        def _sendfile_use_sendfile(self, file, offset=0, count=None):
            raise _GiveupOnSendfile(
diff --git a/Lib/ssl.py b/Lib/ssl.py
    return func


 class _GiveupOnSSLSendfile(Exception):
    pass


 class SSLSocket(socket):
    """This class implements a subtype of socket.socket that wraps
    the underlying OS socket in an SSL context when necessary, and
            return super().sendall(data, flags)

    def sendfile(self, file, offset=0, count=None):
        """Send a file, possibly by usingos.sendfile()if this is a
 clear-text socket.  Return the total number of bytes sent.
        """Send a file, possibly by usingan efficientsendfile()call if
 the system supports it.  Return the total number of bytes sent.
        """
        if self._sslobj is not None:
            return self._sendfile_use_send(file, offset, count)
        else:
            # os.sendfile() works with plain sockets only
        if self._sslobj is None:
            return super().sendfile(file, offset, count)

        if not self._sslobj.uses_ktls_for_send():
            return self._sendfile_use_send(file, offset, count)

        sendfile = getattr(self._sslobj, "sendfile", None)
        if sendfile is None:
            return self._sendfile_use_send(file, offset, count)

        try:
            return self._sendfile_zerocopy(
                sendfile, _GiveupOnSSLSendfile, file, offset, count,
            )
        except _GiveupOnSSLSendfile:
            return self._sendfile_use_send(file, offset, count)

    def recv(self, buflen=1024, flags=0):
        self._checkClosed()
        if self._sslobj is not None:
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
            self.assertRaises(ValueError, s.write, b'hello')

    def test_sendfile(self):
        """Try to send a file using kTLS if possible."""
        TEST_DATA = b"x" * 512
        with open(os_helper.TESTFN, 'wb') as f:
            f.write(TEST_DATA)
        self.addCleanup(os_helper.unlink, os_helper.TESTFN)
        client_context, server_context, hostname = testing_context()
        client_context.options |= getattr(ssl, 'OP_ENABLE_KTLS', 0)
        server = ThreadedEchoServer(context=server_context, chatty=False)
        with server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
                s.connect((HOST, server.port))
        # kTLS seems to work only with a connection created before
        # wrapping `sock` by the SSL context in contrast to calling
        # `sock.connect()` after the wrapping.
        with server, socket.create_connection((HOST, server.port)) as sock:
            with client_context.wrap_socket(
                sock, server_hostname=hostname
            ) as ssock:
                if support.verbose:
                    ktls_used = ssock._sslobj.uses_ktls_for_send()
                    print(
                        'kTLS is',
                        'available' if ktls_used else 'unavailable',
                    )
                with open(os_helper.TESTFN, 'rb') as file:
 s.sendfile(file)
 self.assertEqual(s.recv(1024), TEST_DATA)
 ssock.sendfile(file)
                self.assertEqual(ssock.recv(1024), TEST_DATA)

    def test_session(self):
        client_context, server_context, hostname = testing_context()
diff --git a/Misc/NEWS.d/next/Library/2023-03-13-22-51-40.gh-issue-99813.40TV02.rst b/Misc/NEWS.d/next/Library/2023-03-13-22-51-40.gh-issue-99813.40TV02.rst
 :mod:`ssl` now uses ``SSL_sendfile`` internally when it is possible (see
 :data:`~ssl.OP_ENABLE_KTLS`). The function sends a file more efficiently
 because it performs TLS encryption in the kernel to avoid additional context
 switches. Patch by Illia Volochii.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1078,8 +1078,9 @@ SSL Sockets
		(but passing a non-zero ``flags`` argument is not allowed)
		- :meth:`~socket.socket.send`, :meth:`~socket.socket.sendall` (with
		the same limitation)
		- :meth:`~socket.socket.sendfile` (but :mod:`os.sendfile` will be used
		for plain-text sockets only, else :meth:`~socket.socket.send` will be used)
		- :meth:`~socket.socket.sendfile` (it may be high-performant only when
		the kernel TLS is enabled by setting :data:`~ssl.OP_ENABLE_KTLS` or when a
		socket is plain-text, else :meth:`~socket.socket.send` will be used)
		- :meth:`~socket.socket.shutdown`

		However, since the SSL (and TLS) protocol has its own framing atop
Expand DownExpand Up		@@ -1113,6 +1114,11 @@ SSL Sockets
		functions support reading and writing of data larger than 2 GB. Writing
		zero-length data no longer fails with a protocol violation error.

		.. versionchanged:: next
		Python now uses ``SSL_sendfile`` internally when possible. The
		function sends a file more efficiently because it performs TLS encryption
		in the kernel to avoid additional context switches.

		SSL sockets also have the following additional methods and attributes:

		.. method:: SSLSocket.read(len=1024, buffer=None)
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -56,6 +56,7 @@
		import os
		import sys
		from enum import IntEnum, IntFlag
		from functools import partial

		try:
		import errno
Expand DownExpand Up		@@ -348,75 +349,83 @@ def makefile(self, mode="r", buffering=None, *,
		text.mode = mode
		return text

		if hasattr(os, 'sendfile'):
		def _sendfile_zerocopy(self, zerocopy_func, giveup_exc_type, file,
		offset=0, count=None):
		"""
		Send a file using a zero-copy function.
		"""
		import selectors

		def _sendfile_use_sendfile(self, file, offset=0, count=None):
		# Lazy import to improve module import time
		import selectors
		self._check_sendfile_params(file, offset, count)
		sockno = self.fileno()
		try:
		fileno = file.fileno()
		except (AttributeError, io.UnsupportedOperation) as err:
		raise giveup_exc_type(err) # not a regular file
		try:
		fsize = os.fstat(fileno).st_size
		except OSError as err:
		raise giveup_exc_type(err) # not a regular file
		if not fsize:
		return 0 # empty file
		# Truncate to 1GiB to avoid OverflowError, see bpo-38319.
		blocksize = min(count or fsize, 2 ** 30)
		timeout = self.gettimeout()
		if timeout == 0:
		raise ValueError("non-blocking sockets are not supported")
		# poll/select have the advantage of not requiring any
		# extra file descriptor, contrarily to epoll/kqueue
		# (also, they require a single syscall).
		if hasattr(selectors, 'PollSelector'):
		selector = selectors.PollSelector()
		else:
		selector = selectors.SelectSelector()
		selector.register(sockno, selectors.EVENT_WRITE)

		self._check_sendfile_params(file, offset, count)
		sockno = self.fileno()
		try:
		fileno = file.fileno()
		except (AttributeError, io.UnsupportedOperation) as err:
		raise _GiveupOnSendfile(err) # not a regular file
		try:
		fsize = os.fstat(fileno).st_size
		except OSError as err:
		raise _GiveupOnSendfile(err) # not a regular file
		if not fsize:
		return 0 # empty file
		# Truncate to 1GiB to avoid OverflowError, see bpo-38319.
		blocksize = min(count or fsize, 2 ** 30)
		timeout = self.gettimeout()
		if timeout == 0:
		raise ValueError("non-blocking sockets are not supported")
		# poll/select have the advantage of not requiring any
		# extra file descriptor, contrarily to epoll/kqueue
		# (also, they require a single syscall).
		if hasattr(selectors, 'PollSelector'):
		selector = selectors.PollSelector()
		else:
		selector = selectors.SelectSelector()
		selector.register(sockno, selectors.EVENT_WRITE)

		total_sent = 0
		# localize variable access to minimize overhead
		selector_select = selector.select
		os_sendfile = os.sendfile
		try:
		while True:
		if timeout and not selector_select(timeout):
		raise TimeoutError('timed out')
		if count:
		blocksize = min(count - total_sent, blocksize)
		if blocksize <= 0:
		break
		try:
		sent = os_sendfile(sockno, fileno, offset, blocksize)
		except BlockingIOError:
		if not timeout:
		# Block until the socket is ready to send some
		# data; avoids hogging CPU resources.
		selector_select()
		continue
		except OSError as err:
		if total_sent == 0:
		# We can get here for different reasons, the main
		# one being 'file' is not a regular mmap(2)-like
		# file, in which case we'll fall back on using
		# plain send().
		raise _GiveupOnSendfile(err)
		raise err from None
		else:
		if sent == 0:
		break # EOF
		offset += sent
		total_sent += sent
		return total_sent
		finally:
		if total_sent > 0 and hasattr(file, 'seek'):
		file.seek(offset)
		total_sent = 0
		# localize variable access to minimize overhead
		selector_select = selector.select
		try:
		while True:
		if timeout and not selector_select(timeout):
		raise TimeoutError('timed out')
		if count:
		blocksize = min(count - total_sent, blocksize)
		if blocksize <= 0:
		break
		try:
		sent = zerocopy_func(fileno, offset, blocksize)
		except BlockingIOError:
		if not timeout:
		# Block until the socket is ready to send some
		# data; avoids hogging CPU resources.
		selector_select()
		continue
		except OSError as err:
		if total_sent == 0:
		# We can get here for different reasons, the main
		# one being 'file' is not a regular mmap(2)-like
		# file, in which case we'll fall back on using
		# plain send().
		raise giveup_exc_type(err)
		raise err from None
		else:
		if sent == 0:
		break # EOF
		offset += sent
		total_sent += sent
		return total_sent
		finally:
		if total_sent > 0 and hasattr(file, 'seek'):
		file.seek(offset)

		if hasattr(os, 'sendfile'):
		def _sendfile_use_sendfile(self, file, offset=0, count=None):
		return self._sendfile_zerocopy(
		partial(os.sendfile, self.fileno()),
		_GiveupOnSendfile,
		file, offset, count,
		)
		else:
		def _sendfile_use_sendfile(self, file, offset=0, count=None):
		raise _GiveupOnSendfile(
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -975,6 +975,10 @@ def _sslcopydoc(func):
		return func


		class _GiveupOnSSLSendfile(Exception):
		pass


		class SSLSocket(socket):
		"""This class implements a subtype of socket.socket that wraps
		the underlying OS socket in an SSL context when necessary, and
Expand DownExpand Up		@@ -1266,15 +1270,26 @@ def sendall(self, data, flags=0):
		return super().sendall(data, flags)

		def sendfile(self, file, offset=0, count=None):
		"""Send a file, possibly by usingos.sendfile()if this is a
		clear-text socket. Return the total number of bytes sent.
		"""Send a file, possibly by usingan efficientsendfile()call if
		the system supports it. Return the total number of bytes sent.
		"""
		if self._sslobj is not None:
		return self._sendfile_use_send(file, offset, count)
		else:
		# os.sendfile() works with plain sockets only
		if self._sslobj is None:
		return super().sendfile(file, offset, count)

		if not self._sslobj.uses_ktls_for_send():
		return self._sendfile_use_send(file, offset, count)

		sendfile = getattr(self._sslobj, "sendfile", None)
		if sendfile is None:
		return self._sendfile_use_send(file, offset, count)

		try:
		return self._sendfile_zerocopy(
		sendfile, _GiveupOnSSLSendfile, file, offset, count,
		)
		except _GiveupOnSSLSendfile:
		return self._sendfile_use_send(file, offset, count)

		def recv(self, buflen=1024, flags=0):
		self._checkClosed()
		if self._sslobj is not None:
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4297,19 +4297,30 @@ def test_read_write_after_close_raises_valuerror(self):
		self.assertRaises(ValueError, s.write, b'hello')

		def test_sendfile(self):
		"""Try to send a file using kTLS if possible."""
		TEST_DATA = b"x" * 512
		with open(os_helper.TESTFN, 'wb') as f:
		f.write(TEST_DATA)
		self.addCleanup(os_helper.unlink, os_helper.TESTFN)
		client_context, server_context, hostname = testing_context()
		client_context.options \|= getattr(ssl, 'OP_ENABLE_KTLS', 0)
		server = ThreadedEchoServer(context=server_context, chatty=False)
		with server:
		with client_context.wrap_socket(socket.socket(),
		server_hostname=hostname) as s:
		s.connect((HOST, server.port))
		# kTLS seems to work only with a connection created before
Copy link Member picnixzApr 17, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Can you check whether it "seems" to work or not? (for a personal project I would accept this but I'm interested in knowing whether this is an issue with Python SSL or OpenSSL) Copy link ContributorAuthor illia-vApr 18, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Okay, I'll post more details about this soon Copy link ContributorAuthor illia-vApr 19, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I can reproduce the same issue with C code using OpenSSL (without Python). Please check my findingshere. I mentioned a possible patch, let me know if we can apply it or there can be undesirable consequences. FYI,`ssl.OP_ENABLE_KTLS` to enable kTLS has been available since Python 3.12 (and it could be added to options as a simple integer even before). And the issue is not specific to`SSL_sendfile`, it affects kTLS availability for simple reads and writes. I added my reproducer to an existing OpenSSL issueopenssl/openssl#19676 (comment).
		# wrapping `sock` by the SSL context in contrast to calling
		# `sock.connect()` after the wrapping.
		with server, socket.create_connection((HOST, server.port)) as sock:
		with client_context.wrap_socket(
		sock, server_hostname=hostname
		) as ssock:
		if support.verbose:
		ktls_used = ssock._sslobj.uses_ktls_for_send()
		print(
		'kTLS is',
		'available' if ktls_used else 'unavailable',
		)
illia-v marked this conversation as resolved. Show resolvedHide resolved
		with open(os_helper.TESTFN, 'rb') as file:
		s.sendfile(file)
		self.assertEqual(s.recv(1024), TEST_DATA)
		ssock.sendfile(file)
		self.assertEqual(ssock.recv(1024), TEST_DATA)

		def test_session(self):
		client_context, server_context, hostname = testing_context()
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,4 @@
		:mod:`ssl` now uses ``SSL_sendfile`` internally when it is possible (see
		:data:`~ssl.OP_ENABLE_KTLS`). The function sends a file more efficiently
		because it performs TLS encryption in the kernel to avoid additional context
		switches. Patch by Illia Volochii.