MINOR: cfgparse: Add a new "ktls" option to bind and server.

Add a new "ktls" option to bind and server. Valid values are "on" and
"off".
It currently does nothing, but when kTLS will be implemented, it will
enable or disable kTLS for the corresponding sockets.
It is marked as experimental for now.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 84800a2cf4b5430848a076d3bd69b151560997ac..50269e8b49134e8c8ff6960c20cffd8dbe896061 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12178,6 +12178,7 @@ ssl-f-use [<sslbindconf> ...]*
     - crl-file
     - curves
     - ecdhe
+    - ktls
     - no-alpn
     - no-ca-names
     - npn
@@ -16752,6 +16753,11 @@ interface <interface>
   client IP addresses need to be able to reach frontends hosted on different
   interfaces.
 
+ktls <on|off> [ EXPERIMENTAL ]
+  Enables or disables ktls for those sockets. If enabled, kTLS will be used
+  if the kernel supports it and the cipher is compatible.
+  This is only available on linux.
+
 label <label>
   Sets an optional label for these sockets. It could be used group sockets by
   label, independently of where the bind lines were declared.
@@ -17925,6 +17931,13 @@ init-state { fully-up | up | down | fully-down }
 
 See also: "option tcp-check", "option httpchk"
 
+ktls <on|off> [ EXPERIMENTAL ]
+  May be used in the following contexts: tcp, http, log, peers, ring
+
+  Enables or disables ktls for those sockets. If enabled, kTLS will be used
+  if the kernel supports it and the cipher is compatible.
+  This is only available on Linux.
+
 log-bufsize <bufsize>
   May be used in the following contexts: log
 

diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 37840790eb0717c953bb7c38c3163a91f5034725..ce7e850193da0c86a8d0f0dc61e28aab9f41d279 100644 (file)
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -140,6 +140,7 @@ struct ssl_bind_conf {
        unsigned int verify:3;     /* verify method (set of SSL_VERIFY_* flags) */
        unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
        unsigned int early_data:1; /* early data allowed */
+       unsigned int ktls:1;       /* use kTLS if available */
        char *ca_file;             /* CAfile to use on verify and ca-names */
        char *ca_verify_file;      /* CAverify file to use on verify only */
        char *crl_file;            /* CRLfile to use on verify */

diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index f0afac7dc96f35db0ccf83c7bbb9930c3c1356be..0584d92dff8ce5e7f74012c553f2e68553865559 100644 (file)
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -204,6 +204,7 @@ enum srv_init_state {
 #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #define SRV_SSL_O_NO_REUSE       0x200  /* disable session reuse */
 #define SRV_SSL_O_EARLY_DATA     0x400  /* Allow using early data */
+#define SRV_SSL_O_KTLS           0x800  /* Use kTLS if available */
 
 /* log servers ring's protocols options */
 enum srv_log_proto {

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 611d29bcf26147e8ab8254d989aff901d959c537..e1bb7096e435ed0fedb07ac00ea3fbe8cfcb44db 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -874,6 +874,36 @@ static int bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct
        return ssl_bind_parse_curves(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
+/* parse the "ktls" bind keyword */
+static int ssl_bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
+{
+       if (!*args[cur_arg + 1]) {
+               memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
+                         args[cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+       if (!experimental_directives_allowed) {
+               memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+       if (!strcasecmp(args[cur_arg + 1], "on")) {
+               conf->ktls = 1;
+       } else if (!strcasecmp(args[cur_arg + 1], "off")) {
+               conf->ktls = 0;
+       } else {
+               memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
+                         args[cur_arg], args[cur_arg + 1]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+       return 0;
+
+}
+
+static int bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+       return ssl_bind_parse_ktls(args, cur_arg, px, &conf->ssl_conf, 0, err);
+}
+
 /* parse the "sigalgs" bind keyword */
 static int ssl_bind_parse_sigalgs(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
 {
@@ -1890,6 +1920,32 @@ static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct
        return 0;
 }
 
+/* parse the "ktls" server keywod */
+static int srv_parse_ktls(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+       if (!*args[*cur_arg + 1]) {
+               memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
+                         args[*cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+
+       if (!experimental_directives_allowed) {
+               memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[*cur_arg]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+
+       if (!strcasecmp(args[*cur_arg + 1], "on")) {
+               newsrv->ssl_ctx.options |= SRV_SSL_O_KTLS;
+       } else if (!strcasecmp(args[*cur_arg + 1], "off")) {
+               newsrv->ssl_ctx.options &= ~SRV_SSL_O_KTLS;
+       } else {
+               memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
+                         args[*cur_arg], args[*cur_arg + 1]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+       return 0;
+}
+
 /* parse the "allow-0rtt" server keyword */
 static int srv_parse_allow_0rtt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -2450,6 +2506,7 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
        { "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificate revocation list file use on client cert verify */
        { "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
        { "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+       { "ktls",                  ssl_bind_parse_ktls,             1 }, /* enables or disables kTLS */
        { "no-alpn",               ssl_bind_parse_no_alpn,          0 }, /* disable sending ALPN */
        { "no-ca-names",           ssl_bind_parse_no_ca_names,      0 }, /* do not send ca names to clients (ca_file related) */
        { "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
@@ -2486,6 +2543,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
        { "force-tlsv12",          bind_parse_tls_method_options, 0 }, /* force TLSv12 */
        { "force-tlsv13",          bind_parse_tls_method_options, 0 }, /* force TLSv13 */
        { "generate-certificates", bind_parse_generate_certs,     0 }, /* enable the server certificates generation */
+       { "ktls",                  bind_parse_ktls,               1 }, /* enable or disable kTLS */
        { "no-alpn",               bind_parse_no_alpn,            0 }, /* disable sending ALPN */
        { "no-ca-names",           bind_parse_no_ca_names,        0 }, /* do not send ca names to clients (ca_file related) */
        { "no-sslv3",              bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
@@ -2535,6 +2593,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "force-tlsv11",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv11 */
        { "force-tlsv12",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv12 */
        { "force-tlsv13",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv13 */
+       { "ktls",                    srv_parse_ktls,               1, 1, 1 }, /* enable or disable kTLS */
        { "no-check-ssl",            srv_parse_no_check_ssl,       0, 1, 0 }, /* disable SSL for health checks */
        { "no-renegotiate",          srv_parse_renegotiate,        0, 1, 1 }, /* Disable renegotiation */
        { "no-send-proxy-v2-ssl",    srv_parse_no_send_proxy_ssl,  0, 1, 0 }, /* do not send PROXY protocol header v2 with SSL info */