From e8674658aec306ca29870e7e75558e58cd0a5d69 Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouchard@haproxy.com>
Date: Thu, 3 Jul 2025 17:27:36 +0200
Subject: [PATCH] MINOR: cfgparse: Add a new "ktls" option to bind and server.

Add a new "ktls" option to bind and server. Valid values are "on" and
"off".
It currently does nothing, but when kTLS will be implemented, it will
enable or disable kTLS for the corresponding sockets.
It is marked as experimental for now.
---
 doc/configuration.txt        | 13 ++++++++
 include/haproxy/listener-t.h |  1 +
 include/haproxy/server-t.h   |  1 +
 src/cfgparse-ssl.c           | 59 ++++++++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 84800a2cf..50269e8b4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12178,6 +12178,7 @@ ssl-f-use [<sslbindconf> ...]*
     - crl-file
     - curves
     - ecdhe
+    - ktls
     - no-alpn
     - no-ca-names
     - npn
@@ -16752,6 +16753,11 @@ interface <interface>
   client IP addresses need to be able to reach frontends hosted on different
   interfaces.
 
+ktls <on|off> [ EXPERIMENTAL ]
+  Enables or disables ktls for those sockets. If enabled, kTLS will be used
+  if the kernel supports it and the cipher is compatible.
+  This is only available on linux.
+
 label <label>
   Sets an optional label for these sockets. It could be used group sockets by
   label, independently of where the bind lines were declared.
@@ -17925,6 +17931,13 @@ init-state { fully-up | up | down | fully-down }
 
 See also: "option tcp-check", "option httpchk"
 
+ktls <on|off> [ EXPERIMENTAL ]
+  May be used in the following contexts: tcp, http, log, peers, ring
+
+  Enables or disables ktls for those sockets. If enabled, kTLS will be used
+  if the kernel supports it and the cipher is compatible.
+  This is only available on Linux.
+
 log-bufsize <bufsize>
   May be used in the following contexts: log
 
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 37840790e..ce7e85019 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -140,6 +140,7 @@ struct ssl_bind_conf {
 	unsigned int verify:3;     /* verify method (set of SSL_VERIFY_* flags) */
 	unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
 	unsigned int early_data:1; /* early data allowed */
+	unsigned int ktls:1;       /* use kTLS if available */
 	char *ca_file;             /* CAfile to use on verify and ca-names */
 	char *ca_verify_file;      /* CAverify file to use on verify only */
 	char *crl_file;            /* CRLfile to use on verify */
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index f0afac7dc..0584d92df 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -204,6 +204,7 @@ enum srv_init_state {
 #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #define SRV_SSL_O_NO_REUSE       0x200  /* disable session reuse */
 #define SRV_SSL_O_EARLY_DATA     0x400  /* Allow using early data */
+#define SRV_SSL_O_KTLS           0x800  /* Use kTLS if available */
 
 /* log servers ring's protocols options */
 enum srv_log_proto {
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 611d29bcf..e1bb7096e 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -874,6 +874,36 @@ static int bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct
 	return ssl_bind_parse_curves(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
+/* parse the "ktls" bind keyword */
+static int ssl_bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
+{
+	if (!*args[cur_arg + 1]) {
+		memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
+			  args[cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	if (!experimental_directives_allowed) {
+		memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	if (!strcasecmp(args[cur_arg + 1], "on")) {
+		conf->ktls = 1;
+	} else if (!strcasecmp(args[cur_arg + 1], "off")) {
+		conf->ktls = 0;
+	} else {
+		memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
+			  args[cur_arg], args[cur_arg + 1]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+
+}
+
+static int bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	return ssl_bind_parse_ktls(args, cur_arg, px, &conf->ssl_conf, 0, err);
+}
+
 /* parse the "sigalgs" bind keyword */
 static int ssl_bind_parse_sigalgs(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
 {
@@ -1890,6 +1920,32 @@ static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct
 	return 0;
 }
 
+/* parse the "ktls" server keywod */
+static int srv_parse_ktls(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	if (!*args[*cur_arg + 1]) {
+		memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
+			  args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	if (!experimental_directives_allowed) {
+		memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	if (!strcasecmp(args[*cur_arg + 1], "on")) {
+		newsrv->ssl_ctx.options |= SRV_SSL_O_KTLS;
+	} else if (!strcasecmp(args[*cur_arg + 1], "off")) {
+		newsrv->ssl_ctx.options &= ~SRV_SSL_O_KTLS;
+	} else {
+		memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
+			  args[*cur_arg], args[*cur_arg + 1]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+}
+
 /* parse the "allow-0rtt" server keyword */
 static int srv_parse_allow_0rtt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -2450,6 +2506,7 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
 	{ "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificate revocation list file use on client cert verify */
 	{ "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
 	{ "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "ktls",                  ssl_bind_parse_ktls,             1 }, /* enables or disables kTLS */
 	{ "no-alpn",               ssl_bind_parse_no_alpn,          0 }, /* disable sending ALPN */
 	{ "no-ca-names",           ssl_bind_parse_no_ca_names,      0 }, /* do not send ca names to clients (ca_file related) */
 	{ "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
@@ -2486,6 +2543,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "force-tlsv12",          bind_parse_tls_method_options, 0 }, /* force TLSv12 */
 	{ "force-tlsv13",          bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 	{ "generate-certificates", bind_parse_generate_certs,     0 }, /* enable the server certificates generation */
+	{ "ktls",                  bind_parse_ktls,               1 }, /* enable or disable kTLS */
 	{ "no-alpn",               bind_parse_no_alpn,            0 }, /* disable sending ALPN */
 	{ "no-ca-names",           bind_parse_no_ca_names,        0 }, /* do not send ca names to clients (ca_file related) */
 	{ "no-sslv3",              bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
@@ -2535,6 +2593,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "force-tlsv11",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv11 */
 	{ "force-tlsv12",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv12 */
 	{ "force-tlsv13",            srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv13 */
+	{ "ktls",                    srv_parse_ktls,               1, 1, 1 }, /* enable or disable kTLS */
 	{ "no-check-ssl",            srv_parse_no_check_ssl,       0, 1, 0 }, /* disable SSL for health checks */
 	{ "no-renegotiate",          srv_parse_renegotiate,        0, 1, 1 }, /* Disable renegotiation */
 	{ "no-send-proxy-v2-ssl",    srv_parse_no_send_proxy_ssl,  0, 1, 0 }, /* do not send PROXY protocol header v2 with SSL info */