MEDIUM: ssl: Add kTLS support for OpenSSL.

Modify the SSL code to enable kTLS with OpenSSL. It mostly requires our internal BIO to be able to handle the various kTLS-specific controls in ha_ssl_ctrl(), as well as being able to use recvmsg() and sendmsg() from ha_ssl_read() and ha_ssl_write().
2026-02-12 21:41:22 +02:00 · 2025-07-03 18:14:43 +02:00
parent 6270073072
commit ed7d20afc8
3 changed files with 242 additions and 4 deletions
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -554,4 +554,30 @@ static inline unsigned long ERR_peek_error_func(const char **func)
 #endif

 #endif /* USE_OPENSSL */
+
+#ifdef USE_KTLS
+
+#ifdef __linux__
+#include <linux/tls.h>
+#endif
+
+#if defined(HAVE_VANILLA_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#define HA_USE_KTLS
+/*
+ * Only provided by internal/bio.h, but we need it
+ */
+#ifndef BIO_CTRL_SET_KTLS
+#define BIO_CTRL_SET_KTLS	72
+#endif
+#ifndef BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG
+#define BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG 74
+#endif
+#ifndef BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG
+#define BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG 75
+#endif
+
+#endif /* HAVE_VANILLA_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x3000000fL */
+
+#endif /* USE_KTLS */
+
 #endif /* _HAPROXY_OPENSSL_COMPAT_H */
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -250,6 +250,10 @@ struct ssl_keylog {
 * ssl_sock_ctx flags
 */
 #define SSL_SOCK_F_EARLY_ENABLED	(1 << 0) /* We did not start the handshake yet so we can send early data */
+#define SSL_SOCK_F_KTLS_ENABLED         (1 << 1) /* We can use KTLS on that socket */
+#define SSL_SOCK_F_KTLS_SEND            (1 << 2) /* kTLS send is configured on that socket */
+#define SSL_SOCK_F_KTLS_RECV            (1 << 3) /* kTLS receive is configure on that socket */
+#define SSL_SOCK_F_CTRL_SEND            (1 << 4) /* We want to send a kTLS control message for that socket */

 struct ssl_sock_ctx {
 	struct connection *conn;
@@ -264,6 +268,9 @@ struct ssl_sock_ctx {
 	struct buffer early_buf;      /* buffer to store the early data received */
 	int sent_early_data;          /* Amount of early data we sent so far */
 	int flags;                    /* Various flags for the ssl_sock_ctx */
+#ifdef HA_USE_KTLS
+	char record_type;             /* Record type to use if not just sending application data */
+#endif

 #ifdef USE_QUIC
 	struct quic_conn *qc;