authorFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2022-03-18 11:37:10 +0100
committerFrantisek Krenzelok <krenzelok.frantisek@gmail.com>2022-03-29 12:13:55 +0200
commit4b58324309913caf70ae980cc7b3613cb3a51df6 (patch)
treef21ec571c005bf1b40a8d4c4b17a95dccbeca4e6
parent9860846b66e4c698c60a3b343dcb3ba49c77e096 (diff)
downloadgnutls-4b58324309913caf70ae980cc7b3613cb3a51df6.tar.gz
system config disable KTLS
Added the system-config option `ktls = false`, which disables KTLS system-wide. Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
-rw-r--r--lib/gnutls_int.h2
-rw-r--r--lib/handshake.c8
-rw-r--r--lib/includes/gnutls/socket.h1
-rw-r--r--lib/priority.c16
-rw-r--r--lib/system/ktls.c1
5 files changed, 23 insertions, 5 deletions
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 26d2373c80..fd04a42613 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1643,4 +1643,6 @@ get_certificate_type(gnutls_session_t session,
extern unsigned int _gnutls_global_version;
+bool _gnutls_config_is_ktls_disabled(void);
+
#endif /* GNUTLS_LIB_GNUTLS_INT_H */
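Review bot: The new prototype at the top of this hunk is undocumented, and since it is an internal accessor used from a different translation unit (handshake.c), the header is the only place a reader will look for its contract. A one-line comment above it would do: `/* True when the system-wide config ([global] ktls = false) forbids KTLS; read by gnutls_handshake() before attempting TCP_ULP. */`. The declaration uses `bool`, so this header presumably already pulls in <stdbool.h> — worth confirming since that include is outside the hunk.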
diff --git a/lib/handshake.c b/lib/handshake.c
index 44c4cc3402..f3edbbdacb 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2813,8 +2813,10 @@ int gnutls_handshake(gnutls_session_t session)
const version_entry_st *vers = get_version(session);
int ret;
+ session->internals.ktls_enabled = 0;
#ifdef ENABLE_KTLS
- _gnutls_ktls_enable(session);
+ if (_gnutls_config_is_ktls_disabled() == false)
+ _gnutls_ktls_enable(session);
#endif
if (unlikely(session->internals.initial_negotiation_completed)) {
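Review bot: The reset `session->internals.ktls_enabled = 0;` is now load-bearing in a way the code does not say: this same commit removes the equivalent reset from `_gnutls_ktls_enable()` in ktls.c, so the helper silently relies on this caller having cleared the flags first. A short why-comment above the reset, `/* must be cleared here: _gnutls_ktls_enable() only ORs in directions it managed to enable */`, would stop a future caller of the helper from inheriting stale bits. Minor style point on the condition: the file's idiom would be `if (!_gnutls_config_is_ktls_disabled())` rather than comparing against `false`. gnutls_handshake() continues past the end of this hunk.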
@@ -2913,11 +2915,9 @@ int gnutls_handshake(gnutls_session_t session)
}
#ifdef ENABLE_KTLS
- if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_RECV) || IS_KTLS_ENABLED(session, GNUTLS_KTLS_SEND)) {
+ if (IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)) {
_gnutls_ktls_set_keys(session);
}
-#else
- session->internals.ktls_enabled = 0;
#endif
return 0;
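Review bot: Replacing `IS_KTLS_ENABLED(RECV) || IS_KTLS_ENABLED(SEND)` with `IS_KTLS_ENABLED(session, GNUTLS_KTLS_DUPLEX)` is only equivalent if the macro tests `(flags & mask) != 0`; if it is defined as `(flags & mask) == mask`, the new condition requires both directions and keys are never installed for a socket where only one TCP_ULP setsockopt succeeded, leaving that direction marked enabled but without keys. The macro definition is not visible in this diff, so the intent should be pinned either by keeping the explicit OR or by a comment such as `/* DUPLEX here means "any direction enabled": set keys for whichever side has ULP */`. Note also that the return value of `_gnutls_ktls_set_keys()` is still ignored (pre-existing), so a key-install failure after ULP was attached goes unnoticed at this point. gnutls_handshake() starts before this hunk.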
diff --git a/lib/includes/gnutls/socket.h b/lib/includes/gnutls/socket.h
index 8c21b9a382..4df7bb2e0f 100644
--- a/lib/includes/gnutls/socket.h
+++ b/lib/includes/gnutls/socket.h
@@ -54,6 +54,7 @@ typedef enum {
GNUTLS_KTLS_DUPLEX = GNUTLS_KTLS_RECV | GNUTLS_KTLS_SEND,
} gnutls_transport_ktls_enable_flags_t;
+
gnutls_transport_ktls_enable_flags_t
gnutls_transport_is_ktls_enabled(gnutls_session_t session);
diff --git a/lib/priority.c b/lib/priority.c
index 7142401245..34bf3d2950 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1017,6 +1017,7 @@ static void dummy_func(gnutls_priority_t c)
struct cfg {
bool allowlisting;
+ bool ktls_disabled;
name_val_array_t priority_strings;
char *priority_string;
@@ -1129,6 +1130,7 @@ cfg_steal(struct cfg *dst, struct cfg *src)
src->default_priority_string = NULL;
dst->allowlisting = src->allowlisting;
+ dst->ktls_disabled = src->ktls_disabled;
memcpy(dst->ciphers, src->ciphers, sizeof(src->ciphers));
memcpy(dst->macs, src->macs, sizeof(src->macs));
memcpy(dst->groups, src->groups, sizeof(src->groups));
@@ -1254,6 +1256,16 @@ static int global_ini_handler(void *ctx, const char *section, const char *name,
if (fail_on_invalid_config)
return 0;
}
+ } else if (c_strcasecmp(name, "ktls") == 0) {
+ p = clear_spaces(value, str);
+ if (c_strcasecmp(p, "false") == 0) {
+ cfg->ktls_disabled = true;
+ } else {
+ _gnutls_debug_log("cfg: unknown ktls mode %s\n",
+ p);
+ if (fail_on_invalid_config)
+ return 0;
+ }
} else {
_gnutls_debug_log("unknown parameter %s\n", name);
if (fail_on_invalid_config)
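Review bot: The new `ktls` option only recognises `false`; the obvious counterpart `ktls = true` is logged as "unknown ktls mode" and, with `fail_on_invalid_config`, rejects the whole system config, which is surprising for a boolean-looking key. Accepting it explicitly is two lines: `} else if (c_strcasecmp(p, "true") == 0) { cfg->ktls_disabled = false; }` inserted before the `else` that logs the error. If only `false` is meant to be valid, the debug message should say so, e.g. `"cfg: unknown ktls value %s (only 'false' is accepted)\n"`. The enclosing global_ini_handler() begins before this hunk.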
@@ -3467,3 +3479,7 @@ gnutls_priority_string_list(unsigned iter, unsigned int flags)
}
return NULL;
}
+
+bool _gnutls_config_is_ktls_disabled(void){
+ return system_wide_config.ktls_disabled;
+}
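Review bot: The new accessor puts its opening brace on the signature line (`...(void){`), while the rest of this file and `_gnutls_ktls_enable` in ktls.c put the function brace on its own line; it should read `bool _gnutls_config_is_ktls_disabled(void)` followed by `{` on the next line. It also lacks a comment; `/* Returns whether [global] ktls = false was set in the system-wide config. */` is enough. It reads `system_wide_config` with no visible locking — if the system config can be (re)loaded after library init on another thread, the caller in gnutls_handshake() needs whatever synchronisation the other readers of `system_wide_config` use; that cannot be confirmed from this hunk.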
diff --git a/lib/system/ktls.c b/lib/system/ktls.c
index 92c5b36073..b9f7a73fb5 100644
--- a/lib/system/ktls.c
+++ b/lib/system/ktls.c
@@ -57,7 +57,6 @@ gnutls_transport_is_ktls_enabled(gnutls_session_t session){
void _gnutls_ktls_enable(gnutls_session_t session)
{
int sockin, sockout;
- session->internals.ktls_enabled = 0;
gnutls_transport_get_int2(session, &sockin, &sockout);
if (setsockopt(sockin, SOL_TCP, TCP_ULP, "tls", sizeof ("tls")) == 0)
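Review bot: Dropping `session->internals.ktls_enabled = 0;` from `_gnutls_ktls_enable()` changes the function's contract: it now assumes the caller has already zeroed the flags, and any other call site (present or future) would OR new bits into stale ones. That precondition should be stated at the top of the function, e.g. `/* Precondition: caller has reset session->internals.ktls_enabled; this only sets the bits for directions where TCP_ULP succeeded. */`. The function body continues past the end of this hunk.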