authorGlenn Strauss <gstrauss@gluelogic.com>2023-05-07 02:56:26 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2023-05-07 03:00:31 -0400
commitbdfbcbf23307463e9d0fc2426d64ced2c8acd4e4 (patch)
treeb4dae53273f105f0571e95f72493bce5f07b0fe4
parent14fe46f09e8a818def30dadfa439de401577f1fb (diff)
downloadlighttpd-git-bdfbcbf23307463e9d0fc2426d64ced2c8acd4e4.tar.gz
[mod_openssl] FreeBSD: check "kern.ipc.tls.enable"
FreeBSD: check sysctl "kern.ipc.tls.enable" before attempting KTLS (avoid setsockopt() if KTLS is not enabled in running FreeBSD kernel)
-rw-r--r--src/mod_openssl.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 462456ef..9d5c1521 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -37,6 +37,10 @@
#include <stdlib.h>
#include <string.h>
+#ifdef __FreeBSD__
+#include <sys/sysctl.h> /* sysctlbyname() */
+#endif
+
/*(not needed)*/
/* correction; needed for:
* SSL_load_client_CA_file()
@@ -170,6 +174,9 @@ typedef struct {
} plugin_data;
static int ssl_is_init;
+#ifdef __FreeBSD__
+static int ktls_enable;
+#endif
/* need assigned p->id for deep access of module handler_ctx for connection
* i.e. handler_ctx *hctx = con->plugin_ctx[plugin_data_singleton->id]; */
static plugin_data *plugin_data_singleton;
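Review bot: The new `static int ktls_enable;` carries no comment saying where it is written or what its zero value means, and the code that sets it lives in a different function far from this declaration. Add `/* FreeBSD kern.ipc.tls.enable; stays 0 (KTLS off) unless the sysctl read in mod_openssl_set_defaults() succeeds */` above the declaration, so a reader does not have to locate the sysctlbyname() call to learn that a failed lookup leaves KTLS disabled.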
@@ -2276,6 +2283,10 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
#endif
#ifdef SSL_OP_ENABLE_KTLS /* openssl 3.0.0 */
ssloptions |= SSL_OP_ENABLE_KTLS;
+ #ifdef __FreeBSD__
+ if (!ktls_enable)
+ ssloptions &= ~SSL_OP_ENABLE_KTLS;
+ #endif
#ifdef SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE
ssloptions |= SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE;
#endif
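Review bot: On FreeBSD the bit is set by the existing `ssloptions |= SSL_OP_ENABLE_KTLS;` and then cleared two lines later by `ssloptions &= ~SSL_OP_ENABLE_KTLS;` when `ktls_enable` is zero, which reads as a correction rather than a decision; placing `#ifdef __FreeBSD__` / `if (ktls_enable)` / `#endif` directly before the existing `ssloptions |= SSL_OP_ENABLE_KTLS;` line and dropping the `&= ~` block expresses the same thing in one conditional. Note also that `SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE` is still ORed in unconditionally after the KTLS bit has been cleared; whether that flag has any effect without KTLS is not visible here, but grouping it under the same `ktls_enable` test would make the intent explicit. network_init_ssl begins and ends outside this hunk.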
@@ -2985,6 +2996,19 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
"security patches from openssl.org");
#endif
+ #ifdef SSL_OP_ENABLE_KTLS /* openssl 3.0.0 */
+ #ifdef __FreeBSD__
+ size_t ktls_sz = sizeof(ktls_enable);
+ if (0 != sysctlbyname("kern.ipc.tls.enable",
+ &ktls_enable, &ktls_sz, NULL, 0)) {
+ #if 0 /*(not present on kernels < FreeBSD 13 unless backported)*/
+ log_perror(srv->errh, __FILE__, __LINE__,
+ "sysctl(\"kern.ipc.tls.enable\")");
+ #endif
+ }
+ #endif
+ #endif
+
return mod_openssl_set_defaults_sockets(srv, p);
}
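Review bot: A failed `sysctlbyname("kern.ipc.tls.enable", ...)` is silently ignored because the `log_perror` call is wrapped in `#if 0`, so an unexpected error on a kernel where the sysctl should exist leaves KTLS disabled with no diagnostic. Failing closed is the right default, but the missing-sysctl case described in the `#if 0` comment can be told apart from other failures: replace the `#if 0` with `if (errno != ENOENT)` around the `log_perror` call (keeping `ktls_enable` at 0 on that path), assuming `<errno.h>` is already included earlier in the file, which this hunk does not show. A one-line comment on the `size_t ktls_sz = sizeof(ktls_enable);` declaration such as `/* kern.ipc.tls.enable is an int sysctl; buffer size must match */` would document why that size is correct.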