From owner-svn-src-projects@freebsd.org Wed Jul 1 21:19:34 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0C4CB35B9FE for ; Wed, 1 Jul 2020 21:19:34 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49xvHn6Wx5z3Y6t; Wed, 1 Jul 2020 21:19:33 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AA069FC80; Wed, 1 Jul 2020 21:19:33 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 061LJXpb007674; Wed, 1 Jul 2020 21:19:33 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 061LJXeL007672; Wed, 1 Jul 2020 21:19:33 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202007012119.061LJXeL007672@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Wed, 1 Jul 2020 21:19:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r362865 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: in projects/nfs-over-tls/sys/rpc: . rpcsec_tls X-SVN-Commit-Revision: 362865 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jul 2020 21:19:34 -0000 Author: rmacklem Date: Wed Jul 1 21:19:32 2020 New Revision: 362865 URL: https://svnweb.freebsd.org/changeset/base/362865 Log: Add a new xp_tls flag to indicate handshake failure. This new flag is used to disable the kernel code from closing the socket upon handshake failure, so that the daemon can close it once SSL_accept() has returned failure. Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c projects/nfs-over-tls/sys/rpc/svc_vc.c Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 20:45:26 2020 (r362864) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 21:19:32 2020 (r362865) @@ -48,6 +48,7 @@ int rpctls_syscall(int, const char *); #define RPCTLS_FLAGS_VERIFIED 0x08 #define RPCTLS_FLAGS_DISABLED 0x10 #define RPCTLS_FLAGS_CERTUSER 0x20 +#define RPCTLS_FLAGS_HANDSHFAIL 0x40 /* Error return values for upcall rpcs. */ #define RPCTLSERR_OK 0 Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Wed Jul 1 20:45:26 2020 (r362864) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Wed Jul 1 21:19:32 2020 (r362865) @@ -704,8 +704,10 @@ printf("authtls: null reply=%d\n", call_stat); xprt->xp_gidp = gidp; printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp); } - } else if (stat == RPC_TIMEDOUT) - xprt->xp_upcallset = 0; /* upcall cleared by soshutdown(). */ + } else { + /* Mark that TLS handshake failed. */ + xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL; + } sx_xunlock(&xprt->xp_lock); xprt_active(xprt); /* Harmless if already active. */ printf("authtls: aft handshake stat=%d\n", stat); Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_vc.c Wed Jul 1 20:45:26 2020 (r362864) +++ projects/nfs-over-tls/sys/rpc/svc_vc.c Wed Jul 1 21:19:32 2020 (r362865) @@ -455,18 +455,20 @@ svc_vc_destroy_common(SVCXPRT *xprt) uint32_t reterr; if (xprt->xp_socket) { - if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) { + if ((xprt->xp_tls & (RPCTLS_FLAGS_HANDSHAKE | + RPCTLS_FLAGS_HANDSHFAIL)) == 0) + (void)soclose(xprt->xp_socket); + else if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) { /* * If the upcall fails, the socket has * probably been closed via the rpctlssd * daemon having crashed or been - * restarted. + * restarted, so just ignore returned stat. */ stat = rpctls_srv_disconnect(xprt->xp_sslsec, xprt->xp_sslusec, xprt->xp_sslrefno, &reterr); - } else - (void)soclose(xprt->xp_socket); + } } if (xprt->xp_netid)