Date: Sun, 3 May 2020 00:15:19 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r360580 - in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd Message-ID: <202005030015.0430FJK8097417@repo.freebsd.org>
Author: rmacklem Date: Sun May 3 00:15:18 2020 New Revision: 360580 URL: https://svnweb.freebsd.org/changeset/base/360580 Log: Fix the daemons so they actually work with jhb@'s patched openssl3. The code now has passed a trivial test, where an NFS mount was TLS1.2 encrypted on the wire. I will be updating the setup document, so others will be able to set up system(s) for testing. I have not yet decided what the correct way to handle a failure to set up the ktls is. For the server, I suspect it is clearing of the flags that say "handshake complete". For the client, I am not sure if the mount should continue unencrypted or the mount attempt should fail? At this time, the daemons build, but report warnings that SSL_CTX_load_XXX is deprecated. It works until I figure out what the preferred OpenSSL 3 call is. Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:15:18 2020 (r360580) @@ -8,7 +8,10 @@ SRCS= rpctlscd.c rpctlscd.h rpctlscd_svc.c rpctlscd_xd CFLAGS+= -I. -LIBADD= ssl crypto +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util CLEANFILES= rpctlscd_svc.c rpctlscd_xdr.c rpctlscd.h Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:15:18 2020 (r360580) 
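Review bot: The new `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` lines pin the build to a private OpenSSL tree, and `-L` only steers the link step: at run time the dynamic linker resolves libssl/libcrypto through its own search path, so the installed daemon may load a libssl without the ktls BIO support this commit depends on, or fail to start if the sonames differ. Worth checking with `ldd` on the built binary and, if it does not resolve to the ktls build, adding `LDFLAGS+= -Wl,-rpath,/usr/ktls/lib` next to the `-L` line. Nothing in the hunk says why /usr/ktls is used, so a short comment marking these two lines as temporary until the ktls-capable OpenSSL is available in base would help the next reader. The rpctlssd/Makefile hunk below makes the identical change.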
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include <rpc/rpc_com.h> #include <rpc/rpcsec_tls.h> +#include <openssl/opensslconf.h> #include <openssl/bio.h> #include <openssl/ssl.h> #include <openssl/err.h> @@ -72,7 +73,7 @@ __FBSDID("$FreeBSD$"); #define _PATH_RPCTLSCDPID "/var/run/rpctlscd.pid" #endif #ifndef _PREFERRED_CIPHERS -#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" #endif static struct pidfh *rpctls_pfh = NULL; @@ -382,7 +383,6 @@ rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_a rpctlscd_verbose_out("rpctlscd_disconnect: fd=%d closed\n", slp->s); LIST_REMOVE(slp, next); - SSL_shutdown(slp->ssl); SSL_free(slp->ssl); /* * For RPC-over-TLS, this upcall is expected @@ -560,7 +560,6 @@ rpctls_connect(SSL_CTX *ctx, int s) if (cert == NULL) { rpctlscd_verbose_out("rpctls_connect: get peer" " certificate failed\n"); - SSL_shutdown(ssl); SSL_free(ssl); return (NULL); } @@ -585,17 +584,24 @@ rpctls_connect(SSL_CTX *ctx, int s) "failed %s\n", hostnam, cp, cp2, X509_verify_cert_error_string(ret)); } - SSL_shutdown(ssl); SSL_free(ssl); return (NULL); } -#ifdef notnow + /* Check to see if ktls is enabled on the connection. */ ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); - fprintf(stderr, "ktls_send=%d\n", ret); - ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); - fprintf(stderr, "ktls_recv=%d\n", ret); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret); + if (ret != 0) { + ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret); + } +#ifdef notnow + if (ret == 0) { + SSL_free(ssl); + return (NULL); + } #endif + return (ssl); } Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:15:18 2020 (r360580) 
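Review bot: The new `_PREFERRED_CIPHERS "AES128-GCM-SHA256"` in the second hunk names a single TLS 1.2 suite with static RSA key exchange (TLS_RSA_WITH_AES_128_GCM_SHA256), so sessions built from it have no forward secrecy: anyone who later obtains the server's RSA key can decrypt captured NFS traffic. Key exchange does not affect what ktls has to offload (only the record cipher does), so an ECDHE suite with the same AES-GCM record protection, e.g. `ECDHE-RSA-AES128-GCM-SHA256`, should work equally well with the patched OpenSSL and is the safer single entry if one suite is all the test setup wants. Whatever is chosen, a comment such as `/* Single suite for now while testing the ktls offload; revisit before this list is final. */` would record why the previous list was replaced, since the hunk gives no reason. rpctlssd.c's hunk at `@@ -74,7 +75,7 @@` makes the identical change.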
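Review bot: The third, fourth and fifth hunks drop `SSL_shutdown()` before `SSL_free()` without a comment saying why, so the next reader cannot tell whether this is deliberate (for instance because the socket belongs to the kernel once ktls is active, or because the handshake never completed on the error paths) or an accidental loss of the close_notify alert. Without close_notify the peer cannot distinguish an orderly close from a truncated stream, which matters for the disconnect path in `rpctlscd_disconnect_1_svc` more than for the pre-handshake error returns in `rpctls_connect`. A one-line comment above `SSL_free(slp->ssl);` in the disconnect hunk, along the lines of `/* No SSL_shutdown() here: <reason>; close_notify is not sent from this daemon. */` with the real reason filled in, would settle it. Both functions start before their hunks and continue after them.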
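Review bot: In the last hunk, when `BIO_get_ktls_send()` or `BIO_get_ktls_recv()` returns 0 the function still falls through to `return (ssl)`, because the fail-closed branch is under `#ifdef notnow`; the caller (outside the hunk) then gets a handshake-complete handle with no indication that the kernel cannot do the record encryption, and per the log message the connection would continue unencrypted. Until the policy is decided, compiling in `if (ret == 0) { SSL_free(ssl); return (NULL); }` rather than leaving it under `notnow`, or at least returning the ktls state to the caller, is the safer default; the verbose log line on its own is not a check. Note also that when `BIO_get_ktls_send()` returns 0 the recv side is never queried, so the log only ever shows one of the two values, which may hide which direction failed. rpctlssd.c's hunk at `@@ -663,6 +664,21 @@` has the same structure and the same gap.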
@@ -8,7 +8,10 @@ SRCS= rpctlssd.c rpctlssd.h rpctlssd_svc.c rpctlssd_xd CFLAGS+= -I. -LIBADD= ssl crypto +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util CLEANFILES= rpctlssd_svc.c rpctlssd_xdr.c rpctlssd.h Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:15:18 2020 (r360580) @@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$"); #include <rpc/rpc_com.h> #include <rpc/rpcsec_tls.h> +#include <openssl/opensslconf.h> #include <openssl/bio.h> #include <openssl/ssl.h> #include <openssl/err.h> @@ -74,7 +75,7 @@ __FBSDID("$FreeBSD$"); #define _PATH_RPCTLSSDPID "/var/run/rpctlssd.pid" #endif #ifndef _PREFERRED_CIPHERS -#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" #endif static struct pidfh *rpctls_pfh = NULL; @@ -663,6 +664,21 @@ rpctlssd_verbose_out("%s\n", cp2); rpctlssd_verbose_out("rpctls_server: " "No peer certificate\n"); } + + /* Check to see that ktls is working for the connection. */ + ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); + rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_send=%d\n", ret); + if (ret != 0) { + ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); + rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_recv=%d\n", ret); + } +#ifdef notnow + if (ret == 0) { + SSL_free(ssl); + return (NULL); + } +#endif + return (ssl); }