From owner-svn-src-projects@freebsd.org Sun May 3 00:15:20 2020
Message-Id: <202005030015.0430FJK8097417@repo.freebsd.org>
From: Rick Macklem
Date: Sun, 3 May 2020 00:15:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r360580 - in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd
X-SVN-Commit-Revision: 360580
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src "projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 03 May 2020 00:15:20 -0000

Author: rmacklem
Date: Sun May  3 00:15:18 2020
New Revision: 360580
URL: https://svnweb.freebsd.org/changeset/base/360580

Log:
  Fix the daemons so they actually work with jhb@'s patched openssl3.
  The code now has passed a trivial test, where an NFS mount was
  TLS1.2 encrypted on the wire.
  I will be updating the setup document, so others will be able to
  set up system(s) for testing.

  I have not yet decided what the correct way to handle a failure
  to set up the ktls is. For the server, I suspect it is clearing
  of the flags that say "handshake complete". For the client, I am
  not sure if the mount should continue unencrypted or the mount
  attempt should fail?

  At this time, the daemons build, but report warnings that
  SSL_CTX_load_XXX is deprecated. It works until I figure out what
  the preferred OpenSSL 3 call is.
Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:15:18 2020 (r360580) @@ -8,7 +8,10 @@ SRCS= rpctlscd.c rpctlscd.h rpctlscd_svc.c rpctlscd_xd CFLAGS+= -I. -LIBADD= ssl crypto +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util CLEANFILES= rpctlscd_svc.c rpctlscd_xdr.c rpctlscd.h Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:15:18 2020 (r360580) @@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -72,7 +73,7 @@ __FBSDID("$FreeBSD$"); #define _PATH_RPCTLSCDPID "/var/run/rpctlscd.pid" #endif #ifndef _PREFERRED_CIPHERS -#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" #endif static struct pidfh *rpctls_pfh = NULL; @@ -382,7 +383,6 @@ rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_a rpctlscd_verbose_out("rpctlscd_disconnect: fd=%d closed\n", slp->s); LIST_REMOVE(slp, next); - SSL_shutdown(slp->ssl); SSL_free(slp->ssl); /* * For RPC-over-TLS, this upcall is expected @@ -560,7 +560,6 @@ rpctls_connect(SSL_CTX *ctx, int s) if (cert == NULL) { rpctlscd_verbose_out("rpctls_connect: get peer" " certificate failed\n"); - SSL_shutdown(ssl); SSL_free(ssl); return (NULL); } 
@@ -585,17 +584,24 @@ rpctls_connect(SSL_CTX *ctx, int s) "failed %s\n", hostnam, cp, cp2, X509_verify_cert_error_string(ret)); } - SSL_shutdown(ssl); SSL_free(ssl); return (NULL); } -#ifdef notnow + /* Check to see if ktls is enabled on the connection. */ ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); - fprintf(stderr, "ktls_send=%d\n", ret); - ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); - fprintf(stderr, "ktls_recv=%d\n", ret); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret); + if (ret != 0) { + ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret); + } +#ifdef notnow + if (ret == 0) { + SSL_free(ssl); + return (NULL); + } #endif + return (ssl); } Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:15:18 2020 (r360580) @@ -8,7 +8,10 @@ SRCS= rpctlssd.c rpctlssd.h rpctlssd_svc.c rpctlssd_xd CFLAGS+= -I. -LIBADD= ssl crypto +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util CLEANFILES= rpctlssd_svc.c rpctlssd_xdr.c rpctlssd.h Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:12:56 2020 (r360579) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:15:18 2020 (r360580) @@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -74,7 +75,7 @@ __FBSDID("$FreeBSD$"); #define _PATH_RPCTLSSDPID "/var/run/rpctlssd.pid" #endif #ifndef _PREFERRED_CIPHERS -#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" #endif static struct pidfh *rpctls_pfh = NULL; 
@@ -663,6 +664,21 @@ rpctlssd_verbose_out("%s\n", cp2); rpctlssd_verbose_out("rpctls_server: " "No peer certificate\n"); } + + /* Check to see that ktls is working for the connection. */ + ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); + rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_send=%d\n", ret); + if (ret != 0) { + ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); + rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_recv=%d\n", ret); + } +#ifdef notnow + if (ret == 0) { + SSL_free(ssl); + return (NULL); + } +#endif + return (ssl); }
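Review bot: in the rpctlscd/Makefile hunk, `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` hardcode a private install prefix for the patched OpenSSL. A compiler silently ignores a missing `-I` directory, so on a machine without /usr/ktls the build picks up the base system's OpenSSL headers instead, and `-L` only affects link time: without an rpath or ldconfig entry for /usr/ktls/lib the runtime linker resolves libssl from the default library path, so the daemon can be linked against one libssl and run against another. Suggest making the prefix a make variable (e.g. `KTLS_OPENSSL_DIR?= /usr/ktls`, a name assumed here) and failing the build loudly when it is absent, so the dependency on the patched library is explicit rather than an accident of the build host.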
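Review bot: the rpctlscd.c `_PREFERRED_CIPHERS` hunk pins a single suite, `"AES128-GCM-SHA256"`, which in OpenSSL naming is TLS_RSA_WITH_AES_128_GCM_SHA256, i.e. static RSA key exchange with no forward secrecy: a later compromise of the server's private key would allow decryption of recorded NFS traffic. If the narrowing is meant to force an AES-GCM record cipher that ktls can offload, the ECDHE variant (`ECDHE-RSA-AES128-GCM-SHA256`, or the ECDHE-ECDSA form for EC keys) keeps the same record cipher with an ephemeral key exchange. A comment on the define saying why the list was narrowed would help, and note that if this string is passed to `SSL_CTX_set_cipher_list()` it governs TLS 1.2 suites only; TLS 1.3 suites are configured separately.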
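Review bot: in the rpctlscd_disconnect_1_svc hunk, dropping `SSL_shutdown(slp->ssl);` before `SSL_free()` means no close_notify alert is ever sent, so the peer cannot distinguish an orderly close from a connection cut by a third party (a TLS truncation). If this is deliberate because the socket belongs to the kernel ktls path once the handshake completes, the comment block that follows ("For RPC-over-TLS, this upcall is expected ...") should state that; otherwise keep the shutdown, or at least its first, non-blocking half. The same `SSL_shutdown(ssl);` removal appears in the two error paths of rpctls_connect() and deserves the same justification there.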
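Review bot: in the rpctls_connect() ktls hunk, the `if (ret == 0) { SSL_free(ssl); return (NULL); }` block sits under `#ifdef notnow`, so a connection on which ktls was not enabled is still returned to the caller as a success and the only trace is a verbose-mode log line. That is a fail-open: the kernel RPC code then runs over a socket the kernel is not encrypting, which is exactly the client-side question the log message leaves open. Until that policy is decided, log the failure unconditionally (not only under verbose) and expose the ktls status to the caller so the mount can refuse, rather than silently continuing in the clear.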
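Review bot: the rpctlssd/Makefile hunk has the same hardcoded `-I/usr/ktls/include` / `-L/usr/ktls/lib` prefix as the client Makefile, with the same header-fallback and runtime-library-resolution concern; whatever variable is introduced for the client should be shared with the server so the two daemons cannot be built against different OpenSSL trees.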
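Review bot: the rpctlssd.c `_PREFERRED_CIPHERS` hunk makes the same single-suite, static-RSA choice as the client (`"AES128-GCM-SHA256"`, no forward secrecy), with the same ECDHE alternative available. Since client and server must agree on this string, consider moving it to one shared header so the two defines cannot drift apart in later commits.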
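Review bot: the rpctls_server ktls hunk has the same fail-open as the client: a ktls failure is reported only via `rpctlssd_verbose_out()` and `ssl` is still returned. The log message suggests clearing the "handshake complete" flags on the server; whichever approach is chosen, the check should not remain behind `#ifdef notnow` in a build others are asked to test with, because a misconfigured test system would appear to work while carrying NFS data in cleartext. A server can always refuse a connection safely, so enabling the `SSL_free(ssl); return (NULL);` block on the server side now is the conservative default while the client policy stays an open question.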