From owner-svn-src-projects@freebsd.org Sat May 16 05:26:17 2020
From: Benjamin Kaduk
Date: Fri, 15 May 2020 22:26:04 -0700
Subject: Re: svn commit: r361101 - projects/nfs-over-tls/sys/rpc
To: Rick Macklem
Cc: src-committers, svn-src-projects@freebsd.org
References: <202005160243.04G2hSIn006010@repo.freebsd.org>
In-Reply-To: <202005160243.04G2hSIn006010@repo.freebsd.org>

On Fri, May 15, 2020 at 7:43 PM Rick Macklem wrote:
> Author: rmacklem
> Date: Sat May 16 02:43:27 2020
> New Revision: 361101
> URL: https://svnweb.freebsd.org/changeset/base/361101
>
> Log:
> Add support for doing upcalls to the rpctlscd daemon to the krpc client
> when TLS non-application data records are received.
>
> This is similar to code added to the krpc server side. However, since
> soreceive() is called in a socket upcall where it cannot sleep, the
> code needed to get a thread that is in clnt_vc_call() to do the
> upcall.
> The ct_dontrcv boolean was changed to a 5 state variable to indicate
> when/if an upcall is done.
>
> This code hasn't really been tested, since I don't know how to get
> TLS1.2 to put a non-application data record in the stream, except when
> doing SSL_shutdown() (a close alert) and this is initiated by the
> client when the socket is closing.
>

A typical way to do so is to perform renegotiation (e.g., send a ClientHello in the encrypted stream). Renegotiation has some pretty weird properties to it and isn't in TLS 1.3 at all, but it should get you non-application-data records in a TLS 1.2 connection. In OpenSSL look at the SSL_renegotiate() API.

-Ben