From nobody Sun May 15 18:53:39 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 48BD21AD2F39; Sun, 15 May 2022 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4L1WkD1Wqpz4XPl; Sun, 15 May 2022 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1652640820; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8KcK4gWpJLId/0kQRB+byO0FKAXkuOKriPZnozrkJ8M=; b=TldXT0xN5QVsGE42ts901mx3206lJntDp2XjeeWxcYUoAZS2bVcONN9H5GEwNP+GrNCUfy NrGLEOlGRZtlcnCGZUmjwMI6eDVIQOD+XE8rLP4KaVJRSf2KMGobhah+ZeU2EzYxYXw4Xq G7l1dHCXwqI8TrrTTHpqjEyO8YoLmfnO9TPXy+3PjFLVlQjKBuCcSnXRKfj8bwuy7T/yiV Gp0UpoCrirgyccOX2TXmsb/M5UTSGD+iCkX7zBJxMwWmRyLsGKcrWfEyZIJnA8ZmRAxnl9 Uq5CkKxtu9+B9j1JO2xWK9XSPQjpaori4gv56O+mM1HXjropfbn0Bj/d2dlWQw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 147841174F; Sun, 15 May 2022 18:53:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 24FIrdgr036271; Sun, 15 May 2022 18:53:39 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 24FIrd1F036270; Sun, 15 May 2022 18:53:39 GMT (envelope-from git) Date: Sun, 15 May 2022 18:53:39 GMT Message-Id: <202205151853.24FIrd1F036270@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Rick Macklem Subject: git: 0b4f2ab0e913 - main - krpc: Fix NFS-over-TLS for KTLS1.3 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0b4f2ab0e91307bd1fa6e884b0fccef9d10d5a2d Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1652640820; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=8KcK4gWpJLId/0kQRB+byO0FKAXkuOKriPZnozrkJ8M=; b=szQI83jT1a8Oxqdnq3f2Pr5QUPWuPZhZtH7dwsGkqy9jzUvM61ZMHZOS2RNEBQfblm+aam aNJL31SjPXvHl9HcE9PpeuexpWJLTaUtUji5IU5FK28Rorx/tiDs4aOyiKx7JudxvRuKmP IclmWEGIBO41olFBOr7XdWUAHqkutfFSpVcavcmQBfUNilYcgQr2q96/vWAr2czyIeGUZK 3O6/RrMBh67sQ+MQX6htrtK1iPqH6gt0LAB6M8C0WtMnnJqNbWQbajuBUptPR7fY88oj5a NmQebhYAsQy3qZj3SxGXYvei/lZtXoI+5NSrzmwgFDCoobUnP0d1KTT+cPfnvg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1652640820; a=rsa-sha256; cv=none; b=pCRHXbyW0bg24EwGMznKEm7CM5E15fTcTqonqapugs39aGehHUiOyTVaSNrS+kK5Uv9vNv JhygQ7YnCnGRfj/6AvSUa0Tm4aVkb2tYgMADYvXoEwBs+lc+rKRfNZtFg42N46OoFAQSSD +tdJ8UdehuZXEiy1UGBIQ6sjq+3IPxkYhPKExE8818FB30KevaVo6E5pi3zs65fSjKcla7 B5fSwQZe3/BN289o84IjNjpXffyjbwYW9EOpRyPj0zXgrOdX+yGR2BdzQiTze/Hg1/Iqvg siaOwnrrxYre25EKtVcc4gwow+mG4GAKdwwWKrSc4Z8Bs3IJK0Z8ctu3cqZV6Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=0b4f2ab0e91307bd1fa6e884b0fccef9d10d5a2d commit 0b4f2ab0e91307bd1fa6e884b0fccef9d10d5a2d Author: Rick Macklem AuthorDate: 2022-05-15 18:51:56 +0000 Commit: Rick Macklem CommitDate: 2022-05-15 18:51:56 +0000 krpc: Fix NFS-over-TLS for KTLS1.3 When NFS-over-TLS uses KTLS1.3, the client can receive post-handshake handshake records. These records can be safely thown away, but are not handled correctly via the rpctls_ct_handlerecord() upcall to the daemon. Commit 373511338d95 changed soreceive_generic() so that it will only return ENXIO for Alert records when MSG_TLSAPPDATA is specified. As such, the post-handshake handshake records will be returned to the krpc. This patch modifies the krpc so that it will throw these records away, which seems sufficient to make NFS-over-TLS work with KTLS1.3. This change has no effect on the use of KTLS1.2, since it does not generate post-handshake handshake records. MFC after: 2 weeks --- sys/rpc/clnt_vc.c | 21 +++++++++------------ sys/rpc/svc_vc.c | 12 ++++++------ 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/sys/rpc/clnt_vc.c b/sys/rpc/clnt_vc.c index f565de06f4bd..0c415d048141 100644 --- a/sys/rpc/clnt_vc.c +++ b/sys/rpc/clnt_vc.c @@ -944,7 +944,7 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) { struct ct_data *ct = (struct ct_data *) arg; struct uio uio; - struct mbuf *m, *m2, **ctrlp; + struct mbuf *m, *m2; struct ct_request *cr; int error, rcvflag, foundreq; uint32_t xid_plus_direction[2], header; @@ -992,13 +992,10 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) m2 = m = NULL; rcvflag = MSG_DONTWAIT | MSG_SOCALLBCK; if (ct->ct_sslrefno != 0 && (ct->ct_rcvstate & - RPCRCVSTATE_NORMAL) != 0) { + RPCRCVSTATE_NORMAL) != 0) rcvflag |= MSG_TLSAPPDATA; - ctrlp = NULL; - } else - ctrlp = &m2; SOCKBUF_UNLOCK(&so->so_rcv); - error = soreceive(so, NULL, &uio, &m, ctrlp, &rcvflag); + error = soreceive(so, NULL, &uio, &m, &m2, &rcvflag); SOCKBUF_LOCK(&so->so_rcv); if (error == EWOULDBLOCK) { @@ -1023,8 +1020,8 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) } /* - * A return of ENXIO indicates that there is a - * non-application data record at the head of the + * A return of ENXIO indicates that there is an + * alert record at the head of the * socket's receive queue, for TLS connections. * This record needs to be handled in userland * via an SSL_read() call, so do an upcall to the daemon. @@ -1051,10 +1048,10 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) { memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr)); /* - * This should have been handled by - * setting RPCRCVSTATE_UPCALLNEEDED in - * ct_rcvstate but if not, all we can do - * is toss it away. + * TLS_RLTYPE_ALERT records should be handled + * since soreceive() would have returned + * ENXIO. Just throw any other + * non-TLS_RLTYPE_APP records away. */ if (tgr.tls_type != TLS_RLTYPE_APP) { m_freem(m); diff --git a/sys/rpc/svc_vc.c b/sys/rpc/svc_vc.c index f0e0ee5d4d62..43d14c702d4e 100644 --- a/sys/rpc/svc_vc.c +++ b/sys/rpc/svc_vc.c @@ -804,8 +804,8 @@ tryagain: } /* - * A return of ENXIO indicates that there is a - * non-application data record at the head of the + * A return of ENXIO indicates that there is an + * alert record at the head of the * socket's receive queue, for TLS connections. * This record needs to be handled in userland * via an SSL_read() call, so do an upcall to the daemon. @@ -863,10 +863,10 @@ tryagain: cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) { memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr)); /* - * This should have been handled by - * the rpctls_svc_handlerecord() - * upcall. If not, all we can do is - * toss it away. + * TLS_RLTYPE_ALERT records should be handled + * since soreceive() would have returned + * ENXIO. Just throw any other + * non-TLS_RLTYPE_APP records away. */ if (tgr.tls_type != TLS_RLTYPE_APP) { m_freem(m);