From owner-svn-src-projects@freebsd.org Wed Jul 1 02:11:17 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1A6EA35ACB1 for ; Wed, 1 Jul 2020 02:11:17 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49xPpr71YHz4CpC; Wed, 1 Jul 2020 02:11:16 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D2FCF2200F; Wed, 1 Jul 2020 02:11:16 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0612BGeY098825; Wed, 1 Jul 2020 02:11:16 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0612BG0u098822; Wed, 1 Jul 2020 02:11:16 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202007010211.0612BG0u098822@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Wed, 1 Jul 2020 02:11:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r362820 - projects/nfs-over-tls/sys/rpc X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/sys/rpc X-SVN-Commit-Revision: 362820 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jul 2020 02:11:17 -0000 Author: rmacklem Date: Wed Jul 1 02:11:15 2020 New Revision: 362820 URL: https://svnweb.freebsd.org/changeset/base/362820 Log: Use a reserved value for ssl refno to indicate that a handshake is in progress. This is needed so clnt_vc_destroy() will not do a soclose() on the socket, since the daemon may still be in SSL_connect(). Modified: projects/nfs-over-tls/sys/rpc/clnt_rc.c projects/nfs-over-tls/sys/rpc/clnt_vc.c projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Modified: projects/nfs-over-tls/sys/rpc/clnt_rc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_rc.c Wed Jul 1 01:12:23 2020 (r362819) +++ projects/nfs-over-tls/sys/rpc/clnt_rc.c Wed Jul 1 02:11:15 2020 (r362820) @@ -198,6 +198,16 @@ clnt_reconnect_connect(CLIENT *cl) (struct sockaddr *) &rc->rc_addr, rc->rc_prog, rc->rc_vers, rc->rc_sendsz, rc->rc_recvsz, rc->rc_intr); if (rc->rc_tls && newclient != NULL) { + /* + * Set ssl refno so that clnt_vc_destroy() will not + * close the socket and will leave that for the + * daemon to do. It is possible that the upcall + * will time out, so that closing the socket via + * the CLNT_CLOSE() below would happen too soon. + */ + ssl[0] = ssl[1] = 0; + ssl[2] = RPCTLS_REFNO_HANDSHAKE; + CLNT_CONTROL(newclient, CLSET_TLS, ssl); printf("at rpctls_connect\n"); stat = rpctls_connect(newclient, so, ssl, &reterr); printf("aft rpctls_connect=%d ssl=%jd\n", stat, (uintmax_t)ssl[2]); Modified: projects/nfs-over-tls/sys/rpc/clnt_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_vc.c Wed Jul 1 01:12:23 2020 (r362819) +++ projects/nfs-over-tls/sys/rpc/clnt_vc.c Wed Jul 1 02:11:15 2020 (r362820) @@ -775,12 +775,15 @@ printf("backch tls=0x%x xprt=%p\n", xprt->xp_tls, xprt ct->ct_sslsec = *p++; ct->ct_sslusec = *p++; ct->ct_sslrefno = *p; - mtx_unlock(&ct->ct_lock); - /* Start the kthread that handles upcalls. */ - error = kthread_add(clnt_vc_dotlsupcall, ct, - NULL, NULL, 0, 0, "krpctls%u", thrdnum++); - if (error != 0) - panic("Can't add KRPC thread error %d", error); + if (ct->ct_sslrefno != RPCTLS_REFNO_HANDSHAKE) { + mtx_unlock(&ct->ct_lock); + /* Start the kthread that handles upcalls. */ + error = kthread_add(clnt_vc_dotlsupcall, ct, + NULL, NULL, 0, 0, "krpctls%u", thrdnum++); + if (error != 0) + panic("Can't add KRPC thread error %d", error); + } else + mtx_unlock(&ct->ct_lock); return (TRUE); case CLSET_BLOCKRCV: @@ -892,24 +895,22 @@ clnt_vc_destroy(CLIENT *cl) if (so) { if (ct->ct_sslrefno != 0) { /* - * If the upcall fails, the socket has - * probably been closed via the rpctlscd - * daemon having crashed or been - * restarted, so ignore return stat. + * If the TLS handshake is in progress, the upcall + * will fail, but the socket should be closed by the + * daemon, since the connect upcall has just failed. */ - stat = rpctls_cl_disconnect(ct->ct_sslsec, - ct->ct_sslusec, ct->ct_sslrefno, - &reterr); - } else if ((ct->ct_rcvstate & RPCRCVSTATE_TLSHANDSHAKE) == 0) { - /* - * If the TLS handshake is in progress, leave the - * socket so that it will closed by the daemon. - * This can only occur if the daemon is waiting for - * an openssl call like SSL_connect() for a long - * time. The call will normally eventually fail and - * then the daemon will close the socket, so do not - * do it here. - */ + if (ct->ct_sslrefno != RPCTLS_REFNO_HANDSHAKE) { + /* + * If the upcall fails, the socket has + * probably been closed via the rpctlscd + * daemon having crashed or been + * restarted, so ignore return stat. + */ + stat = rpctls_cl_disconnect(ct->ct_sslsec, + ct->ct_sslusec, ct->ct_sslrefno, + &reterr); + } + } else { soshutdown(so, SHUT_WR); soclose(so); } @@ -1293,7 +1294,8 @@ clnt_vc_dotlsupcall(void *data) if ((ct->ct_rcvstate & RPCRCVSTATE_UPCALLNEEDED) != 0) { ct->ct_rcvstate &= ~RPCRCVSTATE_UPCALLNEEDED; ct->ct_rcvstate |= RPCRCVSTATE_UPCALLINPROG; - if (ct->ct_sslrefno != 0) { + if (ct->ct_sslrefno != 0 && ct->ct_sslrefno != + RPCTLS_REFNO_HANDSHAKE) { mtx_unlock(&ct->ct_lock); printf("at handlerecord\n"); ret = rpctls_cl_handlerecord(ct->ct_sslsec, Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 01:12:23 2020 (r362819) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 02:11:15 2020 (r362820) @@ -78,6 +78,9 @@ bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, /* String for AUTH_TLS reply verifier. */ #define RPCTLS_START_STRING "STARTTLS" +/* ssl refno value to indicate TLS handshake being done. */ +#define RPCTLS_REFNO_HANDSHAKE 0xFFFFFFFFFFFFFFFFULL + #endif /* _KERNEL */ #endif /* _RPC_RPCSEC_TLS_H_ */