Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 1 Jul 2020 21:19:33 +0000 (UTC)
From:      Rick Macklem <rmacklem@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r362865 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls
Message-ID:  <202007012119.061LJXeL007672@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: rmacklem
Date: Wed Jul  1 21:19:32 2020
New Revision: 362865
URL: https://svnweb.freebsd.org/changeset/base/362865

Log:
  Add a new xp_tls flag to indicate handshake failure.
  
  This new flag is used to disable the kernel code from closing the socket
  upon handshake failure, so that the daemon can close it once SSL_accept()
  has returned failure.

Modified:
  projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
  projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
  projects/nfs-over-tls/sys/rpc/svc_vc.c

Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Wed Jul  1 20:45:26 2020	(r362864)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Wed Jul  1 21:19:32 2020	(r362865)
@@ -48,6 +48,7 @@ int	rpctls_syscall(int, const char *);
 #define	RPCTLS_FLAGS_VERIFIED	0x08
 #define	RPCTLS_FLAGS_DISABLED	0x10
 #define	RPCTLS_FLAGS_CERTUSER	0x20
+#define	RPCTLS_FLAGS_HANDSHFAIL	0x40
 
 /* Error return values for upcall rpcs. */
 #define	RPCTLSERR_OK		0

Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c	Wed Jul  1 20:45:26 2020	(r362864)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c	Wed Jul  1 21:19:32 2020	(r362865)
@@ -704,8 +704,10 @@ printf("authtls: null reply=%d\n", call_stat);
 			xprt->xp_gidp = gidp;
 printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp);
 		}
-	} else if (stat == RPC_TIMEDOUT)
-		xprt->xp_upcallset = 0;	/* upcall cleared by soshutdown(). */
+	} else {
+		/* Mark that TLS handshake failed. */
+		xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL;
+	}
 	sx_xunlock(&xprt->xp_lock);
 	xprt_active(xprt);		/* Harmless if already active. */
 printf("authtls: aft handshake stat=%d\n", stat);

Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc_vc.c	Wed Jul  1 20:45:26 2020	(r362864)
+++ projects/nfs-over-tls/sys/rpc/svc_vc.c	Wed Jul  1 21:19:32 2020	(r362865)
@@ -455,18 +455,20 @@ svc_vc_destroy_common(SVCXPRT *xprt)
 	uint32_t reterr;
 
 	if (xprt->xp_socket) {
-		if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+		if ((xprt->xp_tls & (RPCTLS_FLAGS_HANDSHAKE |
+		    RPCTLS_FLAGS_HANDSHFAIL)) == 0)
+			(void)soclose(xprt->xp_socket);
+		else if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
 			/*
 			 * If the upcall fails, the socket has
 			 * probably been closed via the rpctlssd
 			 * daemon having crashed or been
-			 * restarted.
+			 * restarted, so just ignore returned stat.
 			 */
 			stat = rpctls_srv_disconnect(xprt->xp_sslsec,
 			    xprt->xp_sslusec, xprt->xp_sslrefno,
 			    &reterr);
-		} else
-			(void)soclose(xprt->xp_socket);
+		}
 	}
 
 	if (xprt->xp_netid)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007012119.061LJXeL007672>