git: 712aac1389e8 - main - rpc.tlsservd: Add a -C command line option for preferred_ciphers
Date: Thu, 05 May 2022 22:55:33 UTC
The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=712aac1389e8476ff3da98fd7ec80bf71fc601f4 commit 712aac1389e8476ff3da98fd7ec80bf71fc601f4 Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2022-05-05 22:54:14 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2022-05-05 22:54:14 +0000 rpc.tlsservd: Add a -C command line option for preferred_ciphers rpc.tlsclntd has a -C command line option for setting preferred_ciphers. Testing at a recent IETF NFSv4 testing event showed that setting preferred_ciphers is not normally needed for the rpc.tlsservd. This patch modifies rpc.tlsservd to not specify preferred_ciphers by default, but provides the same -C option as rpc.tlsclntd to set preferred_ciphers, in case it is needed. The man page update will be done as a separate commit. MFC after: 2 weeks
---
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index db829be68334..2726ba84fd3b 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -104,6 +104,7 @@ static uint64_t rpctls_ssl_usec = 0;
 static bool rpctls_cnuser = false;
 static char *rpctls_dnsname;
 static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1";
+static const char *rpctls_ciphers = NULL;
 
 static void rpctlssd_terminate(int);
 static SSL_CTX *rpctls_setup_ssl(const char *certdir);
@@ -118,6 +119,7 @@ static void rpctls_huphandler(int sig __unused);
 extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp);
 
 static struct option longopts[] = {
+	{ "ciphers", required_argument, NULL, 'C' },
 	{ "certdir", required_argument, NULL, 'D' },
 	{ "debuglevel", no_argument, NULL, 'd' },
 	{ "checkhost", no_argument, NULL, 'h' },
@@ -178,9 +180,12 @@ main(int argc, char **argv)
 	}
 
 	rpctls_verbose = false;
-	while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts,
+	while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts,
 	    NULL)) != -1) {
 		switch (ch) {
+		case 'C':
+			rpctls_ciphers = optarg;
+			break;
 		case 'D':
 			rpctls_certdir = optarg;
 			break;
@@ -558,16 +563,20 @@ rpctls_setup_ssl(const char *certdir)
 	}
 	SSL_CTX_set_ecdh_auto(ctx, 1);
 
-	/*
-	 * Set preferred ciphers, since KERN_TLS only supports a
-	 * few of them.
-	 */
-	ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS);
-	if (ret == 0) {
-		rpctls_verbose_out("rpctls_setup_ssl: "
-		    "SSL_CTX_set_cipher_list failed to set any ciphers\n");
-		SSL_CTX_free(ctx);
-		return (NULL);
+	if (rpctls_ciphers != NULL) {
+		/*
+		 * Set preferred ciphers, since KERN_TLS only supports a
+		 * few of them. Normally, not doing this should be ok,
+		 * since the library defaults will work.
+		 */
+		ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+		if (ret == 0) {
+			rpctls_verbose_out("rpctls_setup_ssl: "
+			    "SSL_CTX_set_cipher_list failed: %s\n",
+			    rpctls_ciphers);
+			SSL_CTX_free(ctx);
+			return (NULL);
+		}
 	}
 
 	/* Get the cert.pem and certkey.pem files from the directory certdir. */
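Review bot: The short option is added to the getopt_long() string as a bare `C` with no trailing colon, while the new longopts entry declares `ciphers` as `required_argument`; the short form's arity comes from the option string, so `-C <list>` yields a NULL `optarg`, `rpctls_ciphers` stays NULL, and the list is left behind as a stray non-option argument while the daemon silently keeps the library default ciphers. That is a silent failure of a hardening control: an operator who restricts ciphers with `-C` has no indication the restriction is not in effect, and only the long form `--ciphers <list>` behaves as intended. The option string should read `"C:D:dhl:n:mp:r:uvWw"` so that `case 'C':` always receives a non-NULL `optarg`, consistent with the longopts table. main() starts and ends outside this hunk.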
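Review bot: SSL_CTX_set_cipher_list() configures only the TLS 1.2-and-earlier cipher list; TLS 1.3 suites are selected through SSL_CTX_set_ciphersuites(), which the new block does not call. If rpctls_setup_ssl() pins the minimum protocol version to TLS 1.3 further down (the rest of the function is outside this hunk, so that cannot be confirmed here), a `-C` list would not change the suite actually negotiated, and an operator using it to exclude a suite that KERN_TLS cannot offload would get no error. The retained comment still justifies the call with "KERN_TLS only supports a few of them" even though the default is now to impose no restriction; it would be clearer as `* Apply the cipher list given with -C (OpenSSL cipher-list syntax; affects TLS 1.2 and earlier only). By default the library's own list is used.` and, if TLS 1.3 is in use, the option should either also be passed to SSL_CTX_set_ciphersuites() or be documented as having no effect there.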