From: Rick Macklem
Date: Tue, 31 May 2022 00:40:02 GMT
Message-Id: <202205310040.24V0e27f076645@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 8908c590e365 - stable/13 - krpc: Fix NFS-over-TLS for KTLS1.3
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 8908c590e365584666532d59125fffd721b267d3

The branch stable/13 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=8908c590e365584666532d59125fffd721b267d3

commit 8908c590e365584666532d59125fffd721b267d3
Author: Rick Macklem
AuthorDate: 2022-05-15 18:51:56 +0000
Commit: Rick Macklem
CommitDate: 2022-05-31 00:38:43 +0000

    krpc: Fix NFS-over-TLS for KTLS1.3

    When NFS-over-TLS uses KTLS1.3, the client can receive post-handshake handshake records. These records can be safely thrown away, but are not handled correctly via the rpctls_ct_handlerecord() upcall to the daemon.

    Commit 373511338d95 changed soreceive_generic() so that it will only return ENXIO for Alert records when MSG_TLSAPPDATA is specified. As such, the post-handshake handshake records will be returned to the krpc.

    This patch modifies the krpc so that it will throw these records away, which seems sufficient to make NFS-over-TLS work with KTLS1.3.

    This change has no effect on the use of KTLS1.2, since it does not generate post-handshake handshake records.

    (cherry picked from commit 0b4f2ab0e91307bd1fa6e884b0fccef9d10d5a2d)
---
 sys/rpc/clnt_vc.c | 21 +++++++++------------
 sys/rpc/svc_vc.c | 12 ++++++------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/sys/rpc/clnt_vc.c b/sys/rpc/clnt_vc.c index 7d22c670b017..8ad6746eb485 100644 --- a/sys/rpc/clnt_vc.c +++ b/sys/rpc/clnt_vc.c @@ -946,7 +946,7 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) { struct ct_data *ct = (struct ct_data *) arg; struct uio uio; - struct mbuf *m, *m2, **ctrlp; + struct mbuf *m, *m2; struct ct_request *cr; int error, rcvflag, foundreq; uint32_t xid_plus_direction[2], header; 
@@ -994,13 +994,10 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) m2 = m = NULL; rcvflag = MSG_DONTWAIT | MSG_SOCALLBCK; if (ct->ct_sslrefno != 0 && (ct->ct_rcvstate & - RPCRCVSTATE_NORMAL) != 0) { + RPCRCVSTATE_NORMAL) != 0) rcvflag |= MSG_TLSAPPDATA; - ctrlp = NULL; - } else - ctrlp = &m2; SOCKBUF_UNLOCK(&so->so_rcv); - error = soreceive(so, NULL, &uio, &m, ctrlp, &rcvflag); + error = soreceive(so, NULL, &uio, &m, &m2, &rcvflag); SOCKBUF_LOCK(&so->so_rcv); if (error == EWOULDBLOCK) { @@ -1025,8 +1022,8 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) } /* - * A return of ENXIO indicates that there is a - * non-application data record at the head of the + * A return of ENXIO indicates that there is an + * alert record at the head of the * socket's receive queue, for TLS connections. * This record needs to be handled in userland * via an SSL_read() call, so do an upcall to the daemon. @@ -1053,10 +1050,10 @@ clnt_vc_soupcall(struct socket *so, void *arg, int waitflag) cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) { memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr)); /* - * This should have been handled by - * setting RPCRCVSTATE_UPCALLNEEDED in - * ct_rcvstate but if not, all we can do - * is toss it away. + * TLS_RLTYPE_ALERT records should be handled + * since soreceive() would have returned + * ENXIO. Just throw any other + * non-TLS_RLTYPE_APP records away. */ if (tgr.tls_type != TLS_RLTYPE_APP) { m_freem(m); diff --git a/sys/rpc/svc_vc.c b/sys/rpc/svc_vc.c index 77452d906594..eb63cb1da4e4 100644 --- a/sys/rpc/svc_vc.c +++ b/sys/rpc/svc_vc.c @@ -806,8 +806,8 @@ tryagain: } /* - * A return of ENXIO indicates that there is a - * non-application data record at the head of the + * A return of ENXIO indicates that there is an + * alert record at the head of the * socket's receive queue, for TLS connections. * This record needs to be handled in userland * via an SSL_read() call, so do an upcall to the daemon. 
@@ -865,10 +865,10 @@ tryagain: cmsg->cmsg_len == CMSG_LEN(sizeof(tgr))) { memcpy(&tgr, CMSG_DATA(cmsg), sizeof(tgr)); /* - * This should have been handled by - * the rpctls_svc_handlerecord() - * upcall. If not, all we can do is - * toss it away. + * TLS_RLTYPE_ALERT records should be handled + * since soreceive() would have returned + * ENXIO. Just throw any other + * non-TLS_RLTYPE_APP records away. */ if (tgr.tls_type != TLS_RLTYPE_APP) { m_freem(m);
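Review bot: in the clnt_vc.c hunk at @@ -994, the soreceive() call now always requests the control mbuf (`&m2`) where it previously passed NULL whenever MSG_TLSAPPDATA was set, so every exit path after the call, including the EWOULDBLOCK and ENXIO branches that follow, must free `m2` when it is non-NULL or the TLS_GET_RECORD control mbuf leaks on each socket callback; the hunk shows only `m2 = m = NULL;` before the call, so please confirm each early return below pairs with an `m_freem(m2)`. Dropping the braces around the now single-statement `if` is fine under style(9), but a one-line comment stating that MSG_TLSAPPDATA only narrows which non-application records come back as ENXIO (alerts) rather than suppressing the control message would save the next reader a trip to soreceive_generic().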
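Review bot: the reworded comment in the clnt_vc.c hunk at @@ -1025 ("an alert record at the head of the socket's receive queue") is only accurate once the soreceive_generic() change the commit message cites (373511338d95) is present in the tree; because this is a cherry-pick to stable/13, the commit message should state that that change was merged to stable/13 first, since on a branch without it soreceive() still returns ENXIO for every non-application record and the daemon upcall, not the new discard path, sees post-handshake handshake records. The same applies to the identical comment hunk in svc_vc.c at @@ -806.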
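Review bot: the discard branch in the clnt_vc.c hunk at @@ -1053 (`if (tgr.tls_type != TLS_RLTYPE_APP) { m_freem(m);`) now deliberately absorbs KTLS 1.3 post-handshake handshake records but drops them silently, so an operator has no way to tell a handful of expected handshake records from a stream of something unexpected; consider bumping a counter or emitting a KTR/debug trace carrying `tgr.tls_type` so any non-APP, non-ALERT record type other than handshake stands out instead of vanishing. The new comment wording "TLS_RLTYPE_ALERT records should be handled since soreceive() would have returned ENXIO" also reads as an instruction rather than an invariant; suggest "TLS_RLTYPE_ALERT records never reach here because soreceive() returns ENXIO for them, so anything that is not TLS_RLTYPE_APP is a post-handshake handshake record and can be discarded."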
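Review bot: the svc_vc.c hunk at @@ -865 changes comments only, so on the server side the handling of post-handshake handshake records changes purely through soreceive()'s behaviour, yet the commit message describes only the client ("the client can receive post-handshake handshake records"); either state in the commit message that the server path is covered by the same soreceive() change and was tested with KTLS1.3, or note that it is unverified. The comment wording suggestion for the matching clnt_vc.c discard branch (state it as an invariant: alerts never reach here because soreceive() returns ENXIO for them) applies here as well.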