svn commit: r362865 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls
Rick Macklem
rmacklem at FreeBSD.org
Wed Jul 1 21:19:34 UTC 2020
Author: rmacklem
Date: Wed Jul 1 21:19:32 2020
New Revision: 362865
URL: https://svnweb.freebsd.org/changeset/base/362865
Log:
Add a new xp_tls flag to indicate handshake failure.
This new flag is used to prevent the kernel code from closing the socket
upon handshake failure, so that the daemon can close it once SSL_accept()
has returned failure.
Modified:
projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
projects/nfs-over-tls/sys/rpc/svc_vc.c
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 20:45:26 2020 (r362864)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Wed Jul 1 21:19:32 2020 (r362865)
@@ -48,6 +48,7 @@ int rpctls_syscall(int, const char *);
#define RPCTLS_FLAGS_VERIFIED 0x08
#define RPCTLS_FLAGS_DISABLED 0x10
#define RPCTLS_FLAGS_CERTUSER 0x20
+#define RPCTLS_FLAGS_HANDSHFAIL 0x40
/* Error return values for upcall rpcs. */
#define RPCTLSERR_OK 0
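Review bot: RPCTLS_FLAGS_HANDSHFAIL is added without a comment, and nothing in the header says that this bit changes who is responsible for closing the socket; a reader of svc_vc.c has to find this commit's log to learn that. Suggest `#define RPCTLS_FLAGS_HANDSHFAIL 0x40 /* Handshake failed; rpctlssd closes the socket. */`. The log message is currently the only place that ownership rule is stated.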
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Wed Jul 1 20:45:26 2020 (r362864)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Wed Jul 1 21:19:32 2020 (r362865)
@@ -704,8 +704,10 @@ printf("authtls: null reply=%d\n", call_stat);
xprt->xp_gidp = gidp;
printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp);
}
- } else if (stat == RPC_TIMEDOUT)
- xprt->xp_upcallset = 0; /* upcall cleared by soshutdown(). */
+ } else {
+ /* Mark that TLS handshake failed. */
+ xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL;
+ }
sx_xunlock(&xprt->xp_lock);
xprt_active(xprt); /* Harmless if already active. */
printf("authtls: aft handshake stat=%d\n", stat);
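Review bot: `xprt->xp_tls = RPCTLS_FLAGS_HANDSHFAIL;` assigns rather than ORs, so any bit already set in xp_tls at this point is discarded; if xp_tls is always zero before the handshake that is harmless, but `xprt->xp_tls |= RPCTLS_FLAGS_HANDSHFAIL;` would make the intent explicit and survive a flag being set earlier in the future. This else also fires for every non-success stat, including a failed or timed-out upcall where rpctlssd never ran SSL_accept(); in that case no daemon is going to close the socket, and with the flag set the svc_vc.c hunk in this commit skips soclose() too, so the socket appears to be left open unless something outside this diff closes it. The removed RPC_TIMEDOUT branch cleared xp_upcallset; confirm that reset is no longer needed now that the timeout case is folded into the generic failure path. The enclosing if/else starts before this hunk.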
Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc_vc.c Wed Jul 1 20:45:26 2020 (r362864)
+++ projects/nfs-over-tls/sys/rpc/svc_vc.c Wed Jul 1 21:19:32 2020 (r362865)
@@ -455,18 +455,20 @@ svc_vc_destroy_common(SVCXPRT *xprt)
uint32_t reterr;
if (xprt->xp_socket) {
- if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ if ((xprt->xp_tls & (RPCTLS_FLAGS_HANDSHAKE |
+ RPCTLS_FLAGS_HANDSHFAIL)) == 0)
+ (void)soclose(xprt->xp_socket);
+ else if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
/*
* If the upcall fails, the socket has
* probably been closed via the rpctlssd
* daemon having crashed or been
- * restarted.
+ * restarted, so just ignore returned stat.
*/
stat = rpctls_srv_disconnect(xprt->xp_sslsec,
xprt->xp_sslusec, xprt->xp_sslrefno,
&reterr);
- } else
- (void)soclose(xprt->xp_socket);
+ }
}
if (xprt->xp_netid)
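Review bot: When RPCTLS_FLAGS_HANDSHFAIL is set and RPCTLS_FLAGS_HANDSHAKE is not, control falls off the `else if` with no branch at all, so nothing in the kernel closes xp_socket; that is the intended hand-off to the daemon, but the code does not say so and a later reader may well add the soclose() back. Make the case explicit: `else if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHFAIL) != 0) { /* rpctlssd closes the socket once SSL_accept() fails. */ }`. Because this path relies entirely on the daemon, a daemon that crashed between the upcall and its close leaves the socket open, and a handshake that any unauthenticated peer can make fail is a cheap way to accumulate such sockets, so the flag should probably only be set when the daemon actually reported the failure rather than when the upcall itself never got through. Also `stat` is assigned and then ignored per the comment; `(void)rpctls_srv_disconnect(...)` would say that without the dead store. svc_vc_destroy_common continues past the hunk.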