svn commit: r359223 - in projects/nfs-over-tls/sys/rpc: . rpcsec_tls
Rick Macklem
rmacklem at FreeBSD.org
Sun Mar 22 19:01:46 UTC 2020
Author: rmacklem
Date: Sun Mar 22 19:01:43 2020
New Revision: 359223
URL: https://svnweb.freebsd.org/changeset/base/359223
Log:
Add support for doing upcalls to the rpctlssd and rpctlscd daemons after
the TLS handshake. For now, the only one of these is disconnect when
the connection is done.
The userland "SSL *" is referenced by a refno (uint64_t) and the time
at which the daemon was started.
If a daemon is restarted, the connections are then "orphaned" and no
further upcalls will work for them.
As such, restarting the daemons should be avoided.
Modified:
projects/nfs-over-tls/sys/rpc/clnt_rc.c
projects/nfs-over-tls/sys/rpc/clnt_vc.c
projects/nfs-over-tls/sys/rpc/krpc.h
projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlscd.x
projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x
projects/nfs-over-tls/sys/rpc/svc.c
projects/nfs-over-tls/sys/rpc/svc.h
projects/nfs-over-tls/sys/rpc/svc_vc.c
Modified: projects/nfs-over-tls/sys/rpc/clnt_rc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/clnt_rc.c Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/clnt_rc.c Sun Mar 22 19:01:43 2020 (r359223)
@@ -109,6 +109,7 @@ clnt_reconnect_create(
rc->rc_closed = FALSE;
rc->rc_ucred = crdup(curthread->td_ucred);
rc->rc_client = NULL;
+ rc->rc_tls = false;
cl->cl_refs = 1;
cl->cl_ops = &clnt_reconnect_ops;
@@ -130,6 +131,7 @@ clnt_reconnect_connect(CLIENT *cl)
int one = 1;
struct ucred *oldcred;
CLIENT *newclient = NULL;
+ uint64_t ssl[3];
mtx_lock(&rc->rc_lock);
while (rc->rc_connecting) {
@@ -194,10 +196,10 @@ clnt_reconnect_connect(CLIENT *cl)
newclient = clnt_vc_create(so,
(struct sockaddr *) &rc->rc_addr, rc->rc_prog, rc->rc_vers,
rc->rc_sendsz, rc->rc_recvsz, rc->rc_intr);
- if (rc->rc_tls != 0 && newclient != NULL) {
+ if (rc->rc_tls && newclient != NULL) {
printf("at rpctls_connect\n");
- stat = rpctls_connect(newclient, so);
-printf("aft rpctls_connect=%d\n", stat);
+ stat = rpctls_connect(newclient, so, ssl);
+printf("aft rpctls_connect=%d ssl=%jd\n", stat, (uintmax_t)ssl[2]);
if (stat != RPC_SUCCESS) {
stat = rpc_createerr.cf_stat = stat;
rpc_createerr.cf_error.re_errno = 0;
@@ -224,8 +226,8 @@ printf("aft rpctls_connect=%d\n", stat);
CLNT_CONTROL(newclient, CLSET_RETRY_TIMEOUT, &rc->rc_retry);
CLNT_CONTROL(newclient, CLSET_WAITCHAN, rc->rc_waitchan);
CLNT_CONTROL(newclient, CLSET_INTERRUPTIBLE, &rc->rc_intr);
- if (rc->rc_tls != 0)
- CLNT_CONTROL(newclient, CLSET_TLS, &one);
+ if (rc->rc_tls)
+ CLNT_CONTROL(newclient, CLSET_TLS, ssl);
if (rc->rc_backchannel != NULL)
CLNT_CONTROL(newclient, CLSET_BACKCHANNEL, rc->rc_backchannel);
stat = RPC_SUCCESS;
@@ -490,7 +492,7 @@ clnt_reconnect_control(CLIENT *cl, u_int request, void
break;
case CLSET_TLS:
- rc->rc_tls = 1;
+ rc->rc_tls = true;
break;
default:
Modified: projects/nfs-over-tls/sys/rpc/clnt_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/clnt_vc.c Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/clnt_vc.c Sun Mar 22 19:01:43 2020 (r359223)
@@ -417,7 +417,7 @@ call_again:
TAILQ_INSERT_TAIL(&ct->ct_pending, cr, cr_link);
mtx_unlock(&ct->ct_lock);
- if (ct->ct_tls) {
+ if (ct->ct_sslrefno != 0) {
/*
* Copy the mbuf chain to a chain of ext_pgs mbuf(s)
* as required by KERN_TLS.
@@ -655,6 +655,7 @@ clnt_vc_control(CLIENT *cl, u_int request, void *info)
struct ct_data *ct = (struct ct_data *)cl->cl_private;
void *infop = info;
SVCXPRT *xprt;
+ uint64_t *p;
mtx_lock(&ct->ct_lock);
@@ -770,7 +771,7 @@ clnt_vc_control(CLIENT *cl, u_int request, void *info)
xprt = (SVCXPRT *)info;
if (ct->ct_backchannelxprt == NULL) {
xprt->xp_p2 = ct;
- if (ct->ct_tls)
+ if (ct->ct_sslrefno != 0)
xprt->xp_tls = RPCTLS_FLAGS_HANDSHAKE;
ct->ct_backchannelxprt = xprt;
printf("backch tls=0x%x xprt=%p\n", xprt->xp_tls, xprt);
@@ -778,7 +779,10 @@ printf("backch tls=0x%x xprt=%p\n", xprt->xp_tls, xprt
break;
case CLSET_TLS:
- ct->ct_tls = TRUE;
+ p = (uint64_t *)info;
+ ct->ct_sslsec = *p++;
+ ct->ct_sslusec = *p++;
+ ct->ct_sslrefno = *p;
break;
case CLSET_BLOCKRCV:
@@ -854,6 +858,7 @@ clnt_vc_destroy(CLIENT *cl)
struct ct_data *ct = (struct ct_data *) cl->cl_private;
struct socket *so = NULL;
SVCXPRT *xprt;
+ enum clnt_stat stat;
clnt_vc_close(cl);
@@ -878,8 +883,14 @@ clnt_vc_destroy(CLIENT *cl)
mtx_destroy(&ct->ct_lock);
if (so) {
- soshutdown(so, SHUT_WR);
- soclose(so);
+ stat = RPC_FAILED;
+ if (ct->ct_sslrefno != 0)
+ stat = rpctls_cl_disconnect(ct->ct_sslsec,
+ ct->ct_sslusec, ct->ct_sslrefno);
+ if (stat != RPC_SUCCESS) {
+ soshutdown(so, SHUT_WR);
+ soclose(so);
+ }
}
mem_free(ct, sizeof(struct ct_data));
if (cl->cl_netid && cl->cl_netid[0])
Modified: projects/nfs-over-tls/sys/rpc/krpc.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/krpc.h Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/krpc.h Sun Mar 22 19:01:43 2020 (r359223)
@@ -79,7 +79,7 @@ struct rc_data {
CLIENT* rc_client; /* underlying RPC client */
struct rpc_err rc_err;
void *rc_backchannel;
- int rc_tls; /* Enable TLS on connection */
+ bool rc_tls; /* Enable TLS on connection */
};
struct ct_data {
@@ -103,7 +103,9 @@ struct ct_data {
struct ct_request_list ct_pending;
int ct_upcallrefs; /* Ref cnt of upcalls in prog. */
SVCXPRT *ct_backchannelxprt; /* xprt for backchannel */
- bool_t ct_tls; /* Enable RPC-over-TLS support. */
+ uint64_t ct_sslsec; /* RPC-over-TLS connection. */
+ uint64_t ct_sslusec;
+ uint64_t ct_sslrefno;
bool_t ct_dontrcv; /* TRUE to block receiving */
};
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sun Mar 22 19:01:43 2020 (r359223)
@@ -44,7 +44,10 @@
#ifdef _KERNEL
/* Functions that perform upcalls to the rpctlsd daemon. */
-enum clnt_stat rpctls_connect(CLIENT *newclient, struct socket *so);
+enum clnt_stat rpctls_connect(CLIENT *newclient, struct socket *so,
+ uint64_t *sslp);
+enum clnt_stat rpctls_cl_disconnect(uint64_t sec, uint64_t usec, uint64_t ssl);
+enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uint64_t usec, uint64_t ssl);
/* String for AUTH_TLS reply verifier. */
#define RPCTLS_START_STRING "STARTTLS"
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sun Mar 22 19:01:43 2020 (r359223)
@@ -82,19 +82,15 @@ struct rpctls_syscall_args {
static CLIENT *rpctls_connect_handle;
static struct mtx rpctls_connect_lock;
static struct socket *rpctls_connect_so = NULL;
-static struct file *rpctls_connect_fp = NULL;
-static int rpctls_connect_fd = -1;
static CLIENT *rpctls_server_handle;
static struct mtx rpctls_server_lock;
static struct socket *rpctls_server_so = NULL;
-static struct file *rpctls_server_fp = NULL;
-static int rpctls_server_fd = -1;
static struct opaque_auth rpctls_null_verf;
static CLIENT *rpctls_connect_client(void);
static CLIENT *rpctls_server_client(void);
static enum clnt_stat rpctls_server(struct socket *so,
- uint32_t *flags);
+ uint32_t *flags, uint64_t *sslp);
static void
rpctls_init(void *dummy)
@@ -227,13 +223,6 @@ printf("In connect\n");
if (PMAP_HAS_DMAP != 0)
error = 0;
#endif
- if (error == 0) {
- mtx_lock(&rpctls_connect_lock);
- if (rpctls_connect_so == NULL ||
- rpctls_connect_fd != -1)
- error = EINVAL;
- mtx_unlock(&rpctls_connect_lock);
- }
if (error == 0)
error = falloc(td, &fp, &fd, 0);
if (error == 0) {
@@ -241,35 +230,11 @@ printf("falloc=%d fd=%d\n", error, fd);
mtx_lock(&rpctls_connect_lock);
so = rpctls_connect_so;
rpctls_connect_so = NULL;
- rpctls_connect_fp = fp;
- rpctls_connect_fd = fd;
mtx_unlock(&rpctls_connect_lock);
finit(fp, FREAD | FWRITE, DTYPE_SOCKET, so, &socketops);
td->td_retval[0] = fd;
}
printf("returning=%d\n", fd);
- } else if (path[0] == 'D') {
-printf("In EOconnect\n");
- mtx_lock(&rpctls_connect_lock);
- fd = rpctls_connect_fd;
- rpctls_connect_fd = -1;
- fp = rpctls_connect_fp;
- rpctls_connect_fp = NULL;
- mtx_unlock(&rpctls_connect_lock);
-printf("fd=%d\n", fd);
- if (fd >= 0) {
- /*
- * Since the daemon will not be using the fd any
- * more, we want to close the fd, but we do not
- * want to soclose() the associated socket.
- * Set f_ops == badfileops so that kern_close() will
- * not do a soclose().
- */
- fp->f_ops = &badfileops;
- kern_close(td, fd);
-printf("aft kern_close\n");
- } else
- printf("rpctlsc fd -1\n");
} else if (path[0] == 'E') {
printf("In srvconnect\n");
error = EINVAL;
@@ -277,13 +242,6 @@ printf("In srvconnect\n");
if (PMAP_HAS_DMAP != 0)
error = 0;
#endif
- if (error == 0) {
- mtx_lock(&rpctls_server_lock);
- if (rpctls_server_so == NULL ||
- rpctls_server_fd != -1)
- error = EINVAL;
- mtx_unlock(&rpctls_server_lock);
- }
if (error == 0)
error = falloc(td, &fp, &fd, 0);
if (error == 0) {
@@ -291,8 +249,6 @@ printf("srv falloc=%d fd=%d\n", error, fd);
mtx_lock(&rpctls_server_lock);
so = rpctls_server_so;
rpctls_server_so = NULL;
- rpctls_server_fp = fp;
- rpctls_server_fd = fd;
mtx_unlock(&rpctls_server_lock);
finit(fp, FREAD | FWRITE, DTYPE_SOCKET, so, &socketops);
td->td_retval[0] = fd;
@@ -300,26 +256,15 @@ printf("srv falloc=%d fd=%d\n", error, fd);
printf("srv returning=%d\n", fd);
} else if (path[0] == 'F') {
printf("In EOserver\n");
- mtx_lock(&rpctls_server_lock);
- fd = rpctls_server_fd;
- rpctls_server_fd = -1;
- fp = rpctls_server_fp;
- rpctls_server_fp = NULL;
- mtx_unlock(&rpctls_server_lock);
+ fd = strtol(&path[1], NULL, 10);
printf("srv fd=%d\n", fd);
if (fd >= 0) {
- /*
- * Since the daemon will not be using the fd any
- * more, we want to close the fd, but we do not
- * want to soclose() the associated socket.
- * Set f_ops == badfileops so that kern_close() will
- * not do a soclose().
- */
- fp->f_ops = &badfileops;
- kern_close(td, fd);
-printf("srv aft kern_close\n");
- } else
- printf("rpctlss fd -1\n");
+ error = kern_close(td, fd);
+printf("srv aft kern_close=%d\n", error);
+ } else {
+ printf("rpctlss fd negative\n");
+ error = EINVAL;
+ }
}
return (error);
@@ -361,8 +306,9 @@ rpctls_server_client(void)
/* Do an upcall for a new socket connect using TLS. */
enum clnt_stat
-rpctls_connect(CLIENT *newclient, struct socket *so)
+rpctls_connect(CLIENT *newclient, struct socket *so, uint64_t *sslp)
{
+ struct rpctlscd_connect_res res;
struct rpc_callextra ext;
struct timeval utimeout;
enum clnt_stat stat;
@@ -406,8 +352,13 @@ printf("rpctls_conect so=%p\n", so);
CLNT_CONTROL(newclient, CLSET_BLOCKRCV, &val);
/* Do the connect handshake upcall. */
- stat = rpctlscd_connect_1(NULL, NULL, cl);
+ stat = rpctlscd_connect_1(NULL, &res, cl);
printf("aft connect upcall=%d\n", stat);
+ if (stat == RPC_SUCCESS) {
+ *sslp++ = res.sec;
+ *sslp++ = res.usec;
+ *sslp = res.ssl;
+ }
CLNT_RELEASE(cl);
/* Unblock reception. */
@@ -417,7 +368,6 @@ printf("aft connect upcall=%d\n", stat);
/* Once the upcall is done, the daemon is done with the fp and so. */
mtx_lock(&rpctls_connect_lock);
rpctls_connect_so = NULL;
- rpctls_connect_fd = -1;
rpctls_connect_busy = false;
wakeup(&rpctls_connect_busy);
mtx_unlock(&rpctls_connect_lock);
@@ -426,9 +376,56 @@ printf("aft wakeup\n");
return (stat);
}
+/* Do an upcall to shut down a socket using TLS. */
+enum clnt_stat
+rpctls_cl_disconnect(uint64_t sec, uint64_t usec, uint64_t ssl)
+{
+ struct rpctlscd_disconnect_arg arg;
+ enum clnt_stat stat;
+ CLIENT *cl;
+
+printf("In rpctls_cl_disconnect\n");
+ cl = rpctls_connect_client();
+printf("disconnect_client=%p\n", cl);
+ if (cl == NULL)
+ return (RPC_FAILED);
+
+ /* Do the disconnect upcall. */
+ arg.sec = sec;
+ arg.usec = usec;
+ arg.ssl = ssl;
+ stat = rpctlscd_disconnect_1(&arg, NULL, cl);
+printf("aft disconnect upcall=%d\n", stat);
+ CLNT_RELEASE(cl);
+ return (stat);
+}
+
+enum clnt_stat
+rpctls_srv_disconnect(uint64_t sec, uint64_t usec, uint64_t ssl)
+{
+ struct rpctlssd_disconnect_arg arg;
+ enum clnt_stat stat;
+ CLIENT *cl;
+
+printf("In rpctls_srv_disconnect\n");
+ cl = rpctls_server_client();
+printf("srv disconnect_client=%p\n", cl);
+ if (cl == NULL)
+ return (RPC_FAILED);
+
+ /* Do the disconnect upcall. */
+ arg.sec = sec;
+ arg.usec = usec;
+ arg.ssl = ssl;
+ stat = rpctlssd_disconnect_1(&arg, NULL, cl);
+printf("aft srv disconnect upcall=%d\n", stat);
+ CLNT_RELEASE(cl);
+ return (stat);
+}
+
/* Do an upcall for a new server socket using TLS. */
static enum clnt_stat
-rpctls_server(struct socket *so, uint32_t *flags)
+rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp)
{
enum clnt_stat stat;
CLIENT *cl;
@@ -453,15 +450,18 @@ printf("rpctls_conect so=%p\n", so);
/* Do the server upcall. */
stat = rpctlssd_connect_1(NULL, &res, cl);
- if (stat == RPC_SUCCESS)
+ if (stat == RPC_SUCCESS) {
*flags = res.flags;
+ *sslp++ = res.sec;
+ *sslp++ = res.usec;
+ *sslp = res.ssl;
+ }
printf("aft server upcall stat=%d flags=0x%x\n", stat, res.flags);
CLNT_RELEASE(cl);
/* Once the upcall is done, the daemon is done with the fp and so. */
mtx_lock(&rpctls_server_lock);
rpctls_server_so = NULL;
- rpctls_server_fd = -1;
rpctls_server_busy = false;
wakeup(&rpctls_server_busy);
mtx_unlock(&rpctls_server_lock);
@@ -483,6 +483,7 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m
enum clnt_stat stat;
SVCXPRT *xprt;
uint32_t flags;
+ uint64_t ssl[3];
/* Initialize reply. */
rqst->rq_verf = rpctls_null_verf;
@@ -529,13 +530,18 @@ printf("authtls: null reply=%d\n", call_stat);
}
/* Do an upcall to do the TLS handshake. */
- stat = rpctls_server(rqst->rq_xprt->xp_socket, &flags);
+ stat = rpctls_server(rqst->rq_xprt->xp_socket, &flags,
+ ssl);
/* Re-enable reception on the socket within the krpc. */
sx_xlock(&xprt->xp_lock);
xprt->xp_dontrcv = FALSE;
- if (stat == RPC_SUCCESS)
+ if (stat == RPC_SUCCESS) {
xprt->xp_tls = flags;
+ xprt->xp_sslsec = ssl[0];
+ xprt->xp_sslusec = ssl[1];
+ xprt->xp_sslrefno = ssl[2];
+ }
sx_xunlock(&xprt->xp_lock);
xprt_active(xprt); /* Harmless if already active. */
printf("authtls: aft handshake stat=%d\n", stat);
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlscd.x
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlscd.x Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlscd.x Sun Mar 22 19:01:43 2020 (r359223)
@@ -25,14 +25,29 @@
* SUCH DAMAGE.
*/
-/* $FreeBSD$ */
-
/* Modified from gssd.x for the client side of RPC-over-TLS. */
+/* $FreeBSD:$ */
+
+struct rpctlscd_connect_res {
+ uint64_t sec;
+ uint64_t usec;
+ uint64_t ssl;
+};
+
+struct rpctlscd_disconnect_arg {
+ uint64_t sec;
+ uint64_t usec;
+ uint64_t ssl;
+};
+
program RPCTLSCD {
version RPCTLSCDVERS {
void RPCTLSCD_NULL(void) = 0;
- void RPCTLSCD_CONNECT(void) = 1;
+ rpctlscd_connect_res
+ RPCTLSCD_CONNECT(void) = 1;
+
+ void RPCTLSCD_DISCONNECT(rpctlscd_disconnect_arg) = 2;
} = 1;
} = 0x40677374;
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Sun Mar 22 19:01:43 2020 (r359223)
@@ -25,19 +25,30 @@
* SUCH DAMAGE.
*/
-/* $FreeBSD$ */
-
/* Modified from gssd.x for the server side of RPC-over-TLS. */
+/* $FreeBSD:$ */
+
struct rpctlssd_connect_res {
uint32_t flags;
+ uint64_t sec;
+ uint64_t usec;
+ uint64_t ssl;
};
+struct rpctlssd_disconnect_arg {
+ uint64_t sec;
+ uint64_t usec;
+ uint64_t ssl;
+};
+
program RPCTLSSD {
version RPCTLSSDVERS {
void RPCTLSSD_NULL(void) = 0;
rpctlssd_connect_res
RPCTLSSD_CONNECT(void) = 1;
+
+ void RPCTLSSD_DISCONNECT(rpctlssd_disconnect_arg) = 2;
} = 1;
} = 0x40677375;
Modified: projects/nfs-over-tls/sys/rpc/svc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc.c Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/svc.c Sun Mar 22 19:01:43 2020 (r359223)
@@ -670,13 +670,10 @@ svc_sendreply_common(struct svc_req *rqstp, struct rpc
replay_setreply(xprt->xp_pool->sp_rcache,
rply, svc_getrpccaller(rqstp), body);
-printf("sendreply_common\n");
if (!SVCAUTH_WRAP(&rqstp->rq_auth, &body))
return (FALSE);
-printf("at SVC_REPLY\n");
ok = SVC_REPLY(xprt, rply, rqstp->rq_addr, body, &rqstp->rq_reply_seq);
-printf("aft SVC_REPLY ok=%d\n", ok);
if (rqstp->rq_addr) {
free(rqstp->rq_addr, M_SONAME);
rqstp->rq_addr = NULL;
@@ -817,7 +814,6 @@ svcerr_auth(struct svc_req *rqstp, enum auth_stat why)
if (xprt->xp_pool->sp_rcache)
replay_setreply(xprt->xp_pool->sp_rcache,
&rply, svc_getrpccaller(rqstp), NULL);
-printf("SVC SENDAUTHERR\n");
svc_sendreply_common(rqstp, &rply, NULL);
}
@@ -980,7 +976,6 @@ svc_getreq(SVCXPRT *xprt, struct svc_req **rqstp_ret)
* should not be dispatched to the
* application.
*/
-printf("AUTH FAILED=%d\n", why);
if (why != RPCSEC_GSS_NODISPATCH)
svcerr_auth(r, why);
goto call_done;
Modified: projects/nfs-over-tls/sys/rpc/svc.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc.h Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/svc.h Sun Mar 22 19:01:43 2020 (r359223)
@@ -178,6 +178,9 @@ typedef struct __rpc_svcxprt {
u_int xp_mbufoffs; /* Offset into ext_pgs mbuf */
bool_t xp_dontrcv; /* Do not receive on the socket */
uint32_t xp_tls; /* RPC-over-TLS on socket */
+ uint64_t xp_sslsec; /* Userland SSL * */
+ uint64_t xp_sslusec;
+ uint64_t xp_sslrefno;
#else
int xp_fd;
u_short xp_port; /* associated port number */
Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc_vc.c Sun Mar 22 18:41:51 2020 (r359222)
+++ projects/nfs-over-tls/sys/rpc/svc_vc.c Sun Mar 22 19:01:43 2020 (r359223)
@@ -455,9 +455,16 @@ svc_vc_rendezvous_stat(SVCXPRT *xprt)
static void
svc_vc_destroy_common(SVCXPRT *xprt)
{
+ enum clnt_stat stat;
- if (xprt->xp_socket)
- (void)soclose(xprt->xp_socket);
+ if (xprt->xp_socket) {
+ stat = RPC_FAILED;
+ if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0)
+ stat = rpctls_srv_disconnect(xprt->xp_sslsec,
+ xprt->xp_sslusec, xprt->xp_sslrefno);
+ if (stat != RPC_SUCCESS)
+ (void)soclose(xprt->xp_socket);
+ }
if (xprt->xp_netid)
(void) mem_free(xprt->xp_netid, strlen(xprt->xp_netid) + 1);
More information about the svn-src-projects
mailing list