svn commit: r360615 - in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd
Rick Macklem
rmacklem at FreeBSD.org
Sun May 3 21:59:41 UTC 2020
Author: rmacklem
Date: Sun May 3 21:59:40 2020
New Revision: 360615
URL: https://svnweb.freebsd.org/changeset/base/360615
Log:
Fix handling of ktls not enabled in the daemons.
Also, fix a case in the client daemon where it did not obey the "-d"
option properly.
Modified:
projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 18:46:03 2020 (r360614)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 21:59:40 2020 (r360615)
@@ -579,10 +579,18 @@ rpctls_connect(SSL_CTX *ctx, int s)
NULL, 0);
cp2 = X509_NAME_oneline(X509_get_subject_name(cert),
NULL, 0);
- syslog(LOG_INFO | LOG_DAEMON, "rpctls_connect: client"
- " IP %s issuerName=%s subjectName=%s verify "
- "failed %s\n", hostnam, cp, cp2,
- X509_verify_cert_error_string(ret));
+ if (rpctls_debug_level == 0)
+ syslog(LOG_INFO | LOG_DAEMON,
+ "rpctls_connect: client IP %s "
+ "issuerName=%s subjectName=%s verify "
+ "failed %s\n", hostnam, cp, cp2,
+ X509_verify_cert_error_string(ret));
+ else
+ fprintf(stderr,
+ "rpctls_connect: client IP %s "
+ "issuerName=%s subjectName=%s verify "
+ "failed %s\n", hostnam, cp, cp2,
+ X509_verify_cert_error_string(ret));
}
SSL_free(ssl);
return (NULL);
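Review bot: The two strings returned by `X509_NAME_oneline(..., NULL, 0)` are heap-allocated by OpenSSL, and the verify-failure branch closes right after the log call without releasing them, so each failed verification appears to leak `cp` and `cp2` in a long-running daemon. Adding `OPENSSL_free(cp);` and `OPENSSL_free(cp2);` after the if/else would fix that, and a NULL return from either call should be guarded before it is passed to `%s`. The names come from the peer's certificate, so how often this path runs is driven by remote input. rpctls_connect starts outside the hunk, so whether `cert` itself is released elsewhere cannot be seen here.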
@@ -595,12 +603,14 @@ rpctls_connect(SSL_CTX *ctx, int s)
ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret);
}
-#ifdef notnow
if (ret == 0) {
+ if (rpctls_debug_level == 0)
+ syslog(LOG_ERR, "ktls not working\n");
+ else
+ fprintf(stderr, "ktls not working\n");
SSL_free(ssl);
return (NULL);
}
-#endif
return (ssl);
}
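Review bot: The new `ktls not working` message carries no function name, peer or direction (send vs. receive), and it passes `LOG_ERR` without the `LOG_DAEMON` facility used by the verify-failure message earlier in rpctls_connect. This path now drops the connection, so an operator needs to tell it apart from a certificate failure in the logs; something like `syslog(LOG_ERR | LOG_DAEMON, "rpctls_connect: ktls not enabled for %s\n", hostnam);` would do, assuming `hostnam` is still in scope at this point. The same bare message is added in the rpctlssd.c hunk. The `rpctls_debug_level == 0` syslog/fprintf pair now appears three times in this commit and could move into one small helper. The function body starts outside the hunk.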
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 18:46:03 2020 (r360614)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 21:59:40 2020 (r360615)
@@ -672,12 +672,17 @@ rpctlssd_verbose_out("%s\n", cp2);
ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_recv=%d\n", ret);
}
-#ifdef notnow
if (ret == 0) {
- SSL_free(ssl);
- return (NULL);
+ if (rpctls_debug_level == 0)
+ syslog(LOG_ERR, "ktls not working\n");
+ else
+ fprintf(stderr, "ktls not working\n");
+ /*
+ * The handshake has completed, so all that can be
+ * done is disable the connection.
+ */
+ *flags |= RPCTLS_FLAGS_DISABLED;
}
-#endif
return (ssl);
}
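Review bot: On the ktls failure path the server still returns a non-NULL `ssl` and signals the problem only through `*flags |= RPCTLS_FLAGS_DISABLED`, whereas the client daemon in this same commit frees the SSL and returns NULL. Failing closed here therefore depends on every caller testing the flag before it uses the connection, which cannot be confirmed from this hunk. I would extend the comment to state that contract, e.g. `/* Caller must check RPCTLS_FLAGS_DISABLED and must not pass RPC traffic on this socket. */`, and confirm that `flags` cannot be NULL at this point. The function begins outside the hunk.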