From nobody Fri Jun 03 02:10:36 2022
Date: Fri, 3 Jun 2022 02:10:36 GMT
Message-Id: <202206030210.2532Aa7w028847@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: 146e1dbbf6b9 - stable/13 - rpc.tlsservd: Add a -C command line option for preferred_ciphers
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 146e1dbbf6b9634a5cd06e1b5ff81d417627fcae

The branch stable/13 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=146e1dbbf6b9634a5cd06e1b5ff81d417627fcae commit 146e1dbbf6b9634a5cd06e1b5ff81d417627fcae Author: Rick Macklem AuthorDate: 2022-05-05 22:54:14 +0000 Commit: Rick Macklem CommitDate: 2022-06-03 02:09:41 +0000 rpc.tlsservd: Add a -C command line option for preferred_ciphers rpc.tlsclntd has a -C command line option for setting preferred_ciphers. Testing at a recent IETF NFSv4 testing event showed that setting preferred_ciphers is not normally needed for the rpc.tlsservd. This patch modifies rpc.tlsservd to not specify preferred_ciphers by default, but provides the same -C option as rpc.tlsclntd to set preferred_ciphers, in case it is needed. The man page update will be done as a separate commit. (cherry picked from commit 712aac1389e8476ff3da98fd7ec80bf71fc601f4) --- usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 16dd3e9c2d8b..2e27a112b6e2 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -104,6 +104,7 @@ static uint64_t rpctls_ssl_usec = 0; static bool rpctls_cnuser = false; static char *rpctls_dnsname; static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; +static const char *rpctls_ciphers = NULL; static void rpctlssd_terminate(int); static SSL_CTX *rpctls_setup_ssl(const char *certdir); @@ -118,6 +119,7 @@ static void rpctls_huphandler(int sig __unused); extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); static struct option longopts[] = { + { "ciphers", required_argument, NULL, 'C' }, { "certdir", required_argument, NULL, 'D' }, { "debuglevel", no_argument, NULL, 'd' }, { "checkhost", no_argument, NULL, 'h' }, 
@@ -179,9 +181,12 @@ main(int argc, char **argv) debug = 0; rpctls_verbose = false; - while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts, + while ((ch = getopt_long(argc, argv, "CD:dhl:n:mp:r:uvWw", longopts, NULL)) != -1) { switch (ch) { + case 'C': + rpctls_ciphers = optarg; + break; case 'D': rpctls_certdir = optarg; break; @@ -559,16 +564,20 @@ rpctls_setup_ssl(const char *certdir) } SSL_CTX_set_ecdh_auto(ctx, 1); - /* - * Set preferred ciphers, since KERN_TLS only supports a - * few of them. - */ - ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS); - if (ret == 0) { - rpctls_verbose_out("rpctls_setup_ssl: " - "SSL_CTX_set_cipher_list failed to set any ciphers\n"); - SSL_CTX_free(ctx); - return (NULL); + if (rpctls_ciphers != NULL) { + /* + * Set preferred ciphers, since KERN_TLS only supports a + * few of them. Normally, not doing this should be ok, + * since the library defaults will work. + */ + ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers); + if (ret == 0) { + rpctls_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_cipher_list failed: %s\n", + rpctls_ciphers); + SSL_CTX_free(ctx); + return (NULL); + } } /* Get the cert.pem and certkey.pem files from the directory certdir. */
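Review bot: in the hunk at @@ -179,9 +181,12 @@ the new short-option string "CD:dhl:n:mp:r:uvWw" has no ':' after 'C', so a short-form `-C <list>` takes no argument: getopt_long() returns 'C' with optarg == NULL, `case 'C':` stores NULL in rpctls_ciphers (silently leaving the default cipher behaviour in place), and the intended cipher list is left over as a stray non-option argument. Only the long form, `--ciphers <list>`, works, because the longopts entry is required_argument. The string should be "C:D:dhl:n:mp:r:uvWw" so the short option matches the longopts entry and the rpc.tlsclntd -C option the commit message says it mirrors.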
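Review bot: in the hunk at @@ -559,16 +564,20 @@ the SSL_CTX_set_cipher_list() call inside the new `if (rpctls_ciphers != NULL)` block only configures the TLSv1.2-and-earlier cipher list; in OpenSSL 1.1.1 and later the TLSv1.3 ciphersuites are a separate list set with SSL_CTX_set_ciphersuites() and are unaffected by this call. If the -C list is meant to restrict what is negotiated to the suites KERN_TLS supports (the reason the comment gives for setting it), a TLSv1.3 session will ignore it, so either also call SSL_CTX_set_ciphersuites() for TLSv1.3 names, or state in the -C documentation that the list applies only to pre-1.3 ciphers. A smaller point: now that the default path sets no list at all, the comment "Normally, not doing this should be ok, since the library defaults will work" should say what happens when a default-negotiated cipher is one KERN_TLS does not support, since the old unconditional restriction no longer guards that case.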