svn commit: r360580 - in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd

Rick Macklem rmacklem at FreeBSD.org
Sun May 3 00:15:20 UTC 2020


Author: rmacklem
Date: Sun May  3 00:15:18 2020
New Revision: 360580
URL: https://svnweb.freebsd.org/changeset/base/360580

Log:
  Fix the daemons so they actually work with jhb@'s patched openssl3.
  
  The code now has passed a trivial test, where an NFS mount was TLS1.2
  encrypted on the wire.
  I will be updating the setup document, so others will be able to set
  up system(s) for testing.
  
  I have not yet decided what the correct way to handle a failure
  to set up the ktls is. For the server, I suspect it is clearing
  the flags that say "handshake complete".
  For the client, I am not sure whether the mount should continue unencrypted
  or whether the mount attempt should fail.
  
  At this time, the daemons build, but report warnings that
  SSL_CTX_load_XXX is deprecated. It works until I figure out what the
  preferred OpenSSL 3 call is.

Modified:
  projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile
  projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
  projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c

Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile	Sun May  3 00:12:56 2020	(r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile	Sun May  3 00:15:18 2020	(r360580)
@@ -8,7 +8,10 @@ SRCS=	rpctlscd.c rpctlscd.h rpctlscd_svc.c rpctlscd_xd
 
 CFLAGS+= -I.
 
-LIBADD=	ssl crypto
+CFLAGS+= -I/usr/ktls/include
+LDFLAGS+= -L/usr/ktls/lib
+
+LIBADD=	ssl crypto util
 
 CLEANFILES= rpctlscd_svc.c rpctlscd_xdr.c rpctlscd.h
 
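Review bot: The search paths added as `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` are absolute paths into a private build of the patched OpenSSL, so the daemons build only on a host laid out exactly that way and link against whichever libssl/libcrypto happen to be installed there rather than the base system's. Making the prefix overridable keeps the development setup working while letting a later build against an in-tree OpenSSL 3 drop the paths: `KTLS_PREFIX?= /usr/ktls`, `CFLAGS+= -I${KTLS_PREFIX}/include`, `LDFLAGS+= -L${KTLS_PREFIX}/lib`. Note that `-L` only affects link time; if the libraries under that prefix are shared objects, the run-time loader will presumably need an rpath or ldconfig entry as well, which is worth a comment here. The rpctlssd Makefile hunk makes the identical change.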

Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c	Sun May  3 00:12:56 2020	(r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c	Sun May  3 00:15:18 2020	(r360580)
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$");
 #include <rpc/rpc_com.h>
 #include <rpc/rpcsec_tls.h>
 
+#include <openssl/opensslconf.h>
 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -72,7 +73,7 @@ __FBSDID("$FreeBSD$");
 #define	_PATH_RPCTLSCDPID	"/var/run/rpctlscd.pid"
 #endif
 #ifndef	_PREFERRED_CIPHERS
-#define	_PREFERRED_CIPHERS	"SHA384:SHA256:!CAMELLIA"
+#define	_PREFERRED_CIPHERS	"AES128-GCM-SHA256"
 #endif
 
 static struct pidfh	*rpctls_pfh = NULL;
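Review bot: The new `_PREFERRED_CIPHERS` value `AES128-GCM-SHA256` is, in OpenSSL cipher-string naming, the static-RSA key-exchange suite (TLS_RSA_WITH_AES_128_GCM_SHA256), so pinning the list to it gives up forward secrecy: a later compromise of the server key exposes every recorded session. If the intent is to restrict negotiation to an AEAD suite the kernel TLS code can offload, the ECDHE variants give the same record protection, e.g. `#define _PREFERRED_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"`. This string (presumably passed to SSL_CTX_set_cipher_list, outside the hunk) only governs TLS 1.2 and earlier; TLS 1.3 suites are chosen via SSL_CTX_set_ciphersuites, so if the context permits TLS 1.3 the restriction does not apply there. A comment on the define explaining why a single suite is selected would help the next reader, e.g. `/* Restrict to an AEAD suite that ktls can offload. */`. The rpctlssd.c `_PREFERRED_CIPHERS` hunk makes the identical change.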
@@ -382,7 +383,6 @@ rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_a
 		rpctlscd_verbose_out("rpctlscd_disconnect: fd=%d closed\n",
 		    slp->s);
 		LIST_REMOVE(slp, next);
-		SSL_shutdown(slp->ssl);
 		SSL_free(slp->ssl);
 		/*
 		 * For RPC-over-TLS, this upcall is expected
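Review bot: With `SSL_shutdown(slp->ssl)` removed, the disconnect path calls `SSL_free` without ever sending a close_notify alert, so the peer sees the TCP close as a truncation rather than an orderly TLS shutdown; the same removal appears in the two `rpctls_connect` error paths in the following hunks. If that is deliberate — presumably because the record layer has been handed to the kernel and the daemon's SSL object no longer owns the data stream, which should be confirmed — a one-line comment at the `SSL_free` would stop someone re-adding the shutdown: `/* No SSL_shutdown(): close_notify is not sent from the daemon once ktls owns the record layer. */`. For the two error paths the handshake has already completed, so the server is left with an established session that simply vanishes; if that is acceptable it deserves the same comment.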
@@ -560,7 +560,6 @@ rpctls_connect(SSL_CTX *ctx, int s)
 	if (cert == NULL) {
 		rpctlscd_verbose_out("rpctls_connect: get peer"
 		    " certificate failed\n");
-		SSL_shutdown(ssl);
 		SSL_free(ssl);
 		return (NULL);
 	}
@@ -585,17 +584,24 @@ rpctls_connect(SSL_CTX *ctx, int s)
 			    "failed %s\n", hostnam, cp, cp2,
 			    X509_verify_cert_error_string(ret));
 		}
-		SSL_shutdown(ssl);
 		SSL_free(ssl);
 		return (NULL);
 	}
 
-#ifdef notnow
+	/* Check to see if ktls is enabled on the connection. */
 	ret = BIO_get_ktls_send(SSL_get_wbio(ssl));
-	fprintf(stderr, "ktls_send=%d\n", ret);
-	ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
-	fprintf(stderr, "ktls_recv=%d\n", ret);
+	rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret);
+	if (ret != 0) {
+		ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
+		rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret);
+	}
+#ifdef notnow
+	if (ret == 0) {
+		SSL_free(ssl);
+		return (NULL);
+	}
 #endif
+
 	return (ssl);
 }
 
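Review bot: The ktls probe's outcome is only logged: the `ret` left by `BIO_get_ktls_recv` is never acted on because the failure branch sits under `#ifdef notnow`, so `rpctls_connect` returns a non-NULL `ssl` even when the kernel has not been given the session keys, and the caller (outside the hunk) cannot distinguish that case from success. Until the policy described in the log message is settled, the function should at least report the state rather than hide it — fail closed here, or add an out-parameter such as `int *ktlsp` the caller uses to decide — since a connection the daemon believes is protected but that the kernel is not treating as TLS is the worst of the possible outcomes. `ret` is also reused for the verify result, the send probe and the receive probe within one function, which makes the two log lines harder to correlate; separate locals `int ktls_send, ktls_recv;` would read better. The enclosing function starts outside the hunk, and the `rpctls_server` hunk in rpctlssd.c has the identical probe and the same gap.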

Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile	Sun May  3 00:12:56 2020	(r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile	Sun May  3 00:15:18 2020	(r360580)
@@ -8,7 +8,10 @@ SRCS=	rpctlssd.c rpctlssd.h rpctlssd_svc.c rpctlssd_xd
 
 CFLAGS+= -I.
 
-LIBADD=	ssl crypto
+CFLAGS+= -I/usr/ktls/include
+LDFLAGS+= -L/usr/ktls/lib
+
+LIBADD=	ssl crypto util
 
 CLEANFILES= rpctlssd_svc.c rpctlssd_xdr.c rpctlssd.h
 

Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c	Sun May  3 00:12:56 2020	(r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c	Sun May  3 00:15:18 2020	(r360580)
@@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$");
 #include <rpc/rpc_com.h>
 #include <rpc/rpcsec_tls.h>
 
+#include <openssl/opensslconf.h>
 #include <openssl/bio.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -74,7 +75,7 @@ __FBSDID("$FreeBSD$");
 #define	_PATH_RPCTLSSDPID	"/var/run/rpctlssd.pid"
 #endif
 #ifndef	_PREFERRED_CIPHERS
-#define	_PREFERRED_CIPHERS	"SHA384:SHA256:!CAMELLIA"
+#define	_PREFERRED_CIPHERS	"AES128-GCM-SHA256"
 #endif
 
 static struct pidfh	*rpctls_pfh = NULL;
@@ -663,6 +664,21 @@ rpctlssd_verbose_out("%s\n", cp2);
 			rpctlssd_verbose_out("rpctls_server: "
 			    "No peer certificate\n");
 	}
+
+	/* Check to see that ktls is working for the connection. */
+	ret = BIO_get_ktls_send(SSL_get_wbio(ssl));
+	rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_send=%d\n", ret);
+	if (ret != 0) {
+		ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
+		rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_recv=%d\n", ret);
+	}
+#ifdef notnow
+	if (ret == 0) {
+		SSL_free(ssl);
+		return (NULL);
+	}
+#endif
+
 	return (ssl);
 }
 

