svn commit: r360580 - in projects/nfs-over-tls/usr.sbin: rpctlscd rpctlssd
Rick Macklem
rmacklem at FreeBSD.org
Sun May 3 00:15:20 UTC 2020
Author: rmacklem
Date: Sun May 3 00:15:18 2020
New Revision: 360580
URL: https://svnweb.freebsd.org/changeset/base/360580
Log:
Fix the daemons so they actually work with jhb@'s patched openssl3.
The code now has passed a trivial test, where an NFS mount was TLS1.2
encrypted on the wire.
I will be updating the setup document, so others will be able to set
up system(s) for testing.
I have not yet decided on the correct way to handle a failure
to set up the ktls. For the server, I suspect it is clearing of
the flags that say "handshake complete".
For the client, I am not sure if the mount should continue unencrypted
or the mount attempt should fail?
At this time, the daemons build, but report warnings that
SSL_CTX_load_XXX is deprecated. It works until I figure out what the
preferred OpenSSL 3 call is.
Modified:
projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile
projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile
projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:12:56 2020 (r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/Makefile Sun May 3 00:15:18 2020 (r360580)
@@ -8,7 +8,10 @@ SRCS= rpctlscd.c rpctlscd.h rpctlscd_svc.c rpctlscd_xd
CFLAGS+= -I.
-LIBADD= ssl crypto
+CFLAGS+= -I/usr/ktls/include
+LDFLAGS+= -L/usr/ktls/lib
+
+LIBADD= ssl crypto util
CLEANFILES= rpctlscd_svc.c rpctlscd_xdr.c rpctlscd.h
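Review bot: The new `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` lines hard-code a local install prefix for the patched OpenSSL, and the identical lines are added to the rpctlssd Makefile in this commit. One overridable variable keeps both Makefiles in step and makes the external dependency visible: `KTLSDIR?= /usr/ktls`, `CFLAGS+= -I${KTLSDIR}/include`, `LDFLAGS+= -L${KTLSDIR}/lib`. Note that `-L` only affects link time; unless the binary also records a runtime search path, the dynamic linker may well resolve libssl/libcrypto from the base system rather than the ktls-enabled build, so it is worth confirming with ldd which libraries the daemon actually loads.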
Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:12:56 2020 (r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Sun May 3 00:15:18 2020 (r360580)
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$");
#include <rpc/rpc_com.h>
#include <rpc/rpcsec_tls.h>
+#include <openssl/opensslconf.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -72,7 +73,7 @@ __FBSDID("$FreeBSD$");
#define _PATH_RPCTLSCDPID "/var/run/rpctlscd.pid"
#endif
#ifndef _PREFERRED_CIPHERS
-#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA"
+#define _PREFERRED_CIPHERS "AES128-GCM-SHA256"
#endif
static struct pidfh *rpctls_pfh = NULL;
@@ -382,7 +383,6 @@ rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_a
rpctlscd_verbose_out("rpctlscd_disconnect: fd=%d closed\n",
slp->s);
LIST_REMOVE(slp, next);
- SSL_shutdown(slp->ssl);
SSL_free(slp->ssl);
/*
* For RPC-over-TLS, this upcall is expected
@@ -560,7 +560,6 @@ rpctls_connect(SSL_CTX *ctx, int s)
if (cert == NULL) {
rpctlscd_verbose_out("rpctls_connect: get peer"
" certificate failed\n");
- SSL_shutdown(ssl);
SSL_free(ssl);
return (NULL);
}
@@ -585,17 +584,24 @@ rpctls_connect(SSL_CTX *ctx, int s)
"failed %s\n", hostnam, cp, cp2,
X509_verify_cert_error_string(ret));
}
- SSL_shutdown(ssl);
SSL_free(ssl);
return (NULL);
}
-#ifdef notnow
+ /* Check to see if ktls is enabled on the connection. */
ret = BIO_get_ktls_send(SSL_get_wbio(ssl));
- fprintf(stderr, "ktls_send=%d\n", ret);
- ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
- fprintf(stderr, "ktls_recv=%d\n", ret);
+ rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret);
+ if (ret != 0) {
+ ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
+ rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret);
+ }
+#ifdef notnow
+ if (ret == 0) {
+ SSL_free(ssl);
+ return (NULL);
+ }
#endif
+
return (ssl);
}
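Review bot: In rpctls_connect, the ktls check added after certificate verification only logs its result: when `BIO_get_ktls_send` or `BIO_get_ktls_recv` returns 0, `ret` is 0 but the `SSL_free`/`return (NULL)` path is under `#ifdef notnow`, so the function still hands back the SSL object for a connection whose record layer never moved into the kernel. If, as the log message suggests, the kernel side relies on ktls being active to protect the RPC stream, that is a silent downgrade, and the safer default while the policy is undecided is to fail closed: drop the `#ifdef notnow`/`#endif` around the `if (ret == 0)` block so the client never proceeds on an unprotected connection, keeping the verbose log lines so the cause is visible. The same guarded block is added to rpctls_server in rpctlssd.c. rpctls_connect's body starts outside the hunk.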
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:12:56 2020 (r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/Makefile Sun May 3 00:15:18 2020 (r360580)
@@ -8,7 +8,10 @@ SRCS= rpctlssd.c rpctlssd.h rpctlssd_svc.c rpctlssd_xd
CFLAGS+= -I.
-LIBADD= ssl crypto
+CFLAGS+= -I/usr/ktls/include
+LDFLAGS+= -L/usr/ktls/lib
+
+LIBADD= ssl crypto util
CLEANFILES= rpctlssd_svc.c rpctlssd_xdr.c rpctlssd.h
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:12:56 2020 (r360579)
+++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun May 3 00:15:18 2020 (r360580)
@@ -56,6 +56,7 @@ __FBSDID("$FreeBSD$");
#include <rpc/rpc_com.h>
#include <rpc/rpcsec_tls.h>
+#include <openssl/opensslconf.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@@ -74,7 +75,7 @@ __FBSDID("$FreeBSD$");
#define _PATH_RPCTLSSDPID "/var/run/rpctlssd.pid"
#endif
#ifndef _PREFERRED_CIPHERS
-#define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA"
+#define _PREFERRED_CIPHERS "AES128-GCM-SHA256"
#endif
static struct pidfh *rpctls_pfh = NULL;
@@ -663,6 +664,21 @@ rpctlssd_verbose_out("%s\n", cp2);
rpctlssd_verbose_out("rpctls_server: "
"No peer certificate\n");
}
+
+ /* Check to see that ktls is working for the connection. */
+ ret = BIO_get_ktls_send(SSL_get_wbio(ssl));
+ rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_send=%d\n", ret);
+ if (ret != 0) {
+ ret = BIO_get_ktls_recv(SSL_get_rbio(ssl));
+ rpctlssd_verbose_out("rpctls_server: BIO_get_ktls_recv=%d\n", ret);
+ }
+#ifdef notnow
+ if (ret == 0) {
+ SSL_free(ssl);
+ return (NULL);
+ }
+#endif
+
return (ssl);
}
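Review bot: `_PREFERRED_CIPHERS` is now the single suite `AES128-GCM-SHA256`, which in OpenSSL naming is the TLS 1.2 suite with static RSA key exchange, so it offers no forward secrecy: anyone who later obtains the server's private key can decrypt previously recorded sessions. Assuming the string is passed to SSL_CTX_set_cipher_list (that call is outside the hunk), the ECDHE form `ECDHE-RSA-AES128-GCM-SHA256` gives the same AEAD cipher with ephemeral key exchange, and a short ordered list such as `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"` also leaves room for an ECDSA certificate. The cipher list does not govern TLS 1.3 at all, whose suites are configured with SSL_CTX_set_ciphersuites, so whether TLS 1.3 is meant to be allowed should be made explicit as well. The same define is changed identically in rpctlscd.c.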