From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Xin Long <lucien.xin@gmail.com>
Subject: [PATCH v1 02/16] tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup
Date: Thu, 25 Sep 2025 21:21:51 -0400 [thread overview]
Message-ID: <20250926012207.3642990-3-cel@kernel.org> (raw)
In-Reply-To: <20250926012207.3642990-1-cel@kernel.org>
From: Xin Long <lucien.xin@gmail.com>
Align the QUIC session setup error handling with the TLS 1.3 code paths:
- tlshd_tls13_client_x509_handshake()
- tlshd_tls13_client_psk_handshake()
- tlshd_tls13_server_x509_handshake()
- tlshd_tls13_server_psk_handshake()
The QUIC session setup functions:
- tlshd_quic_client_set_x509_session()
- tlshd_quic_client_set_psk_session()
- tlshd_quic_server_set_x509_session()
- tlshd_quic_server_set_psk_session()
will no longer return an error directly. Instead, if a GnuTLS API call
fails, session_status is left as EIO after logging the GnuTLS errors.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/client.c | 42 ++++++++++++++++++++----------------------
src/tlshd/server.c | 29 +++++++++++++----------------
2 files changed, 33 insertions(+), 38 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index ad9a7931a6cd..3415fddfa0c4 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -530,17 +530,17 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
#define TLSHD_QUIC_NO_CERT_AUTH 3
-static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_session_t session;
- int ret = -EINVAL;
+ int ret;
if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
- tlshd_log_error("cert/privkey get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get cert or privkey");
+ return;
}
}
ret = gnutls_certificate_allocate_credentials(&cred);
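Review bot: The early `return;` after the new "Failed to get cert or privkey" message releases nothing, while the `err:` label further down in this function calls tlshd_x509_client_put_privkey() and tlshd_x509_client_put_certs(); if tlshd_x509_client_get_certs() succeeded and only the privkey lookup failed, the certificates that were fetched appear to stay held. This predates the commit, but since the return is being rewritten it is the moment to release them, e.g. `tlshd_x509_client_put_certs();` before the `return;`, assuming put_certs is safe to call when the privkey was never fetched — worth confirming in keyring.c. The same shape recurs in tlshd_quic_server_set_x509_session() in server.c. The body of tlshd_quic_client_set_x509_session() continues past this hunk.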
@@ -581,7 +581,8 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
goto err_session;
}
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -590,29 +591,28 @@ err:
tlshd_x509_client_put_privkey();
tlshd_x509_client_put_certs();
tlshd_log_gnutls_error(ret);
- return ret;
}
-static int tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
{
conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH;
- return tlshd_quic_client_set_x509_session(conn);
+ tlshd_quic_client_set_x509_session(conn);
}
-static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
{
key_serial_t peerid = g_array_index(conn->parms->peerids, key_serial_t, 0);
gnutls_psk_client_credentials_t cred;
gnutls_session_t session;
char *identity = NULL;
gnutls_datum_t key;
- int ret = -EINVAL;
+ int ret;
if (!tlshd_keyring_get_psk_username(peerid, &identity) ||
!tlshd_keyring_get_psk_key(peerid, &key)) {
free(identity);
- tlshd_log_error("identity/key get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get key identity or read key");
+ return;
}
ret = gnutls_psk_allocate_client_credentials(&cred);
@@ -630,7 +630,8 @@ static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
if (ret)
goto err_session;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -638,7 +639,6 @@ err_cred:
err:
free(identity);
tlshd_log_gnutls_error(ret);
- return ret;
}
/**
@@ -659,26 +659,24 @@ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_UNAUTH:
- ret = tlshd_quic_client_set_anon_session(conn);
+ tlshd_quic_client_set_anon_session(conn);
break;
case HANDSHAKE_AUTH_X509:
- ret = tlshd_quic_client_set_x509_session(conn);
+ tlshd_quic_client_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
- ret = tlshd_quic_client_set_psk_session(conn);
+ tlshd_quic_client_set_psk_session(conn);
break;
default:
- ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
- if (ret) {
- conn->errcode = -ret;
+
+ if (!conn->session)
goto out;
- }
tlshd_quic_start_handshake(conn);
-out:
parms->session_status = conn->errcode;
+out:
tlshd_quic_conn_destroy(conn);
}
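Review bot: The new `if (!conn->session) goto out;` jumps past `parms->session_status = conn->errcode;`, so a failed session setup reports whatever session_status held before this function ran — EIO according to the description, presumably preinitialised by the caller, but nothing in this hunk establishes that. A side effect is that the `default:` case, which previously reported EINVAL via conn->errcode, now collapses to that initial value too; if the kernel side relies on the distinction, keep it with `parms->session_status = EINVAL;` in that case. If `ret` is still declared above this hunk it is now unused and should be dropped. A comment at the goto would make the contract explicit: `/* conn->session unset: setup failed, session_status keeps its initial EIO */`. The same applies to tlshd_quic_serverhello_handshake() in server.c.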
#else
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 6531f0819d2b..8bb769ff9f74 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -562,17 +562,17 @@ found:
return 0;
}
-static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_datum_t ticket_key;
gnutls_session_t session;
- int ret = -EINVAL;
+ int ret;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
- tlshd_log_error("cert/privkey get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get cert or privkey");
+ return;
}
ret = gnutls_certificate_allocate_credentials(&cred);
@@ -619,7 +619,8 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
conn->is_serv = 1;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -628,10 +629,9 @@ err:
tlshd_x509_server_put_privkey();
tlshd_x509_server_put_certs();
tlshd_log_gnutls_error(ret);
- return ret;
}
-static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
{
gnutls_psk_server_credentials_t cred;
gnutls_session_t session;
@@ -654,14 +654,14 @@ static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
conn->is_serv = 1;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
gnutls_psk_free_server_credentials(cred);
err:
tlshd_log_gnutls_error(ret);
- return ret;
}
/**
@@ -682,23 +682,20 @@ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_X509:
- ret = tlshd_quic_server_set_x509_session(conn);
+ tlshd_quic_server_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
- ret = tlshd_quic_server_set_psk_session(conn);
+ tlshd_quic_server_set_psk_session(conn);
break;
default:
- ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
- if (ret) {
- conn->errcode = -ret;
+ if (!conn->session)
goto out;
- }
tlshd_quic_start_handshake(conn);
-out:
parms->session_status = conn->errcode;
+out:
tlshd_quic_conn_destroy(conn);
}
#else
--
2.51.0