From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Xin Long <lucien.xin@gmail.com>
Subject: [PATCH v1 02/16] tlshd: leave session_status as EIO on GnuTLS failure in QUIC session setup
Date: Thu, 25 Sep 2025 21:21:51 -0400 [thread overview]
Message-ID: <20250926012207.3642990-3-cel@kernel.org> (raw)
In-Reply-To: <20250926012207.3642990-1-cel@kernel.org>
From: Xin Long <lucien.xin@gmail.com>
Align the QUIC session setup error handling with the TLS 1.3 code paths:
- tlshd_tls13_client_x509_handshake()
- tlshd_tls13_client_psk_handshake()
- tlshd_tls13_server_x509_handshake()
- tlshd_tls13_server_psk_handshake()
The QUIC session setup functions:
- tlshd_quic_client_set_x509_session()
- tlshd_quic_client_set_psk_session()
- tlshd_quic_server_set_x509_session()
- tlshd_quic_server_set_psk_session()
will no longer return an error directly. Instead, if a GnuTLS API call
fails, session_status is left as EIO after logging the Gnutls errors.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
src/tlshd/client.c | 42 ++++++++++++++++++++----------------------
src/tlshd/server.c | 29 +++++++++++++----------------
2 files changed, 33 insertions(+), 38 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index ad9a7931a6cd..3415fddfa0c4 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -530,17 +530,17 @@ static int tlshd_quic_client_x509_verify_function(gnutls_session_t session)
#define TLSHD_QUIC_NO_CERT_AUTH 3
-static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_session_t session;
- int ret = -EINVAL;
+ int ret;
if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
- tlshd_log_error("cert/privkey get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get cert or privkey");
+ return;
}
}
ret = gnutls_certificate_allocate_credentials(&cred);
@@ -581,7 +581,8 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
goto err_session;
}
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -590,29 +591,28 @@ err:
tlshd_x509_client_put_privkey();
tlshd_x509_client_put_certs();
tlshd_log_gnutls_error(ret);
- return ret;
}
-static int tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_anon_session(struct tlshd_quic_conn *conn)
{
conn->cert_req = TLSHD_QUIC_NO_CERT_AUTH;
- return tlshd_quic_client_set_x509_session(conn);
+ tlshd_quic_client_set_x509_session(conn);
}
-static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
{
key_serial_t peerid = g_array_index(conn->parms->peerids, key_serial_t, 0);
gnutls_psk_client_credentials_t cred;
gnutls_session_t session;
char *identity = NULL;
gnutls_datum_t key;
- int ret = -EINVAL;
+ int ret;
if (!tlshd_keyring_get_psk_username(peerid, &identity) ||
!tlshd_keyring_get_psk_key(peerid, &key)) {
free(identity);
- tlshd_log_error("identity/key get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get key identity or read key");
+ return;
}
ret = gnutls_psk_allocate_client_credentials(&cred);
@@ -630,7 +630,8 @@ static int tlshd_quic_client_set_psk_session(struct tlshd_quic_conn *conn)
if (ret)
goto err_session;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -638,7 +639,6 @@ err_cred:
err:
free(identity);
tlshd_log_gnutls_error(ret);
- return ret;
}
/**
@@ -659,26 +659,24 @@ void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms)
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_UNAUTH:
- ret = tlshd_quic_client_set_anon_session(conn);
+ tlshd_quic_client_set_anon_session(conn);
break;
case HANDSHAKE_AUTH_X509:
- ret = tlshd_quic_client_set_x509_session(conn);
+ tlshd_quic_client_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
- ret = tlshd_quic_client_set_psk_session(conn);
+ tlshd_quic_client_set_psk_session(conn);
break;
default:
- ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
- if (ret) {
- conn->errcode = -ret;
+
+ if (!conn->session)
goto out;
- }
tlshd_quic_start_handshake(conn);
-out:
parms->session_status = conn->errcode;
+out:
tlshd_quic_conn_destroy(conn);
}
#else
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 6531f0819d2b..8bb769ff9f74 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -562,17 +562,17 @@ found:
return 0;
}
-static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
{
struct tlshd_handshake_parms *parms = conn->parms;
gnutls_certificate_credentials_t cred;
gnutls_datum_t ticket_key;
gnutls_session_t session;
- int ret = -EINVAL;
+ int ret;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
- tlshd_log_error("cert/privkey get error %d", -ret);
- return ret;
+ tlshd_log_error("Failed to get cert or privkey");
+ return;
}
ret = gnutls_certificate_allocate_credentials(&cred);
@@ -619,7 +619,8 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
conn->is_serv = 1;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
@@ -628,10 +629,9 @@ err:
tlshd_x509_server_put_privkey();
tlshd_x509_server_put_certs();
tlshd_log_gnutls_error(ret);
- return ret;
}
-static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
+static void tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
{
gnutls_psk_server_credentials_t cred;
gnutls_session_t session;
@@ -654,14 +654,14 @@ static int tlshd_quic_server_set_psk_session(struct tlshd_quic_conn *conn)
conn->is_serv = 1;
conn->session = session;
- return 0;
+ return;
+
err_session:
gnutls_deinit(session);
err_cred:
gnutls_psk_free_server_credentials(cred);
err:
tlshd_log_gnutls_error(ret);
- return ret;
}
/**
@@ -682,23 +682,20 @@ void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms)
switch (parms->auth_mode) {
case HANDSHAKE_AUTH_X509:
- ret = tlshd_quic_server_set_x509_session(conn);
+ tlshd_quic_server_set_x509_session(conn);
break;
case HANDSHAKE_AUTH_PSK:
- ret = tlshd_quic_server_set_psk_session(conn);
+ tlshd_quic_server_set_psk_session(conn);
break;
default:
- ret = -EINVAL;
tlshd_log_debug("Unrecognized auth mode (%d)", parms->auth_mode);
}
- if (ret) {
- conn->errcode = -ret;
+ if (!conn->session)
goto out;
- }
tlshd_quic_start_handshake(conn);
-out:
parms->session_status = conn->errcode;
+out:
tlshd_quic_conn_destroy(conn);
}
#else
--
2.51.0
next prev parent reply other threads:[~2025-09-26 1:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-26 1:21 [PATCH v1 00/16] Create gh-pages for ktls-utils Chuck Lever
2025-09-26 1:21 ` [PATCH v1 01/16] tlshd: Add kernel's quic.h Chuck Lever
2025-09-26 1:21 ` Chuck Lever [this message]
2025-09-26 1:21 ` [PATCH v1 03/16] tlshd: set conn errcode to EACCES on GnuTLS failure in QUIC handshake Chuck Lever
2025-09-26 1:21 ` [PATCH v1 04/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/client.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 05/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/config.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 06/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/handshake.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 07/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/keyring.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 08/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/ktls.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 09/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/log.c Chuck Lever
2025-09-26 1:21 ` [PATCH v1 10/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/main.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 11/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/netlink.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 12/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/quic.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 13/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/server.c Chuck Lever
2025-09-26 1:22 ` [PATCH v1 14/16] tlshd: Translate kernel-style Doxygen comments in src/tlshd/tlshd.h Chuck Lever
2025-09-26 1:22 ` [PATCH v1 15/16] Build Doxygen web site Chuck Lever
2025-09-26 1:22 ` [PATCH v1 16/16] workflows: Generate gh-pages automatically Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250926012207.3642990-3-cel@kernel.org \
--to=cel@kernel.org \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=lucien.xin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox