tlshd: Return a non-zero peerid

chucklever · chucklever · commit 239ff5d19a3c · 2025-07-31T14:34:04.000-04:00
NFSD depends on seeing a non-zero peerid to know when the session
has been authenticated (mTLS). Currently NFSD does not read or
parse the remote peer's certificate.

If tlshd fails to link the certificate onto the USER_SPEC keyring,
it still needs to return a peerid that is non-zero to show that
the remote peer presented a trusted certificate.

Hack city. But this "fix" is compatible with older kernels and
ktls-utils releases. A more complete fix is forthcoming.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
@@ -224,6 +224,8 @@ static int tlshd_server_x509_verify_function(gnutls_session_t session,
 			return GNUTLS_E_CERTIFICATE_ERROR;
 		}
 		peerid = tlshd_keyring_create_cert(cert, parms->peername);
+		if (peerid == TLS_NO_PEERID)
+			peerid = UINT_MAX;
 		g_array_append_val(parms->remote_peerids, peerid);
 		gnutls_x509_crt_deinit(cert);
 	}

Original file line number	Diff line number	Diff line change
`@@ -224,6 +224,8 @@ static int tlshd_server_x509_verify_function(gnutls_session_t session,`
`224`	`224`	`return GNUTLS_E_CERTIFICATE_ERROR;`
`225`	`225`	`}`
`226`	`226`	`peerid = tlshd_keyring_create_cert(cert, parms->peername);`
	`227`	`+ if (peerid == TLS_NO_PEERID)`
	`228`	`+ peerid = UINT_MAX;`
`227`	`229`	`g_array_append_val(parms->remote_peerids, peerid);`
`228`	`230`	`gnutls_x509_crt_deinit(cert);`
`229`	`231`	`}`