From owner-svn-src-projects@freebsd.org  Fri Oct 30 14:42:02 2020
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id E402945396D
 for <svn-src-projects@mailman.nyi.freebsd.org>;
 Fri, 30 Oct 2020 14:42:02 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CN4lG450zz43wy;
 Fri, 30 Oct 2020 14:42:02 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6F7D3180BC;
 Fri, 30 Oct 2020 14:42:02 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09UEg2Z6081897;
 Fri, 30 Oct 2020 14:42:02 GMT (envelope-from rmacklem@FreeBSD.org)
Received: (from rmacklem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09UEg2jJ081881;
 Fri, 30 Oct 2020 14:42:02 GMT (envelope-from rmacklem@FreeBSD.org)
Message-Id: <202010301442.09UEg2jJ081881@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to
 rmacklem@FreeBSD.org using -f
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Fri, 30 Oct 2020 14:42:02 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367172 - projects/nfs-over-tls
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls
X-SVN-Commit-Revision: 367172
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 14:42:03 -0000

Author: rmacklem
Date: Fri Oct 30 14:42:02 2020
New Revision: 367172
URL: https://svnweb.freebsd.org/changeset/base/367172

Log:
  Fix the doc so that utilities can be built without kernel sources under
  /usr/nfs-over-tls.

Modified:
  projects/nfs-over-tls/nfs-over-tls-setup.txt

Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt	Fri Oct 30 14:41:19 2020	(r367171)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt	Fri Oct 30 14:42:02 2020	(r367172)
@@ -77,6 +77,10 @@ Now, you need to patch the include files in /usr/ktls/
 # patch -p0 < /usr/nfs-over-tls/openssl3.patch
 
 And now you should be able to build/install the utilities.
+First, make a symlink to your kernel sources in /usr/nfs-over-tls.
+# cd /usr/nfs-over-tls
+# ln -s /usr/src/sys sys
+Then the makes should work.
 # cd /usr/nfs-over-tls/usr.sbin/rpc.tlsservd
 # make SRCTOP=/usr/nfs-over-tls
 # cp rpc.tlsservd /usr/sbin
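Review bot: the new symlink step hardcodes /usr/src/sys while the sentence before it says "your kernel sources"; since the daemons are built against the headers in that tree, the note should say that /usr/src/sys has to be replaced with the path of the kernel tree that was actually patched and built earlier in this document. Also, `ln -s /usr/src/sys sys` fails with "File exists" when /usr/nfs-over-tls/sys is already present, so a reader re-running the steps after an update needs `ln -sf` or to remove the old link first.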

From owner-svn-src-projects@freebsd.org  Sat Oct 31 02:47:40 2020
Message-Id: <202010310247.09V2ldjW028663@repo.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Sat, 31 Oct 2020 02:47:39 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367191 - projects/nfs-over-tls/rc.d

Author: rmacklem
Date: Sat Oct 31 02:47:39 2020
New Revision: 367191
URL: https://svnweb.freebsd.org/changeset/base/367191

Log:
  Add a new rc.d script that enables the kernel tls and make the other
  scripts depend on it.

Added:
  projects/nfs-over-tls/rc.d/ktls
Modified:
  projects/nfs-over-tls/rc.d/tlsclntd
  projects/nfs-over-tls/rc.d/tlsservd

Added: projects/nfs-over-tls/rc.d/ktls
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/nfs-over-tls/rc.d/ktls	Sat Oct 31 02:47:39 2020	(r367191)
@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ktls
+# REQUIRE: NETWORKING
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="ktls"
+desc="Enable Kernel TLS"
+rcvar="ktls_enable"
+start_cmd="${name}_start"
+stop_cmd=":"
+
+ktls_start()
+{
+
+	sysctl -q kern.ipc.tls.enable=1 > /dev/null
+	err=$?
+	if [ "${err}" -ne 0 ]; then
+		warn "kernel must be built with options KERN_TLS for ktls"
+		return "${err}"
+	fi
+	sysctl kern.ipc.mb_use_ext_pgs=1 > /dev/null
+
+	#
+	# Load ktls_ocf and optionally aesni
+	#
+	load_kld ktls_ocf
+	if checkyesno ktls_aesni_enable; then
+		load_kld aesni
+	fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
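Review bot: ktls_start ignores the result of `load_kld ktls_ocf`, so a failed module load is not reported back to rc and the script still counts as started even though the sysctl was flipped on; check it the same way the first sysctl is checked (`load_kld ktls_ocf || return 1`). Two smaller points in the same function: `sysctl kern.ipc.mb_use_ext_pgs=1 > /dev/null` drops the -q and its status is never examined, and ktls_aesni_enable has no default (`: ${ktls_aesni_enable:="NO"}` after load_rc_config, or an entry in /etc/defaults/rc.conf), so a host that sets only ktls_enable="YES" gets a "not set properly" warning from checkyesno at every boot.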

Modified: projects/nfs-over-tls/rc.d/tlsclntd
==============================================================================
--- projects/nfs-over-tls/rc.d/tlsclntd	Sat Oct 31 01:12:35 2020	(r367190)
+++ projects/nfs-over-tls/rc.d/tlsclntd	Sat Oct 31 02:47:39 2020	(r367191)
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: tlsclntd
-# REQUIRE: NETWORKING
+# REQUIRE: NETWORKING root mountcritlocal ktls
 # KEYWORD: nojail shutdown
 
 . /etc/rc.subr
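Review bot: REQUIRE only fixes ordering; it does not make tlsclntd conditional on ktls having succeeded. If ktls_start returns nonzero (the "kernel must be built with options KERN_TLS" path), rc still runs this script and rpc.tlsclntd then exits with its own "Kernel TLS not enabled" message, so the boot log shows two failures that do not look related. Either add a start_precmd here that checks kern.ipc.tls.enable and skips with a clear message, or document that both messages have the same cause. NETWORKING in the list is also redundant now that ktls itself REQUIREs NETWORKING. The same applies to the tlsservd hunk below.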

Modified: projects/nfs-over-tls/rc.d/tlsservd
==============================================================================
--- projects/nfs-over-tls/rc.d/tlsservd	Sat Oct 31 01:12:35 2020	(r367190)
+++ projects/nfs-over-tls/rc.d/tlsservd	Sat Oct 31 02:47:39 2020	(r367191)
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: tlsservd
-# REQUIRE: NETWORKING
+# REQUIRE: NETWORKING root mountcritlocal ktls
 # KEYWORD: nojail shutdown
 
 . /etc/rc.subr

From owner-svn-src-projects@freebsd.org  Sat Oct 31 02:49:03 2020
Message-Id: <202010310249.09V2n3IC028767@repo.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Sat, 31 Oct 2020 02:49:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367192 - projects/nfs-over-tls

Author: rmacklem
Date: Sat Oct 31 02:49:02 2020
New Revision: 367192
URL: https://svnweb.freebsd.org/changeset/base/367192

Log:
  Remove openssl3.patch, since it is no longer needed for openssl-3.0.0-alpha7.

Deleted:
  projects/nfs-over-tls/openssl3.patch

From owner-svn-src-projects@freebsd.org  Sat Oct 31 02:53:16 2020
Message-Id: <202010310253.09V2rFrX034714@repo.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Sat, 31 Oct 2020 02:53:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367193 - in projects/nfs-over-tls/usr.sbin: rpc.tlsclntd rpc.tlsservd

Author: rmacklem
Date: Sat Oct 31 02:53:15 2020
New Revision: 367193
URL: https://svnweb.freebsd.org/changeset/base/367193

Log:
  Delete the code that loads modules and just check to see if the kernel
  supports KERN_TLS.  The module loading is now handled by rc.d/ktls.

Modified:
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
  projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c

Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c	Sat Oct 31 02:49:02 2020	(r367192)
+++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c	Sat Oct 31 02:53:15 2020	(r367193)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/linker.h>
 #include <sys/module.h>
 #include <sys/stat.h>
+#include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
 #include <err.h>
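Review bot: <sys/linker.h> and <sys/module.h> are still included here although their only users, kldload() and modfind(), are removed later in this patch; drop them in the same hunk that adds <sys/sysctl.h>, so the include list no longer suggests the daemon loads modules.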
@@ -124,10 +125,11 @@ main(int argc, char **argv)
 	struct sockaddr_un sun;
 	int ch, fd, oldmask;
 	SVCXPRT *xprt;
-	bool cert;
+	bool cert, tls_enable;
 	struct timeval tm;
 	struct timezone tz;
 	pid_t otherpid;
+	size_t tls_enable_len;
 
 	/* Check that another rpctlscd isn't already running. */
 	rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid);
@@ -137,15 +139,11 @@ main(int argc, char **argv)
 		warn("cannot open or create pidfile");
 	}
 
-	if (modfind("ktls_ocf") < 0) {
-		/* Not present in kernel, try loading it */
-		if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0)
-			errx(1, "Cannot load ktls_ocf");
-	}
-	if (modfind("aesni") < 0) {
-		/* Not present in kernel, try loading it */
-		kldload("aesni");
-	}
+	/* Check to see that the ktls is enabled. */
+	tls_enable_len = sizeof(tls_enable);
+	if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len,
+	    NULL, 0) != 0 || !tls_enable)
+		errx(1, "Kernel TLS not enabled");
 
 	/* Get the time when this daemon is started. */
 	gettimeofday(&tm, &tz);
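Review bot: the single errx collapses two different failures into "Kernel TLS not enabled": sysctlbyname() failing (no kern.ipc.tls.enable node, i.e. a kernel built without KERN_TLS, with errno set) and the node existing but holding false (ktls present but not switched on, which is what rc.d/ktls is for). Split it: `err(1, "Kernel TLS not available")` when sysctlbyname() returns nonzero, so the errno text is printed, and `errx(1, "Kernel TLS not enabled")` only when tls_enable is false. That tells the operator whether to rebuild the kernel or to set ktls_enable="YES", and lines up with the wording rc.d/ktls uses for the KERN_TLS case.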

Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c	Sat Oct 31 02:49:02 2020	(r367192)
+++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c	Sat Oct 31 02:53:15 2020	(r367193)
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/module.h>
 #include <sys/queue.h>
 #include <sys/stat.h>
+#include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
 #include <err.h>
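Review bot: same as in rpc.tlsclntd.c: <sys/module.h> stays included although modfind() and kldload() are removed further down in this file; remove it here.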
@@ -144,6 +145,8 @@ main(int argc, char **argv)
 	struct timezone tz;
 	char hostname[MAXHOSTNAMELEN + 2];
 	pid_t otherpid;
+	bool tls_enable;
+	size_t tls_enable_len;
 
 	/* Check that another rpctlssd isn't already running. */
 	rpctls_pfh = pidfile_open(_PATH_RPCTLSSDPID, 0600, &otherpid);
@@ -153,15 +156,11 @@ main(int argc, char **argv)
 		warn("cannot open or create pidfile");
 	}
 
-	if (modfind("ktls_ocf") < 0) {
-		/* Not present in kernel, try loading it */
-		if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0)
-			errx(1, "Cannot load ktls_ocf");
-	}
-	if (modfind("aesni") < 0) {
-		/* Not present in kernel, try loading it */
-		kldload("aesni");
-	}
+	/* Check to see that the ktls is enabled. */
+	tls_enable_len = sizeof(tls_enable);
+	if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len,
+	    NULL, 0) != 0 || !tls_enable)
+		errx(1, "Kernel TLS not enabled");
 
 	/* Get the time when this daemon is started. */
 	gettimeofday(&tm, &tz);
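Review bot: this check is now duplicated verbatim between rpc.tlsservd.c and rpc.tlsclntd.c, including the one-message-for-two-failures diagnostic noted on the client hunk. A small shared helper (something like rpctls_check_ktls(), name is a suggestion) that both daemons call would keep the two diagnostics from drifting apart as they get fixed.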

From owner-svn-src-projects@freebsd.org  Sat Oct 31 02:57:54 2020
Message-Id: <202010310257.09V2vrSt034972@repo.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Sat, 31 Oct 2020 02:57:53 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367194 - projects/nfs-over-tls

Author: rmacklem
Date: Sat Oct 31 02:57:53 2020
New Revision: 367194
URL: https://svnweb.freebsd.org/changeset/base/367194

Log:
  Update nfs-over-tls-setup.txt to reflect the changes to using
  openssl-3.0.0-alpha7 instead of jhb@'s patched openssl3.
  It also has a fix for building the daemons identified by a tester.

Modified:
  projects/nfs-over-tls/nfs-over-tls-setup.txt

Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt	Sat Oct 31 02:53:15 2020	(r367193)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt	Sat Oct 31 02:57:53 2020	(r367194)
@@ -51,18 +51,14 @@ to it.
 # make buildkernel
 # make installkernel
 
-Now, you need jhb@'s patched openssl3 source tree, so you can build it.
-- If you don't already have one, get a github account.
-  (If you don't have git anywhere, I think "pkg install git" will get it
-   installed.)
-  - You will need perl5.
+Now, you will need a recent openssl3 source tree, which has been patched
+for ktls.
+I downloaded the openssl-3.0.0-alpha7.tar.gz tarball from www.openssl.org.
+- You will need perl5.
 # pkg install perl5
 # cd /usr
-# mkdir openssl
-# cd openssl
-# git clone https://github.com/bsdjhb/openssl.git
-# cd openssl (or not, I can't remember if you end up with another openssl dir?)
-# git checkout ktls_rx
+# zcat openssl-3.0.0-alpha7.tar.gz | tar xBf -
+# cd openssl-3.0.0-alpha7
 # mkdir obj
 # cd obj
 # ../config --prefix=/usr/ktls --openssldir=/usr/ktls enable-ktls
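Review bot: the download step goes straight from the tarball to config and make with no integrity check, and this OpenSSL is what the NFS daemons are linked against. www.openssl.org publishes a SHA-256 hash and a PGP signature for each release tarball, so the doc should tell readers to verify the archive before unpacking it (for example `sha256 openssl-3.0.0-alpha7.tar.gz` compared against the published value, or `gpg --verify openssl-3.0.0-alpha7.tar.gz.asc openssl-3.0.0-alpha7.tar.gz` with the OpenSSL release key imported).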
@@ -71,11 +67,6 @@ Now, you need jhb@'s patched openssl3 source tree, so 
 - This installs the patched openssl3 under /usr/ktls. I only use this
   stuff for linking the daemons and use the regular openssl1.1.1 otherwise.
 
-Now, you need to patch the include files in /usr/ktls/include/openssl.
-(clang doesn't like the DEFINE_OR_DECLARE_STACK_OF(XX) before the typedef for XX.)
-# cd /usr/ktls/include/openssl
-# patch -p0 < /usr/nfs-over-tls/openssl3.patch
-
 And now you should be able to build/install the utilities.
 First, make a symlink to your kernel sources in /usr/nfs-over-tls.
 # cd /usr/nfs-over-tls
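Review bot: with the openssl3.patch step gone (the file itself was deleted in r367192), the surviving context line "This installs the patched openssl3 under /usr/ktls" is stale, and the new wording in the previous hunk, "which has been patched for ktls", reads as if the reader still has to apply a patch. Both should say that a stock openssl-3.0.0-alpha7 tree configured with enable-ktls is used as-is, for instance "This installs openssl3 (built with enable-ktls) under /usr/ktls".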
@@ -92,14 +83,9 @@ Then the makes should work.
 
 You can copy the rc.d scripts as follows:
 # cd /usr/nfs-over-tls/rc.d
-# cp tlsclntd tlsservd /etc/rc.d
-# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd
+# cp tlsclntd tlsservd ktls /etc/rc.d
+# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd /etc/rc.d/ktls
 
-Almost done. Here's a few more things you need to do:
-# cd /etc
-- edit sysctl.conf and add these two lines
-kern.ipc.tls.enable=1
-kern.ipc.mb_use_ext_pgs=1
 Then reboot the system.
 
 You should now be finally ready to configure and run a TLS mount.
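Review bot: removing the sysctl.conf lines makes kern.ipc.tls.enable and kern.ipc.mb_use_ext_pgs depend entirely on rc.d/ktls, but that script only runs when ktls_enable="YES" is in rc.conf, and that setting is not mentioned until the rc.conf section near the end of the document. A reader following the steps in order now reaches "Then reboot the system" and "You should now be finally ready to configure and run a TLS mount" with ktls never started, and the daemons refuse to start with "Kernel TLS not enabled". Move or repeat the ktls_enable line here, before the reboot, and add a sentence for readers upgrading from the previous revision that the two sysctl.conf lines are now redundant and can be removed.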
@@ -162,11 +148,10 @@ Certificate Revocation List (CRL).
 Now, you should be ready to create/sign certificates for the NFS server/client(s).
 3 - Create a key for the certificate.
 # openssl genrsa -out key.pem
-(If this certificate is for a client laptop, you might want to use the "-aes256"
- option, so the key.pem file is encrypted using a passphrase.
- This implies that the passphrase will need to be entered when the
- rpc.tlsclntd(8) daemon is started on the client, but that the key cannot
- be used without the passphrase, if it is compromised.)
+(For now, do not create a certificate that requires a passphrase, since
+ that makes rpc.tlsclntd crash upon startup. It worked for a previous
+ openssl3 patched source tree, but crashes for openssl-3.0.0-alpha7.
+ In other words, don't use the "-aes256" command line option, or similar.)
 
 4 - Create a Certificate Signing Request (CSR).
 # openssl req -new -key key.pem -addext "subjectAltName=<name_val>" -out req.pem
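Review bot: the replacement text tells readers to leave key.pem unencrypted but drops the removed paragraph's reasoning (an encrypted key is useless to whoever copies it). Since the private key now sits on disk in the clear, this step should at least say to keep it readable by root only (chmod 600 key.pem) and present the passphrase restriction as a temporary workaround for the alpha7 crash rather than as the documented default, so it gets revisited once the crash is fixed.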
@@ -341,10 +326,14 @@ it will log a lot of other stuff, as well.
 Once you have set things up, you can add line(s) to your /etc/rc.conf
 for the daemon(s):
 For the client:
+ktls_enable="YES"
+ktls_aesni_enable="YES"
 tlsclntd_enable="YES"
 tlsclntd_env="LD_LIBRARY_PATH=/usr/ktls/lib"
 
 For the server:
+ktls_enable="YES"
+ktls_aesni_enable="YES"
 tlsservd_enable="YES"
 tlsservd_env="LD_LIBRARY_PATH=/usr/ktls/lib"
 

From owner-svn-src-projects@freebsd.org  Sat Oct 31 23:20:00 2020
Message-Id: <202010312320.09VNK0b5090227@repo.freebsd.org>
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Sat, 31 Oct 2020 23:20:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r367242 - projects/nfs-over-tls/usr.sbin/rpc.tlsclntd

Author: rmacklem
Date: Sat Oct 31 23:19:59 2020
New Revision: 367242
URL: https://svnweb.freebsd.org/changeset/base/367242

Log:
  Fix obvious typos.

Modified:
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c

Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c	Sat Oct 31 22:20:42 2020	(r367241)
+++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c	Sat Oct 31 23:19:59 2020	(r367242)
@@ -205,10 +205,10 @@ main(int argc, char **argv)
 	rpctls_ctx = rpctls_setupcl_ssl(cert);
 	if (rpctls_ctx == NULL) {
 		if (rpctls_debug_level == 0) {
-			syslog(LOG_ERR, "Can't set up TSL context");
+			syslog(LOG_ERR, "Can't set up TLS context");
 			exit(1);
 		}
-		err(1, "Can't set up TSL context");
+		err(1, "Can't set up TLS context");
 	}
 	LIST_INIT(&rpctls_ssllist);
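Review bot: while touching these lines, the non-debug branch should be errx(1, ...) rather than err(1, ...): rpctls_setupcl_ssl() returning NULL is an OpenSSL failure whose details are in OpenSSL's error queue, not in errno, so err() appends a stale or unrelated errno text to the message. The syslog branch above already gets this right by not appending errno. In the debug path, ERR_print_errors_fp(stderr) before exiting would show the actual reason the context could not be set up.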