From owner-svn-src-projects@freebsd.org Fri Oct 30 14:42:02 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E402945396D for ; Fri, 30 Oct 2020 14:42:02 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CN4lG450zz43wy; Fri, 30 Oct 2020 14:42:02 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6F7D3180BC; Fri, 30 Oct 2020 14:42:02 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09UEg2Z6081897; Fri, 30 Oct 2020 14:42:02 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09UEg2jJ081881; Fri, 30 Oct 2020 14:42:02 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202010301442.09UEg2jJ081881@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Fri, 30 Oct 2020 14:42:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367172 - projects/nfs-over-tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls X-SVN-Commit-Revision: 367172 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2020 14:42:03 -0000 Author: rmacklem Date: Fri Oct 30 14:42:02 2020 New Revision: 367172 URL: https://svnweb.freebsd.org/changeset/base/367172 Log: Fix the doc so that utilities can be built without kernel sources under /usr/nfs-over-tls. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Fri Oct 30 14:41:19 2020 (r367171) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Fri Oct 30 14:42:02 2020 (r367172) 
@@ -77,6 +77,10 @@ Now, you need to patch the include files in /usr/ktls/ # patch -p0 < /usr/nfs-over-tls/openssl3.patch And now you should be able to build/install the utilities. +First, make a symlink to your kernel sources in /usr/nfs-over-tls. +# cd /usr/nfs-over-tls +# ln -s /usr/src/sys sys +Then the makes should work. # cd /usr/nfs-over-tls/usr.sbin/rpc.tlsservd # make SRCTOP=/usr/nfs-over-tls # cp rpc.tlsservd /usr/sbin From owner-svn-src-projects@freebsd.org Sat Oct 31 02:47:40 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 74129465D11 for ; Sat, 31 Oct 2020 02:47:40 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CNNrX2XhKz3c4V; Sat, 31 Oct 2020 02:47:40 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3B941208F7; Sat, 31 Oct 2020 02:47:40 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09V2leYj028666; Sat, 31 Oct 2020 02:47:40 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09V2ldjW028663; Sat, 31 Oct 2020 02:47:39 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: 
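Review bot: the inserted text in this nfs-over-tls-setup.txt hunk reads out of order: "First, make a symlink to your kernel sources" is placed after the unchanged line "And now you should be able to build/install the utilities.", so a reader following the steps top to bottom is told the build is ready and then told what to do first; move the four added lines (or the "And now ..." sentence) so the symlink step precedes it. Also, `ln -s /usr/src/sys sys` fails with "File exists" when the instructions are run a second time on the same machine, so either mention that the link only needs creating once or guard it, e.g. `test -e sys || ln -s /usr/src/sys sys`. Finally, the hunk silently assumes the kernel sources are at /usr/src/sys; state that so readers with an out-of-tree src know what the link must point at, since `make SRCTOP=/usr/nfs-over-tls` will otherwise fail with a confusing missing-header error.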
<202010310247.09V2ldjW028663@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Sat, 31 Oct 2020 02:47:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367191 - projects/nfs-over-tls/rc.d X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/rc.d X-SVN-Commit-Revision: 367191 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2020 02:47:40 -0000 Author: rmacklem Date: Sat Oct 31 02:47:39 2020 New Revision: 367191 URL: https://svnweb.freebsd.org/changeset/base/367191 Log: Add a new rc.d script that enables the kernel tls and make the other scripts depend on it. Added: projects/nfs-over-tls/rc.d/ktls Modified: projects/nfs-over-tls/rc.d/tlsclntd projects/nfs-over-tls/rc.d/tlsservd Added: projects/nfs-over-tls/rc.d/ktls ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/rc.d/ktls Sat Oct 31 02:47:39 2020 (r367191) 
@@ -0,0 +1,39 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: ktls +# REQUIRE: NETWORKING +# KEYWORD: shutdown + +. /etc/rc.subr + +name="ktls" +desc="Enable Kernel TLS" +rcvar="ktls_enable" +start_cmd="${name}_start" +stop_cmd=":" + +ktls_start() +{ + + sysctl -q kern.ipc.tls.enable=1 > /dev/null + err=$? + if [ "${err}" -ne 0 ]; then + warn "kernel must be built with options KERN_TLS for ktls" + return "${err}" + fi + sysctl kern.ipc.mb_use_ext_pgs=1 > /dev/null + + # + # Load ktls_ocf and optionally aesni + # + load_kld ktls_ocf + if checkyesno ktls_aesni_enable; then + load_kld aesni + fi +} + +load_rc_config $name +run_rc_command "$1" Modified: projects/nfs-over-tls/rc.d/tlsclntd ============================================================================== --- projects/nfs-over-tls/rc.d/tlsclntd Sat Oct 31 01:12:35 2020 (r367190) +++ projects/nfs-over-tls/rc.d/tlsclntd Sat Oct 31 02:47:39 2020 (r367191) @@ -4,7 +4,7 @@ # # PROVIDE: tlsclntd -# REQUIRE: NETWORKING +# REQUIRE: NETWORKING root mountcritlocal ktls # KEYWORD: nojail shutdown . /etc/rc.subr Modified: projects/nfs-over-tls/rc.d/tlsservd ============================================================================== --- projects/nfs-over-tls/rc.d/tlsservd Sat Oct 31 01:12:35 2020 (r367190) +++ projects/nfs-over-tls/rc.d/tlsservd Sat Oct 31 02:47:39 2020 (r367191) 
@@ -4,7 +4,7 @@ # # PROVIDE: tlsservd -# REQUIRE: NETWORKING +# REQUIRE: NETWORKING root mountcritlocal ktls # KEYWORD: nojail shutdown . /etc/rc.subr From owner-svn-src-projects@freebsd.org Sat Oct 31 02:49:03 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7C7C9465C5A for ; Sat, 31 Oct 2020 02:49:03 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CNNt72fr5z3bxh; Sat, 31 Oct 2020 02:49:03 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 25AB920B70; Sat, 31 Oct 2020 02:49:03 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09V2n3Rh028768; Sat, 31 Oct 2020 02:49:03 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09V2n3IC028767; Sat, 31 Oct 2020 02:49:03 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202010310249.09V2n3IC028767@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
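Review bot: in the new rc.d/ktls script, `checkyesno ktls_aesni_enable` is called without a default for that variable, so on a host whose rc.conf sets only `ktls_enable="YES"`, rc.subr's checkyesno logs a "$ktls_aesni_enable is not set properly - see rc.conf(5)." warning at every boot before returning false; add `: ${ktls_aesni_enable:=NO}` after `load_rc_config $name` (or a defaults/rc.conf entry). Two smaller points in `ktls_start`: the second sysctl, `sysctl kern.ipc.mb_use_ext_pgs=1 > /dev/null`, has its exit status ignored, unlike the first one, so a failure to enable external-page mbufs is dropped silently even though the daemons depend on it; and `stop_cmd=":"` with `KEYWORD: shutdown` means nothing is undone at shutdown, which is fine, but a comment saying the knobs are intentionally left enabled would save the next reader a question.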
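Review bot: in the tlsclntd and tlsservd hunks, adding `ktls` to `# REQUIRE:` only orders the two scripts after rc.d/ktls; rcorder does not make them conditional on `ktls_start` having succeeded (it returns the sysctl's non-zero status when KERN_TLS is missing), so both daemons still get started on a kernel without KERN_TLS and must keep their own check that kernel TLS is actually enabled rather than relying on this ordering. Adding `root mountcritlocal` is the right fix for daemons that need /usr/ktls/lib mounted before they start, but it would help to say so in the commit message, since the two additions address different problems.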
From: Rick Macklem Date: Sat, 31 Oct 2020 02:49:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367192 - projects/nfs-over-tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls X-SVN-Commit-Revision: 367192 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2020 02:49:03 -0000 Author: rmacklem Date: Sat Oct 31 02:49:02 2020 New Revision: 367192 URL: https://svnweb.freebsd.org/changeset/base/367192 Log: Remove openssl3.patch, since it is no longer needed for openssl-3.0.0-alpha7. Deleted: projects/nfs-over-tls/openssl3.patch From owner-svn-src-projects@freebsd.org Sat Oct 31 02:53:16 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6B2F2465CEC for ; Sat, 31 Oct 2020 02:53:16 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CNNz02CY2z3cWH; Sat, 31 Oct 2020 02:53:16 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a 

From: Rick Macklem Date: Sat, 31 Oct 2020 02:53:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367193 - in projects/nfs-over-tls/usr.sbin: rpc.tlsclntd rpc.tlsservd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: in projects/nfs-over-tls/usr.sbin: rpc.tlsclntd rpc.tlsservd X-SVN-Commit-Revision: 367193 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2020 02:53:16 -0000 Author: rmacklem Date: Sat Oct 31 02:53:15 2020 New Revision: 367193 URL: https://svnweb.freebsd.org/changeset/base/367193 Log: Delete the code that loads modules and just check to see if the kernel supported KERN_TLS. The module loading is now handled by rc.d/ktls. Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Sat Oct 31 02:49:02 2020 (r367192) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Sat Oct 31 02:53:15 2020 (r367193) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -124,10 +125,11 @@ main(int argc, char **argv) struct sockaddr_un sun; int ch, fd, oldmask; SVCXPRT *xprt; - bool cert; + bool cert, tls_enable; struct timeval tm; struct timezone tz; pid_t otherpid; + size_t tls_enable_len; /* Check that another rpctlscd isn't already running. */ rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid); 
@@ -137,15 +139,11 @@ main(int argc, char **argv) warn("cannot open or create pidfile"); } - if (modfind("ktls_ocf") < 0) { - /* Not present in kernel, try loading it */ - if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0) - errx(1, "Cannot load ktls_ocf"); - } - if (modfind("aesni") < 0) { - /* Not present in kernel, try loading it */ - kldload("aesni"); - } + /* Check to see that the ktls is enabled. */ + tls_enable_len = sizeof(tls_enable); + if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len, + NULL, 0) != 0 || !tls_enable) + errx(1, "Kernel TLS not enabled"); /* Get the time when this daemon is started. */ gettimeofday(&tm, &tz); Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c Sat Oct 31 02:49:02 2020 (r367192) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c Sat Oct 31 02:53:15 2020 (r367193) @@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -144,6 +145,8 @@ main(int argc, char **argv) struct timezone tz; char hostname[MAXHOSTNAMELEN + 2]; pid_t otherpid; + bool tls_enable; + size_t tls_enable_len; /* Check that another rpctlssd isn't already running. */ rpctls_pfh = pidfile_open(_PATH_RPCTLSSDPID, 0600, &otherpid); 
@@ -153,15 +156,11 @@ main(int argc, char **argv) warn("cannot open or create pidfile"); } - if (modfind("ktls_ocf") < 0) { - /* Not present in kernel, try loading it */ - if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0) - errx(1, "Cannot load ktls_ocf"); - } - if (modfind("aesni") < 0) { - /* Not present in kernel, try loading it */ - kldload("aesni"); - } + /* Check to see that the ktls is enabled. */ + tls_enable_len = sizeof(tls_enable); + if (sysctlbyname("kern.ipc.tls.enable", &tls_enable, &tls_enable_len, + NULL, 0) != 0 || !tls_enable) + errx(1, "Kernel TLS not enabled"); /* Get the time when this daemon is started. */ gettimeofday(&tm, &tz); From owner-svn-src-projects@freebsd.org Sat Oct 31 02:57:54 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 07570465E6F for ; Sat, 31 Oct 2020 02:57:54 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CNP4K6Spjz3cdv; Sat, 31 Oct 2020 02:57:53 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C103020E76; Sat, 31 Oct 2020 02:57:53 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09V2vrdl034973; Sat, 31 Oct 
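Review bot: in the rpc.tlsclntd.c hunk that replaces the modfind/kldload block, the single `errx(1, "Kernel TLS not enabled")` covers two different failures and discards the information that tells them apart: a sysctlbyname() error (ENOENT when the kernel has no KERN_TLS at all, or ENOMEM if the OID's value is wider than the one-byte `tls_enable` buffer) versus the knob simply being 0, which the new rc.d/ktls script is supposed to set. Split it, e.g. `if (sysctlbyname(...) != 0) err(1, "kern.ipc.tls.enable");` followed by `if (!tls_enable) errx(1, "Kernel TLS not enabled");`, so the errno reaches the log and an operator can tell a missing kernel option from a missing rc.conf line. Reading into a `bool` with `tls_enable_len = sizeof(tls_enable)` is correct only if the kernel declares that OID as a bool sysctl; if it is an int, the call fails with ENOMEM on every start, so please confirm the declaration in sys/kern/uipc_ktls.c or read into an int. The same comments apply to the identical hunk in rpc.tlsservd.c.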
2020 02:57:53 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09V2vrSt034972; Sat, 31 Oct 2020 02:57:53 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202010310257.09V2vrSt034972@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Sat, 31 Oct 2020 02:57:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367194 - projects/nfs-over-tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls X-SVN-Commit-Revision: 367194 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2020 02:57:54 -0000 Author: rmacklem Date: Sat Oct 31 02:57:53 2020 New Revision: 367194 URL: https://svnweb.freebsd.org/changeset/base/367194 Log: Update nfs-over-tls-setup.txt to reflect the changes to using openssl-3.0.0-alpha7 instead of jhb@'s patched openssl3. It also has a fix for building the daemons identified by a tester. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Sat Oct 31 02:53:15 2020 (r367193) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Sat Oct 31 02:57:53 2020 (r367194) 
@@ -51,18 +51,14 @@ to it. # make buildkernel # make installkernel -Now, you need jhb@'s patched openssl3 source tree, so you can build it. -- If you don't already have one, get a github account. - (If you don't have git anywhere, I think "pkg install git" will get it - installed.) - - You will need perl5. +Now, you will need a recent openssl3 source tree, which has been patched +for ktls. +I downloaded the openssl-3.0.0-alpha7.tar.gz tarball from www.openssl.org. +- You will need perl5. # pkg install perl5 # cd /usr -# mkdir openssl -# cd openssl -# git clone https://github.com/bsdjhb/openssl.git -# cd openssl (or not, I can't remember if you end up with another openssl dir?) -# git checkout ktls_rx +# zcat openssl-3.0.0-alpha7.tar.gz | tar xBf - +# cd openssl-3.0.0-alpha7 # mkdir obj # cd obj # ../config --prefix=/usr/ktls --openssldir=/usr/ktls enable-ktls @@ -71,11 +67,6 @@ Now, you need jhb@'s patched openssl3 source tree, so - This installs the patched openssl3 under /usr/ktls. I only use this stuff for linking the daemons and use the regular openssl1.1.1 otherwise. -Now, you need to patch the include files in /usr/ktls/include/openssl. -(clang doesn't like the DEFINE_OR_DECLARE_STACK_OF(XX) before the typedef for XX.) -# cd /usr/ktls/include/openssl -# patch -p0 < /usr/nfs-over-tls/openssl3.patch - And now you should be able to build/install the utilities. First, make a symlink to your kernel sources in /usr/nfs-over-tls. # cd /usr/nfs-over-tls 
@@ -92,14 +83,9 @@ Then the makes should work. You can copy the rc.d scripts as follows: # cd /usr/nfs-over-tls/rc.d -# cp tlsclntd tlsservd /etc/rc.d -# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd +# cp tlsclntd tlsservd ktls /etc/rc.d +# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd /etc/rc.d/ktls -Almost done. Here's a few more things you need to do: -# cd /etc -- edit sysctl.conf and add these two lines -kern.ipc.tls.enable=1 -kern.ipc.mb_use_ext_pgs=1 Then reboot the system. You should now be finally ready to configure and run a TLS mount. @@ -162,11 +148,10 @@ Certificate Revocation List (CRL). Now, you should be ready to create/sign certificates for the NFS server/client(s). 3 - Create a key for the certificate. # openssl genrsa -out key.pem -(If this certificate is for a client laptop, you might want to use the "-aes256" - option, so the key.pem file is encrypted using a passphrase. - This implies that the passphrase will need to be entered when the - rpc.tlsclntd(8) daemon is started on the client, but that the key cannot - be used without the passphrase, if it is compromised.) +(For now, do not create a certificate that requires a passphrase, since + that makes rpc.tlsclntd crash upon startup. It worked for a previous + openssl3 patched source tree, but crashes for openssl-3.0.0-alpha7. + In other words, don't use the "-aes256" command line option, or similar.) 4 - Create a Certificate Signing Request (CSR). # openssl req -new -key key.pem -addext "subjectAltName=" -out req.pem 
@@ -341,10 +326,14 @@ it will log a lot of other stuff, as well. Once you have set things up, you can add line(s) to your /etc/rc.conf for the daemon(s): For the client: +ktls_enable="YES" +ktls_aesni_enable="YES" tlsclntd_enable="YES" tlsclntd_env="LD_LIBRARY_PATH=/usr/ktls/lib" For the server: +ktls_enable="YES" +ktls_aesni_enable="YES" tlsservd_enable="YES" tlsservd_env="LD_LIBRARY_PATH=/usr/ktls/lib" From owner-svn-src-projects@freebsd.org Sat Oct 31 23:20:00 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8CA34458C7E for ; Sat, 31 Oct 2020 23:20:00 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CNwBS2wWVz45w5; Sat, 31 Oct 2020 23:20:00 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 47BE8F390; Sat, 31 Oct 2020 23:20:00 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 09VNK00T090228; Sat, 31 Oct 2020 23:20:00 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 09VNK0b5090227; Sat, 31 Oct 2020 23:20:00 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: 
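Review bot: the openssl-3.0.0-alpha7 hunk tells the reader to fetch a tarball from www.openssl.org and unpack it with `zcat ... | tar xBf -` but says nothing about checking what was downloaded; since this is the library the daemons link against for the TLS handshake, the doc should add a step to verify the release's published SHA-256 (or its PGP signature) before the `../config ... enable-ktls` step, and should say plainly that an alpha release is a testing target rather than something to run on a production NFS server.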
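Review bot: the passphrase hunk under step 3 replaces advice that had a security benefit (an encrypted key.pem that is useless without the passphrase if the client laptop is lost) with an instruction to store the client key unencrypted, because rpc.tlsclntd crashes on such keys with openssl-3.0.0-alpha7. That is a workaround for a daemon bug, so the doc should mark it as temporary and the crash should be tracked rather than baked into the procedure; in the meantime the step should at least tell the reader to keep the plaintext key readable only by root (`chmod 600 key.pem`) and to revoke and reissue the certificate if the machine is lost, which is what the CRL section referenced in the hunk context is for.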
<202010312320.09VNK0b5090227@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Sat, 31 Oct 2020 23:20:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r367242 - projects/nfs-over-tls/usr.sbin/rpc.tlsclntd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd X-SVN-Commit-Revision: 367242 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2020 23:20:00 -0000 Author: rmacklem Date: Sat Oct 31 23:19:59 2020 New Revision: 367242 URL: https://svnweb.freebsd.org/changeset/base/367242 Log: Fix obvious typos. Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Sat Oct 31 22:20:42 2020 (r367241) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Sat Oct 31 23:19:59 2020 (r367242) @@ -205,10 +205,10 @@ main(int argc, char **argv) rpctls_ctx = rpctls_setupcl_ssl(cert); if (rpctls_ctx == NULL) { if (rpctls_debug_level == 0) { - syslog(LOG_ERR, "Can't set up TSL context"); + syslog(LOG_ERR, "Can't set up TLS context"); exit(1); } - err(1, "Can't set up TSL context"); + err(1, "Can't set up TLS context"); } LIST_INIT(&rpctls_ssllist);
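Review bot: the typo fix is fine, but the debug path in this hunk uses `err(1, "Can't set up TLS context")`, which appends strerror(errno) to the message; rpctls_setupcl_ssl() returning NULL is an OpenSSL-side failure, so errno is usually unrelated or stale and the appended text will mislead whoever reads it. Use errx() there, and in both the syslog and the err branch include the OpenSSL error (ERR_get_error() rendered with ERR_error_string_n()) so a bad certificate path or an unsupported key format is reported as such instead of as a generic context failure.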