From owner-svn-src-projects@freebsd.org Fri Apr 3 22:38:22 2020
Delivered-To: svn-src-projects@mailman.nyi.freebsd.org
Message-Id: <202004032238.033McDZL017909@repo.freebsd.org>
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:38:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359623 - projects/nfs-over-tls/sys/rpc

Author: rmacklem
Date: Fri Apr 3 22:38:13 2020
New Revision: 359623
URL: https://svnweb.freebsd.org/changeset/base/359623

Log:
  Update the files in sys/rpc to add handling of certuser.
  certuser refers to using an otherName in the subjectAltName of the
  client's certificate to create machine credentials that are used to
  perform the RPCs instead of the user credentials in the RPC header.
  These changes require the changes in sys/rpc/rpcsec_tls which will
  be committed soon.

Modified:
  projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
  projects/nfs-over-tls/sys/rpc/svc.c
  projects/nfs-over-tls/sys/rpc/svc.h
  projects/nfs-over-tls/sys/rpc/svc_auth.c

Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Fri Apr 3 22:36:22 2020	(r359622)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Fri Apr 3 22:38:13 2020	(r359623)
@@ -41,6 +41,7 @@ #define RPCTLS_FLAGS_SELFSIGNED 0x04 #define RPCTLS_FLAGS_VERIFIED 0x08 #define RPCTLS_FLAGS_DISABLED 0x10 +#define RPCTLS_FLAGS_CNUSER 0x20 #ifdef _KERNEL /* Functions that perform upcalls to the rpctlsd daemon. */ Modified: projects/nfs-over-tls/sys/rpc/svc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc.c Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc.c Fri Apr 3 22:38:13 2020 (r359623) @@ -902,6 +902,8 @@ svc_xprt_free(SVCXPRT *xprt) { mem_free(xprt->xp_p3, sizeof(SVCXPRT_EXT)); + /* The size argument is ignored, so 0 is ok. */ + mem_free(xprt->xp_gidp, 0); mem_free(xprt, sizeof(SVCXPRT)); } Modified: projects/nfs-over-tls/sys/rpc/svc.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc.h Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc.h Fri Apr 3 22:38:13 2020 (r359623) @@ -181,6 +181,9 @@ typedef struct __rpc_svcxprt { uint64_t xp_sslsec; /* Userland SSL * */ uint64_t xp_sslusec; uint64_t xp_sslrefno; + int xp_ngrps; /* Cred. from TLS cert. */ + uid_t xp_uid; + gid_t *xp_gidp; #else int xp_fd; u_short xp_port; /* associated port number */ Modified: projects/nfs-over-tls/sys/rpc/svc_auth.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_auth.c Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc_auth.c Fri Apr 3 22:38:13 2020 (r359623) 
@@ -179,10 +179,29 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, struct ucred *cr = NULL; int flavor; struct xucred *xcr; + SVCXPRT *xprt = rqst->rq_xprt; flavor = rqst->rq_cred.oa_flavor; if (flavorp) *flavorp = flavor; + + /* + * If there are credentials acquired via a TLS + * certificate for this TCP connection, use those + * instead of what is in the RPC header. + */ + if ((xprt->xp_tls & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER && + flavor == AUTH_UNIX) { + cr = crget(); + cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid; + crsetgroups(cr, xprt->xp_ngrps, xprt->xp_gidp); + cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0]; + cr->cr_prison = &prison0; + prison_hold(cr->cr_prison); + *crp = cr; + return (TRUE); + } switch (flavor) { case AUTH_UNIX:
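Review bot: In the rpcsec_tls.h hunk, the new bit is named RPCTLS_FLAGS_CNUSER although the log message describes the feature as "certuser", derived from an otherName in the certificate's subjectAltName rather than from the CN; either rename the flag to match (something like RPCTLS_FLAGS_CERTUSER) or add a comment next to the define saying that it marks a connection whose TLS certificate supplied the uid and gids that replace the AUTH_UNIX credentials from the RPC header, so a reader of svc_auth.c can tell what the bit means without the commit message.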
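Review bot: The mem_free(xprt->xp_gidp, 0) added to svc_xprt_free() in the svc.c hunk runs for every transport, including those that never had certificate credentials attached, so it relies on xp_gidp being NULL in that case and on mem_free accepting NULL; nothing in this patch initialises xp_gidp, so please confirm the SVCXPRT is zero-filled at allocation and extend the comment beyond the size argument to say that a NULL pointer is fine here. It would also help to state where xp_gidp is allocated (the sys/rpc/rpcsec_tls code the log message refers to) so that the allocation and this free are visibly paired and this remains the only release point.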
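Review bot: The three fields added to the kernel half of struct __rpc_svcxprt in the svc.h hunk (xp_ngrps, xp_uid, xp_gidp) carry the certificate-derived credentials, but the comment "Cred. from TLS cert." does not say when they are valid; please note that they are only meaningful while RPCTLS_FLAGS_CNUSER is set in xp_tls, that xp_gidp is an array of xp_ngrps gids whose first entry is used as the primary gid, and that the buffer is released in svc_xprt_free(), so the invariants the consumer in svc_auth.c depends on are written down next to the fields.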
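Review bot: In the svc_getcred() hunk, cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0] indexes the group array unconditionally, so a transport with RPCTLS_FLAGS_CNUSER set but xp_ngrps == 0 (or a NULL xp_gidp) would dereference a NULL or empty buffer on a path triggered by an incoming RPC; either guarantee in the code that sets the flag that at least one gid is always supplied and document that invariant in the comment here, or check xp_ngrps > 0 before taking this branch and fall through to the existing flavor handling otherwise. Two smaller points: the override fires only when flavor == AUTH_UNIX, so a request carrying any other flavor on the same connection still takes the ordinary path, which is narrower than the log message's description of replacing the header credentials; if that is intended, the comment should say so. And xp_uid, xp_ngrps and xp_gidp are read here without any lock on the transport, so it is worth confirming that they are written only before the flag becomes visible in xp_tls and never changed afterwards.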