From owner-svn-src-projects@freebsd.org Fri Apr 3 23:05:55 2020
Return-Path:
Delivered-To: svn-src-projects@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 51891275CDA for ; Fri, 3 Apr 2020 23:05:55 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vFsY45bvz3J6Q; Fri, 3 Apr 2020 23:05:53 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0EDA8D51F; Fri, 3 Apr 2020 22:46:09 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 033Mk867023950; Fri, 3 Apr 2020 22:46:08 GMT (envelope-from rmacklem@FreeBSD.org)
Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 033Mk8to023949; Fri, 3 Apr 2020 22:46:08 GMT (envelope-from rmacklem@FreeBSD.org)
Message-Id: <202004032246.033Mk8to023949@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:46:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359624 - projects/nfs-over-tls/sys/rpc/rpcsec_tls
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls/sys/rpc/rpcsec_tls
X-SVN-Commit-Revision: 359624
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src " projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 03 Apr 2020 23:05:55 -0000

Author: rmacklem
Date: Fri Apr 3 22:46:08 2020
New Revision: 359624
URL: https://svnweb.freebsd.org/changeset/base/359624

Log:
  Add support for certuser to the files in sys/rpc/rpcsec_tls.

Modified:
  projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
  projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x

Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Fri Apr 3 22:38:13 2020 (r359623) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Fri Apr 3 22:46:08 2020 (r359624) @@ -90,7 +90,8 @@ static struct opaque_auth rpctls_null_verf; static CLIENT *rpctls_connect_client(void); static CLIENT *rpctls_server_client(void); static enum clnt_stat rpctls_server(struct socket *so, - uint32_t *flags, uint64_t *sslp); + uint32_t *flags, uint64_t *sslp, + uid_t *uid, int *ngrps, gid_t **gids); static void rpctls_init(void *dummy)
@@ -425,11 +426,15 @@ printf("aft srv disconnect upcall=%d\n", stat); /* Do an upcall for a new server socket using TLS. */ static enum clnt_stat -rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp) +rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp, + uid_t *uid, int *ngrps, gid_t **gids) { enum clnt_stat stat; CLIENT *cl; struct rpctlssd_connect_res res; + gid_t *gidp; + uint32_t *gidv; + int i; static bool rpctls_server_busy = false; printf("In rpctls_server\n"); @@ -455,6 +460,16 @@ printf("rpctls_conect so=%p\n", so); *sslp++ = res.sec; *sslp++ = res.usec; *sslp = res.ssl; + if ((*flags & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + *ngrps = res.gid.gid_len; + *uid = res.uid; + *gids = gidp = mem_alloc(*ngrps * sizeof(gid_t)); + gidv = res.gid.gid_val; +printf("got uid=%d ngrps=%d gidv=%p gids=%p\n", *uid, *ngrps, gidv, gids); + for (i = 0; i < *ngrps; i++) + *gidp++ = *gidv++; + } } printf("aft server upcall stat=%d flags=0x%x\n", stat, res.flags); CLNT_RELEASE(cl); @@ -484,6 +499,9 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m SVCXPRT *xprt; uint32_t flags; uint64_t ssl[3]; + int ngrps; + uid_t uid; + gid_t *gidp; /* Initialize reply. */ rqst->rq_verf = rpctls_null_verf; @@ -531,7 +549,7 @@ printf("authtls: null reply=%d\n", call_stat); /* Do an upcall to do the TLS handshake. */ stat = rpctls_server(rqst->rq_xprt->xp_socket, &flags, - ssl); + ssl, &uid, &ngrps, &gidp); /* Re-enable reception on the socket within the krpc. */ sx_xlock(&xprt->xp_lock); 
@@ -541,6 +559,13 @@ printf("authtls: null reply=%d\n", call_stat); xprt->xp_sslsec = ssl[0]; xprt->xp_sslusec = ssl[1]; xprt->xp_sslrefno = ssl[2]; + if ((flags & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + xprt->xp_ngrps = ngrps; + xprt->xp_uid = uid; + xprt->xp_gidp = gidp; +printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp); + } } sx_xunlock(&xprt->xp_lock); xprt_active(xprt); /* Harmless if already active. */ Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Fri Apr 3 22:38:13 2020 (r359623) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Fri Apr 3 22:46:08 2020 (r359624) @@ -27,13 +27,15 @@ /* Modified from gssd.x for the server side of RPC-over-TLS. */ -/* $FreeBSD:$ */ +/* $FreeBSD$ */ struct rpctlssd_connect_res { uint32_t flags; uint64_t sec; uint64_t usec; uint64_t ssl; + uint32_t uid; + uint32_t gid<>; }; struct rpctlssd_disconnect_arg {
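Review bot: in the `@@ -455,6 +460,16 @@` hunk of rpctls_impl.c, `*uid`, `*ngrps` and `*gids` are written only inside the `RPCTLS_FLAGS_CNUSER` branch, so on every other path the caller's `uid`, `ngrps` and `gidp` locals stay indeterminate; set `*gids = NULL; *ngrps = 0;` before the `if` so the outputs are always defined. The length `*ngrps = res.gid.gid_len` comes straight from the daemon's reply and feeds `mem_alloc(*ngrps * sizeof(gid_t))` with no upper bound, and `gid_len` is unsigned while `*ngrps` is an `int`; since the reply crosses the user-space daemon to kernel boundary, reject a `gid_len` above the kernel's group-list limit (NGROUPS_MAX) before allocating. Minor: the debug printf hands `gids` (the `gid_t **`) to `%p`, where `*gids` (the freshly allocated array) is presumably what was meant.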
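Review bot: in the `@@ -541,6 +559,13 @@` hunk, `xprt->xp_gidp = gidp` overwrites whatever the field held without freeing it, and the change adds no `mem_free` for `xp_gidp` anywhere; if a transport can pass through this handshake path more than once, release the previous `xp_gidp` (and reset `xp_ngrps`) before assigning, and confirm the transport teardown path frees it. The flag test here also repeats the one in `rpctls_server`; if the callee always hands back `gidp == NULL` / `ngrps == 0` when `CNUSER` is not set, the three fields could be assigned unconditionally and the duplicated condition dropped, leaving one place to get the logic right.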
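Review bot: in the rpctlssd.x hunk, `uint32_t gid<>;` declares an unbounded variable-length array, so the generated XDR routine accepts any `gid_len` the daemon sends and the kernel side then sizes its allocation from it; give the array a bound matching the kernel's group-list limit (NGROUPS_MAX) so `xdr_array` rejects oversized replies before the kernel ever sees them. A one-line comment on the two new fields saying that `uid` and `gid` are only meaningful when `RPCTLS_FLAGS_CNUSER` is set in `flags` (and zero or empty otherwise) would also document the contract that rpctls_impl.c now relies on.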