Date: Sat, 27 Jun 2020 01:08:27 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r362668 - in projects/nfs-over-tls/sys: fs/nfs fs/nfsclient fs/nfsserver rpc rpc/rpcsec_tls Message-ID: <202006270108.05R18Rx5077006@repo.freebsd.org>
Author: rmacklem Date: Sat Jun 27 01:08:27 2020 New Revision: 362668 URL: https://svnweb.freebsd.org/changeset/base/362668 Log: Add options to rpctls_getinfo() to check if the daemons are running. When both of the new options are "false", the behaviour does not change. When either option is true, rpctls_getinfo() checks to see if the corresponding daemon is connected to the socket for server upcalls. It returns false if it is not connected. This allows the NFS client and server to fail attempts to use TLS when the required daemon is not running and connected to the upcall socket. This patch also assumes that rpctls_getinfo() will return an appropriate maximum size for the ext_pgs mbufs in the list required by sosend() for TLS, so it no longer bothers to do a min() with the 16K default in the NFS code. Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/rpc/clnt_bck.c projects/nfs-over-tls/sys/rpc/clnt_vc.c projects/nfs-over-tls/sys/rpc/rpcsec_tls.h projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c projects/nfs-over-tls/sys/rpc/svc_vc.c Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 01:08:27 2020 (r362668) 
@@ -361,15 +361,13 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum, } nd->nd_procnum = procnum; nd->nd_repstat = 0; - nd->nd_maxextsiz = 16384; - if (use_ext && PMAP_HAS_DMAP != 0) { - nd->nd_flag |= ND_EXTPG; + nd->nd_maxextsiz = 0; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) - nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if (use_ext && rpctls_getinfo(&maxlen, false, false)) { + nd->nd_flag |= ND_EXTPG; + nd->nd_maxextsiz = maxlen; } +#endif /* * Get the first mbuf for the request. Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -116,17 +116,13 @@ printf("cbreq nd_md=%p\n", nd.nd_md); mac_cred_associate_nfsd(nd.nd_cred); #endif #endif - if (((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 || - nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) { - nd.nd_flag |= ND_EXTPG; - nd.nd_maxextsiz = 16384; #ifdef KERN_TLS - if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && - rpctls_getinfo(&maxlen)) - nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && + rpctls_getinfo(&maxlen, false, false)) { + nd.nd_flag |= ND_EXTPG; + nd.nd_maxextsiz = maxlen; } +#endif cacherep = nfs_cbproc(&nd, rqst->rq_xid); } else { NFSMGET(nd.nd_mreq); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 01:08:27 2020 (r362668) 
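Review bot: The clamp to TLS_MAX_MSG_SIZE_V10_2 is dropped here (`nd->nd_maxextsiz = maxlen;`), and likewise in the nfs_clkrpc.c hunk on this line, in nfscl_doiods on the next line and in nfssvc_program, while clnt_bck.c, clnt_vc.c and svc_vc.c in the same commit still do `maxextsiz = min(maxextsiz, maxlen);`. kern.ipc.tls.maxlen is a sysctl, so an administrator can raise it above the TLS record limit; the NFS layer would then build ext_pgs mbufs larger than the krpc allows itself, and whether sosend() rejects or splits those is not visible from here. Since the log says rpctls_getinfo() is now trusted to return a size sosend() accepts, the one place to enforce that is rpctls_getinfo() itself, e.g. `*maxlenp = min(TLS_MAX_MSG_SIZE_V10_2, maxlen);` if that constant is in scope there, after which the min() in the krpc callers becomes redundant and can go too. nfscl_reqstart continues outside the hunk.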
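Review bot: The rewritten condition requires RPCTLS_FLAGS_HANDSHAKE, so the removed `|| nfs_use_ext_pgs` alternative is gone and ext_pgs mbufs are no longer used for non-TLS callbacks; the nfscl_doiods hunk on the next line drops its `nfs_use_ext_pgs && xfer > MCLBYTES` branch the same way. That is a behaviour change for non-TLS traffic that the log entry does not mention, and it may leave nfs_use_ext_pgs with no remaining reader, which I cannot confirm from here. If the removal is intended, a line in the log and a comment above the condition such as `/* ext_pgs mbufs are only used on TLS connections. */` would record it; otherwise the nfs_use_ext_pgs alternative should be restored next to the new rpctls_getinfo() test. The callback function continues outside the hunk.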
@@ -5877,19 +5877,14 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode iovlen = uiop->uio_iov->iov_len; doextpgs = false; maxextsiz = 0; - if ((NFSHASTLS(nmp) || - (nfs_use_ext_pgs && - xfer > MCLBYTES)) && - PMAP_HAS_DMAP != 0) { - doextpgs = true; - maxextsiz = 16384; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) - maxextsiz = min( - TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if (NFSHASTLS(nmp) && + rpctls_getinfo(&maxlen, + false, false)) { + doextpgs = true; + maxextsiz = maxlen; } +#endif m = nfsm_uiombuflist(doextpgs, maxextsiz, uiop, len, NULL, NULL); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 01:08:27 2020 (r362668) @@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$"); #include <fs/nfsclient/nfs.h> #include <nfs/nfsdiskless.h> +#include <rpc/rpcsec_tls.h> + FEATURE(nfscl, "NFSv4 client"); extern int nfscl_ticks; @@ -1394,6 +1396,9 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru struct nfsclds *dsp, *tdsp; uint32_t lease; static u_int64_t clval = 0; +#ifdef KERN_TLS + u_int maxlen; +#endif NFSCL_DEBUG(3, "in mnt\n"); clp = NULL; 
@@ -1403,11 +1408,11 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru free(nam, M_SONAME); return (0); } else { - /* NFS-over-TLS requires "options KERN_TLS" and a DMAP. */ + /* NFS-over-TLS requires that rpctls be functioning. */ if ((newflag & NFSMNT_TLS) != 0) { error = EINVAL; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0) + if (rpctls_getinfo(&maxlen, true, false)) error = 0; #endif if (error != 0) { Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -283,9 +283,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) #ifdef KERN_TLS if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && - rpctls_getinfo(&maxlen)) - nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); + rpctls_getinfo(&maxlen, false, false)) + nd.nd_maxextsiz = maxlen; #endif cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp); NFSLOCKV4ROOTMUTEX(); Modified: projects/nfs-over-tls/sys/rpc/clnt_bck.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 01:08:27 2020 (r362668) @@ -311,7 +311,7 @@ call_again: */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz); Modified: projects/nfs-over-tls/sys/rpc/clnt_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 01:08:27 2020 (r362668) 
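Review bot: The mount-time check `rpctls_getinfo(&maxlen, true, false)` only establishes that rpctlscd is connected at this instant; nothing keeps it connected for the life of the mount, so the per-request paths still have to cope with the daemon going away, and `maxlen` is fetched here only to be discarded. The "KERN_TLS not compiled in" case and the "rpctlscd not running" case both surface as the same EINVAL, so an administrator cannot tell from the mount failure which applies; the `if (error != 0) {` branch is outside the hunk, but if it does not already log the reason, a distinct message for the daemon-absent case would help diagnosis. I would also make the new comment say what "functioning" means: `/* NFS-over-TLS requires KERN_TLS, ext_pgs support and a connected rpctlscd. */`. mountnfs continues outside the hunk.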
@@ -434,7 +434,7 @@ call_again: */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz); Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 01:08:27 2020 (r362668) @@ -72,7 +72,8 @@ enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uin int rpctls_init(void); /* Get TLS information function. */ -bool rpctls_getinfo(u_int *maxlen); +bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, + bool rpctlssd_run); /* String for AUTH_TLS reply verifier. */ #define RPCTLS_START_STRING "STARTTLS" Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 01:08:27 2020 (r362668) @@ -133,8 +133,7 @@ printf("setting err=%d path=%s\n", error, path); if (error == 0) { error = ENXIO; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs && - rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) error = 0; #endif } @@ -182,8 +181,7 @@ printf("setting err=%d path=%s\n", error, path); if (error == 0) { error = ENXIO; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs && - rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) error = 0; #endif } @@ -592,6 +590,9 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m int ngrps; uid_t uid; gid_t *gidp; +#ifdef KERN_TLS + u_int maxlen; +#endif /* Initialize reply. */ rqst->rq_verf = rpctls_null_verf; 
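Review bot: The new bool parameters on `rpctls_getinfo()` are not described at the declaration, and `/* Get TLS information function. */` says nothing about the return value or *maxlen. I would replace that comment with one stating that the function returns true only when kernel TLS is usable for RPC (and, when rpctlscd_run or rpctlssd_run is set, only when the named daemon is connected to its upcall socket), that *maxlen receives kern.ipc.tls.maxlen and is valid only when true is returned, and that a true result is a point-in-time check, not a guarantee the daemon stays connected. Two positional bools are easy to transpose at call sites (this commit has both `false, true` and `true, false`); an enum or flag bits would be self-documenting, though that is a style choice.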
@@ -607,13 +608,14 @@ printf("authtls proc=%d\n", rqst->rq_proc); if (rqst->rq_proc != NULLPROC) return (AUTH_REJECTEDCRED); - if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs) + call_stat = FALSE; +#ifdef KERN_TLS + if (rpctls_getinfo(&maxlen, false, true)) + call_stat = TRUE; +#endif + if (!call_stat) return (AUTH_REJECTEDCRED); -#ifndef KERN_TLS - return (AUTH_REJECTEDCRED); -#endif - /* * Disable reception for the krpc so that the TLS handshake can * be done on the socket in the rpctlssd daemon. @@ -668,13 +670,15 @@ printf("authtls: aft handshake stat=%d\n", stat); * Get kern.ipc.tls.enable and kern.ipc.tls.maxlen. */ bool -rpctls_getinfo(u_int *maxlenp) +rpctls_getinfo(u_int *maxlenp, bool rpctlscd_run, bool rpctlssd_run) { u_int maxlen; bool enable; int error; size_t siz; + if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs) + return (false); siz = sizeof(enable); error = kernel_sysctlbyname(curthread, "kern.ipc.tls.enable", &enable, &siz, NULL, 0, NULL, 0); @@ -684,6 +688,10 @@ rpctls_getinfo(u_int *maxlenp) error = kernel_sysctlbyname(curthread, "kern.ipc.tls.maxlen", &maxlen, &siz, NULL, 0, NULL, 0); if (error != 0) + return (false); + if (rpctlscd_run && rpctls_connect_handle == NULL) + return (false); + if (rpctlssd_run && rpctls_server_handle == NULL) return (false); *maxlenp = maxlen; return (enable); Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -968,7 +968,7 @@ svc_vc_reply(SVCXPRT *xprt, struct rpc_msg *msg, */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz); 
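Review bot: `call_stat` is set with the `FALSE`/`TRUE` macros here while rpctls_getinfo() in the next hunks uses `false`/`true`; the assign-then-test can also be collapsed to a single `call_stat = rpctls_getinfo(&maxlen, false, true);` inside the existing #ifdef, keeping `call_stat = FALSE;` for the non-KERN_TLS build and the `if (!call_stat)` test as is. Passing rpctlssd_run=true rejects the AUTH_TLS request when no server daemon is connected, which is the right failure mode, but it is a check before the upcall, not a lock: the daemon can disconnect between this line and the handshake upcall further down the function, so that path (outside the hunk) must still treat a failed upcall as AUTH_REJECTEDCRED rather than rely on this earlier result. `maxlen` is requested only to satisfy the signature; a short comment such as `/* maxlen is unused here; only the daemon check matters. */` would save the next reader a search.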
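Review bot: The header comment above rpctls_getinfo(), `Get kern.ipc.tls.enable and kern.ipc.tls.maxlen.`, is now stale: the function also refuses when PMAP_HAS_DMAP is 0 or mb_use_ext_pgs is off and, in the following hunk, when the requested daemon handle is NULL, and it should say so and note that *maxlenp is written only on the success path; this note covers both rpctls_getinfo hunks on this line. The `rpctls_connect_handle == NULL` and `rpctls_server_handle == NULL` tests are plain loads of globals that, presumably, the daemons' syscall path sets and clears; if no lock or atomic covers them the result is a snapshot that can change right after the return, which is fine for a capability check but worth a one-line comment so callers do not read true as a guarantee. The two handle tests are far cheaper than the two kernel_sysctlbyname() lookups that precede them, so moving them up next to the PMAP_HAS_DMAP test short-circuits the "daemon not running" case without changing the result.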
@@ -1045,7 +1045,7 @@ svc_vc_backchannel_reply(SVCXPRT *xprt, struct rpc_msg
 */
 maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
 #ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
 maxextsiz = min(maxextsiz, maxlen);
 #endif
 mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz);