Message-Id: <202006270108.05R18Rx5077006@repo.freebsd.org>
From: Rick Macklem
Date: Sat, 27 Jun 2020 01:08:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r362668 - in projects/nfs-over-tls/sys: fs/nfs fs/nfsclient fs/nfsserver rpc rpc/rpcsec_tls

Author: rmacklem
Date: Sat Jun 27 01:08:27 2020
New Revision: 362668

URL: https://svnweb.freebsd.org/changeset/base/362668

Log:
  Add options to rpctls_getinfo() to check if the daemons are running.

  When both of the new options are "false", the behaviour does not change.
  When either option is true, rpctls_getinfo() checks to see if the
  corresponding daemon is connected to the socket for server upcalls.
  It returns false if it is not connected.
  This allows the NFS client and server to fail attempts to use TLS when
  the required daemon is not running and connected to the upcall socket.

  This patch also assumes that rpctls_getinfo() will return an appropriate
  maximum size for the ext_pgs mbufs in the list required by sosend() for
  TLS, so it no longer bothers to do a min() with the 16K default in the
  NFS code.
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/rpc/clnt_bck.c projects/nfs-over-tls/sys/rpc/clnt_vc.c projects/nfs-over-tls/sys/rpc/rpcsec_tls.h projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c projects/nfs-over-tls/sys/rpc/svc_vc.c Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 01:08:27 2020 (r362668) @@ -361,15 +361,13 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum, } nd->nd_procnum = procnum; nd->nd_repstat = 0; - nd->nd_maxextsiz = 16384; - if (use_ext && PMAP_HAS_DMAP != 0) { - nd->nd_flag |= ND_EXTPG; + nd->nd_maxextsiz = 0; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) - nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if (use_ext && rpctls_getinfo(&maxlen, false, false)) { + nd->nd_flag |= ND_EXTPG; + nd->nd_maxextsiz = maxlen; } +#endif /* * Get the first mbuf for the request. Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 01:08:27 2020 (r362668) 
@@ -116,17 +116,13 @@ printf("cbreq nd_md=%p\n", nd.nd_md); mac_cred_associate_nfsd(nd.nd_cred); #endif #endif - if (((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 || - nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) { - nd.nd_flag |= ND_EXTPG; - nd.nd_maxextsiz = 16384; #ifdef KERN_TLS - if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && - rpctls_getinfo(&maxlen)) - nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && + rpctls_getinfo(&maxlen, false, false)) { + nd.nd_flag |= ND_EXTPG; + nd.nd_maxextsiz = maxlen; } +#endif cacherep = nfs_cbproc(&nd, rqst->rq_xid); } else { NFSMGET(nd.nd_mreq); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 01:08:27 2020 (r362668) @@ -5877,19 +5877,14 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode iovlen = uiop->uio_iov->iov_len; doextpgs = false; maxextsiz = 0; - if ((NFSHASTLS(nmp) || - (nfs_use_ext_pgs && - xfer > MCLBYTES)) && - PMAP_HAS_DMAP != 0) { - doextpgs = true; - maxextsiz = 16384; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) - maxextsiz = min( - TLS_MAX_MSG_SIZE_V10_2, - maxlen); -#endif + if (NFSHASTLS(nmp) && + rpctls_getinfo(&maxlen, + false, false)) { + doextpgs = true; + maxextsiz = maxlen; } +#endif m = nfsm_uiombuflist(doextpgs, maxextsiz, uiop, len, NULL, NULL); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 01:08:27 2020 (r362668) 
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include + FEATURE(nfscl, "NFSv4 client"); extern int nfscl_ticks; @@ -1394,6 +1396,9 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru struct nfsclds *dsp, *tdsp; uint32_t lease; static u_int64_t clval = 0; +#ifdef KERN_TLS + u_int maxlen; +#endif NFSCL_DEBUG(3, "in mnt\n"); clp = NULL; @@ -1403,11 +1408,11 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru free(nam, M_SONAME); return (0); } else { - /* NFS-over-TLS requires "options KERN_TLS" and a DMAP. */ + /* NFS-over-TLS requires that rpctls be functioning. */ if ((newflag & NFSMNT_TLS) != 0) { error = EINVAL; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0) + if (rpctls_getinfo(&maxlen, true, false)) error = 0; #endif if (error != 0) { Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -283,9 +283,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) #ifdef KERN_TLS if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && - rpctls_getinfo(&maxlen)) - nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, - maxlen); + rpctls_getinfo(&maxlen, false, false)) + nd.nd_maxextsiz = maxlen; #endif cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp); NFSLOCKV4ROOTMUTEX(); Modified: projects/nfs-over-tls/sys/rpc/clnt_bck.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 01:08:27 2020 (r362668) 
@@ -311,7 +311,7 @@ call_again: */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz); Modified: projects/nfs-over-tls/sys/rpc/clnt_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -434,7 +434,7 @@ call_again: */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz); Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 01:08:27 2020 (r362668) @@ -72,7 +72,8 @@ enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uin int rpctls_init(void); /* Get TLS information function. */ -bool rpctls_getinfo(u_int *maxlen); +bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, + bool rpctlssd_run); /* String for AUTH_TLS reply verifier. */ #define RPCTLS_START_STRING "STARTTLS" Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 01:08:27 2020 (r362668) 
@@ -133,8 +133,7 @@ printf("setting err=%d path=%s\n", error, path); if (error == 0) { error = ENXIO; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs && - rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) error = 0; #endif } @@ -182,8 +181,7 @@ printf("setting err=%d path=%s\n", error, path); if (error == 0) { error = ENXIO; #ifdef KERN_TLS - if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs && - rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) error = 0; #endif } @@ -592,6 +590,9 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m int ngrps; uid_t uid; gid_t *gidp; +#ifdef KERN_TLS + u_int maxlen; +#endif /* Initialize reply. */ rqst->rq_verf = rpctls_null_verf; @@ -607,13 +608,14 @@ printf("authtls proc=%d\n", rqst->rq_proc); if (rqst->rq_proc != NULLPROC) return (AUTH_REJECTEDCRED); - if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs) + call_stat = FALSE; +#ifdef KERN_TLS + if (rpctls_getinfo(&maxlen, false, true)) + call_stat = TRUE; +#endif + if (!call_stat) return (AUTH_REJECTEDCRED); -#ifndef KERN_TLS - return (AUTH_REJECTEDCRED); -#endif - /* * Disable reception for the krpc so that the TLS handshake can * be done on the socket in the rpctlssd daemon. @@ -668,13 +670,15 @@ printf("authtls: aft handshake stat=%d\n", stat); * Get kern.ipc.tls.enable and kern.ipc.tls.maxlen. */ bool -rpctls_getinfo(u_int *maxlenp) +rpctls_getinfo(u_int *maxlenp, bool rpctlscd_run, bool rpctlssd_run) { u_int maxlen; bool enable; int error; size_t siz; + if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs) + return (false); siz = sizeof(enable); error = kernel_sysctlbyname(curthread, "kern.ipc.tls.enable", &enable, &siz, NULL, 0, NULL, 0); 
@@ -684,6 +688,10 @@ rpctls_getinfo(u_int *maxlenp) error = kernel_sysctlbyname(curthread, "kern.ipc.tls.maxlen", &maxlen, &siz, NULL, 0, NULL, 0); if (error != 0) + return (false); + if (rpctlscd_run && rpctls_connect_handle == NULL) + return (false); + if (rpctlssd_run && rpctls_server_handle == NULL) return (false); *maxlenp = maxlen; return (enable); Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 00:57:48 2020 (r362667) +++ projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 01:08:27 2020 (r362668) @@ -968,7 +968,7 @@ svc_vc_reply(SVCXPRT *xprt, struct rpc_msg *msg, */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz); @@ -1045,7 +1045,7 @@ svc_vc_backchannel_reply(SVCXPRT *xprt, struct rpc_msg */ maxextsiz = TLS_MAX_MSG_SIZE_V10_2; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen)) + if (rpctls_getinfo(&maxlen, false, false)) maxextsiz = min(maxextsiz, maxlen); #endif mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz);
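Review bot: In the nfscl_reqstart hunk of nfs_commonsubs.c the whole `use_ext` path now sits inside `#ifdef KERN_TLS` and is gated on rpctls_getinfo(), so a kernel built without KERN_TLS, or with kern.ipc.tls.enable off, never sets ND_EXTPG even when `use_ext` is true; before this change it did so whenever PMAP_HAS_DMAP was non-zero. That goes beyond the log message's "behaviour does not change" claim for the `false, false` callers: either keep a non-TLS ext_pgs branch and only replace the size computation, or record the removal in the log. Also confirm that the `maxlen` declaration at the top of nfscl_reqstart is itself under `#ifdef KERN_TLS`, as was done in mountnfs, or a non-TLS build gets an unused-variable warning.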
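Review bot: The nfs_clkrpc.c hunk drops the `nfs_use_ext_pgs` alternative from the condition, leaving only `(xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 && rpctls_getinfo(&maxlen, false, false)`, so callbacks on a non-TLS connection no longer use ext_pgs mbufs regardless of the sysctl. The same branch is removed from nfscl_doiods in nfs_clrpcops.c, where `nfs_use_ext_pgs && xfer > MCLBYTES` previously let large non-TLS pNFS transfers use ext_pgs; that is a performance-visible change for non-TLS mounts. If the knob is being retired on these paths, say so in the log and consider removing the sysctl too, otherwise it becomes a silent no-op; if not, restore the `NFSHASTLS(nmp) || (nfs_use_ext_pgs && xfer > MCLBYTES)` shape and apply the TLS size only when rpctls_getinfo() succeeds.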
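Review bot: In the mountnfs hunk of nfs_clvfsops.c, `rpctls_getinfo(&maxlen, true, false)` is a clearer gate than the old PMAP_HAS_DMAP test, but `maxlen` is only ever written here; a one-line comment that the size is deliberately ignored would stop a later cleanup from removing the local. Two further points: both "KERN_TLS not configured" and "rpctlscd not connected" now surface as the same EINVAL, so the `error != 0` branch cannot tell the user which one to fix; and the check is a mount-time snapshot, so rpctlscd can exit after the mount succeeds and the per-RPC TLS paths still have to handle the connect handle going away.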
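Review bot: The nfs_nfsdkrpc.c hunk, like the NFS client hunks, replaces `min(TLS_MAX_MSG_SIZE_V10_2, maxlen)` with a bare `nd.nd_maxextsiz = maxlen`, relying on the log message's assumption that rpctls_getinfo() returns a size suitable for sosend(). But the rpctls_getinfo() hunk in rpctls_impl.c copies kern.ipc.tls.maxlen through unclamped, while clnt_bck.c, clnt_vc.c and svc_vc.c keep `maxextsiz = min(maxextsiz, maxlen)` against TLS_MAX_MSG_SIZE_V10_2. Pick one policy: clamp once inside rpctls_getinfo() so every caller gets the same bound (which makes the krpc min() calls redundant), or keep the clamp in the NFS callers. Two policies for the same value will bite if the sysctl is ever raised above the TLS record limit.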
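Review bot: The rpcsec_tls.h hunk changes the prototype to `bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run, bool rpctlssd_run);` but leaves the comment as `/* Get TLS information function. */`. Document the new arguments there: each, when true, additionally makes the call fail if the corresponding daemon is not connected to its upcall socket; and state that `*maxlen` is only valid when the function returns true, since the early returns in rpctls_getinfo() leave it untouched.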
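Review bot: Two points in the rpctls_impl.c hunks. In _svcauth_rpcsec_tls, the existing `call_stat` local is reused as a boolean to carry the rpctls_getinfo() result (`call_stat = FALSE; ... if (rpctls_getinfo(&maxlen, false, true)) call_stat = TRUE;`), which overloads a variable named for the upcall's status; a dedicated local, or an `#ifdef KERN_TLS ... #else return (AUTH_REJECTEDCRED); #endif` pair, would read more clearly. In rpctls_getinfo(), the new `rpctls_connect_handle == NULL` and `rpctls_server_handle == NULL` tests are plain pointer reads with no lock visible in the hunk and they run after two kernel_sysctlbyname() calls: move the cheap handle checks ahead of the sysctl lookups, and treat the result as advisory, since the daemon can disconnect between this check and the upcall, so the upcall path must still cope with a NULL handle. Centralising the `PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs` test at the top of rpctls_getinfo() is a good simplification for the callers.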