Date: Sun, 22 Mar 2020 20:00:12 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359226 - in projects/nfs-over-tls/sys/fs: nfs nfsclient nfsserver Message-ID: <202003222000.02MK0CSZ034030@repo.freebsd.org>
Author: rmacklem Date: Sun Mar 22 20:00:12 2020 New Revision: 359226 URL: https://svnweb.freebsd.org/changeset/base/359226 Log: Add kernel support for the new "-tls" and "-tlscert" export options. Most of the editting was renaming ND_EXTPG to ND_NOMAP so that it did not start with ND_EX, which might have been confused for an exports related flag. Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c projects/nfs-over-tls/sys/fs/nfs/nfsdport.h projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs.h Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Sun Mar 22 20:00:12 2020 (r359226)
@@ -716,8 +716,11 @@ struct nfsrv_descript {
 #define ND_SAVEDCURSTATEID 0x100000000
 #define ND_HASSLOTID 0x200000000
 #define ND_NFSV42 0x400000000
-#define ND_EXTPG 0x800000000
+#define ND_NOMAP 0x800000000
 #define ND_TLS 0x1000000000
+#define ND_TLSCERT 0x2000000000
+#define ND_EXTLS 0x4000000000
+#define ND_EXTLSCERT 0x8000000000
 
 /*
 * ND_GSS should be the "or" of all GSS type authentications.
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sun Mar 22 20:00:12 2020 (r359226)
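Review bot: The four TLS-related ND_ flags added to nfs.h carry no comment separating the two pairs, although the rest of this commit gives them different meanings: nfssvc_program sets ND_TLS/ND_TLSCERT from the transport's xp_tls bits, while nfsvno_v4rootexport, nfsd_fhtovp and nfsd_checkrootexp treat ND_EXTLS/ND_EXTLSCERT as what the export demands. A one-line comment beside each pair would keep them from being mixed up, e.g. `/* ND_TLS, ND_TLSCERT: this connection is TLS / has a verified client cert. */` and `/* ND_EXTLS, ND_EXTLSCERT: the export requires TLS / a verified client cert. */`. The struct these defines belong to starts outside the hunk.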
@@ -369,7 +369,7 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum, nd->nd_repstat = 0; nd->nd_maxextsiz = 16384; if (use_ext && PMAP_HAS_DMAP != 0) { - nd->nd_flag |= ND_EXTPG; + nd->nd_flag |= ND_NOMAP; #ifdef KERN_TLS nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, ktls_maxlen); @@ -379,7 +379,7 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum, /* * Get the first mbuf for the request. */ - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { mb = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK, false, mb_free_mext_pgs); nd->nd_mreq = nd->nd_mb = mb; @@ -872,22 +872,22 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp, bytesize = NFSX_UNSIGNED + siz + rem; m2 = nd->nd_mb; cp2 = nd->nd_bpos; - if ((nd->nd_flag & ND_EXTPG) != 0) + if ((nd->nd_flag & ND_NOMAP) != 0) left = nd->nd_bextpgsiz; else left = M_TRAILINGSPACE(m2); KASSERT(((m2->m_flags & (M_EXT | M_NOMAP)) == - (M_EXT | M_NOMAP) && (nd->nd_flag & ND_EXTPG) != 0) || + (M_EXT | M_NOMAP) && (nd->nd_flag & ND_NOMAP) != 0) || ((m2->m_flags & (M_EXT | M_NOMAP)) != - (M_EXT | M_NOMAP) && (nd->nd_flag & ND_EXTPG) == 0), + (M_EXT | M_NOMAP) && (nd->nd_flag & ND_NOMAP) == 0), ("nfsm_strtom: ext_pgs and non-ext_pgs mbufs mixed")); /* * Loop around copying the string to mbuf(s). */ while (siz > 0) { if (left == 0) { - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { m2 = nfsm_add_ext_pgs(m2, nd->nd_maxextsiz, &nd->nd_bextpg); cp2 = (char *)(void *)PHYS_TO_DMAP( @@ -915,7 +915,7 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp, m2->m_len += xfer; siz -= xfer; left -= xfer; - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { nd->nd_bextpgsiz -= xfer; m2->m_ext.ext_pgs->last_pg_len += xfer; } 
@@ -925,14 +925,14 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp, NFSBZERO(cp2, rem); m2->m_len += rem; cp2 += rem; - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { nd->nd_bextpgsiz -= rem; m2->m_ext.ext_pgs->last_pg_len += rem; } } } nd->nd_mb = m2; - if ((nd->nd_flag & ND_EXTPG) != 0) + if ((nd->nd_flag & ND_NOMAP) != 0) nd->nd_bpos = cp2; else nd->nd_bpos = mtod(m2, char *) + m2->m_len; @@ -4475,7 +4475,7 @@ nfsrvd_rephead(struct nfsrv_descript *nd) { mbuf_t mreq; - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { mreq = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK, false, mb_free_mext_pgs); nd->nd_mreq = nd->nd_mb = mreq; Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Sun Mar 22 20:00:12 2020 (r359226) @@ -81,6 +81,8 @@ struct nfsexstuff { #define NFSVNO_EXPORTANON(e) ((e)->nes_exflag & MNT_EXPORTANON) #define NFSVNO_EXSTRICTACCESS(e) ((e)->nes_exflag & MNT_EXSTRICTACCESS) #define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY) +#define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS) +#define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT) #define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY)) Modified: projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h Sun Mar 22 20:00:12 2020 (r359226) 
@@ -57,7 +57,7 @@ * Replace most of the macro with an inline function, to minimize * the machine code. The inline functions in lower case can be called * directly, bypassing the macro. - * For ND_EXTPG, if there is not enough contiguous space left in + * For ND_NOMAP, if there is not enough contiguous space left in * the mbuf page, allocate a regular mbuf. The data in these regular * mbufs will need to be copied into pages later, since the data must * be filled pages. This should only happen after a write request or @@ -69,7 +69,7 @@ nfsm_build(struct nfsrv_descript *nd, int siz) void *retp; struct mbuf *mb2; - if ((nd->nd_flag & ND_EXTPG) == 0 && + if ((nd->nd_flag & ND_NOMAP) == 0 && siz > M_TRAILINGSPACE(nd->nd_mb)) { NFSMCLGET(mb2, M_NOWAIT); if (siz > MLEN) @@ -78,7 +78,7 @@ nfsm_build(struct nfsrv_descript *nd, int siz) nd->nd_bpos = mtod(mb2, char *); nd->nd_mb->m_next = mb2; nd->nd_mb = mb2; - } else if ((nd->nd_flag & ND_EXTPG) != 0) { + } else if ((nd->nd_flag & ND_NOMAP) != 0) { if (siz > nd->nd_bextpgsiz) { mb2 = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK, false, mb_free_mext_pgs); Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Sun Mar 22 20:00:12 2020 (r359226) @@ -82,12 +82,12 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui left = siz; uiosiz = left; while (left > 0) { - if ((nd->nd_flag & ND_EXTPG) != 0) + if ((nd->nd_flag & ND_NOMAP) != 0) mlen = nd->nd_bextpgsiz; else mlen = M_TRAILINGSPACE(mp); if (mlen == 0) { - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { mp = nfsm_add_ext_pgs(mp, nd->nd_maxextsiz, &nd->nd_bextpg); mcp = (char *)(void *)PHYS_TO_DMAP( 
@@ -114,7 +114,7 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui left -= xfer; uiocp += xfer; mcp += xfer; - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { nd->nd_bextpgsiz -= xfer; mp->m_ext.ext_pgs->last_pg_len += xfer; } @@ -128,13 +128,13 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui siz -= uiosiz; } if (rem > 0) { - if ((nd->nd_flag & ND_EXTPG) == 0 && rem > + if ((nd->nd_flag & ND_NOMAP) == 0 && rem > M_TRAILINGSPACE(mp)) { NFSMGET(mp); mp->m_len = 0; mp2->m_next = mp; mcp = mtod(mp, char *); - } else if ((nd->nd_flag & ND_EXTPG) != 0 && rem > + } else if ((nd->nd_flag & ND_NOMAP) != 0 && rem > nd->nd_bextpgsiz) { mp = nfsm_add_ext_pgs(mp, nd->nd_maxextsiz, &nd->nd_bextpg); @@ -146,7 +146,7 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui *mcp++ = '\0'; mp->m_len += rem; nd->nd_bpos = mcp; - if ((nd->nd_flag & ND_EXTPG) != 0) { + if ((nd->nd_flag & ND_NOMAP) != 0) { nd->nd_bextpgsiz -= rem; mp->m_ext.ext_pgs->last_pg_len += rem; } Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sun Mar 22 20:00:12 2020 (r359226) @@ -42,8 +42,9 @@ __FBSDID("$FreeBSD$"); #include <fs/nfs/nfsport.h> #include <rpc/rpc.h> -#include <rpc/rpcsec_gss.h> #include <rpc/replay.h> +#include <rpc/rpcsec_gss.h> +#include <rpc/rpcsec_tls.h> NFSDLOCKMUTEX; 
@@ -115,11 +116,12 @@ printf("cbreq nd_md=%p offs=%d\n", nd.nd_md, rqst->rq_ mac_cred_associate_nfsd(nd.nd_cred); #endif #endif - if ((xprt->xp_tls || nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) { - nd.nd_flag |= ND_EXTPG; + if (((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 || + nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) { + nd.nd_flag |= ND_NOMAP; nd.nd_maxextsiz = 16384; #ifdef KERN_TLS - if (xprt->xp_tls) + if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, ktls_maxlen); #endif Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sun Mar 22 20:00:12 2020 (r359226) @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include <rpc/rpc.h> #include <rpc/rpcsec_gss.h> +#include <rpc/rpcsec_tls.h> #include <fs/nfsserver/nfs_fha_new.h> @@ -238,6 +239,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) goto out; } + if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) { + nd.nd_flag |= ND_TLS; + if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0) + nd.nd_flag |= ND_TLSCERT; + } + nd.nd_maxextsiz = 16384; #ifdef MAC mac_cred_associate_nfsd(nd.nd_cred); #endif @@ -272,11 +279,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) } } - if (xprt->xp_tls) - nd.nd_flag |= ND_TLS; - nd.nd_maxextsiz = 16384; #ifdef KERN_TLS - if (xprt->xp_tls) + if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, ktls_maxlen); #endif Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Sun Mar 22 20:00:12 2020 (r359226) 
@@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$"); #include <sys/sysctl.h> #include <nlm/nlm_prot.h> #include <nlm/nlm.h> +#include <rpc/rpcsec_tls.h> FEATURE(nfsd, "NFSv4 server"); @@ -3344,10 +3345,23 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh if (!nd->nd_repstat && exp->nes_exflag == 0 && !(nd->nd_flag & ND_NFSV4)) { vput(*vpp); - nd->nd_repstat = EACCES; + nd->nd_repstat = NFSERR_ACCES; } /* + * If TLS is required by the export, check the flags in nd_flag. + */ +printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag); + if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) && + (nd->nd_flag & ND_TLS) == 0) || + (NFSVNO_EXTLSCERT(exp) && + (nd->nd_flag & ND_TLSCERT) == 0))) { + vput(*vpp); + nd->nd_repstat = NFSERR_ACCES; +printf("set eacces\n"); + } + + /* * Personally, I've never seen any point in requiring a * reserved port#, since only in the rare case where the * clients are all boxes with secure system privileges, @@ -3610,6 +3624,14 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd) nd->nd_flag |= ND_EXGSSPRIVACY; } + /* And set ND_EXxx flags for TLS. */ +printf("v4root exflags=0x%x\n", exflags); + if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) { + nd->nd_flag |= ND_EXTLS; + if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0) + nd->nd_flag |= ND_EXTLSCERT; + } + out: NFSEXITCODE(error); return (error); @@ -5268,7 +5290,7 @@ nfsrv_writedsdorpc(struct nfsmount *nmp, fhandle_t *fh /* Put data in mbuf chain. */ nd->nd_mb->m_next = m; if ((m->m_flags & M_NOMAP) != 0) - nd->nd_flag |= ND_EXTPG; + nd->nd_flag |= ND_NOMAP; /* Set nd_mb and nd_bpos to end of data. */ while (m->m_next != NULL) 
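Review bot: The two column-0 `printf("ndflag=0x%jx exflags=0x%x\n", ...)` and `printf("set eacces\n");` calls added to nfsd_fhtovp run on every file-handle lookup, so they will flood the console as soon as this branch sees real traffic, and the rate is set by whatever clients send. They read as debugging aids that should be dropped before the change leaves the project branch, or at least gated behind a debug sysctl; the same goes for `printf("v4root exflags=0x%x\n", exflags);` in nfsvno_v4rootexport. The access check itself looks right: it only runs while nd_repstat is still 0 and mirrors the vput()/NFSERR_ACCES handling of the block just above it. nfsd_fhtovp starts and ends outside the hunk.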
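Review bot: In nfsvno_v4rootexport the new block tests `exflags` against RPCTLS_FLAGS_HANDSHAKE and RPCTLS_FLAGS_VERIFIED, yet everywhere else in this commit those two constants are bits of the transport's xp_tls word, while export flags are tested with MNTEX_TLS / MNTEX_TLSCERT (see the NFSVNO_EXTLS and NFSVNO_EXTLSCERT macros added to nfsdport.h). Unless the two sets of constants are deliberately defined to coincide, ND_EXTLS/ND_EXTLSCERT will be derived from the wrong bits for the V4 root export, and the nfsd_checkrootexp checks would then not enforce the export's -tls/-tlscert options. I would expect `if ((exflags & MNTEX_TLS) != 0) {` and `if ((exflags & MNTEX_TLSCERT) != 0)` here, matching the macros. The enclosing function starts outside the hunk.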
@@ -6398,9 +6420,9 @@ nfsvno_getxattr(struct vnode *vp, char *name, uint32_t /* * If the cnt is larger than MCLBYTES, use ext_pgs if * possible. - * Always use ext_pgs if ND_EXTPG is set. + * Always use ext_pgs if ND_NOMAP is set. */ - if ((flag & ND_EXTPG) != 0 || (tlen > MCLBYTES && + if ((flag & ND_NOMAP) != 0 || (tlen > MCLBYTES && PMAP_HAS_DMAP != 0 && ((flag & ND_TLS) != 0 || nfs_use_ext_pgs))) uiop->uio_iovcnt = nfsrv_createiovec_extpgs(tlen, maxextsiz, &m, &m2, &iv); Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c Sun Mar 22 20:00:12 2020 (r359226) @@ -680,7 +680,7 @@ nfsrvd_readlink(struct nfsrv_descript *nd, __unused in nd->nd_repstat = EINVAL; } if (nd->nd_repstat == 0) { - if ((nd->nd_flag & ND_EXTPG) != 0) + if ((nd->nd_flag & ND_NOMAP) != 0) nd->nd_repstat = nfsvno_readlink(vp, nd->nd_cred, nd->nd_maxextsiz, p, &mp, &mpend, &len); else @@ -859,9 +859,9 @@ nfsrvd_read(struct nfsrv_descript *nd, __unused int is /* * If the cnt is larger than MCLBYTES, use ext_pgs if * possible. - * Always use ext_pgs if ND_EXTPG is set. + * Always use ext_pgs if ND_NOMAP is set. */ - if ((nd->nd_flag & ND_EXTPG) != 0 || (PMAP_HAS_DMAP != 0 && + if ((nd->nd_flag & ND_NOMAP) != 0 || (PMAP_HAS_DMAP != 0 && ((nd->nd_flag & ND_TLS) != 0 || (nfs_use_ext_pgs && cnt > MCLBYTES)))) nd->nd_repstat = nfsvno_read(vp, off, cnt, nd->nd_cred, @@ -904,7 +904,7 @@ nfsrvd_read(struct nfsrv_descript *nd, __unused int is nd->nd_mb->m_next = m3; nd->nd_mb = m2; if ((m2->m_flags & M_NOMAP) != 0) { - nd->nd_flag |= ND_EXTPG; + nd->nd_flag |= ND_NOMAP; pgs = m2->m_ext.ext_pgs; nd->nd_bextpg = pgs->npgs - 1; nd->nd_bpos = (char *)(void *) 
@@ -5586,7 +5586,7 @@ nfsrvd_getxattr(struct nfsrv_descript *nd, __unused in nd->nd_mb->m_next = mp; nd->nd_mb = mpend; if ((mpend->m_flags & M_NOMAP) != 0) { - nd->nd_flag |= ND_EXTPG; + nd->nd_flag |= ND_NOMAP; pgs = mpend->m_ext.ext_pgs; nd->nd_bextpg = pgs->npgs - 1; nd->nd_bpos = (char *)(void *) Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Sun Mar 22 19:31:12 2020 (r359225) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Sun Mar 22 20:00:12 2020 (r359226) @@ -2140,6 +2140,12 @@ nfsd_checkrootexp(struct nfsrv_descript *nd) if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY | ND_EXGSS)) == (ND_GSS | ND_EXGSS)) return (0); + if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) == + (ND_TLSCERT | ND_EXTLSCERT)) + return (0); + if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) == + (ND_EXTLS | ND_TLS)) + return (0); return (1); }
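Review bot: The two new mask comparisons in nfsd_checkrootexp encode the policy behind the -tls and -tlscert export options but say nothing about it, and the second is easy to misread because ND_EXTLSCERT appears in the mask only to force a mismatch when a certificate is required. A comment before each would help, e.g. `/* Export requires a verified client cert and this connection has one. */` before the first and `/* Export requires TLS (but no cert) and this connection is TLS. */` before the second. The second test also depends on ND_TLS being set whenever ND_TLSCERT is, which nfssvc_program in this commit does guarantee; worth stating in the comment. The function's head is outside the hunk.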