svn commit: r359623 - projects/nfs-over-tls/sys/rpc

Rick Macklem rmacklem at FreeBSD.org
Fri Apr 3 22:38:22 UTC 2020


Author: rmacklem
Date: Fri Apr  3 22:38:13 2020
New Revision: 359623
URL: https://svnweb.freebsd.org/changeset/base/359623

Log:
  Update the files in sys/rpc to add handling of certuser.
  
  certuser refers to using an otherName in the subjectAltName of the
  client's certificate to create machine credentials that are used
  to perform the RPCs instead of the user credentials in the RPC header.
  These changes require the changes in sys/rpc/rpcsec_tls which will
  be committed soon.

Modified:
  projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
  projects/nfs-over-tls/sys/rpc/svc.c
  projects/nfs-over-tls/sys/rpc/svc.h
  projects/nfs-over-tls/sys/rpc/svc_auth.c

Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Fri Apr  3 22:36:22 2020	(r359622)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h	Fri Apr  3 22:38:13 2020	(r359623)
@@ -41,6 +41,7 @@
 #define	RPCTLS_FLAGS_SELFSIGNED	0x04
 #define	RPCTLS_FLAGS_VERIFIED	0x08
 #define	RPCTLS_FLAGS_DISABLED	0x10
+#define	RPCTLS_FLAGS_CNUSER	0x20
 
 #ifdef _KERNEL
 /* Functions that perform upcalls to the rpctlsd daemon. */
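Review bot: RPCTLS_FLAGS_CNUSER is added with no comment, while the log calls the feature "certuser" and describes it as an otherName in the certificate's subjectAltName, so a reader cannot tell from the header what the flag means or that "CN" does not refer to the certificate's CN field. A trailing comment would close that gap: `#define RPCTLS_FLAGS_CNUSER 0x20 /* Use creds derived from the cert's otherName (certuser) */`. The neighbouring flags are equally uncommented, so this may simply be file convention.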

Modified: projects/nfs-over-tls/sys/rpc/svc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc.c	Fri Apr  3 22:36:22 2020	(r359622)
+++ projects/nfs-over-tls/sys/rpc/svc.c	Fri Apr  3 22:38:13 2020	(r359623)
@@ -902,6 +902,8 @@ svc_xprt_free(SVCXPRT *xprt)
 {
 
 	mem_free(xprt->xp_p3, sizeof(SVCXPRT_EXT));
+	/* The size argument is ignored, so 0 is ok. */
+	mem_free(xprt->xp_gidp, 0);
 	mem_free(xprt, sizeof(SVCXPRT));
 }
 
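Review bot: `mem_free(xprt->xp_gidp, 0)` is unconditional, so it relies on xp_gidp being NULL for every transport that never had certificate-derived credentials attached and on the underlying free wrapper accepting NULL; both hold only if the SVCXPRT is zero-filled at allocation and the rpcsec_tls code the log says is still to come never leaves a stale pointer behind, none of which is visible here. The added comment documents only the size argument; it could state the actual invariant instead: `/* xp_gidp is NULL unless certificate-derived groups were attached; mem_free() ignores the size. */`. If the free wrapper does not tolerate NULL, a `if (xprt->xp_gidp != NULL)` guard is needed in front of it.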

Modified: projects/nfs-over-tls/sys/rpc/svc.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc.h	Fri Apr  3 22:36:22 2020	(r359622)
+++ projects/nfs-over-tls/sys/rpc/svc.h	Fri Apr  3 22:38:13 2020	(r359623)
@@ -181,6 +181,9 @@ typedef struct __rpc_svcxprt {
 	uint64_t	xp_sslsec;	/* Userland SSL * */
 	uint64_t	xp_sslusec;
 	uint64_t	xp_sslrefno;
+	int		xp_ngrps;	/* Cred. from TLS cert. */
+	uid_t		xp_uid;
+	gid_t		*xp_gidp;
 #else
 	int		xp_fd;
 	u_short		xp_port;	 /* associated port number */
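Review bot: Only xp_ngrps carries a comment; xp_uid and xp_gidp say nothing about when they are valid, and the ownership of xp_gidp (who allocates it, who frees it) is not stated even though svc_xprt_free() now frees it in this same commit. Suggest `uid_t xp_uid; /* Uid from TLS cert, valid when RPCTLS_FLAGS_CNUSER is set */` and `gid_t *xp_gidp; /* Groups from TLS cert; presumably set by rpcsec_tls, freed by svc_xprt_free() */`, with the setter confirmed once the rpcsec_tls change lands. The struct definition continues outside the hunk.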

Modified: projects/nfs-over-tls/sys/rpc/svc_auth.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc_auth.c	Fri Apr  3 22:36:22 2020	(r359622)
+++ projects/nfs-over-tls/sys/rpc/svc_auth.c	Fri Apr  3 22:38:13 2020	(r359623)
@@ -179,10 +179,29 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, 
 	struct ucred *cr = NULL;
 	int flavor;
 	struct xucred *xcr;
+	SVCXPRT *xprt = rqst->rq_xprt;
 
 	flavor = rqst->rq_cred.oa_flavor;
 	if (flavorp)
 		*flavorp = flavor;
+
+	/*
+	 * If there are credentials acquired via a TLS
+	 * certificate for this TCP connection, use those
+	 * instead of what is in the RPC header.
+	 */
+	if ((xprt->xp_tls & (RPCTLS_FLAGS_CNUSER |
+	    RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER &&
+	    flavor == AUTH_UNIX) {
+		cr = crget();
+		cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid;
+		crsetgroups(cr, xprt->xp_ngrps, xprt->xp_gidp);
+		cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0];
+		cr->cr_prison = &prison0;
+		prison_hold(cr->cr_prison);
+		*crp = cr;
+		return (TRUE);
+	}
 
 	switch (flavor) {
 	case AUTH_UNIX:
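Review bot: The new branch dereferences `xprt->xp_gidp[0]` and hands `xp_ngrps`/`xp_gidp` to crsetgroups() without checking that the certificate-derived credentials were actually populated; if RPCTLS_FLAGS_CNUSER can ever be set while xp_ngrps is 0 or xp_gidp is NULL, this is a NULL dereference on the server's RPC path, and the code that fills these fields is in the rpcsec_tls changes the log says are still to come, so it cannot be confirmed from this commit. Extending the guard is cheap and makes the invariant local: `if ((xprt->xp_tls & (RPCTLS_FLAGS_CNUSER | RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER && flavor == AUTH_UNIX && xprt->xp_ngrps > 0 && xprt->xp_gidp != NULL) {`. The block comment should also say that a non-AUTH_UNIX flavor on a CNUSER connection deliberately falls through to the header-based handling below, since a reader may otherwise take that for an oversight. svc_getcred() starts before the hunk and continues past it.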

