svn commit: r359625 - in projects/nfs-over-tls/sys/fs: nfs nfsserver
Rick Macklem
rmacklem at FreeBSD.org
Fri Apr 3 23:00:38 UTC 2020
Author: rmacklem
Date: Fri Apr 3 23:00:26 2020
New Revision: 359625
URL: https://svnweb.freebsd.org/changeset/base/359625
Log:
Fix up the handling of the "tls" and "tlscert" export options and
add support for the "tlscertuser" export option.
Modified:
projects/nfs-over-tls/sys/fs/nfs/nfs.h
projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 23:00:26 2020 (r359625)
@@ -719,8 +719,10 @@ struct nfsrv_descript {
#define ND_NOMAP 0x800000000
#define ND_TLS 0x1000000000
#define ND_TLSCERT 0x2000000000
-#define ND_EXTLS 0x4000000000
-#define ND_EXTLSCERT 0x8000000000
+#define ND_TLSCNUSER 0x4000000000
+#define ND_EXTLS 0x8000000000
+#define ND_EXTLSCERT 0x10000000000
+#define ND_EXTLSCNUSER 0x20000000000
/*
* ND_GSS should be the "or" of all GSS type authentications.
Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 23:00:26 2020 (r359625)
@@ -83,6 +83,7 @@ struct nfsexstuff {
#define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY)
#define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS)
#define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT)
+#define NFSVNO_EXTLSCNUSER(e) ((e)->nes_exflag & MNTEX_TLSCNUSER)
#define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY))
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -243,6 +243,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
nd.nd_flag |= ND_TLS;
if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0)
nd.nd_flag |= ND_TLSCERT;
+ if ((xprt->xp_tls & RPCTLS_FLAGS_CNUSER) != 0)
+ nd.nd_flag |= ND_TLSCNUSER;
}
nd.nd_maxextsiz = 16384;
#ifdef MAC
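Review bot: ND_TLSCNUSER is set from RPCTLS_FLAGS_CNUSER on its own rather than under the RPCTLS_FLAGS_VERIFIED test two lines above, yet the checktls ladder this commit adds to nfsd_checkrootexp accepts ND_TLSCNUSER for a tlscertuser export without looking at ND_TLSCERT. That is sound only if the rpctls layer never reports CNUSER for a certificate that failed verification, which is not visible in this hunk. I would either nest the new test under the VERIFIED one or state the invariant in a comment, e.g. `/* RPCTLS_FLAGS_CNUSER implies RPCTLS_FLAGS_VERIFIED; see <place where xp_tls is set>. */`. The body of nfssvc_program starts and ends outside the hunk.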
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -3351,14 +3351,14 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh
/*
* If TLS is required by the export, check the flags in nd_flag.
*/
-printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag);
if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) &&
(nd->nd_flag & ND_TLS) == 0) ||
(NFSVNO_EXTLSCERT(exp) &&
- (nd->nd_flag & ND_TLSCERT) == 0))) {
+ (nd->nd_flag & ND_TLSCERT) == 0) ||
+ (NFSVNO_EXTLSCNUSER(exp) &&
+ (nd->nd_flag & ND_TLSCNUSER) == 0))) {
vput(*vpp);
nd->nd_repstat = NFSERR_ACCES;
-printf("set eacces\n");
}
/*
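Review bot: The comment above the condition still says only "If TLS is required by the export", while the test now enforces three export options, each checked independently of the other two. I would update it to something like `/* Enforce the export's tls, tlscert and tlscertuser options against the connection's ND_TLSxx flags; any unmet option yields NFSERR_ACCES. */`. With the debug printf() calls removed, that comment is the only explanation of why an otherwise valid file handle is refused here. nfsd_fhtovp continues outside the hunk.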
@@ -3625,11 +3625,12 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd)
}
/* And set ND_EXxx flags for TLS. */
-printf("v4root exflags=0x%x\n", exflags);
- if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ if ((exflags & MNTEX_TLS) != 0) {
nd->nd_flag |= ND_EXTLS;
- if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0)
+ if ((exflags & MNTEX_TLSCERT) != 0)
nd->nd_flag |= ND_EXTLSCERT;
+ if ((exflags & MNTEX_TLSCNUSER) != 0)
+ nd->nd_flag |= ND_EXTLSCNUSER;
}
out:
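Review bot: ND_EXTLSCERT and ND_EXTLSCNUSER are set only inside the `MNTEX_TLS` block, whereas the nfsd_fhtovp hunk in this same file tests NFSVNO_EXTLSCERT and NFSVNO_EXTLSCNUSER without requiring NFSVNO_EXTLS. If an export can carry MNTEX_TLSCERT or MNTEX_TLSCNUSER without MNTEX_TLS, the V4 root export check would enforce nothing (nfsd_checkrootexp returns 0 when ND_EXTLS is clear) while file-handle lookups on the same export would. Whether mountd always sets MNTEX_TLS alongside the stronger options is not visible here. If it does, a comment saying so would help; otherwise `if ((exflags & (MNTEX_TLS | MNTEX_TLSCERT | MNTEX_TLSCNUSER)) != 0) {` makes the two paths agree. nfsvno_v4rootexport starts outside the hunk.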
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -2130,21 +2130,28 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
{
if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS)
- return (0);
+ goto checktls;
if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) ==
(ND_GSSINTEGRITY | ND_EXGSSINTEGRITY))
- return (0);
+ goto checktls;
if ((nd->nd_flag & (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) ==
(ND_GSSPRIVACY | ND_EXGSSPRIVACY))
- return (0);
+ goto checktls;
if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY |
ND_EXGSS)) == (ND_GSS | ND_EXGSS))
+ goto checktls;
+ return (1);
+checktls:
+ if ((nd->nd_flag & ND_EXTLS) == 0)
return (0);
- if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) ==
+ if ((nd->nd_flag & (ND_TLSCNUSER | ND_EXTLSCNUSER)) ==
+ (ND_TLSCNUSER | ND_EXTLSCNUSER))
+ return (0);
+ if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCNUSER)) ==
(ND_TLSCERT | ND_EXTLSCERT))
return (0);
- if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) ==
- (ND_EXTLS | ND_TLS))
+ if ((nd->nd_flag & (ND_TLS | ND_EXTLSCNUSER | ND_EXTLSCERT)) ==
+ ND_TLS)
return (0);
return (1);
}
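Review bot: The checktls ladder has no comment, and its correctness depends on the order of the three mask tests and on ND_EXTLS being set whenever ND_EXTLSCERT or ND_EXTLSCNUSER is. I would add a comment at the label, e.g. `/* Auth flavor is acceptable; now require the strongest TLS level the export asks for: tlscertuser, else tlscert, else plain tls. */`. I would also note next to the first test that an export without ND_EXTLS places no TLS requirement on the request. The function's opening lines and header comment are outside the hunk, so the 0 = allowed / 1 = refused convention is inferred from the returns shown.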