svn commit: r359226 - in projects/nfs-over-tls/sys/fs: nfs nfsclient nfsserver
Rick Macklem
rmacklem at FreeBSD.org
Sun Mar 22 20:00:14 UTC 2020
Author: rmacklem
Date: Sun Mar 22 20:00:12 2020
New Revision: 359226
URL: https://svnweb.freebsd.org/changeset/base/359226
Log:
Add kernel support for the new "-tls" and "-tlscert" export options.
Most of the editing was renaming ND_EXTPG to ND_NOMAP so that it
did not start with ND_EX, which might have been confused for an
exports related flag.
Modified:
projects/nfs-over-tls/sys/fs/nfs/nfs.h
projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c
projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h
projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c
projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs.h Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Sun Mar 22 20:00:12 2020 (r359226)
@@ -716,8 +716,11 @@ struct nfsrv_descript {
#define ND_SAVEDCURSTATEID 0x100000000
#define ND_HASSLOTID 0x200000000
#define ND_NFSV42 0x400000000
-#define ND_EXTPG 0x800000000
+#define ND_NOMAP 0x800000000
#define ND_TLS 0x1000000000
+#define ND_TLSCERT 0x2000000000
+#define ND_EXTLS 0x4000000000
+#define ND_EXTLSCERT 0x8000000000
/*
* ND_GSS should be the "or" of all GSS type authentications.
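Review bot: The four new ND_* bits are defined without any comment saying what each one records, and after the rename in this same commit ND_EXTLS/ND_EXTLSCERT are easy to mistake for MNT_EX*-style export flags. From the other hunks, ND_TLS means the RPC-TLS handshake completed on the connection, ND_TLSCERT that the client certificate was additionally verified, and ND_EXTLS/ND_EXTLSCERT that the export being accessed requires TLS or a verified certificate respectively. A short block above the defines, along the lines of `/* ND_TLS: RPC-TLS handshake done on this xprt; ND_TLSCERT: client cert also verified. ND_EXTLS/ND_EXTLSCERT: the export requires TLS / a verified cert. */`, would make that explicit, in the same way the existing ND_GSS comment does for GSS. The flag list this hunk belongs to starts and ends outside the hunk.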
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -369,7 +369,7 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum,
nd->nd_repstat = 0;
nd->nd_maxextsiz = 16384;
if (use_ext && PMAP_HAS_DMAP != 0) {
- nd->nd_flag |= ND_EXTPG;
+ nd->nd_flag |= ND_NOMAP;
#ifdef KERN_TLS
nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
ktls_maxlen);
@@ -379,7 +379,7 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum,
/*
* Get the first mbuf for the request.
*/
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
mb = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK, false,
mb_free_mext_pgs);
nd->nd_mreq = nd->nd_mb = mb;
@@ -872,22 +872,22 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp,
bytesize = NFSX_UNSIGNED + siz + rem;
m2 = nd->nd_mb;
cp2 = nd->nd_bpos;
- if ((nd->nd_flag & ND_EXTPG) != 0)
+ if ((nd->nd_flag & ND_NOMAP) != 0)
left = nd->nd_bextpgsiz;
else
left = M_TRAILINGSPACE(m2);
KASSERT(((m2->m_flags & (M_EXT | M_NOMAP)) ==
- (M_EXT | M_NOMAP) && (nd->nd_flag & ND_EXTPG) != 0) ||
+ (M_EXT | M_NOMAP) && (nd->nd_flag & ND_NOMAP) != 0) ||
((m2->m_flags & (M_EXT | M_NOMAP)) !=
- (M_EXT | M_NOMAP) && (nd->nd_flag & ND_EXTPG) == 0),
+ (M_EXT | M_NOMAP) && (nd->nd_flag & ND_NOMAP) == 0),
("nfsm_strtom: ext_pgs and non-ext_pgs mbufs mixed"));
/*
* Loop around copying the string to mbuf(s).
*/
while (siz > 0) {
if (left == 0) {
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
m2 = nfsm_add_ext_pgs(m2,
nd->nd_maxextsiz, &nd->nd_bextpg);
cp2 = (char *)(void *)PHYS_TO_DMAP(
@@ -915,7 +915,7 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp,
m2->m_len += xfer;
siz -= xfer;
left -= xfer;
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
nd->nd_bextpgsiz -= xfer;
m2->m_ext.ext_pgs->last_pg_len += xfer;
}
@@ -925,14 +925,14 @@ nfsm_strtom(struct nfsrv_descript *nd, const char *cp,
NFSBZERO(cp2, rem);
m2->m_len += rem;
cp2 += rem;
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
nd->nd_bextpgsiz -= rem;
m2->m_ext.ext_pgs->last_pg_len += rem;
}
}
}
nd->nd_mb = m2;
- if ((nd->nd_flag & ND_EXTPG) != 0)
+ if ((nd->nd_flag & ND_NOMAP) != 0)
nd->nd_bpos = cp2;
else
nd->nd_bpos = mtod(m2, char *) + m2->m_len;
@@ -4475,7 +4475,7 @@ nfsrvd_rephead(struct nfsrv_descript *nd)
{
mbuf_t mreq;
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
mreq = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK, false,
mb_free_mext_pgs);
nd->nd_mreq = nd->nd_mb = mreq;
Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Sun Mar 22 20:00:12 2020 (r359226)
@@ -81,6 +81,8 @@ struct nfsexstuff {
#define NFSVNO_EXPORTANON(e) ((e)->nes_exflag & MNT_EXPORTANON)
#define NFSVNO_EXSTRICTACCESS(e) ((e)->nes_exflag & MNT_EXSTRICTACCESS)
#define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY)
+#define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS)
+#define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT)
#define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY))
Modified: projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfs/nfsm_subs.h Sun Mar 22 20:00:12 2020 (r359226)
@@ -57,7 +57,7 @@
* Replace most of the macro with an inline function, to minimize
* the machine code. The inline functions in lower case can be called
* directly, bypassing the macro.
- * For ND_EXTPG, if there is not enough contiguous space left in
+ * For ND_NOMAP, if there is not enough contiguous space left in
* the mbuf page, allocate a regular mbuf. The data in these regular
* mbufs will need to be copied into pages later, since the data must
* be filled pages. This should only happen after a write request or
@@ -69,7 +69,7 @@ nfsm_build(struct nfsrv_descript *nd, int siz)
void *retp;
struct mbuf *mb2;
- if ((nd->nd_flag & ND_EXTPG) == 0 &&
+ if ((nd->nd_flag & ND_NOMAP) == 0 &&
siz > M_TRAILINGSPACE(nd->nd_mb)) {
NFSMCLGET(mb2, M_NOWAIT);
if (siz > MLEN)
@@ -78,7 +78,7 @@ nfsm_build(struct nfsrv_descript *nd, int siz)
nd->nd_bpos = mtod(mb2, char *);
nd->nd_mb->m_next = mb2;
nd->nd_mb = mb2;
- } else if ((nd->nd_flag & ND_EXTPG) != 0) {
+ } else if ((nd->nd_flag & ND_NOMAP) != 0) {
if (siz > nd->nd_bextpgsiz) {
mb2 = mb_alloc_ext_plus_pages(PAGE_SIZE, M_WAITOK,
false, mb_free_mext_pgs);
Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clcomsubs.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -82,12 +82,12 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui
left = siz;
uiosiz = left;
while (left > 0) {
- if ((nd->nd_flag & ND_EXTPG) != 0)
+ if ((nd->nd_flag & ND_NOMAP) != 0)
mlen = nd->nd_bextpgsiz;
else
mlen = M_TRAILINGSPACE(mp);
if (mlen == 0) {
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
mp = nfsm_add_ext_pgs(mp,
nd->nd_maxextsiz, &nd->nd_bextpg);
mcp = (char *)(void *)PHYS_TO_DMAP(
@@ -114,7 +114,7 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui
left -= xfer;
uiocp += xfer;
mcp += xfer;
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
nd->nd_bextpgsiz -= xfer;
mp->m_ext.ext_pgs->last_pg_len += xfer;
}
@@ -128,13 +128,13 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui
siz -= uiosiz;
}
if (rem > 0) {
- if ((nd->nd_flag & ND_EXTPG) == 0 && rem >
+ if ((nd->nd_flag & ND_NOMAP) == 0 && rem >
M_TRAILINGSPACE(mp)) {
NFSMGET(mp);
mp->m_len = 0;
mp2->m_next = mp;
mcp = mtod(mp, char *);
- } else if ((nd->nd_flag & ND_EXTPG) != 0 && rem >
+ } else if ((nd->nd_flag & ND_NOMAP) != 0 && rem >
nd->nd_bextpgsiz) {
mp = nfsm_add_ext_pgs(mp, nd->nd_maxextsiz,
&nd->nd_bextpg);
@@ -146,7 +146,7 @@ nfsm_uiombuf(struct nfsrv_descript *nd, struct uio *ui
*mcp++ = '\0';
mp->m_len += rem;
nd->nd_bpos = mcp;
- if ((nd->nd_flag & ND_EXTPG) != 0) {
+ if ((nd->nd_flag & ND_NOMAP) != 0) {
nd->nd_bextpgsiz -= rem;
mp->m_ext.ext_pgs->last_pg_len += rem;
}
Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -42,8 +42,9 @@ __FBSDID("$FreeBSD$");
#include <fs/nfs/nfsport.h>
#include <rpc/rpc.h>
-#include <rpc/rpcsec_gss.h>
#include <rpc/replay.h>
+#include <rpc/rpcsec_gss.h>
+#include <rpc/rpcsec_tls.h>
NFSDLOCKMUTEX;
@@ -115,11 +116,12 @@ printf("cbreq nd_md=%p offs=%d\n", nd.nd_md, rqst->rq_
mac_cred_associate_nfsd(nd.nd_cred);
#endif
#endif
- if ((xprt->xp_tls || nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) {
- nd.nd_flag |= ND_EXTPG;
+ if (((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 ||
+ nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) {
+ nd.nd_flag |= ND_NOMAP;
nd.nd_maxextsiz = 16384;
#ifdef KERN_TLS
- if (xprt->xp_tls)
+ if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0)
nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
ktls_maxlen);
#endif
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
#include <rpc/rpc.h>
#include <rpc/rpcsec_gss.h>
+#include <rpc/rpcsec_tls.h>
#include <fs/nfsserver/nfs_fha_new.h>
@@ -238,6 +239,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
goto out;
}
+ if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ nd.nd_flag |= ND_TLS;
+ if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0)
+ nd.nd_flag |= ND_TLSCERT;
+ }
+ nd.nd_maxextsiz = 16384;
#ifdef MAC
mac_cred_associate_nfsd(nd.nd_cred);
#endif
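Review bot: ND_TLSCERT is set only inside the ND_TLS branch, so the code establishes that ND_TLSCERT implies ND_TLS; nfsd_checkrootexp in this commit tests `ND_TLSCERT | ND_EXTLSCERT` without also checking ND_TLS and therefore depends on that invariant, which deserves to be stated here: `/* ND_TLSCERT is only ever set together with ND_TLS; nfsd_checkrootexp() relies on this. */`. The moved `nd.nd_maxextsiz = 16384;` repeats a literal that nfs_clkrpc.c and nfscl_reqstart in this same commit also hardcode, so a named constant in nfs.h would keep the three in step. nfssvc_program's body continues outside the hunk.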
@@ -272,11 +279,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
}
}
- if (xprt->xp_tls)
- nd.nd_flag |= ND_TLS;
- nd.nd_maxextsiz = 16384;
#ifdef KERN_TLS
- if (xprt->xp_tls)
+ if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0)
nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
ktls_maxlen);
#endif
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$");
#include <sys/sysctl.h>
#include <nlm/nlm_prot.h>
#include <nlm/nlm.h>
+#include <rpc/rpcsec_tls.h>
FEATURE(nfsd, "NFSv4 server");
@@ -3344,10 +3345,23 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh
if (!nd->nd_repstat && exp->nes_exflag == 0 &&
!(nd->nd_flag & ND_NFSV4)) {
vput(*vpp);
- nd->nd_repstat = EACCES;
+ nd->nd_repstat = NFSERR_ACCES;
}
/*
+ * If TLS is required by the export, check the flags in nd_flag.
+ */
+printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag);
+ if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) &&
+ (nd->nd_flag & ND_TLS) == 0) ||
+ (NFSVNO_EXTLSCERT(exp) &&
+ (nd->nd_flag & ND_TLSCERT) == 0))) {
+ vput(*vpp);
+ nd->nd_repstat = NFSERR_ACCES;
+printf("set eacces\n");
+ }
+
+ /*
* Personally, I've never seen any point in requiring a
* reserved port#, since only in the rare case where the
* clients are all boxes with secure system privileges,
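Review bot: The two column-0 `printf` calls run on every file-handle lookup, unconditionally writing nd_flag and the export flags to the console; on a busy server they would swamp the log, and the "set eacces" one adds nothing beyond the NFSERR_ACCES already being returned. They read as development tracing and should be removed, or at least gated behind a debug knob, before this leaves the project branch; the `printf("v4root exflags=...")` in the nfsvno_v4rootexport hunk below is the same issue. The enforcement itself looks right: it runs only while nd_repstat is still 0, so the earlier anonymous-export rejection is not double-handled, and it releases the vnode on the same path the existing check uses. nfsd_fhtovp's body continues outside the hunk.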
@@ -3610,6 +3624,14 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd)
nd->nd_flag |= ND_EXGSSPRIVACY;
}
+ /* And set ND_EXxx flags for TLS. */
+printf("v4root exflags=0x%x\n", exflags);
+ if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ nd->nd_flag |= ND_EXTLS;
+ if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0)
+ nd->nd_flag |= ND_EXTLSCERT;
+ }
+
out:
NFSEXITCODE(error);
return (error);
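Review bot: The root export's TLS requirement is tested here with `RPCTLS_FLAGS_HANDSHAKE` / `RPCTLS_FLAGS_VERIFIED`, whereas nfsdport.h's new NFSVNO_EXTLS/NFSVNO_EXTLSCERT macros, which nfsd_fhtovp uses in this same commit, test export flags with `MNTEX_TLS` / `MNTEX_TLSCERT`. Unless those two pairs happen to be defined to identical bit values, exflags here is being masked with bits from a different namespace, so the v4 root would silently never get ND_EXTLS/ND_EXTLSCERT set and nfsd_checkrootexp would not enforce the -tls/-tlscert requirement on it (I cannot see the definitions from here, so this is inferred from the macro names). Suggest `if ((exflags & MNTEX_TLS) != 0) {` and `if ((exflags & MNTEX_TLSCERT) != 0)` to match the macros, or better, reuse them. The `printf` is the same unconditional debug tracing noted on the nfsd_fhtovp hunk. nfsvno_v4rootexport starts outside the hunk.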
@@ -5268,7 +5290,7 @@ nfsrv_writedsdorpc(struct nfsmount *nmp, fhandle_t *fh
/* Put data in mbuf chain. */
nd->nd_mb->m_next = m;
if ((m->m_flags & M_NOMAP) != 0)
- nd->nd_flag |= ND_EXTPG;
+ nd->nd_flag |= ND_NOMAP;
/* Set nd_mb and nd_bpos to end of data. */
while (m->m_next != NULL)
@@ -6398,9 +6420,9 @@ nfsvno_getxattr(struct vnode *vp, char *name, uint32_t
/*
* If the cnt is larger than MCLBYTES, use ext_pgs if
* possible.
- * Always use ext_pgs if ND_EXTPG is set.
+ * Always use ext_pgs if ND_NOMAP is set.
*/
- if ((flag & ND_EXTPG) != 0 || (tlen > MCLBYTES &&
+ if ((flag & ND_NOMAP) != 0 || (tlen > MCLBYTES &&
PMAP_HAS_DMAP != 0 && ((flag & ND_TLS) != 0 || nfs_use_ext_pgs)))
uiop->uio_iovcnt = nfsrv_createiovec_extpgs(tlen, maxextsiz,
&m, &m2, &iv);
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdserv.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -680,7 +680,7 @@ nfsrvd_readlink(struct nfsrv_descript *nd, __unused in
nd->nd_repstat = EINVAL;
}
if (nd->nd_repstat == 0) {
- if ((nd->nd_flag & ND_EXTPG) != 0)
+ if ((nd->nd_flag & ND_NOMAP) != 0)
nd->nd_repstat = nfsvno_readlink(vp, nd->nd_cred,
nd->nd_maxextsiz, p, &mp, &mpend, &len);
else
@@ -859,9 +859,9 @@ nfsrvd_read(struct nfsrv_descript *nd, __unused int is
/*
* If the cnt is larger than MCLBYTES, use ext_pgs if
* possible.
- * Always use ext_pgs if ND_EXTPG is set.
+ * Always use ext_pgs if ND_NOMAP is set.
*/
- if ((nd->nd_flag & ND_EXTPG) != 0 || (PMAP_HAS_DMAP != 0 &&
+ if ((nd->nd_flag & ND_NOMAP) != 0 || (PMAP_HAS_DMAP != 0 &&
((nd->nd_flag & ND_TLS) != 0 || (nfs_use_ext_pgs &&
cnt > MCLBYTES))))
nd->nd_repstat = nfsvno_read(vp, off, cnt, nd->nd_cred,
@@ -904,7 +904,7 @@ nfsrvd_read(struct nfsrv_descript *nd, __unused int is
nd->nd_mb->m_next = m3;
nd->nd_mb = m2;
if ((m2->m_flags & M_NOMAP) != 0) {
- nd->nd_flag |= ND_EXTPG;
+ nd->nd_flag |= ND_NOMAP;
pgs = m2->m_ext.ext_pgs;
nd->nd_bextpg = pgs->npgs - 1;
nd->nd_bpos = (char *)(void *)
@@ -5586,7 +5586,7 @@ nfsrvd_getxattr(struct nfsrv_descript *nd, __unused in
nd->nd_mb->m_next = mp;
nd->nd_mb = mpend;
if ((mpend->m_flags & M_NOMAP) != 0) {
- nd->nd_flag |= ND_EXTPG;
+ nd->nd_flag |= ND_NOMAP;
pgs = mpend->m_ext.ext_pgs;
nd->nd_bextpg = pgs->npgs - 1;
nd->nd_bpos = (char *)(void *)
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Sun Mar 22 19:31:12 2020 (r359225)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Sun Mar 22 20:00:12 2020 (r359226)
@@ -2140,6 +2140,12 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY |
ND_EXGSS)) == (ND_GSS | ND_EXGSS))
return (0);
+ if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) ==
+ (ND_TLSCERT | ND_EXTLSCERT))
+ return (0);
+ if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) ==
+ (ND_EXTLS | ND_TLS))
+ return (0);
return (1);
}
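Review bot: The two new conditions encode "the export requires a verified client cert and the client presented one" and "the export requires only TLS and the client is on TLS", but nothing in the function says so, and the first condition is only sound because ND_TLSCERT is never set without ND_TLS (nfssvc_program sets it inside the ND_TLS branch). A comment such as `/* TLS: a verified client cert satisfies an export requiring one; otherwise plain TLS satisfies an export that requires only TLS. ND_TLSCERT implies ND_TLS. */` above the two checks would record that dependency. Note the second condition correctly falls through to `return (1)` when ND_EXTLSCERT is set and the client has no verified cert, because the mask includes ND_EXTLSCERT. nfsd_checkrootexp starts outside the hunk.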