From owner-svn-src-projects@freebsd.org Sun Mar 29 23:33:32 2020
Return-Path:
Delivered-To: svn-src-projects@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 063D226825E for ; Sun, 29 Mar 2020 23:33:32 +0000 (UTC) (envelope-from ngie@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48rBjk13d7z3GZV; Sun, 29 Mar 2020 23:33:30 +0000 (UTC) (envelope-from ngie@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3ADE8918B; Sun, 29 Mar 2020 23:33:20 +0000 (UTC) (envelope-from ngie@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 02TNXJSO006966; Sun, 29 Mar 2020 23:33:19 GMT (envelope-from ngie@FreeBSD.org)
Received: (from ngie@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 02TNXCRo006926; Sun, 29 Mar 2020 23:33:12 GMT (envelope-from ngie@FreeBSD.org)
Message-Id: <202003292333.02TNXCRo006926@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ngie set sender to ngie@FreeBSD.org using -f
From: Enji Cooper
Date: Sun, 29 Mar 2020 23:33:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359430 - in projects/kyua-use-googletest-test-interface: bin/sh cddl/contrib/opensolaris/cmd/zfs cddl/contrib/opensolaris/cmd/zpool contrib/binutils/gas contrib/ipfilter contrib/ipfilt...
X-SVN-Group: projects
X-SVN-Commit-Author: ngie
X-SVN-Commit-Paths: in projects/kyua-use-googletest-test-interface: bin/sh cddl/contrib/opensolaris/cmd/zfs cddl/contrib/opensolaris/cmd/zpool contrib/binutils/gas contrib/ipfilter contrib/ipfilter/tools contrib/openbsm/...
X-SVN-Commit-Revision: 359430
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src " projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 29 Mar 2020 23:33:32 -0000

Author: ngie
Date: Sun Mar 29 23:33:12 2020
New Revision: 359430
URL: https://svnweb.freebsd.org/changeset/base/359430

Log:
  MFhead@r359429

Added:
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/generic_cleanup.sh
     - copied unchanged from r359429, head/tests/sys/net/routing/generic_cleanup.sh
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/params.h
     - copied unchanged from r359429, head/tests/sys/net/routing/params.h
Modified:
  projects/kyua-use-googletest-test-interface/bin/sh/input.c
  projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zfs/zfs_util.h
  projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c
  projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_util.h
  projects/kyua-use-googletest-test-interface/contrib/binutils/gas/dwarf2dbg.h
  projects/kyua-use-googletest-test-interface/contrib/ipfilter/ipf.h
  projects/kyua-use-googletest-test-interface/contrib/ipfilter/tools/ipnat.c
  projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.1
  projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.c
  projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.h
  projects/kyua-use-googletest-test-interface/contrib/tcsh/tc.sig.c
  projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/ext.h
  projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/global.c
  projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/sys_term.c
  projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/telnetd.c
  projects/kyua-use-googletest-test-interface/crypto/openssh/session.c
  projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/fsck.h
  projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/gjournal.c
  projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/globs.c
  projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/setup.c
  projects/kyua-use-googletest-test-interface/sbin/fsdb/fsdb.c
  projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.c
  projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.h
  projects/kyua-use-googletest-test-interface/share/man/man4/tcp.4
  projects/kyua-use-googletest-test-interface/share/man/man7/arch.7
  projects/kyua-use-googletest-test-interface/stand/efi/libefi/efi_console.c
  projects/kyua-use-googletest-test-interface/stand/libsa/stand.h
  projects/kyua-use-googletest-test-interface/stand/libsa/zfs/zfs.c
  projects/kyua-use-googletest-test-interface/stand/userboot/userboot/libuserboot.h
  projects/kyua-use-googletest-test-interface/sys/arm/include/atomic-v6.h
  projects/kyua-use-googletest-test-interface/sys/dev/evdev/cdev.c
  projects/kyua-use-googletest-test-interface/sys/dev/sound/pci/hda/hdac.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_cc_functions.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_constants.h
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_input.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_pcb.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_timer.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctp_usrreq.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctputil.c
  projects/kyua-use-googletest-test-interface/sys/netinet/sctputil.h
  projects/kyua-use-googletest-test-interface/sys/vm/vm_page.c
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/Makefile
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/rtsock_common.h
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/rtsock_config.h
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/test_rtsock_l3.c
  projects/kyua-use-googletest-test-interface/tests/sys/net/routing/test_rtsock_lladdr.c
  projects/kyua-use-googletest-test-interface/usr.bin/calendar/calendars/calendar.holiday
  projects/kyua-use-googletest-test-interface/usr.bin/kyua/Makefile
  projects/kyua-use-googletest-test-interface/usr.bin/locate/locate/locate.c
  projects/kyua-use-googletest-test-interface/usr.bin/locate/locate/locate.h
  projects/kyua-use-googletest-test-interface/usr.bin/ncal/ncal.1
  projects/kyua-use-googletest-test-interface/usr.bin/ncal/ncal.c
  projects/kyua-use-googletest-test-interface/usr.bin/systat/swap.c
  projects/kyua-use-googletest-test-interface/usr.sbin/config/config.h
  projects/kyua-use-googletest-test-interface/usr.sbin/config/main.c
Directory Properties:
  projects/kyua-use-googletest-test-interface/   (props changed)
  projects/kyua-use-googletest-test-interface/cddl/   (props changed)
  projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/   (props changed)
  projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zfs/   (props changed)
  projects/kyua-use-googletest-test-interface/contrib/binutils/   (props changed)
projects/kyua-use-googletest-test-interface/contrib/ipfilter/ (props changed) projects/kyua-use-googletest-test-interface/contrib/openbsm/ (props changed) projects/kyua-use-googletest-test-interface/contrib/tcsh/ (props changed) projects/kyua-use-googletest-test-interface/crypto/openssh/ (props changed) Modified: projects/kyua-use-googletest-test-interface/bin/sh/input.c ============================================================================== --- projects/kyua-use-googletest-test-interface/bin/sh/input.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/bin/sh/input.c Sun Mar 29 23:33:12 2020 (r359430) @@ -102,8 +102,6 @@ static struct parsefile basepf = { /* top level input static struct parsefile *parsefile = &basepf; /* current input file */ int whichprompt; /* 1 == PS1, 2 == PS2 */ -EditLine *el; /* cookie for editline package */ - static void pushfile(void); static int preadfd(void); static void popstring(void); Modified: projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zfs/zfs_util.h ============================================================================== --- projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zfs/zfs_util.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zfs/zfs_util.h Sun Mar 29 23:33:12 2020 (r359430) 
@@ -33,7 +33,7 @@ extern "C" { void * safe_malloc(size_t size); void nomem(void); -libzfs_handle_t *g_zfs; +extern libzfs_handle_t *g_zfs; #ifdef __cplusplus } Modified: projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c ============================================================================== --- projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c Sun Mar 29 23:33:12 2020 (r359430) @@ -64,6 +64,8 @@ #include "statcommon.h" +libzfs_handle_t *g_zfs; + static int zpool_do_create(int, char **); static int zpool_do_destroy(int, char **); Modified: projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_util.h ============================================================================== --- projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_util.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/cddl/contrib/opensolaris/cmd/zpool/zpool_util.h Sun Mar 29 23:33:12 2020 (r359430) @@ -64,7 +64,7 @@ void pool_list_free(zpool_list_t *); int pool_list_count(zpool_list_t *); void pool_list_remove(zpool_list_t *, zpool_handle_t *); -libzfs_handle_t *g_zfs; +extern libzfs_handle_t *g_zfs; #ifdef __cplusplus } Modified: projects/kyua-use-googletest-test-interface/contrib/binutils/gas/dwarf2dbg.h ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/binutils/gas/dwarf2dbg.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/binutils/gas/dwarf2dbg.h Sun Mar 29 23:33:12 2020 (r359430) 
@@ -78,7 +78,7 @@ extern void dwarf2_emit_label (symbolS *); /* True when we're supposed to set the basic block mark whenever a label is seen. Unless the target is doing Something Weird, just call dwarf2_emit_label. */ -bfd_boolean dwarf2_loc_mark_labels; +extern bfd_boolean dwarf2_loc_mark_labels; extern void dwarf2_finish (void); Modified: projects/kyua-use-googletest-test-interface/contrib/ipfilter/ipf.h ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/ipfilter/ipf.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/ipfilter/ipf.h Sun Mar 29 23:33:12 2020 (r359430) @@ -191,7 +191,7 @@ typedef int (* addfunc_t) __P((int, ioctlfunc_t, void typedef int (* copyfunc_t) __P((void *, void *, size_t)); -extern char thishost[]; +extern char thishost[MAXHOSTNAMELEN]; extern char flagset[]; extern u_char flags[]; extern struct ipopt_names ionames[]; Modified: projects/kyua-use-googletest-test-interface/contrib/ipfilter/tools/ipnat.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/ipfilter/tools/ipnat.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/ipfilter/tools/ipnat.c Sun Mar 29 23:33:12 2020 (r359430) @@ -60,7 +60,6 @@ static const char rcsid[] = "@(#)$Id$"; #define bzero(a,b) memset(a,0,b) #endif int use_inet6 = 0; -char thishost[MAXHOSTNAMELEN]; extern char *optarg; Modified: projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.1 ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.1 Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.1 Sun Mar 29 23:33:12 2020 (r359430) 
@@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 24, 2004 +.Dd February 20, 2020 .Dt AUDITREDUCE 1 .Os .Sh NAME @@ -47,6 +47,7 @@ .Op Fl r Ar ruid .Op Fl u Ar auid .Op Fl v +.Op Fl z Ar zone .Op Ar .Sh DESCRIPTION The @@ -129,6 +130,10 @@ Select records with the given real user ID or name. Select records with the given audit ID. .It Fl v Invert sense of matching, to select records that do not match. +.It Fl z Ar zone +Select records from the given zone(s). +.Ar zone +is a glob for zones to match. .El .Sh EXAMPLES To select all records associated with effective user ID root from the audit Modified: projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.c Sun Mar 29 23:33:12 2020 (r359430) @@ -62,6 +62,7 @@ #include #include +#include #include #include #include @@ -94,6 +95,7 @@ static int p_egid; /* Effective group id. */ static int p_rgid; /* Real group id. */ static int p_ruid; /* Real user id. */ static int p_subid; /* Subject id. */ +static const char *p_zone; /* Zone. */ /* * Maintain a dynamically sized array of events for -m @@ -114,6 +116,8 @@ static char *p_sockobj = NULL; static uint32_t opttochk = 0; +static int select_zone(const char *zone, uint32_t *optchkd); + static void parse_regexp(char *re_string) { @@ -186,6 +190,7 @@ usage(const char *msg) fprintf(stderr, "\t-r : real user\n"); fprintf(stderr, "\t-u : audit user\n"); fprintf(stderr, "\t-v : select non-matching records\n"); + fprintf(stderr, "\t-z : zone name\n"); exit(EX_USAGE); } 
@@ -493,6 +498,21 @@ select_subj32(tokenstr_t tok, uint32_t *optchkd) } /* + * Check if the given zone matches the selection criteria. + */ +static int +select_zone(const char *zone, uint32_t *optchkd) +{ + + SETOPT((*optchkd), OPT_z); + if (ISOPTSET(opttochk, OPT_z) && p_zone != NULL) { + if (fnmatch(p_zone, zone, FNM_PATHNAME) != 0) + return (0); + } + return (1); +} + +/* * Read each record from the audit trail. Check if it is selected after * passing through each of the options */ @@ -559,6 +579,10 @@ select_records(FILE *fp) tok_hdr32_copy, &optchkd); break; + case AUT_ZONENAME: + selected = select_zone(tok.tt.zonename.zonename, &optchkd); + break; + default: break; } @@ -629,7 +653,7 @@ main(int argc, char **argv) converr = NULL; - while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:v")) != -1) { + while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:vz:")) != -1) { switch(ch) { case 'A': SETOPT(opttochk, OPT_A); @@ -781,6 +805,11 @@ main(int argc, char **argv) case 'v': SETOPT(opttochk, OPT_v); + break; + + case 'z': + p_zone = optarg; + SETOPT(opttochk, OPT_z); break; case '?': Modified: projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.h ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/openbsm/bin/auditreduce/auditreduce.h Sun Mar 29 23:33:12 2020 (r359430) 
@@ -57,6 +57,7 @@ struct re_entry { #define OPT_u 0x00010000 #define OPT_A 0x00020000 #define OPT_v 0x00040000 +#define OPT_z 0x00080000 #define FILEOBJ "file" #define MSGQIDOBJ "msgqid" Modified: projects/kyua-use-googletest-test-interface/contrib/tcsh/tc.sig.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/tcsh/tc.sig.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/tcsh/tc.sig.c Sun Mar 29 23:33:12 2020 (r359430) @@ -56,7 +56,6 @@ int alrmcatch_disabled; /* = 0; */ int phup_disabled; /* = 0; */ int pchild_disabled; /* = 0; */ int pintr_disabled; /* = 0; */ -int handle_interrupt; /* = 0; */ int handle_pending_signals(void) Modified: projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/ext.h ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/ext.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/ext.h Sun Mar 29 23:33:12 2020 (r359430) 
@@ -30,53 +30,57 @@ * $FreeBSD$ */ +#ifndef EXTERN +#define EXTERN extern +#endif + /* * Telnet server variable declarations */ -extern char options[256]; -extern char do_dont_resp[256]; -extern char will_wont_resp[256]; -extern int linemode; /* linemode on/off */ +EXTERN char options[256]; +EXTERN char do_dont_resp[256]; +EXTERN char will_wont_resp[256]; +EXTERN int linemode; /* linemode on/off */ #ifdef LINEMODE -extern int uselinemode; /* what linemode to use (on/off) */ -extern int editmode; /* edit modes in use */ -extern int useeditmode; /* edit modes to use */ -extern int alwayslinemode; /* command line option */ -extern int lmodetype; /* Client support for linemode */ +EXTERN int uselinemode; /* what linemode to use (on/off) */ +EXTERN int editmode; /* edit modes in use */ +EXTERN int useeditmode; /* edit modes to use */ +EXTERN int alwayslinemode; /* command line option */ +EXTERN int lmodetype; /* Client support for linemode */ #endif /* LINEMODE */ -extern int flowmode; /* current flow control state */ -extern int restartany; /* restart output on any character state */ +EXTERN int flowmode; /* current flow control state */ +EXTERN int restartany; /* restart output on any character state */ #ifdef DIAGNOSTICS -extern int diagnostic; /* telnet diagnostic capabilities */ +EXTERN int diagnostic; /* telnet diagnostic capabilities */ #endif /* DIAGNOSTICS */ #ifdef BFTPDAEMON -extern int bftpd; /* behave as bftp daemon */ +EXTERN int bftpd; /* behave as bftp daemon */ #endif /* BFTPDAEMON */ #ifdef AUTHENTICATION -extern int auth_level; +EXTERN int auth_level; #endif -extern slcfun slctab[NSLC + 1]; /* slc mapping table */ +EXTERN slcfun slctab[NSLC + 1]; /* slc mapping table */ -char *terminaltype; +EXTERN char *terminaltype; /* * I/O data buffers, pointers, and counters. 
*/ -extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp; +EXTERN char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp; -extern char netibuf[BUFSIZ], *netip; +EXTERN char netibuf[BUFSIZ], *netip; -extern char netobuf[BUFSIZ], *nfrontp, *nbackp; -extern char *neturg; /* one past last bye of urgent data */ +EXTERN char netobuf[BUFSIZ], *nfrontp, *nbackp; +EXTERN char *neturg; /* one past last bye of urgent data */ -extern int pcc, ncc; +EXTERN int pcc, ncc; -extern int pty, net; -extern char line[32]; -extern int SYNCHing; /* we are in TELNET SYNCH mode */ +EXTERN int pty, net; +EXTERN char line[32]; +EXTERN int SYNCHing; /* we are in TELNET SYNCH mode */ -extern void +EXTERN void _termstat(void), add_slc(char, char, cc_t), check_slc(void), @@ -133,7 +137,7 @@ extern void tty_binaryin(int), tty_binaryout(int); -extern int +EXTERN int end_slc(unsigned char **), getnpty(void), #ifndef convex @@ -158,7 +162,7 @@ extern int tty_istrapsig(void), tty_linemode(void); -extern void +EXTERN void tty_rspeed(int), tty_setecho(int), tty_setedit(int), @@ -177,7 +181,7 @@ void startslave(char *, int, char *); #ifdef ENCRYPTION extern void (*encrypt_output)(unsigned char *, int); extern int (*decrypt_input)(int); -extern char *nclearto; +EXTERN char *nclearto; #endif /* ENCRYPTION */ @@ -186,7 +190,7 @@ extern char *nclearto; * the relationship between various variables. */ -extern struct { +EXTERN struct { int system, /* what the current time is */ echotoggle, /* last time user entered echo character */ Modified: projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/global.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/global.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/global.c Sun Mar 29 23:33:12 2020 (r359430) 
@@ -44,5 +44,5 @@ __FBSDID("$FreeBSD$"); */ #include "defs.h" -#define extern +#define EXTERN #include "ext.h" Modified: projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/sys_term.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/sys_term.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/sys_term.c Sun Mar 29 23:33:12 2020 (r359430) @@ -376,8 +376,6 @@ spcset(int func, cc_t *valp, cc_t **valpp) * * Returns the file descriptor of the opened pty. */ -char line[32]; - int getpty(int *ptynum __unused) { Modified: projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/telnetd.c ============================================================================== --- projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/telnetd.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/contrib/telnet/telnetd/telnetd.c Sun Mar 29 23:33:12 2020 (r359430) @@ -48,7 +48,6 @@ __FBSDID("$FreeBSD$"); #ifdef AUTHENTICATION #include -int auth_level = 0; #endif #ifdef ENCRYPTION #include Modified: projects/kyua-use-googletest-test-interface/crypto/openssh/session.c ============================================================================== --- projects/kyua-use-googletest-test-interface/crypto/openssh/session.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/crypto/openssh/session.c Sun Mar 29 23:33:12 2020 (r359430) 
@@ -143,7 +143,7 @@ extern int startup_pipe; extern void destroy_sensitive_data(void); extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; -char *tun_fwd_ifnames; /* serverloop.c */ +extern char *tun_fwd_ifnames; /* serverloop.c */ /* original command from peer. */ const char *original_command = NULL; Modified: projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/fsck.h ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/fsck.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/fsck.h Sun Mar 29 23:33:12 2020 (r359430) @@ -127,7 +127,7 @@ struct inostat { * Inode state information is contained on per cylinder group lists * which are described by the following structure. */ -struct inostatlist { +extern struct inostatlist { long il_numalloced; /* number of inodes allocated in this cg */ struct inostat *il_stat;/* inostat info for this cylinder group */ } *inostathead; @@ -271,13 +271,13 @@ struct dups { struct dups *next; ufs2_daddr_t dup; }; -struct dups *duplist; /* head of dup list */ -struct dups *muldup; /* end of unique duplicate dup block numbers */ +extern struct dups *duplist; /* head of dup list */ +extern struct dups *muldup; /* end of unique duplicate dup block numbers */ /* * Inode cache data structures. */ -struct inoinfo { +extern struct inoinfo { struct inoinfo *i_nexthash; /* next entry in hash chain */ ino_t i_number; /* inode number of this entry */ ino_t i_parent; /* inode number of parent */ Modified: projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/gjournal.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/gjournal.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/gjournal.c Sun Mar 29 23:33:12 2020 (r359430) 
@@ -93,7 +93,6 @@ static LIST_HEAD(, cgchain) cglist = LIST_HEAD_INITIAL static const char *devnam; static struct uufsd *diskp = NULL; static struct fs *fs = NULL; -struct ufs2_dinode ufs2_zino; static void putcgs(void); Modified: projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/globs.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/globs.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/globs.c Sun Mar 29 23:33:12 2020 (r359430) @@ -117,6 +117,10 @@ volatile sig_atomic_t got_sigalarm; /* received a SIGA struct ufs1_dinode ufs1_zino; struct ufs2_dinode ufs2_zino; +struct dups *duplist; +struct dups *muldup; +struct inostatlist *inostathead; + void fsckinit(void) { Modified: projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/setup.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/setup.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/fsck_ffs/setup.c Sun Mar 29 23:33:12 2020 (r359430) @@ -58,6 +58,8 @@ __FBSDID("$FreeBSD$"); #include "fsck.h" +struct inoinfo **inphead, **inpsort; + struct uufsd disk; struct bufarea asblk; #define altsblock (*asblk.b_un.b_fs) Modified: projects/kyua-use-googletest-test-interface/sbin/fsdb/fsdb.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/fsdb/fsdb.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/fsdb/fsdb.c Sun Mar 29 23:33:12 2020 (r359430) 
@@ -70,9 +70,6 @@ usage(void) exit(1); } -int returntosingle; -char nflag; - /* * We suck in lots of fsck code, and just pick & choose the stuff we want. * Modified: projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.c Sun Mar 29 23:33:12 2020 (r359430) @@ -82,6 +82,9 @@ token_t DigestMethods[] = { {0, 0} }; +int vflag; +char *iscsidev; + u_char isid[6 + 6]; /* | Default values Modified: projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.h ============================================================================== --- projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sbin/iscontrol/iscontrol.h Sun Mar 29 23:33:12 2020 (r359430) @@ -149,8 +149,8 @@ int recvpdu(isess_t *sess, pdu_t *pp); int lookup(token_t *tbl, char *m); -int vflag; -char *iscsidev; +extern int vflag; +extern char *iscsidev; void parseArgs(int nargs, char **args, isc_opt_t *op); void parseConfig(FILE *fd, char *key, isc_opt_t *op); Modified: projects/kyua-use-googletest-test-interface/share/man/man4/tcp.4 ============================================================================== --- projects/kyua-use-googletest-test-interface/share/man/man4/tcp.4 Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/share/man/man4/tcp.4 Sun Mar 29 23:33:12 2020 (r359430) @@ -34,7 +34,7 @@ .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd December 2, 2019 +.Dd March 29, 2020 .Dt TCP 4 .Os .Sh NAME 
@@ -632,7 +632,12 @@ Turn on automatic path MTU blackhole detection. In case of retransmits OS will lower the MSS to check if it's MTU problem. If current MSS is greater than -configured value to try, it will be set to configured value, otherwise, +configured value to try +.Po Va net.inet.tcp.pmtud_blackhole_mss +and +.Va net.inet.tcp.v6pmtud_blackhole_mss +.Pc , +it will be set to this value, otherwise, MSS will be set to default values .Po Va net.inet.tcp.mssdflt and @@ -642,13 +647,6 @@ and MSS to try for IPv4 if PMTU blackhole detection is turned on. .It Va v6pmtud_blackhole_mss MSS to try for IPv6 if PMTU blackhole detection is turned on. -.It Va pmtud_blackhole_activated -Number of times configured values were used in an attempt to downshift. -.It Va pmtud_blackhole_activated_min_mss -Number of times default MSS was used in an attempt to downshift. -.It Va pmtud_blackhole_failed -Number of connections for which retransmits continued even after MSS -downshift. .It Va functions_available List of available TCP function blocks (TCP stacks). .It Va functions_default Modified: projects/kyua-use-googletest-test-interface/share/man/man7/arch.7 ============================================================================== --- projects/kyua-use-googletest-test-interface/share/man/man7/arch.7 Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/share/man/man7/arch.7 Sun Mar 29 23:33:12 2020 (r359430) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 23, 2020 +.Dd March 28, 2020 .Dt ARCH 7 .Os .Sh NAME 
@@ -287,36 +287,13 @@ is 8 bytes on all supported architectures except i386. uses .Xr clang 1 as the default compiler on all supported CPU architectures, -as well as ELF Tool Chain binary utilities such as +LLVM's +.Xr ld.lld 1 +as the default linker, and +ELF Tool Chain binary utilities such as .Xr objcopy 1 and .Xr readelf 1 . -Most supported CPU architectures also use LLVM's -.Xr ld.lld 1 -as the linker. -This table shows the default tool chain for each architecture. -.Bl -column -offset indent "Architecture" "Compiler" "Linker" -.It Sy Architecture Ta Sy Compiler Ta Sy Linker -.It aarch64 Ta Clang Ta lld -.It amd64 Ta Clang Ta lld -.It armv6 Ta Clang Ta lld -.It armv7 Ta Clang Ta lld -.It i386 Ta Clang Ta lld -.It mips Ta Clang Ta lld -.It mipsel Ta Clang Ta lld -.It mipselhf Ta Clang Ta lld -.It mipshf Ta Clang Ta lld -.It mipsn32 Ta Clang Ta lld -.It mips64 Ta Clang Ta lld -.It mips64el Ta Clang Ta lld -.It mips64elhf Ta Clang Ta lld -.It mips64hf Ta Clang Ta lld -.It powerpc Ta Clang Ta lld -.It powerpcspe Ta Clang Ta lld -.It powerpc64 Ta Clang Ta lld -.It riscv64 Ta Clang Ta lld -.It riscv64sf Ta Clang Ta lld -.El .Ss MACHINE_ARCH vs MACHINE_CPUARCH vs MACHINE .Dv MACHINE_CPUARCH should be preferred in Makefiles when the generic Modified: projects/kyua-use-googletest-test-interface/stand/efi/libefi/efi_console.c ============================================================================== --- projects/kyua-use-googletest-test-interface/stand/efi/libefi/efi_console.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/stand/efi/libefi/efi_console.c Sun Mar 29 23:33:12 2020 (r359430) @@ -828,8 +828,9 @@ efi_cons_update_mode(void) { UINTN cols, rows; const teken_attr_t *a; + teken_attr_t attr; EFI_STATUS status; - char env[8]; + char env[8], *ptr; status = conout->QueryMode(conout, conout->Mode->Mode, &cols, &rows); if (EFI_ERROR(status) || cols * rows == 0) { 
@@ -866,18 +867,35 @@ efi_cons_update_mode(void) if (buffer != NULL) { teken_set_winsize(&teken, &tp); a = teken_get_defattr(&teken); + attr = *a; - snprintf(env, sizeof(env), "%d", a->ta_fgcolor); - env_setenv("teken.fg_color", EV_VOLATILE, env, - efi_set_colors, env_nounset); - snprintf(env, sizeof(env), "%d", a->ta_bgcolor); - env_setenv("teken.bg_color", EV_VOLATILE, env, - efi_set_colors, env_nounset); + /* + * On first run, we set up the efi_set_colors() + * callback. If the env is already set, we + * pick up fg and bg color values from the environment. + */ + ptr = getenv("teken.fg_color"); + if (ptr != NULL) { + attr.ta_fgcolor = strtol(ptr, NULL, 10); + ptr = getenv("teken.bg_color"); + attr.ta_bgcolor = strtol(ptr, NULL, 10); + teken_set_defattr(&teken, &attr); + } else { + snprintf(env, sizeof(env), "%d", + attr.ta_fgcolor); + env_setenv("teken.fg_color", EV_VOLATILE, env, + efi_set_colors, env_nounset); + snprintf(env, sizeof(env), "%d", + attr.ta_bgcolor); + env_setenv("teken.bg_color", EV_VOLATILE, env, + efi_set_colors, env_nounset); + } + for (int row = 0; row < rows; row++) { for (int col = 0; col < cols; col++) { buffer[col + row * tp.tp_col].c = ' '; - buffer[col + row * tp.tp_col].a = *a; + buffer[col + row * tp.tp_col].a = attr; } } } @@ -907,9 +925,6 @@ static int efi_cons_init(int arg) { EFI_STATUS status; - - if (conin != NULL) - return (0); conout->EnableCursor(conout, TRUE); if (efi_cons_update_mode()) Modified: projects/kyua-use-googletest-test-interface/stand/libsa/stand.h ============================================================================== --- projects/kyua-use-googletest-test-interface/stand/libsa/stand.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/stand/libsa/stand.h Sun Mar 29 23:33:12 2020 (r359430) 
@@ -436,7 +436,14 @@ extern void mallocstats(void); const char *x86_hypervisor(void); -#ifdef DEBUG_MALLOC +#ifdef USER_MALLOC +extern void *malloc(size_t); +extern void *memalign(size_t, size_t); +extern void *calloc(size_t, size_t); +extern void free(void *); +extern void *realloc(void *, size_t); +extern void *reallocf(void *, size_t); +#elif defined(DEBUG_MALLOC) #define malloc(x) Malloc(x, __FILE__, __LINE__) #define memalign(x, y) Memalign(x, y, __FILE__, __LINE__) #define calloc(x, y) Calloc(x, y, __FILE__, __LINE__) Modified: projects/kyua-use-googletest-test-interface/stand/libsa/zfs/zfs.c ============================================================================== --- projects/kyua-use-googletest-test-interface/stand/libsa/zfs/zfs.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/stand/libsa/zfs/zfs.c Sun Mar 29 23:33:12 2020 (r359430) @@ -92,7 +92,7 @@ static int zfs_env_count; SLIST_HEAD(zfs_be_list, zfs_be_entry) zfs_be_head = SLIST_HEAD_INITIALIZER(zfs_be_head); struct zfs_be_list *zfs_be_headp; struct zfs_be_entry { - const char *name; + char *name; SLIST_ENTRY(zfs_be_entry) entries; } *zfs_be, *zfs_be_tmp; @@ -906,6 +906,7 @@ zfs_bootenv_initial(const char *name) while (!SLIST_EMPTY(&zfs_be_head)) { zfs_be = SLIST_FIRST(&zfs_be_head); SLIST_REMOVE_HEAD(&zfs_be_head, entries); + free(zfs_be->name); free(zfs_be); } @@ -973,6 +974,7 @@ zfs_bootenv(const char *name) while (!SLIST_EMPTY(&zfs_be_head)) { zfs_be = SLIST_FIRST(&zfs_be_head); SLIST_REMOVE_HEAD(&zfs_be_head, entries); + free(zfs_be->name); free(zfs_be); } 
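Review bot: in the stand/libsa/zfs/zfs.c hunks above, dropping const from zfs_be_entry.name and adding free(zfs_be->name) to both teardown loops changes the field's ownership: every writer of name must now store heap memory, otherwise the first teardown frees a string literal or a caller-owned buffer. The teardown loops in zfs_bootenv_initial() and zfs_bootenv() are now identical; a small helper that pops and frees one entry would keep the two frees from drifting apart the next time the entry gains a field.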
@@ -992,7 +994,11 @@ zfs_belist_add(const char *name, uint64_t value __unus if (zfs_be == NULL) { return (ENOMEM); } - zfs_be->name = name; + zfs_be->name = strdup(name); + if (zfs_be->name == NULL) { + free(zfs_be); + return (ENOMEM); + } SLIST_INSERT_HEAD(&zfs_be_head, zfs_be, entries); zfs_env_count++; Modified: projects/kyua-use-googletest-test-interface/stand/userboot/userboot/libuserboot.h ============================================================================== --- projects/kyua-use-googletest-test-interface/stand/userboot/userboot/libuserboot.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/stand/userboot/userboot/libuserboot.h Sun Mar 29 23:33:12 2020 (r359430) @@ -44,7 +44,7 @@ extern int userboot_disk_maxunit; extern struct devsw host_dev; /* access to host filesystem */ -struct fs_ops host_fsops; +extern struct fs_ops host_fsops; struct bootinfo; struct preloaded_file; Modified: projects/kyua-use-googletest-test-interface/sys/arm/include/atomic-v6.h ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/arm/include/atomic-v6.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/arm/include/atomic-v6.h Sun Mar 29 23:33:12 2020 (r359430) @@ -196,7 +196,7 @@ ATOMIC_ACQ_REL_LONG(clear) \ __asm __volatile( \ "1: ldrex" SUF " %[tmp], [%[ptr]] \n" \ - " ldr %[ret], [%[oldv]] \n" \ + " ldr" SUF " %[ret], [%[oldv]] \n" \ " teq %[tmp], %[ret] \n" \ " ittee ne \n" \ " str" SUF "ne %[tmp], [%[oldv]] \n" \ Modified: projects/kyua-use-googletest-test-interface/sys/dev/evdev/cdev.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/dev/evdev/cdev.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/dev/evdev/cdev.c Sun Mar 29 23:33:12 2020 (r359430) 
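Review bot: the sys/arm/include/atomic-v6.h hunk above is a real correctness fix, not a cosmetic one: "ldr %[ret], [%[oldv]]" always loaded a full 32-bit word from *oldv, while the neighbouring "ldrex" SUF" and "str" SUF "ne" already honoured the size suffix, so the 8- and 16-bit instantiations of this compare-and-set sequence compared the exclusive-loaded value against bytes beyond the old-value object and could fail or succeed spuriously. With "ldr" SUF" all three accesses use the same width. The zfs_belist_add() hunk just before it is also right to free the freshly allocated entry on strdup() failure rather than leaking it on the ENOMEM path.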
@@ -47,6 +47,18 @@ #include #include +#ifdef COMPAT_FREEBSD32 +#include +#include +#include +struct input_event32 { + struct timeval32 time; + uint16_t type; + uint16_t code; + int32_t value; +}; +#endif + #ifdef EVDEV_DEBUG #define debugf(client, fmt, args...) printf("evdev cdev: "fmt"\n", ##args) #else @@ -161,7 +173,14 @@ static int evdev_read(struct cdev *dev, struct uio *uio, int ioflag) { struct evdev_client *client; - struct input_event event; + union { + struct input_event t; +#ifdef COMPAT_FREEBSD32 + struct input_event32 t32; +#endif + } event; + struct input_event *head; + size_t evsize; int ret = 0; int remaining; @@ -175,11 +194,18 @@ evdev_read(struct cdev *dev, struct uio *uio, int iofl if (client->ec_revoked) return (ENODEV); +#ifdef COMPAT_FREEBSD32 + if (SV_CURPROC_FLAG(SV_ILP32)) + evsize = sizeof(struct input_event32); + else +#endif + evsize = sizeof(struct input_event); + /* Zero-sized reads are allowed for error checking */ - if (uio->uio_resid != 0 && uio->uio_resid < sizeof(struct input_event)) + if (uio->uio_resid != 0 && uio->uio_resid < evsize) return (EINVAL); - remaining = uio->uio_resid / sizeof(struct input_event); + remaining = uio->uio_resid / evsize; EVDEV_CLIENT_LOCKQ(client); 
@@ -191,19 +217,31 @@ evdev_read(struct cdev *dev, struct uio *uio, int iofl client->ec_blocked = true; ret = mtx_sleep(client, &client->ec_buffer_mtx, PCATCH, "evread", 0); + if (ret == 0 && client->ec_revoked) + ret = ENODEV; } } } while (ret == 0 && !EVDEV_CLIENT_EMPTYQ(client) && remaining > 0) { - memcpy(&event, &client->ec_buffer[client->ec_buffer_head], - sizeof(struct input_event)); + head = client->ec_buffer + client->ec_buffer_head; +#ifdef COMPAT_FREEBSD32 + if (SV_CURPROC_FLAG(SV_ILP32)) { + bzero(&event.t32, sizeof(struct input_event32)); + TV_CP(*head, event.t32, time); + CP(*head, event.t32, type); + CP(*head, event.t32, code); + CP(*head, event.t32, value); + } else +#endif + bcopy(head, &event.t, evsize); + client->ec_buffer_head = (client->ec_buffer_head + 1) % client->ec_buffer_size; remaining--; EVDEV_CLIENT_UNLOCKQ(client); - ret = uiomove(&event, sizeof(struct input_event), uio); + ret = uiomove(&event, evsize, uio); EVDEV_CLIENT_LOCKQ(client); } @@ -217,7 +255,13 @@ evdev_write(struct cdev *dev, struct uio *uio, int iof { struct evdev_dev *evdev = dev->si_drv1; struct evdev_client *client; - struct input_event event; + union { + struct input_event t; +#ifdef COMPAT_FREEBSD32 + struct input_event32 t32; +#endif + } event; + size_t evsize; int ret = 0; ret = devfs_get_cdevpriv((void **)&client); 
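Review bot: in the evdev_read() hunk of sys/dev/evdev/cdev.c above, two details are worth keeping as they are: re-checking client->ec_revoked after mtx_sleep() returns closes the window in which a client revoked while asleep would otherwise go on to copy events out, and the bzero(&event.t32, ...) before the field-wise TV_CP/CP copies guarantees that no uninitialized stack bytes reach userland through the later uiomove(&event, evsize, uio). One style point: the "#ifdef COMPAT_FREEBSD32 if (...) { ... } else #endif bcopy(...)" shape depends on a dangling else across a preprocessor boundary; braces around the native path make the intent explicit and survive a later edit that adds a statement there.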
@@ -230,16 +274,30 @@ evdev_write(struct cdev *dev, struct uio *uio, int iof if (client->ec_revoked || evdev == NULL) return (ENODEV); - if (uio->uio_resid % sizeof(struct input_event) != 0) { +#ifdef COMPAT_FREEBSD32 + if (SV_CURPROC_FLAG(SV_ILP32)) + evsize = sizeof(struct input_event32); + else +#endif + evsize = sizeof(struct input_event); + + if (uio->uio_resid % evsize != 0) { debugf(client, "write size not multiple of input_event size"); return (EINVAL); } while (uio->uio_resid > 0 && ret == 0) { - ret = uiomove(&event, sizeof(struct input_event), uio); - if (ret == 0) - ret = evdev_inject_event(evdev, event.type, event.code, - event.value); + ret = uiomove(&event, evsize, uio); + if (ret == 0) { +#ifdef COMPAT_FREEBSD32 + if (SV_CURPROC_FLAG(SV_ILP32)) + ret = evdev_inject_event(evdev, event.t32.type, + event.t32.code, event.t32.value); + else +#endif + ret = evdev_inject_event(evdev, event.t.type, + event.t.code, event.t.value); + } } return (ret); Modified: projects/kyua-use-googletest-test-interface/sys/dev/sound/pci/hda/hdac.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/dev/sound/pci/hda/hdac.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/dev/sound/pci/hda/hdac.c Sun Mar 29 23:33:12 2020 (r359430) 
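Review bot: the evdev_write() hunk above repeats the evsize selection (SV_CURPROC_FLAG(SV_ILP32) choosing sizeof(struct input_event32) over sizeof(struct input_event)) verbatim from evdev_read(), and the same if/else across #ifdef COMPAT_FREEBSD32 appears a third time when choosing between the event.t32 and event.t fields passed to evdev_inject_event(). Suggest a static inline helper, say evdev_event_size(), so that a future change to the 32-bit layout is made in one place. Note also that in the 32-bit case uiomove(&event, evsize, uio) fills only the first sizeof(struct input_event32) bytes of the union; that is fine today because only event.t32 is read afterwards, and a comment at the union saying so would stop someone from later reading event.t on that path.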
@@ -1413,21 +1413,11 @@ hdac_poll_reinit(struct hdac_softc *sc) pollticks >>= 1; if (pollticks > hz) pollticks = hz; - if (pollticks < 1) { - HDA_BOOTVERBOSE( - device_printf(sc->dev, - "poll interval < 1 tick !\n"); - ); + if (pollticks < 1) pollticks = 1; - } if (min > pollticks) min = pollticks; } - HDA_BOOTVERBOSE( - device_printf(sc->dev, - "poll interval %d -> %d ticks\n", - sc->poll_ival, min); - ); sc->poll_ival = min; if (min == 1000000) callout_stop(&sc->poll_callout); Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_cc_functions.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_cc_functions.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_cc_functions.c Sun Mar 29 23:33:12 2020 (r359430) @@ -1914,7 +1914,7 @@ measure_rtt(struct sctp_nets *net) if (net->fast_retran_ip == 0 && net->ssthresh < 0xFFFF && htcp_ccount(&net->cc_mod.htcp_ca) > 3) { if (net->cc_mod.htcp_ca.maxRTT < net->cc_mod.htcp_ca.minRTT) net->cc_mod.htcp_ca.maxRTT = net->cc_mod.htcp_ca.minRTT; - if (net->cc_mod.htcp_ca.maxRTT < srtt && srtt <= net->cc_mod.htcp_ca.maxRTT + MSEC_TO_TICKS(20)) + if (net->cc_mod.htcp_ca.maxRTT < srtt && srtt <= net->cc_mod.htcp_ca.maxRTT + sctp_msecs_to_ticks(20)) net->cc_mod.htcp_ca.maxRTT = srtt; } } 
@@ -1975,7 +1975,7 @@ htcp_beta_update(struct htcp *ca, uint32_t minRTT, uin } } - if (ca->modeswitch && minRTT > (uint32_t)MSEC_TO_TICKS(10) && maxRTT) { + if (ca->modeswitch && minRTT > sctp_msecs_to_ticks(10) && maxRTT) { ca->beta = (minRTT << 7) / maxRTT; if (ca->beta < BETA_MIN) ca->beta = BETA_MIN; Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_constants.h ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_constants.h Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_constants.h Sun Mar 29 23:33:12 2020 (r359430) @@ -577,16 +577,6 @@ __FBSDID("$FreeBSD$"); #define SCTP_ASOC_MAX_CHUNKS_ON_QUEUE 512 -/* The conversion from time to ticks and vice versa is done by rounding - * upwards. This way we can test in the code the time to be positive and - * know that this corresponds to a positive number of ticks. - */ -#define MSEC_TO_TICKS(x) ((hz == 1000) ? x : ((((x) * hz) + 999) / 1000)) -#define TICKS_TO_MSEC(x) ((hz == 1000) ? x : ((((x) * 1000) + (hz - 1)) / hz)) - -#define SEC_TO_TICKS(x) ((x) * hz) -#define TICKS_TO_SEC(x) (((x) + (hz - 1)) / hz) - /* * Basically the minimum amount of time before I do a early FR. Making this * value to low will cause duplicate retransmissions. Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_input.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_input.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_input.c Sun Mar 29 23:33:12 2020 (r359430) 
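Review bot: the sctp_constants.h hunk above removes MSEC_TO_TICKS, TICKS_TO_MSEC, SEC_TO_TICKS and TICKS_TO_SEC, whose comment promised rounding upwards so that a positive time always maps to a positive tick count. The callers converted in this diff (the HTCP RTT bounds in measure_rtt() and htcp_beta_update() here, cookie expiry and the endpoint timeout table further down) rely on that property, and the definitions of sctp_msecs_to_ticks() and friends are not in the visible part of this merge, so please confirm the functions keep the round-up semantics and that no other users of the old macros remain. Moving to functions also removes the macros' unparenthesized x in the hz == 1000 branch and their multiple evaluation of the argument, which is a welcome side effect. In htcp_beta_update() the (uint32_t) cast was dropped from the comparison "minRTT > sctp_msecs_to_ticks(10)"; that is only warning-clean if the function returns an unsigned type, otherwise the cast should stay.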
@@ -2600,7 +2600,7 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in */ (void)SCTP_GETTIME_TIMEVAL(&now); /* Expire time is in Ticks, so we convert to seconds */ - time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); + time_expires.tv_sec = cookie->time_entered.tv_sec + sctp_ticks_to_secs(cookie->cookie_life); time_expires.tv_usec = cookie->time_entered.tv_usec; if (timevalcmp(&now, &time_expires, >)) { /* cookie is stale! */ Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_pcb.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_pcb.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_pcb.c Sun Mar 29 23:33:12 2020 (r359430) 
@@ -2556,13 +2556,13 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) m = &inp->sctp_ep; /* setup the base timeout information */ - m->sctp_timeoutticks[SCTP_TIMER_SEND] = SEC_TO_TICKS(SCTP_SEND_SEC); /* needed ? */ - m->sctp_timeoutticks[SCTP_TIMER_INIT] = SEC_TO_TICKS(SCTP_INIT_SEC); /* needed ? */ - m->sctp_timeoutticks[SCTP_TIMER_RECV] = MSEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_delayed_sack_time_default)); - m->sctp_timeoutticks[SCTP_TIMER_HEARTBEAT] = MSEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_heartbeat_interval_default)); - m->sctp_timeoutticks[SCTP_TIMER_PMTU] = SEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_pmtu_raise_time_default)); - m->sctp_timeoutticks[SCTP_TIMER_MAXSHUTDOWN] = SEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_shutdown_guard_time_default)); - m->sctp_timeoutticks[SCTP_TIMER_SIGNATURE] = SEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_secret_lifetime_default)); + m->sctp_timeoutticks[SCTP_TIMER_SEND] = sctp_secs_to_ticks(SCTP_SEND_SEC); /* needed ? */ + m->sctp_timeoutticks[SCTP_TIMER_INIT] = sctp_secs_to_ticks(SCTP_INIT_SEC); /* needed ? */ + m->sctp_timeoutticks[SCTP_TIMER_RECV] = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_delayed_sack_time_default)); + m->sctp_timeoutticks[SCTP_TIMER_HEARTBEAT] = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_heartbeat_interval_default)); + m->sctp_timeoutticks[SCTP_TIMER_PMTU] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_pmtu_raise_time_default)); + m->sctp_timeoutticks[SCTP_TIMER_MAXSHUTDOWN] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_shutdown_guard_time_default)); + m->sctp_timeoutticks[SCTP_TIMER_SIGNATURE] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_secret_lifetime_default)); /* all max/min max are in ms */ m->sctp_maxrto = SCTP_BASE_SYSCTL(sctp_rto_max_default); m->sctp_minrto = SCTP_BASE_SYSCTL(sctp_rto_min_default); 
@@ -2610,7 +2610,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) sctp_timer_start(SCTP_TIMER_TYPE_NEWCOOKIE, inp, NULL, NULL); /* How long is a cookie good for ? */ - m->def_cookie_life = MSEC_TO_TICKS(SCTP_BASE_SYSCTL(sctp_valid_cookie_life_default)); + m->def_cookie_life = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_valid_cookie_life_default)); /* * Initialize authentication parameters */ Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_timer.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_timer.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_timer.c Sun Mar 29 23:33:12 2020 (r359430) @@ -1539,7 +1539,7 @@ sctp_autoclose_timer(struct sctp_inpcb *inp, struct sc tim_touse = &asoc->time_last_sent; } /* Now has long enough transpired to autoclose? */ - ticks_gone_by = SEC_TO_TICKS((uint32_t)(tn.tv_sec - tim_touse->tv_sec)); + ticks_gone_by = sctp_secs_to_ticks((uint32_t)(tn.tv_sec - tim_touse->tv_sec)); if (ticks_gone_by >= asoc->sctp_autoclose_ticks) { /* * autoclose time has hit, call the output routine, Modified: projects/kyua-use-googletest-test-interface/sys/netinet/sctp_usrreq.c ============================================================================== --- projects/kyua-use-googletest-test-interface/sys/netinet/sctp_usrreq.c Sun Mar 29 23:01:36 2020 (r359429) +++ projects/kyua-use-googletest-test-interface/sys/netinet/sctp_usrreq.c Sun Mar 29 23:33:12 2020 (r359430) @@ -1600,7 +1600,7 @@ sctp_getopt(struct socket *so, int optname, void *optv break; case SCTP_AUTOCLOSE: if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) - val = TICKS_TO_SEC(inp->sctp_ep.auto_close_time); + val = sctp_ticks_to_secs(inp->sctp_ep.auto_close_time); else val = 0; break; 
@@ -2012,7 +2012,7 @@ flags_out: ((inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) && (sack->sack_assoc_id == SCTP_FUTURE_ASSOC))) { SCTP_INP_RLOCK(inp); - sack->sack_delay = TICKS_TO_MSEC(inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_RECV]); + sack->sack_delay = sctp_ticks_to_msecs(inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_RECV]); sack->sack_freq = inp->sctp_ep.sctp_sack_freq; SCTP_INP_RUNLOCK(inp); } else { 
@@ -2493,7 +2493,7 @@ flags_out: /* Use endpoint defaults */ SCTP_INP_RLOCK(inp); paddrp->spp_pathmaxrxt = inp->sctp_ep.def_net_failure; - paddrp->spp_hbinterval = TICKS_TO_MSEC(inp->sctp_ep.sctp_timeoutticks[SCTP_TIMER_HEARTBEAT]); *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-projects@freebsd.org Fri Apr 3 22:15:49 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B2F9F274587 for ; Fri, 3 Apr 2020 22:15:49 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vDlj0ZQnz4S89; Fri, 3 Apr 2020 22:15:44 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 55679CC05; Fri, 3 Apr 2020 22:06:56 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 033M6upO099395; Fri, 3 Apr 2020 22:06:56 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 033M6uA5099394; Fri, 3 Apr 2020 22:06:56 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004032206.033M6uA5099394@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Fri, 3 Apr 2020 22:06:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359617 - projects/nfs-over-tls/usr.sbin/rpctlssd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpctlssd X-SVN-Commit-Revision: 359617 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 22:15:49 -0000 Author: rmacklem Date: Fri Apr 3 22:06:55 2020 New Revision: 359617 URL: https://svnweb.freebsd.org/changeset/base/359617 Log: Bring the man page for rpctlssd up to date. Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Fri Apr 3 22:03:21 2020 (r359616) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Fri Apr 3 22:06:55 2020 (r359617) @@ -39,9 +39,13 @@ .Op Fl h .Op Fl l Ar CAfile .Op Fl m +.Op Fl n Ar domain_name .Op Fl p Ar CApath .Op Fl r Ar CRLfile +.Op Fl u .Op Fl v +.Op Fl W +.Op Fl w .Sh DESCRIPTION The .Nm 
@@ -50,22 +54,43 @@ implementation. This daemon must be running to allow the kernel RPC to perform the TLS handshake after a TCP client has sent the STARTTLS Null RPC request to the server. -This is needed to support clients doing NFS over TLS. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). Note that the .Fl tls option in the .Xr exports 5 -file specifies that the client must use RPC over TLS and the +file specifies that the client must use RPC over TLS. +The .Fl tlscert option in the .Xr exports 5 file specifies that the client must provide a certificate that verifies. -For this latter case, the +The +.Fl tlscertuser +option in the +.Xr exports 5 +file specifies that the client must provide a certificate +that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of +subjectAltName of the form +.Dq user@dns_domain +that maps to a . +For the latter two cases, the .Fl m -and +and either the .Fl l +or +.Fl p options must be specified. +The +.Fl tlscertuser +option also requires that the +.Fl u +option on this daemon be specified. .Pp Also, if the IP address used by the client cannot be trusted, the rules in 
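Review bot: in the DESCRIPTION hunk above, the sentence "that maps to a ." is missing its noun after "a", and "has a otherName:1.2.3.4.6.9;UTF8: field" should read "an otherName". The OID 1.2.3.4.6.9 also looks like a placeholder rather than an assigned arc; if it is provisional, the page should say so, and it will need to track whatever identifier the RPC-over-TLS user-name otherName finally uses so that certificates issued against this text do not stop mapping later.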
@@ -75,22 +100,46 @@ As such, the .Fl h option can be used along with .Fl m -and +and either the .Fl l +or +.Fl p options to require that the client certificate have the correct -Fully Qualified Domain Name in it. +Fully Qualified Domain Name (FQDN) in it. .Pp A certificate and associated key must exist in /etc/rpctlssd -(or the ``certdir'' specified by the +(or the +.Dq certdir +specified by the .Fl D option) -in files named ``cert.pem'' and ``key.pem''. +in files named +.Dq cert.pem +and +.Dq key.pem . .Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl m +option has been specified. +.Pp The options are as follows: .Bl -tag -width indent .It Fl D Ar certdir -Use ``certdir'' instead of /etc/rpctlssd as the location for the -certificate in a file called ``cert.pem'' and key in ``key.pem''. +Use +.Dq certdir +instead of /etc/rpctlssd as the location for the +certificate in a file called +.Dq cert.pem +and key in +.Dq key.pem . .It Fl d Run in debug mode. In this mode, 
@@ -98,17 +147,23 @@ In this mode, will not fork when it starts. .It Fl h This option specifies that the client must provide a certificate -that both verifies and has the Fully Qualified Domain Name (FQDN) for -the IP address that the client uses to connect to the server -in either the subjectAltName or commonName field of the -certificate. +that both verifies and has a FQDN that matches the reverse +DNS name for the IP address that +the client uses to connect to the server. +The FQDN should be +in the DNS field of the subjectAltName, but is also allowed +to be in the CN field of the +subjectName in the certificate. +By default, a wildcard "*" in the FQDN is not allowed. With this option, a failure to verify the client certificate -or find the FQDN in the certificate will result in the +or match the FQDN will result in the server sending AUTH_REJECTEDCRED replies to all client RPCs. This option requires the .Fl m -and +and either the .Fl l +or +.Fl p options. .It Fl l Ar CAfile This option specifies the path name of a CA certificate(s) file @@ -119,10 +174,13 @@ This path name is used in .Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) and .Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)) -openssl calls. +openssl library calls. Note that this is a path name for the file and is not assumed to be -in ``certdir''. -This option should be specified when the +in +.Dq certdir . +Either this option or the +.Fl p +option must be specified when the .Fl m option is specified so that the daemon can verify the client's certificate. 
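Review bot: the rewritten -h text above now defines the check as "a FQDN that matches the reverse DNS name for the IP address", but does not say what that buys the administrator: the page should state that the match is only as meaningful as the PTR data the server resolves, and that -h is an additional binding on top of the CA verification required through -m with -l or -p, not a substitute for it, so readers do not treat the reverse lookup itself as the authentication step. Style: "a wildcard "*"" uses literal double quotes where the rest of this change moved to .Dq.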
@@ -132,10 +190,28 @@ from the client during the TLS handshake. It does not require that the client provide a certificate. It should be specified unless no client doing RPC over TLS is required to have a certificate. -For NFS, the export option +For NFS, either the export option .Fl tlscert -will be used to require a client to provide a certificate +or +.Fl tlscertuser +may be used to require a client to provide a certificate that verifies. +See +.Xr exports 5 . +.It Fl n Ar domain_name +This option specifies what the +.Dq domain_name +is for use with the +.Fl u +option, overriding the domain_name of the server this daemon is running on. +If you have specified the +.Fl domain +command line option for +.Xr nfsuserd 8 +then you should specify this option with the same +.Dq domain_name +that was specified for +.Xr nfsuserd 8 . .It Fl p Ar CApath This option is similar to the .Fl l 
@@ -158,23 +234,90 @@ This option is meaningless unless either the or .Fl p have been specified. +.It Fl u +This option specifies that if the client provides a certificate +that both verifies and has a subjectAltName with an otherName of the form +.Dq otherName:1.2.3.4.6.9;UTF8:user@dns_domain +the daemon will attempt to map +.Dq user@dns_domain +in the above +to a . +The mapping of +.Dq user@dns_domain +is done in the same manner as the +.Xr nfsuserd 8 +daemon, where +.Dq dns_domain +is the domain of the NFS server (or the one set via the +.Fl n +option) and +.Dq user +is a valid username in the password database. +If this mapping is successful, then the for +.Dq user +will be used for all +RPCs on the mount instead of the credentials in the RPC request +header. +This option requires the +.Fl m +and either the +.Fl l +or +.Fl p +options. +Use of this option does not conform to RFC-X, which does +not allow certificates to be used for user authentication. .It Fl v Run in verbose mode. In this mode, .Nm -will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to +will log activity messages to +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON or to stderr, if the .Fl d option has also been specified. +.It Fl W +This option is used with the +.Fl h +option to allow use of a wildcard +.Dq * +that matches multiple +components of the reverse DNS name for the client's IP +address. +For example, the FQDN +.Dq *.uoguelph.ca +would match both +.Dq laptop21.uoguelph.ca +and +.Dq laptop3.cis.uoguelph.ca . +.It Fl w +Similar to +.Fl W +but allows the wildcard +.Dq * +to match a single component of the reverse DNS name. +For example, the FQDN +.Dq *.uoguelph.ca +would match +.Dq laptop21.uoguelph.ca +but not +.Dq laptop3.cis.uoguelph.ca . +Only one of the +.Fl W +and +.Fl w +options is allowed. 
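Review bot: in the -u text above, "to a ." and "then the for" are each missing the noun (the same omission as in DESCRIPTION), and "Use of this option does not conform to RFC-X" should cite the actual draft or RFC number before this is merged. For -W, the page should state plainly that letting "*" match several labels (so that "*.uoguelph.ca" matches "laptop3.cis.uoguelph.ca") is more permissive than the conventional certificate name-matching rule, under which a wildcard covers a single left-most label; an administrator who picks -W over -w is widening the set of certificates accepted by -h, and that trade-off belongs next to the option rather than being inferred from the example.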
.El .Sh EXIT STATUS .Ex -std .Sh SEE ALSO .Xr openssl 1 , -.Xr syslog 3 , .Xr exports 5 , .Xr mount_nfs 8 , -.Xr rpctlscd 8 +.Xr nfsuserd 8 , +.Xr rpctlscd 8 , +.Xr syslogd 8 .Sh BUGS This daemon cannot be safely shut down and restarted if there are any active RPC-over-TLS connections. From owner-svn-src-projects@freebsd.org Fri Apr 3 22:16:32 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6A9D92745FA for ; Fri, 3 Apr 2020 22:16:32 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vDmb386Vz4SNj; Fri, 3 Apr 2020 22:16:31 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 723BCCEE6; Fri, 3 Apr 2020 22:16:22 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 033MGM6g005756; Fri, 3 Apr 2020 22:16:22 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 033MGMcO005755; Fri, 3 Apr 2020 22:16:22 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004032216.033MGMcO005755@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Fri, 3 Apr 2020 22:16:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359619 - projects/nfs-over-tls/usr.sbin/rpctlscd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpctlscd X-SVN-Commit-Revision: 359619 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 22:16:32 -0000 Author: rmacklem Date: Fri Apr 3 22:16:21 2020 New Revision: 359619 URL: https://svnweb.freebsd.org/changeset/base/359619 Log: Bring the rpctlscd man page up to date. Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:13:53 2020 (r359618) +++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.8 Fri Apr 3 22:16:21 2020 (r359619) @@ -36,12 +36,10 @@ .Nm .Op Fl D Ar certdir .Op Fl d -.Op Fl h .Op Fl l Ar CAfile .Op Fl m .Op Fl p Ar CApath .Op Fl r Ar CRLfile -.Op Fl V .Op Fl v .Sh DESCRIPTION The 
@@ -50,26 +48,56 @@ program provides support for the client side of the ke implementation. This daemon must be running for the kernel RPC to be able to do a TLS connection to a server for an NFS over TLS mount. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). .Pp +If either of the +.Fl l +or +.Fl p +options have been specified, the daemon will require the server's +certificate to verify +and have a Fully Qualified Domain Name (FQDN) in it. +This FQDN must match +the reverse DNS name for the IP address that +the server is using for the TCP connection. +The FQDN may be +in either the DNS field of the subjectAltName or the CN field of the +subjectName in the certificate and +cannot have a wildcard +.Dq * +in it. +.Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl l +or +.Fl p +option has been specified. +.Pp The options are as follows: .Bl -tag -width indent .It Fl D Ar certdir -Use ``certdir'' instead of /etc/rpctlscd for the -.Fl c +Use +.Dq certdir +instead of /etc/rpctlscd for the +.Fl m option. .It Fl d Run in debug mode. In this mode, .Nm will not fork when it starts. -.It Fl h -This option specifies that the certificate provided by the server during -TLS handshake must have the Fully Qualified Domain Name for the server's -IP address in either the subjectAltName or commonName field of the -certificate. -This option is meaningless unless the -.FL V -option is also specified. .It Fl l Ar CAfile This specifies the path name of a CAfile which holds the information for server certificate verification. 
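Review bot: the new paragraph above makes server certificate verification conditional on -l or -p being given; the consequence, that without either option the daemon completes the TLS handshake without authenticating the server at all, so a mount gets encryption but no protection against an interposed server, deserves an explicit sentence rather than being left implicit, and the -l and -p option descriptions could point back to it. Also, the -D description now refers to the -m option where it previously said -c; please check that no other reference to -c survives in the page or in the daemon's usage message.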
@@ -77,19 +105,24 @@ This path name is used in .Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) and .Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file(CAfile)) -calls. +openssl library calls. Note that this is a path name for the file and is not assumed to be -in ``certdir''. -This option may need to be specified when the -.Fl V -option is specified. +in +.Dq certdir . .It Fl m Enable support for mutual authentication. -A certificate must be found in /etc/rpctlscd (or the directory specified by -.Fl D ) +A certificate and associated key must be found in /etc/rpctlscd +(or the directory specified by the +.Fl D +option) in case a server requests a peer certificate. -The certificate needs to be in a file named ``cert.pem'' and a key in -a file named ``key.pem'' in the directory for this option to work. +The certificate needs to be in a file named +.Dq cert.pem +and the key in a file named +.Dq key.pem . +If there is a passphrase on the +.Dq key.pem +file, this daemon will prompt for the passphrase during startup. .It Fl p Ar CApath This option is similar to the .Fl l @@ -97,7 +130,7 @@ option, but specifies the path of a directory with CA certificates in it. When this option is used, .Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file()) -is not called, so a list of CA names might not be passed +is not called, so a list of CA names is not be passed to the server during the TLS handshake. The openssl documentation indicates this call is rarely needed. (However, I was not able to determine if/when this matters, so 
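Review bot: "so a list of CA names is not be passed" in the -p hunk above is a typo introduced by this change and should read "is not passed". In the -m hunk, "this daemon will prompt for the passphrase during startup" should also say how, or whether, an encrypted key.pem can be used when the daemon is started without a controlling terminal, since it normally forks and will typically be started at boot; as written, the reader cannot tell whether an unattended start with a passphrase-protected key is supported.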
@@ -107,18 +140,12 @@ option instead of this option.) .It Fl r Ar CRLfile This option specifies a Certificate Revocation List (CRL) file that is to be loaded into the verify certificate store and -checked during verification. +checked during verification of the server's certificate. This option is meaningless unless either the .Fl l or .Fl p have been specified. -.It Fl V -This option specifies that the certificate provided by the server -during the TLS handshake must verify. -If this option is specified, the -.Fl l -option may also need to be specified. .It Fl v Run in verbose mode. In this mode, 
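Review bot: "This option is meaningless unless either the -l or -p have been specified" no longer matches the daemon: the rpctlscd.c change on this page adds errx(1, "-r requires the -l and/or -p options"), so the man page should say that rpctlscd refuses to start in that case. The sentence is also missing "options" after "-p".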
@@ -132,9 +159,9 @@ option has also been specified. .Ex -std .Sh SEE ALSO .Xr openssl 1 , -.Xr syslog 3 , .Xr mount_nfs 8 , -.Xr rpctlssd 8 +.Xr rpctlssd 8 , +.Xr syslogd 8 .Sh BUGS This daemon cannot be safely shut down and restarted if there are any active RPC-over-TLS connections.
From owner-svn-src-projects@freebsd.org Fri Apr 3 22:19:31 2020
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:19:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359620 - projects/nfs-over-tls/usr.sbin/mountd
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/mountd
X-SVN-Commit-Revision: 359620
X-SVN-Commit-Repository: base

Author: rmacklem
Date: Fri Apr 3 22:19:21 2020
New Revision: 359620
URL: https://svnweb.freebsd.org/changeset/base/359620

Log:
  Add the "tlscertuser" export option and fix the "tlscert" export option.

Modified:
  projects/nfs-over-tls/usr.sbin/mountd/mountd.c

Modified: projects/nfs-over-tls/usr.sbin/mountd/mountd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/mountd/mountd.c Fri Apr 3 22:16:21 2020 (r359619)
+++ projects/nfs-over-tls/usr.sbin/mountd/mountd.c Fri Apr 3 22:19:21 2020 (r359620)
@@ -2753,7 +2753,9 @@ do_opt(char **cpp, char **endcpp, struct exportlist *e } else if (!strcmp(cpopt, "tls")) { *exflagsp |= MNTEX_TLS; } else if (!strcmp(cpopt, "tlscert")) { - *exflagsp |= MNTEX_TLSCERT; + *exflagsp |= (MNTEX_TLS | MNTEX_TLSCERT); + } else if (!strcmp(cpopt, "tlscertuser")) { + *exflagsp |= (MNTEX_TLS | MNTEX_TLSCERT | MNTEX_TLSCNUSER); } else { syslog(LOG_ERR, "bad opt %s", cpopt); return (1);
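Review bot: exports(5) is not touched by this change (only mountd.c is listed under Modified), yet "tlscertuser" changes which credentials an RPC runs under, and "tlscert" now implies "tls". Both need an entry next to the existing "tls" option before this leaves the project branch, so an administrator can tell that "tlscertuser" lets a user name carried in the client's certificate replace the credentials in the RPC header.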
From owner-svn-src-projects@freebsd.org Fri Apr 3 22:21:11 2020
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:13:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359618 - projects/nfs-over-tls/usr.sbin/rpctlscd
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpctlscd
X-SVN-Commit-Revision: 359618
X-SVN-Commit-Repository: base

Author: rmacklem
Date: Fri Apr 3 22:13:53 2020
New Revision: 359618
URL: https://svnweb.freebsd.org/changeset/base/359618

Log:
  Update the rpctlscd in several areas.

  This patch updates/fixes the rpctlscd in the following areas:
  - Fix handling of the CRL file and add code to reload it when a SIGHUP
    is posted to the daemon.
  - Move the creation of the SSL_CTX * to before the program daemonizes.
    This was done so that it can prompt for a passphrase for the case
    where the client has a certificate with an encrypted key.
  - Fix up options.
  - Make the handling of the server hostname in the certificate not accept
    a wildcard, as recommended by RFC6125.

Modified:
  projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c

Modified: projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c
==============================================================================
--- projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Fri Apr 3 22:06:55 2020 (r359617)
+++ projects/nfs-over-tls/usr.sbin/rpctlscd/rpctlscd.c Fri Apr 3 22:13:53 2020 (r359618)
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include
@@ -67,10 +68,14 @@ __FBSDID("$FreeBSD$"); #ifndef _PATH_CERTANDKEY #define _PATH_CERTANDKEY "/etc/rpctlscd/" #endif +#ifndef _PATH_RPCTLSCDPID +#define _PATH_RPCTLSCDPID "/var/run/rpctlscd.pid" +#endif #ifndef _PREFERRED_CIPHERS #define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" #endif +static struct pidfh *rpctls_pfh = NULL; static int rpctls_debug_level; static bool rpctls_verbose; static int testnossl; @@ -79,8 +84,6 @@ static const char *rpctls_verify_cafile = NULL; static const char *rpctls_verify_capath = NULL; static const char *rpctls_crlfile = NULL; static const char *rpctls_certdir = _PATH_CERTANDKEY; -static bool rpctls_verify = false; -static bool rpctls_comparehost = false; static uint64_t rpctls_ssl_refno = 0; static uint64_t rpctls_ssl_sec = 0; static uint64_t rpctls_ssl_usec = 0; @@ -104,8 +107,10 @@ static struct ssl_list rpctls_ssllist; static void rpctlscd_terminate(int); static SSL_CTX *rpctls_setupcl_ssl(bool cert); static SSL *rpctls_connect(SSL_CTX *ctx, int s); -static int rpctls_checkhost(int s, X509 *cert); -static int rpctls_loadfiles(SSL_CTX *ctx); +static int rpctls_gethost(int s, struct sockaddr *sad, + char *hostip, size_t hostlen); +static int rpctls_checkhost(struct sockaddr *sad, X509 *cert); +static int rpctls_loadcrlfile(SSL_CTX *ctx); static void rpctls_huphandler(int sig __unused); extern void rpctlscd_1(struct svc_req *rqstp, SVCXPRT *transp); @@ -125,7 +130,16 @@ main(int argc, char **argv) bool cert; struct timeval tm; struct timezone tz; + pid_t otherpid; + /* Check that another rpctlscd isn't already running. */ + rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid); + if (rpctls_pfh == NULL) { + if (errno == EEXIST) + errx(1, "rpctlscd already running, pid: %d.", otherpid); + warn("cannot open or create pidfile"); + } + /* Get the time when this daemon is started. */ gettimeofday(&tm, &tz); rpctls_ssl_sec = tm.tv_sec; 
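Review bot: in the @@ -125 hunk, when pidfile_open() fails for any reason other than EEXIST the daemon only warn()s and carries on with rpctls_pfh == NULL; the later pidfile_write(rpctls_pfh) and pidfile_remove(rpctls_pfh) calls in this patch do not check their return values, so the missing pid file goes unnoticed once the process has daemonized. Either errx() here as well, or syslog() the failure after daemon() so an operator can see why rc cannot find the pid.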
@@ -134,7 +148,7 @@ main(int argc, char **argv) rpctls_verbose = false; testnossl = 0; cert = false; - while ((ch = getopt(argc, argv, "D:dhl:mp:rtVv")) != -1) { + while ((ch = getopt(argc, argv, "D:dl:mp:r:tv")) != -1) { switch (ch) { case 'D': rpctls_certdir = optarg; @@ -142,9 +156,6 @@ main(int argc, char **argv) case 'd': rpctls_debug_level++; break; - case 'h': - rpctls_comparehost = true; - break; case 'l': rpctls_verify_cafile = optarg; break; @@ -160,22 +171,23 @@ main(int argc, char **argv) case 't': testnossl = 1; break; - case 'V': - rpctls_verify = true; - break; case 'v': rpctls_verbose = true; break; default: fprintf(stderr, "usage: %s " - "[-D certdir] [-d] [-h] " + "[-D certdir] [-d] " "[-l CAfile] [-m] " "[-p CApath] [-r CRLfile] " - "[-V] [-v]\n", argv[0]); + "[-v]\n", argv[0]); exit(1); break; } } + if (rpctls_crlfile != NULL && rpctls_verify_cafile == NULL && + rpctls_verify_capath == NULL) + errx(1, "-r requires the -l and/or " + "-p options"); if (modfind("krpc") < 0) { /* Not present in kernel, try loading it */ @@ -183,6 +195,21 @@ main(int argc, char **argv) errx(1, "Kernel RPC is not available"); } + /* + * Set up the SSL_CTX *. + * Do it now, before daemonizing, in case the private key + * is encrypted and requires a passphrase to be entered. + */ + rpctls_ctx = rpctls_setupcl_ssl(cert); + if (rpctls_ctx == NULL) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't set up TSL context"); + exit(1); + } + err(1, "Can't set up TSL context"); + } + LIST_INIT(&rpctls_ssllist); + if (!rpctls_debug_level) { if (daemon(0, 0) != 0) err(1, "Can't daemonize"); @@ -194,6 +221,8 @@ main(int argc, char **argv) signal(SIGPIPE, rpctlscd_terminate); signal(SIGHUP, rpctls_huphandler); + pidfile_write(rpctls_pfh); + memset(&sun, 0, sizeof sun); sun.sun_family = AF_LOCAL; unlink(_PATH_RPCTLSCDSOCK); 
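Review bot: the two error strings added in the @@ -183 hunk say "Can't set up TSL context"; that should be TLS. The getopt string in the @@ -134 hunk now carries "r:", so -r actually consumes its argument (the same missing colon the r359616 log on this page describes for rpctlssd), and the new "-r requires the -l and/or -p options" check closes the case where a CRL is named but there is no trust store to check it against. Building the SSL_CTX before daemon() is the right place for the passphrase prompt, but it does mean an encrypted key blocks unattended start, which the man page should state.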
@@ -242,17 +271,6 @@ main(int argc, char **argv) err(1, "Can't register service for local rpctlscd socket"); } - /* Set up the OpenSSL TSL stuff. */ - rpctls_ctx = rpctls_setupcl_ssl(cert); - if (rpctls_ctx == NULL) { - if (rpctls_debug_level == 0) { - syslog(LOG_ERR, "Can't set up TSL context"); - exit(1); - } - err(1, "Can't set up TSL context"); - } - LIST_INIT(&rpctls_ssllist); - gssd_syscall(_PATH_RPCTLSCDSOCK); svc_run(); gssd_syscall(""); @@ -390,6 +408,7 @@ rpctlscd_terminate(int sig __unused) { gssd_syscall(""); + pidfile_remove(rpctls_pfh); exit(0); } @@ -461,10 +480,10 @@ rpctls_setupcl_ssl(bool cert) } if (rpctls_verify_cafile != NULL || rpctls_verify_capath != NULL) { if (rpctls_crlfile != NULL) { - ret = rpctls_loadfiles(ctx); + ret = rpctls_loadcrlfile(ctx); if (ret == 0) { - rpctlscd_verbose_out("rpctls_setup_ssl: " - "Load CAfile, CRLfile failed\n"); + rpctlscd_verbose_out("rpctls_setupcl_ssl: " + "Load CRLfile failed\n"); SSL_CTX_free(ctx); return (NULL); } @@ -503,15 +522,18 @@ rpctls_connect(SSL_CTX *ctx, int s) { SSL *ssl; X509 *cert; - int ret; - char *cp; + struct sockaddr *sad; + struct sockaddr_storage ad; + char hostnam[NI_MAXHOST]; + int gethostret, ret; + char *cp, *cp2; if (rpctls_gothup) { rpctls_gothup = false; - ret = rpctls_loadfiles(ctx); + ret = rpctls_loadcrlfile(ctx); if (ret == 0) rpctlscd_verbose_out("rpctls_connect: Can't " - "load CAfile, CRLfile\n"); + "reload CRLfile\n"); } ssl = SSL_new(ctx); if (ssl == NULL) { 
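Review bot: in the @@ -503 hunk `sad` is declared in rpctls_connect() but never pointed at `ad`; the next hunk then calls rpctls_gethost(s, sad, ...), which does getpeername(s, sad, &slen) with slen = sizeof(struct sockaddr_storage), i.e. a write through an uninitialized pointer. The rpctlssd.c change on this page adds `sad = (struct sockaddr *)&ad;` right after `*flags = 0;` in rpctls_server(); the same assignment is needed here before the SIGHUP check.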
@@ -542,18 +564,27 @@ rpctls_connect(SSL_CTX *ctx, int s) SSL_free(ssl); return (NULL); } - cp = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); - rpctlscd_verbose_out("rpctls_connect: cert issuerName=%s\n", cp); - cp = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); - rpctlscd_verbose_out("rpctls_connect: cert subjectName=%s\n", cp); + gethostret = rpctls_gethost(s, sad, hostnam, sizeof(hostnam)); + if (gethostret == 0) + hostnam[0] = '\0'; ret = SSL_get_verify_result(ssl); - rpctlscd_verbose_out("rpctls_connect: get " - "verify result=%d\n", ret); - if (ret == X509_V_OK && rpctls_comparehost && - rpctls_checkhost(s, cert) != 1) + if (ret == X509_V_OK && (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) && (gethostret == 0 || + rpctls_checkhost(sad, cert) != 1)) ret = X509_V_ERR_HOSTNAME_MISMATCH; X509_free(cert); - if (rpctls_verify && ret != X509_V_OK) { + if (ret != X509_V_OK && (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL)) { + if (ret != X509_V_OK) { + cp = X509_NAME_oneline(X509_get_issuer_name(cert), + NULL, 0); + cp2 = X509_NAME_oneline(X509_get_subject_name(cert), + NULL, 0); + syslog(LOG_INFO | LOG_DAEMON, "rpctls_connect: client" + " IP %s issuerName=%s subjectName=%s verify " + "failed %s\n", hostnam, cp, cp2, + X509_verify_cert_error_string(ret)); + } SSL_shutdown(ssl); SSL_free(ssl); return (NULL); 
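Review bot: use-after-free in the verify-failure branch: X509_free(cert) runs before the new block calls X509_get_issuer_name(cert) and X509_get_subject_name(cert). Move the X509_free() below the syslog() call, or fetch both names before freeing. Three smaller points in the same block: the inner `if (ret != X509_V_OK)` is redundant with the outer condition; the two X509_NAME_oneline(..., NULL, 0) results are allocated and never OPENSSL_free()d, so every failed handshake leaks; and the message says "client IP" although in rpctlscd the peer is the server. Logging the failure under LOG_INFO | LOG_DAEMON with X509_verify_cert_error_string() is a good addition (the trailing "\n" in a syslog format is unnecessary).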
@@ -569,81 +600,81 @@ rpctls_connect(SSL_CTX *ctx, int s) } /* - * Check a client IP address against any host address in the - * certificate. Basically getpeername(2), getnameinfo(3) and - * X509_check_host(). + * Get the server's IP address. */ static int -rpctls_checkhost(int s, X509 *cert) +rpctls_gethost(int s, struct sockaddr *sad, char *hostip, size_t hostlen) { - struct sockaddr *sad; - struct sockaddr_storage ad; - char hostnam[NI_MAXHOST]; socklen_t slen; int ret; - sad = (struct sockaddr *)&ad; - slen = sizeof(ad); + slen = sizeof(struct sockaddr_storage); if (getpeername(s, sad, &slen) < 0) return (0); + ret = 0; if (getnameinfo((const struct sockaddr *)sad, - sad->sa_len, hostnam, sizeof(hostnam), - NULL, 0, NI_NUMERICHOST) == 0) - rpctlscd_verbose_out("rpctls_checkhost: %s\n", - hostnam); + sad->sa_len, hostip, hostlen, + NULL, 0, NI_NUMERICHOST) == 0) { + rpctlscd_verbose_out("rpctls_gethost: %s\n", + hostip); + ret = 1; + } + return (ret); +} + +/* + * Check a server IP address against any host address in the + * certificate. Basically getnameinfo(3) and + * X509_check_host(). + */ +static int +rpctls_checkhost(struct sockaddr *sad, X509 *cert) +{ + char hostnam[NI_MAXHOST]; + int ret; + if (getnameinfo((const struct sockaddr *)sad, sad->sa_len, hostnam, sizeof(hostnam), NULL, 0, NI_NAMEREQD) != 0) return (0); - rpctlscd_verbose_out("rpctls_checkhost: DNS %s\n", hostnam); - ret = X509_check_host(cert, hostnam, strlen(hostnam), 0, NULL); + rpctlscd_verbose_out("rpctls_checkhost: DNS %s\n", + hostnam); + ret = X509_check_host(cert, hostnam, strlen(hostnam), + X509_CHECK_FLAG_NO_WILDCARDS, NULL); return (ret); } /* - * Load the CAfile (and optionally CRLfile) into the certificate - * verification store. + * (re)load the CRLfile into the certificate verification store. 
*/ static int -rpctls_loadfiles(SSL_CTX *ctx) +rpctls_loadcrlfile(SSL_CTX *ctx) { X509_STORE *certstore; X509_LOOKUP *certlookup; int ret; - if (rpctls_verify_cafile != NULL || - rpctls_verify_capath != NULL) { - if (rpctls_crlfile != NULL) { - certstore = SSL_CTX_get_cert_store(ctx); - certlookup = X509_STORE_add_lookup( - certstore, X509_LOOKUP_file()); - ret = 0; - if (certlookup != NULL) - ret = X509_load_crl_file(certlookup, - rpctls_crlfile, X509_FILETYPE_PEM); - if (ret != 0) - ret = X509_STORE_set_flags(certstore, - X509_V_FLAG_CRL_CHECK | - X509_V_FLAG_CRL_CHECK_ALL); - if (ret == 0) { - rpctlscd_verbose_out( - "rpctls_loadfiles: Can't" - " load CRLfile=%s\n", - rpctls_crlfile); - return (ret); - } - } - ret = SSL_CTX_load_verify_locations(ctx, - rpctls_verify_cafile, rpctls_verify_capath); + if ((rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) && + rpctls_crlfile != NULL) { + certstore = SSL_CTX_get_cert_store(ctx); + certlookup = X509_STORE_add_lookup( + certstore, X509_LOOKUP_file()); + ret = 0; + if (certlookup != NULL) + ret = X509_load_crl_file(certlookup, + rpctls_crlfile, X509_FILETYPE_PEM); + if (ret != 0) + ret = X509_STORE_set_flags(certstore, + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); if (ret == 0) { - rpctlscd_verbose_out("rpctls_loadfiles: " - "Can't load verify locations\n"); + rpctlscd_verbose_out( + "rpctls_loadcrlfile: Can't" + " load CRLfile=%s\n", + rpctls_crlfile); return (ret); } - if (rpctls_verify_cafile != NULL) - SSL_CTX_set_client_CA_list(ctx, - SSL_load_client_CA_file( - rpctls_verify_cafile)); } return (1); }
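Review bot: with SSL_CTX_load_verify_locations() and SSL_CTX_set_client_CA_list() deleted from the old rpctls_loadfiles(), nothing in this patch adds them back for rpctlscd: the @@ -461 hunk in rpctls_setupcl_ssl() only renames the call to rpctls_loadcrlfile(), whereas the rpctlssd.c change on this page re-adds both calls inside rpctls_setup_ssl(). Please confirm that the unchanged context after that hunk still loads the CAfile/CApath; if not, every -l/-p connection will fail verification against an empty store. Two smaller points on this hunk: rpctls_checkhost() now fails closed (no reverse name, or no match, both yield X509_V_ERR_HOSTNAME_MISMATCH in the caller) and passes X509_CHECK_FLAG_NO_WILDCARDS, which is the right default; and the SIGHUP reload adds the CRL to the existing X509_STORE without dropping the previously loaded one, which is harmless for revocation (entries only accumulate) but deserves a comment so nobody expects a reload to un-revoke a certificate.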
From owner-svn-src-projects@freebsd.org Fri Apr 3 22:22:18 2020
From: Rick Macklem
Date: Fri, 3 Apr 2020 22:03:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359616 - projects/nfs-over-tls/usr.sbin/rpctlssd
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpctlssd
X-SVN-Commit-Revision: 359616
X-SVN-Commit-Repository: base

Author: rmacklem
Date: Fri Apr 3 22:03:21 2020
New Revision: 359616
URL: https://svnweb.freebsd.org/changeset/base/359616

Log:
  Update rpctlssd in several areas.

  This patch adds/updates the following areas of the rpctlssd:
  - Add support for reloading of the CRL file when a SIGHUP is posted to
    the daemon.
  - Replace the cruft I created trying to debug the handling of the CRL
    with code that works.
    --> In case this will give you a chuckle, I spent several days trying
        to figure out why the CRL code wasn't working. What was the bug?
        I had missed the ":" after the "r" in the getopt() argument, so
        the file was remaining set to NULL when the "-r" option was
        specified.
    --> The silly ones are the hardest to find.
  - Add options for controlling whether or not a wildcard "*" is allowed
    in the client's DNS name in its certificate and what it means.
    (RFC6125 discourages use of a wildcard, but it only applies to a
    client's handling of a server's certificate and not the reverse.)
  - Add an option "-u" that allows client certificates with an
    otherName:;UTF8:user@dns_domain field in subjectAltName to have
    "user" mapped to a set of as machine credentials to be used for RPCs
    instead of the user credentials in the RPC header.
    (This option does not conform to the IETF draft.)
Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Fri Apr 3 20:56:43 2020 (r359615) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Fri Apr 3 22:03:21 2020 (r359616) @@ -41,7 +41,9 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include +#include #include #include #include @@ -68,10 +70,14 @@ __FBSDID("$FreeBSD$"); #ifndef _PATH_CERTANDKEY #define _PATH_CERTANDKEY "/etc/rpctlssd/" #endif +#ifndef _PATH_RPCTLSSDPID +#define _PATH_RPCTLSSDPID "/var/run/rpctlssd.pid" +#endif #ifndef _PREFERRED_CIPHERS #define _PREFERRED_CIPHERS "SHA384:SHA256:!CAMELLIA" #endif +static struct pidfh *rpctls_pfh = NULL; static int rpctls_debug_level; static bool rpctls_verbose; static SSL_CTX *rpctls_ctx = NULL; @@ -81,10 +87,14 @@ static const char *rpctls_verify_capath = NULL; static const char *rpctls_crlfile = NULL; static const char *rpctls_certdir = _PATH_CERTANDKEY; static bool rpctls_comparehost = false; +static unsigned int rpctls_wildcard = X509_CHECK_FLAG_NO_WILDCARDS; static uint64_t rpctls_ssl_refno = 0; static uint64_t rpctls_ssl_sec = 0; static uint64_t rpctls_ssl_usec = 0; static bool rpctls_gothup = false; +static bool rpctls_cnuser = false; +static char *rpctls_dnsname; +static const char *rpctls_cnuseroid = "1.2.3.4.6.9"; /* * A linked list of all current "SSL *"s and socket "fd"s 
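Review bot: rpctls_cnuseroid = "1.2.3.4.6.9" in the @@ -81 hunk is a made-up OID in an unregistered arc. It is understandable as a placeholder while the otherName type is unsettled (the log says the -u mapping does not follow the IETF draft), but it needs a comment and a TODO to move to an arc the project controls before it ships: once -u is enabled, any certificate that carries this arbitrary OID is treated as a user mapping, so the value is part of the trust decision.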
@@ -104,14 +114,19 @@ static struct ssl_list rpctls_ssllist; static void rpctlssd_terminate(int); static SSL_CTX *rpctls_setup_ssl(const char *certdir); static SSL *rpctls_server(SSL_CTX *ctx, int s, - uint32_t *flags); -static int rpctls_checkhost(int s, X509 *cert); -static int rpctls_loadfiles(SSL_CTX *ctx); + uint32_t *flags, uint32_t *uidp, + int *ngrps, uint32_t *gidp); +static int rpctls_gethost(int s, struct sockaddr *sad, + char *hostip, size_t hostlen); +static int rpctls_checkhost(struct sockaddr *sad, X509 *cert); +static int rpctls_loadcrlfile(SSL_CTX *ctx); +static int rpctls_cnname(X509 *cert, uint32_t *uidp, + int *ngrps, uint32_t *gidp); +static char *rpctls_getdnsname(char *dnsname); static void rpctls_huphandler(int sig __unused); -static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); -extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); -extern int gssd_syscall(const char *path); +extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); +extern int gssd_syscall(const char *path); int main(int argc, char **argv) 
@@ -126,16 +141,33 @@ main(int argc, char **argv) SVCXPRT *xprt; struct timeval tm; struct timezone tz; + char hostname[MAXHOSTNAMELEN + 2]; + pid_t otherpid; + /* Check that another rpctlssd isn't already running. */ + rpctls_pfh = pidfile_open(_PATH_RPCTLSSDPID, 0600, &otherpid); + if (rpctls_pfh == NULL) { + if (errno == EEXIST) + errx(1, "rpctlssd already running, pid: %d.", otherpid); + warn("cannot open or create pidfile"); + } + /* Get the time when this daemon is started. */ gettimeofday(&tm, &tz); rpctls_ssl_sec = tm.tv_sec; rpctls_ssl_usec = tm.tv_usec; + /* Set the dns name for the server. */ + rpctls_dnsname = rpctls_getdnsname(hostname); + if (rpctls_dnsname == NULL) { + strcpy(hostname, "@default.domain"); + rpctls_dnsname = hostname; + } +fprintf(stderr, "dnsname=%s\n", rpctls_dnsname); debug = 0; rpctls_verbose = false; - while ((ch = getopt(argc, argv, "D:dhl:mp:rv")) != -1) { + while ((ch = getopt(argc, argv, "D:dhl:n:mp:r:uvWw")) != -1) { switch (ch) { case 'D': rpctls_certdir = optarg; @@ -152,21 +184,42 @@ main(int argc, char **argv) case 'm': rpctls_do_mutual = true; break; + case 'n': + hostname[0] = '@'; + strlcpy(&hostname[1], optarg, MAXHOSTNAMELEN + 1); + rpctls_dnsname = hostname; + break; case 'p': rpctls_verify_capath = optarg; break; case 'r': rpctls_crlfile = optarg; break; + case 'u': + rpctls_cnuser = true; + break; case 'v': rpctls_verbose = true; break; + case 'W': + if (rpctls_wildcard != X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "options -w and -W are mutually " + "exclusive"); + rpctls_wildcard = X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; + break; + case 'w': + if (rpctls_wildcard != X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "options -w and -W are mutually " + "exclusive"); + rpctls_wildcard = 0; + break; default: fprintf(stderr, "usage: %s " "[-D certdir] [-d] [-h] " "[-l CAfile] [-m] " + "[-n domain_name] " "[-p CApath] [-r CRLfile] " - "[-v]\n", argv[0]); + "[-u] [-v] [-W] [-w]\n", argv[0]); exit(1); } } 
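Review bot: the `fprintf(stderr, "dnsname=%s\n", rpctls_dnsname);` at column 0 in the @@ -126 hunk is leftover debugging; drop it or route it through rpctlssd_verbose_out(). The usage string in the @@ -152 hunk gains -n, -u, -W and -w, so the rpctlssd man page needs the same additions, and since -w and -W widen what X509_check_host() accepts in a client's name (0 and X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS in place of X509_CHECK_FLAG_NO_WILDCARDS), the mutual-exclusion errx() is good but the option text should also say that neither is the default.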
@@ -176,8 +229,15 @@ main(int argc, char **argv) "-p options"); if (rpctls_comparehost && (!rpctls_do_mutual || (rpctls_verify_cafile == NULL && rpctls_verify_capath == NULL))) - errx(1, "-h requires the -m and either the " - "-l or -p options"); + errx(1, "-h requires the -m plus the " + "-l and/or -p options"); + if (!rpctls_comparehost && rpctls_wildcard != + X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "The -w or -W options require the -h option"); + if (rpctls_cnuser && (!rpctls_do_mutual || + (rpctls_verify_cafile == NULL && rpctls_verify_capath == NULL))) + errx(1, "-u requires the -m plus the " + "-l and/or -p options"); if (modfind("krpc") < 0) { /* Not present in kernel, try loading it */ @@ -196,6 +256,8 @@ main(int argc, char **argv) signal(SIGPIPE, rpctlssd_terminate); signal(SIGHUP, rpctls_huphandler); + pidfile_write(rpctls_pfh); + memset(&sun, 0, sizeof sun); sun.sun_family = AF_LOCAL; unlink(_PATH_RPCTLSSDSOCK); @@ -291,10 +353,12 @@ bool_t rpctlssd_connect_1_svc(void *argp, struct rpctlssd_connect_res *result, struct svc_req *rqstp) { - int s; + int ngrps, s; SSL *ssl; uint32_t flags; struct ssl_entry *newslp; + uint32_t uid; + uint32_t *gidp; rpctlssd_verbose_out("rpctlsd_connect_svc: started\n"); memset(result, 0, sizeof(*result)); @@ -305,11 +369,19 @@ rpctlssd_verbose_out("rpctlsd_connect_svc s=%d\n", s); return (FALSE); /* Do the server side of a TLS handshake. */ - ssl = rpctls_server(rpctls_ctx, s, &flags); - if (ssl == NULL) + gidp = calloc(NGROUPS, sizeof(*gidp)); + ssl = rpctls_server(rpctls_ctx, s, &flags, &uid, &ngrps, gidp); + if (ssl == NULL) { + free(gidp); rpctlssd_verbose_out("rpctlssd_connect_svc: ssl " "accept failed\n"); - else { + /* + * For RPC-over-TLS, this upcall is expected + * to close off the socket. + */ + close(s); + return (FALSE); + } else { rpctlssd_verbose_out("rpctlssd_connect_svc: " "succeeded flags=0x%x\n", flags); result->flags = flags; 
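Review bot: in the @@ -305 hunk `gidp = calloc(NGROUPS, sizeof(*gidp))` is not checked for NULL before being handed to rpctls_server(), which passes it on to rpctls_cnname() to fill; a failed allocation would dereference NULL on the -u path. Check it and return FALSE after close(s), exactly as the ssl == NULL path below now does. Moving the close(s) into that failure path is an improvement, since the socket is no longer left open between the two former branches.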
@@ -319,17 +391,17 @@ rpctlssd_verbose_out("rpctlsd_connect_svc s=%d\n", s); /* Hard to believe this could ever wrap around.. */ if (rpctls_ssl_refno == 0) result->ssl = ++rpctls_ssl_refno; + if ((flags & RPCTLS_FLAGS_CNUSER) != 0) { + result->uid = uid; + result->gid.gid_len = ngrps; + result->gid.gid_val = gidp; + } else { + result->uid = 0; + result->gid.gid_len = 0; + result->gid.gid_val = gidp; + } } - if (ssl == NULL) { - /* - * For RPC-over-TLS, this upcall is expected - * to close off the socket. - */ - close(s); - return (FALSE); - } - /* Maintain list of all current SSL *'s */ newslp = malloc(sizeof(*newslp)); newslp->ssl = ssl; @@ -374,7 +446,13 @@ rpctlssd_disconnect_1_svc(struct rpctlssd_disconnect_a int rpctlssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) { + rpctlssd_connect_res *res; + if (xdr_result == (xdrproc_t)xdr_rpctlssd_connect_res) { + res = (rpctlssd_connect_res *)result; + if (res->gid.gid_val != NULL) + free(res->gid.gid_val); + } return (TRUE); } @@ -383,6 +461,7 @@ rpctlssd_terminate(int sig __unused) { gssd_syscall("S"); + pidfile_remove(rpctls_pfh); exit(0); } @@ -390,12 +469,7 @@ rpctlssd_terminate(int sig __unused) static int rpctls_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) { - int err; - char *cp; - err = X509_STORE_CTX_get_error(x509_ctx); - cp = (char *)X509_STORE_CTX_get_cert_crl(x509_ctx); -rpctlssd_verbose_out("verf cb pre=%d err=%d cercrl=%p\n", preverify_ok, err, cp); return (1); } 
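Review bot: in the @@ -319 hunk the non-CNUSER branch fills result->uid with 0. Since uid 0 is also a legitimate mapped value, the kernel must key strictly on RPCTLS_FLAGS_CNUSER and never on uid alone; a comment here saying so (or a sentinel such as (uint32_t)-1 in the else branch) would stop a later reader from treating the zero as meaningful. The matching free of gid_val in rpctlssd_1_freeresult() in the @@ -374 hunk closes the leak that the calloc() would otherwise introduce.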
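Review bot: after the debug lines are removed in the @@ -390 hunk, rpctls_verify_callback() is a bare `return (1)`, which tells OpenSSL to continue the handshake regardless of preverify_ok. That is intentional here, because rpctls_server() reads SSL_get_verify_result() afterwards and sets RPCTLS_FLAGS_SELFSIGNED, RPCTLS_FLAGS_VERIFIED or RPCTLS_FLAGS_DISABLED from it, but the function on its own reads like a verification bypass. Add a comment stating that every accept/reject decision is made in rpctls_server() and that the callback must keep returning 1 for that design to work.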
@@ -458,13 +532,29 @@ rpctls_setup_ssl(const char *certdir) /* Set Mutual authentication, as required. */ if (rpctls_do_mutual) { - rpctlssd_verbose_out("rpctls_setup_ssl: set mutual\n"); - ret = rpctls_loadfiles(ctx); - if (ret == 0) { - rpctlssd_verbose_out("rpctls_setup_ssl: " - "Load CAfile, CRLfile failed\n"); - SSL_CTX_free(ctx); - return (NULL); + if (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) { + if (rpctls_crlfile != NULL) { + ret = rpctls_loadcrlfile(ctx); + if (ret == 0) { + rpctlssd_verbose_out("rpctls_setup_ssl:" + " Load CRLfile failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + } + ret = SSL_CTX_load_verify_locations(ctx, + rpctls_verify_cafile, rpctls_verify_capath); + if (ret == 0) { + rpctlssd_verbose_out("rpctls_setup_ssl: " + "Can't load verify locations\n"); + SSL_CTX_free(ctx); + return (NULL); + } + if (rpctls_verify_cafile != NULL) + SSL_CTX_set_client_CA_list(ctx, + SSL_load_client_CA_file( + rpctls_verify_cafile)); } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, rpctls_verify_callback); @@ -473,20 +563,25 @@ rpctls_setup_ssl(const char *certdir) } static SSL * -rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags) +rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags, uint32_t *uidp, + int *ngrps, uint32_t *gidp) { SSL *ssl; X509 *cert; - int ret; - char *cp; + struct sockaddr *sad; + struct sockaddr_storage ad; + char hostnam[NI_MAXHOST]; + int gethostret, ret; + char *cp, *cp2; *flags = 0; + sad = (struct sockaddr *)&ad; if (rpctls_gothup) { rpctls_gothup = false; - ret = rpctls_loadfiles(ctx); + ret = rpctls_loadcrlfile(ctx); if (ret == 0) rpctlssd_verbose_out("rpctls_server: Can't " - "load CAfile, CRLfile\n"); + "reload CRLfile\n"); } ssl = SSL_new(ctx); if (ssl == NULL) { 
@@ -508,29 +603,44 @@ rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags) *flags |= RPCTLS_FLAGS_HANDSHAKE; if (rpctls_do_mutual) { cert = SSL_get_peer_certificate(ssl); - if (cert == NULL) - rpctlssd_verbose_out("rpctls_server: " - "No peer certificate\n"); - else { - cp = X509_NAME_oneline(X509_get_issuer_name(cert), - NULL, 0); - rpctlssd_verbose_out("rpctls_server: cert " - "issuerName=%s\n", cp); - cp = X509_NAME_oneline(X509_get_subject_name(cert), - NULL, 0); - rpctlssd_verbose_out("rpctls_server: cert " - "subjectName=%s\n", cp); + if (cert != NULL) { + gethostret = rpctls_gethost(s, sad, hostnam, + sizeof(hostnam)); + if (gethostret == 0) + hostnam[0] = '\0'; + cp2 = X509_NAME_oneline( + X509_get_subject_name(cert), NULL, 0); +rpctlssd_verbose_out("%s\n", cp2); *flags |= RPCTLS_FLAGS_GOTCERT; ret = SSL_get_verify_result(ssl); - rpctlssd_verbose_out("rpctls_server: get " - "verify result=%d\n", ret); + if (ret != X509_V_OK) { + cp = X509_NAME_oneline( + X509_get_issuer_name(cert), NULL, 0); + if (rpctls_debug_level == 0) + syslog(LOG_INFO | LOG_DAEMON, + "rpctls_server: client IP %s " + "issuerName=%s subjectName=%s" + " verify failed %s\n", hostnam, + cp, cp2, + X509_verify_cert_error_string(ret)); + else + fprintf(stderr, + "rpctls_server: client IP %s " + "issuerName=%s subjectName=%s" + " verify failed %s\n", hostnam, + cp, cp2, + X509_verify_cert_error_string(ret)); + } if (ret == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || ret == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) *flags |= RPCTLS_FLAGS_SELFSIGNED; else if (ret == X509_V_OK) { if (rpctls_comparehost) { - ret = rpctls_checkhost(s, cert); + ret = 0; + if (gethostret != 0) + ret = rpctls_checkhost(sad, + cert); if (ret != 1) { *flags |= RPCTLS_FLAGS_DISABLED; 
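Review bot: the stray `rpctlssd_verbose_out("%s\n", cp2);` at column 0 is debugging output that prints the peer subject for every certificate-bearing connection; remove it. Also, cp and cp2 come from X509_NAME_oneline(..., NULL, 0), which allocates, and neither is OPENSSL_free()d, so each mutual-auth connection (and each failed verification) leaks two strings in a long-running daemon. The syslog()/fprintf() split on rpctls_debug_level is fine, but the duplicated format string could be one call through a small helper. Setting RPCTLS_FLAGS_DISABLED when rpctls_gethost() fails (ret stays 0) is the right fail-closed choice.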
@@ -540,97 +650,215 @@ rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags) "failed\n"); } } + if (rpctls_cnuser) { + ret = rpctls_cnname(cert, uidp, + ngrps, gidp); + if (ret != 0) + *flags |= RPCTLS_FLAGS_CNUSER; + } *flags |= RPCTLS_FLAGS_VERIFIED; } X509_free(cert); - } + } else + rpctlssd_verbose_out("rpctls_server: " + "No peer certificate\n"); } return (ssl); } /* - * Check a client IP address against any host address in the - * certificate. Basically getpeername(2), getnameinfo(3) and - * X509_check_host(). + * Get the client's IP address. */ -int -rpctls_checkhost(int s, X509 *cert) +static int +rpctls_gethost(int s, struct sockaddr *sad, char *hostip, size_t hostlen) { - struct sockaddr *sad; - struct sockaddr_storage ad; - char hostnam[NI_MAXHOST]; socklen_t slen; int ret; - sad = (struct sockaddr *)&ad; - slen = sizeof(ad); + slen = sizeof(struct sockaddr_storage); if (getpeername(s, sad, &slen) < 0) return (0); + ret = 0; if (getnameinfo((const struct sockaddr *)sad, - sad->sa_len, hostnam, sizeof(hostnam), - NULL, 0, NI_NUMERICHOST) == 0) - rpctlssd_verbose_out("rpctls_checkhost: %s\n", - hostnam); + sad->sa_len, hostip, hostlen, + NULL, 0, NI_NUMERICHOST) == 0) { + rpctlssd_verbose_out("rpctls_gethost: %s\n", + hostip); + ret = 1; + } + return (ret); +} + +/* + * Check a client IP address against any host address in the + * certificate. Basically getnameinfo(3) and + * X509_check_host(). + */ +static int +rpctls_checkhost(struct sockaddr *sad, X509 *cert) +{ + char hostnam[NI_MAXHOST]; + int ret; + if (getnameinfo((const struct sockaddr *)sad, sad->sa_len, hostnam, sizeof(hostnam), NULL, 0, NI_NAMEREQD) != 0) return (0); rpctlssd_verbose_out("rpctls_checkhost: DNS %s\n", hostnam); - ret = X509_check_host(cert, hostnam, strlen(hostnam), 0, NULL); + ret = X509_check_host(cert, hostnam, strlen(hostnam), + rpctls_wildcard, NULL); return (ret); } /* - * Load the CAfile (and optionally CRLfile) into the certificate - * verification store. 
+ * Acquire the dnsname for this server. */ +static char * +rpctls_getdnsname(char *hostname) +{ + char *cp, *dnsname; + struct addrinfo *aip, hints; + int error; + + dnsname = NULL; + if (gethostname(hostname, MAXHOSTNAMELEN) == 0) { + if ((cp = strchr(hostname, '.')) != NULL && + *(cp + 1) != '\0') { + *cp = '@'; + dnsname = cp; + } else { + memset((void *)&hints, 0, sizeof (hints)); + hints.ai_flags = AI_CANONNAME; + error = getaddrinfo(hostname, NULL, &hints, &aip); + if (error == 0) { + if (aip->ai_canonname != NULL && + (cp = strchr(aip->ai_canonname, '.')) != + NULL && *(cp + 1) != '\0') { + hostname[0] = '@'; + strlcpy(&hostname[1], cp + 1, + MAXHOSTNAMELEN + 1); + dnsname = hostname; + } + freeaddrinfo(aip); + } + } + } + return (dnsname); +} + +/* + * Check a commonName to see if it maps to "user@domain" and + * acquire a for it if it does. + */ static int -rpctls_loadfiles(SSL_CTX *ctx) +rpctls_cnname(X509 *cert, uint32_t *uidp, int *ngrps, uint32_t *gidp) { + char *cp, usern[1024 + 1]; + struct passwd *pwd; + gid_t gids[NGROUPS]; + int i; + GENERAL_NAMES *genlist; + GENERAL_NAME *genname; + OTHERNAME *val; + + /* First, find the otherName in the subjectAltName. */ + genlist = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); +rpctlssd_verbose_out("genlist=%p\n", genlist); + if (genlist == NULL) + return (0); + val = NULL; + for (i = 0; i < sk_GENERAL_NAME_num(genlist); i++) { + genname = sk_GENERAL_NAME_value(genlist, i); + if (genname->type != GEN_OTHERNAME) + continue; + val = genname->d.otherName; + break; + } + if (val == NULL) + return (0); +rpctlssd_verbose_out("fnd type=0x%x len=%d anstyp=0x%x data=%s\n", val->value->type, val->value->value.utf8string->length, val->value->value.utf8string->type, val->value->value.utf8string->data); + + /* Check to see that it is the correct OID. 
*/ + i = i2t_ASN1_OBJECT(usern, sizeof(usern), val->type_id); +rpctlssd_verbose_out("obj=%d str=%s\n", i, usern); + if (i != strlen(rpctls_cnuseroid) || memcmp(usern, rpctls_cnuseroid, + i) != 0) { + rpctlssd_verbose_out("rpctls_cnname: invalid cnuser " + "oid len=%d val=%s\n", i, usern); + return (0); + } + + /* Sanity check the otherName. */ + if (val->value->type != V_ASN1_UTF8STRING || + val->value->value.utf8string->length < 3 || + val->value->value.utf8string->length > sizeof(usern) - 1) { + rpctlssd_verbose_out("rpctls_cnname: invalid cnuser " + "type=%d\n", val->value->type); + return (0); + } + + /* Look for a "user" in the otherName */ + memcpy(usern, val->value->value.utf8string->data, + val->value->value.utf8string->length); + usern[val->value->value.utf8string->length] = '\0'; + rpctlssd_verbose_out("rpctls_cnname: userstr %s\n", usern); + + /* Now, look for the @dnsname suffix in the commonName. */ + cp = strcasestr(usern, rpctls_dnsname); + if (cp == NULL) + return (0); +rpctlssd_verbose_out("dns=%s\n", cp); + if (*(cp + strlen(rpctls_dnsname)) != '\0') + return (0); + *cp = '\0'; + + /* See if the "user" is in the passwd database. */ +rpctlssd_verbose_out("user=%s\n", usern); + pwd = getpwnam(usern); + if (pwd == NULL) + return (0); +rpctlssd_verbose_out("pwname=%s\n", pwd->pw_name); + *uidp = pwd->pw_uid; + *ngrps = NGROUPS; + if (getgrouplist(pwd->pw_name, pwd->pw_gid, gids, ngrps) < 0) + return (0); + for (i = 0; i < *ngrps; i++) + gidp[i] = gids[i]; + return (1); +} + +/* + * (re)load the CRLfile into the certificate verification store. 
+ */ +static int +rpctls_loadcrlfile(SSL_CTX *ctx) +{ X509_STORE *certstore; X509_LOOKUP *certlookup; int ret; - if (rpctls_verify_cafile != NULL || - rpctls_verify_capath != NULL) { - if (rpctls_crlfile != NULL) { - certstore = SSL_CTX_get_cert_store(ctx); - certlookup = X509_STORE_add_lookup( - certstore, X509_LOOKUP_file()); - ret = 0; - if (certlookup != NULL) - ret = X509_load_crl_file(certlookup, - rpctls_crlfile, X509_FILETYPE_PEM); - if (ret != 0) - ret = X509_STORE_set_flags(certstore, - X509_V_FLAG_CRL_CHECK | - X509_V_FLAG_CRL_CHECK_ALL); - if (ret != 0) -{ -X509_STORE_set_cert_crl(certstore, cert_crl); - X509_STORE_set_verify_cb_func( - certstore, rpctls_verify_callback); -} - if (ret == 0) { - rpctlssd_verbose_out( - "rpctls_setup_ssl: Can't" - " load CRLfile=%s\n", - rpctls_crlfile); - return (ret); - } - } - ret = SSL_CTX_load_verify_locations(ctx, - rpctls_verify_cafile, rpctls_verify_capath); + if ((rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) && + rpctls_crlfile != NULL) { + certstore = SSL_CTX_get_cert_store(ctx); + certlookup = X509_STORE_add_lookup( + certstore, X509_LOOKUP_file()); + ret = 0; + if (certlookup != NULL) + ret = X509_load_crl_file(certlookup, + rpctls_crlfile, X509_FILETYPE_PEM); + if (ret != 0) + ret = X509_STORE_set_flags(certstore, + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); if (ret == 0) { - rpctlssd_verbose_out("rpctls_setup_ssl: " - "Can't load verify locations\n"); + rpctlssd_verbose_out( + "rpctls_loadcrlfile: Can't" + " load CRLfile=%s\n", + rpctls_crlfile); return (ret); } - if (rpctls_verify_cafile != NULL) - SSL_CTX_set_client_CA_list(ctx, - SSL_load_client_CA_file( - rpctls_verify_cafile)); } return (1); } 
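Review bot: the return value of SSL_load_client_CA_file() is not checked before it is passed to SSL_CTX_set_client_CA_list() in the new rpctls_verify_cafile branch of rpctls_setup_ssl(); it returns NULL when the file cannot be read or parsed, and a NULL list silently leaves the CertificateRequest without any acceptable-CA names, so clients will not know which certificate to present. Suggest capturing the result and, on NULL, treating it like the other load failures in this block (verbose message, SSL_CTX_free(ctx), return (NULL)). Separately, when rpctls_do_mutual is set but neither rpctls_verify_cafile nor rpctls_verify_capath is configured, SSL_CTX_set_verify() is still installed with an empty trust store, so every client certificate will fail verification; a verbose message at that point would make the misconfiguration visible to the operator.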
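Review bot: in the rpctls_gothup path of rpctls_server(), a failed rpctls_loadcrlfile() is reported only through rpctlssd_verbose_out(), so with the default debug level an operator who rotated the CRL and sent SIGHUP gets no indication that the old revocation list is still the one in use. The verify-failure report later in this function already goes to syslog(LOG_INFO | LOG_DAEMON) when rpctls_debug_level == 0; the reload failure deserves the same treatment. Also, the new gethostret local is only assigned inside the cert != NULL block; initialising it to 0 next to *flags = 0 keeps the function warning-clean if that block is ever restructured.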
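Review bot: the strings that X509_NAME_oneline() returns for cp and cp2 in the cert != NULL block of rpctls_server() are allocated by OpenSSL (a NULL buffer argument means "allocate for me") and are never released, so every mutually-authenticated connection leaks them; add OPENSSL_free(cp2) before X509_free(cert), and OPENSSL_free(cp) on the verify-failure path. The bare rpctlssd_verbose_out("%s\n", cp2); at column 0 looks like leftover debugging and should either be removed or be given the "rpctls_server: cert subjectName=%s" prefix the deleted lines used. The syslog and fprintf branches of the verify-failure report carry an identical format string and argument list; routing both through one small helper that picks the destination from rpctls_debug_level would keep the two from drifting apart.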
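Review bot: the column-0 rpctlssd_verbose_out("fnd type=0x%x len=%d ...") in rpctls_cnname() dereferences val->value->value.utf8string (length, type, data) before the sanity check a few lines below confirms val->value->type == V_ASN1_UTF8STRING; for any other ASN.1 type the union holds a different pointer or an int, so this reads garbage or crashes, and "%s" on data assumes a NUL terminator that an ASN1_STRING does not guarantee. Remove it, or move it after the check and print with "%.*s". The search loop also stops at the first GEN_OTHERNAME regardless of its OID, so a certificate whose first otherName is of another kind fails the rpctls_cnuseroid comparison even if a matching entry follows; compare type_id inside the loop and continue on mismatch. genlist from X509_get_ext_d2i() is never freed on any return path (GENERAL_NAMES_free(genlist) is needed). In rpctls_getdnsname(), strlcpy(&hostname[1], cp + 1, MAXHOSTNAMELEN + 1) allows MAXHOSTNAMELEN + 1 bytes to be written starting at offset 1, while gethostname() two lines earlier is given only MAXHOSTNAMELEN; the caller's buffer size is not shown in this hunk, but the size argument should be the space actually remaining after hostname[0]. When the user belongs to more than NGROUPS groups, getgrouplist() returns -1 and rpctls_cnname() returns 0, so that user silently falls back to the RPC header credentials; a verbose message there would help diagnosis. In rpctls_checkhost(), the name being matched comes from reverse DNS (NI_NAMEREQD), so whoever controls the PTR zone for the client address chooses what X509_check_host() compares against; documenting the dependency on trustworthy reverse DNS, or additionally checking the peer address with X509_check_ip(), would make the guarantee explicit. Two documentation nits: the comment above rpctls_cnname() reads "acquire a for it if it does" and is missing a word, and the "(re)load" comment on rpctls_loadcrlfile() should say that X509_load_crl_file() adds to the store without removing CRLs loaded earlier, and that X509_V_FLAG_CRL_CHECK_ALL makes verification fail with X509_V_ERR_UNABLE_TO_GET_CRL for any CA in the chain that has no CRL loaded.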
@@ -642,42 +870,3 @@ rpctls_huphandler(int sig __unused) rpctls_gothup = true; } -static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) -{ - X509_REVOKED *rev; - int ret; - -rpctlssd_verbose_out("in cert_crl\n"); - /* - * The rules changed for this... previously if a CRL contained unhandled - * critical extensions it could still be used to indicate a certificate - * was revoked. This has since been changed since critical extensions can - * change the meaning of CRL entries. - */ -#ifdef notnow - if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL) && - !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)) - return 0; -#endif - /* - * Look for serial number of certificate in CRL. If found, make sure - * reason is not removeFromCRL. - */ - ret = X509_CRL_get0_by_cert(crl, &rev, x); -rpctlssd_verbose_out("get0 cert=%d\n", ret); - if (ret != 0) { -#ifdef notnow - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) -{ rpctls_verbose_out("ret 2\n"); - return 2; -} - if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED)) -#endif -rpctlssd_verbose_out("ret 0\n"); - return 0; - } - -rpctlssd_verbose_out("ret 1\n"); - return 1; -} From owner-svn-src-projects@freebsd.org Fri Apr 3 22:23:25 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2478A2749B8 for ; Fri, 3 Apr 2020 22:23:25 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vDwX4NKXz4VtB; Fri, 3 Apr 2020 22:23:24 +0000 (UTC) (envelope-from 
From: Rick Macklem Date: Fri, 3 Apr 2020 22:22:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359621 - projects/nfs-over-tls/usr.sbin/mountd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/mountd X-SVN-Commit-Revision: 359621 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 22:23:25 -0000 Author: rmacklem Date: Fri Apr 3 22:22:50 2020 New Revision: 359621 URL: https://svnweb.freebsd.org/changeset/base/359621 Log: Add the "tls", "tlscert" and "tlscertuser" options to exports.5. Modified: projects/nfs-over-tls/usr.sbin/mountd/exports.5 Modified: projects/nfs-over-tls/usr.sbin/mountd/exports.5 ============================================================================== --- projects/nfs-over-tls/usr.sbin/mountd/exports.5 Fri Apr 3 22:19:21 2020 (r359620) +++ projects/nfs-over-tls/usr.sbin/mountd/exports.5 Fri Apr 3 22:22:50 2020 (r359621) 
@@ -187,7 +187,59 @@ preferred flavor first. If this option is not present, the default security flavor list of just sys is used. .Pp +.Fl tls +specifies that all remote access must be done using RPC-over-TLS. +This option requires the +.Xr rpctlssd 8 +daemon be running on the server. +.Pp +.Fl tlscert +specifies that all remote access must be done using RPC-over-TLS +and that the NFS client(s) must provide a TLS/X509 certificate +that verifies. +This option requires the +.Xr rpctlssd 8 +daemon be running on the server with the +.Fl m +command line option specified for it. +.Pp +.Fl tlscertuser +is similar to +.Fl tlscert +but also requires that there be a +.Dq otherName +field in +.Dq subjectAltName +of the TLS/X509 certificate of the form +.Dq 1.2.3.4.6.9;UTFS8:user@dns_domain +where +.Dq user@dns_domain +maps to a valid user on the NFS server using the same technique as +.Xr nfsuserd 8 +does. The +.Dq user +must be a valid username in the password database and +.Dq dns_domain +the domain of the server (or as set via the +.Fl domain +command line option for +.Xr nfsuserd 8 . +The +.Dq user +is then mapped to +.Dq +credentials that are used for all RPCs, in a manner similar +to the +.Fl mapall +option. +This option requires the +.Xr rpctlssd 8 +daemon be running on the server with the +.Fl u +command line option specified for it. +.Pp +The .Fl ro option specifies that the file system should be exported read-only (default read/write). 
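Review bot: the otherName example in the new tlscertuser text, .Dq 1.2.3.4.6.9;UTFS8:user@dns_domain, reads "UTFS8" where the ASN.1 tag is UTF8 (rpctls_cnname() checks for V_ASN1_UTF8STRING), and "1.2.3.4.6.9" should either be the OID the daemon actually compares against rpctls_cnuseroid or be labelled as a placeholder so nobody copies it into a certificate profile. Three more wording problems in the same paragraph: "is then mapped to .Dq credentials" has an empty .Dq argument (the r359623 log calls these machine credentials); the parenthesis opened at "(or as set via the .Fl domain command line option for .Xr nfsuserd 8 ." is never closed; and "The .Dq user must be a valid username ... and .Dq dns_domain the domain of the server" needs a verb before "the domain". Finally, "a TLS/X509 certificate that verifies" would be clearer as "that verifies against the CA file or path configured for rpctlssd(8)", since that is what the -m mode checks.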
@@ -537,6 +589,7 @@ afterwards, whereas NFSv3 rejects the mount request. .Xr netgroup 5 , .Xr mountd 8 , .Xr nfsd 8 , +.Xr nfsuserd , .Xr showmount 8 .Sh BUGS The export options are tied to the local mount points in the kernel and From owner-svn-src-projects@freebsd.org Fri Apr 3 22:38:22 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9B9A8274F60 for ; Fri, 3 Apr 2020 22:38:22 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vFFp0QPWz4bWk; Fri, 3 Apr 2020 22:38:21 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 599EAD2F1; Fri, 3 Apr 2020 22:38:14 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 033McEN4017914; Fri, 3 Apr 2020 22:38:14 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 033McDZL017909; Fri, 3 Apr 2020 22:38:13 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004032238.033McDZL017909@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
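Review bot: the new SEE ALSO entry ".Xr nfsuserd ," is missing the manual section; the other entries in this list and the references added earlier in this patch use ".Xr nfsuserd 8", so this should read ".Xr nfsuserd 8 ," for mandoc to render the cross-reference consistently.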
From: Rick Macklem Date: Fri, 3 Apr 2020 22:38:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359623 - projects/nfs-over-tls/sys/rpc X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/sys/rpc X-SVN-Commit-Revision: 359623 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 22:38:22 -0000 Author: rmacklem Date: Fri Apr 3 22:38:13 2020 New Revision: 359623 URL: https://svnweb.freebsd.org/changeset/base/359623 Log: Update the files in sys/rpc to add handling of certuser. certuser refers to using an otherName in the subjectAltName of the client's certificate to create machine credentials that are used to perform the RPCs instead of the user credentials in the RPC header. These changes require the changes in sys/rpc/rpcsec_tls which will be committed soon. Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h projects/nfs-over-tls/sys/rpc/svc.c projects/nfs-over-tls/sys/rpc/svc.h projects/nfs-over-tls/sys/rpc/svc_auth.c Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Fri Apr 3 22:38:13 2020 (r359623) 
@@ -41,6 +41,7 @@ #define RPCTLS_FLAGS_SELFSIGNED 0x04 #define RPCTLS_FLAGS_VERIFIED 0x08 #define RPCTLS_FLAGS_DISABLED 0x10 +#define RPCTLS_FLAGS_CNUSER 0x20 #ifdef _KERNEL /* Functions that perform upcalls to the rpctlsd daemon. */ Modified: projects/nfs-over-tls/sys/rpc/svc.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc.c Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc.c Fri Apr 3 22:38:13 2020 (r359623) @@ -902,6 +902,8 @@ svc_xprt_free(SVCXPRT *xprt) { mem_free(xprt->xp_p3, sizeof(SVCXPRT_EXT)); + /* The size argument is ignored, so 0 is ok. */ + mem_free(xprt->xp_gidp, 0); mem_free(xprt, sizeof(SVCXPRT)); } Modified: projects/nfs-over-tls/sys/rpc/svc.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc.h Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc.h Fri Apr 3 22:38:13 2020 (r359623) @@ -181,6 +181,9 @@ typedef struct __rpc_svcxprt { uint64_t xp_sslsec; /* Userland SSL * */ uint64_t xp_sslusec; uint64_t xp_sslrefno; + int xp_ngrps; /* Cred. from TLS cert. */ + uid_t xp_uid; + gid_t *xp_gidp; #else int xp_fd; u_short xp_port; /* associated port number */ Modified: projects/nfs-over-tls/sys/rpc/svc_auth.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_auth.c Fri Apr 3 22:36:22 2020 (r359622) +++ projects/nfs-over-tls/sys/rpc/svc_auth.c Fri Apr 3 22:38:13 2020 (r359623) 
@@ -179,10 +179,29 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, struct ucred *cr = NULL; int flavor; struct xucred *xcr; + SVCXPRT *xprt = rqst->rq_xprt; flavor = rqst->rq_cred.oa_flavor; if (flavorp) *flavorp = flavor; + + /* + * If there are credentials acquired via a TLS + * certificate for this TCP connection, use those + * instead of what is in the RPC header. + */ + if ((xprt->xp_tls & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER && + flavor == AUTH_UNIX) { + cr = crget(); + cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid; + crsetgroups(cr, xprt->xp_ngrps, xprt->xp_gidp); + cr->cr_rgid = cr->cr_svgid = xprt->xp_gidp[0]; + cr->cr_prison = &prison0; + prison_hold(cr->cr_prison); + *crp = cr; + return (TRUE); + } switch (flavor) { case AUTH_UNIX: From owner-svn-src-projects@freebsd.org Fri Apr 3 23:00:38 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C8A932757F6 for ; Fri, 3 Apr 2020 23:00:38 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vFlV2TNWz3GCY; Fri, 3 Apr 2020 23:00:38 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E3CA5D740; Fri, 3 Apr 2020 23:00:27 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org 
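Review bot: mem_free(xprt->xp_gidp, 0) in svc_xprt_free() relies on xp_gidp being NULL for every transport that never received certificate credentials, which holds only if the SVCXPRT is zero-filled where it is allocated; that is not visible in this hunk, so either say so in the comment or set xp_gidp = NULL explicitly in the allocator. The comment "The size argument is ignored" is true of the kernel mem_free() macro only; passing the real size (xp_ngrps * sizeof(gid_t)) costs nothing and keeps the call correct if that macro ever changes.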
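Review bot: the new TLS-credential branch in svc_getcred() reads xprt->xp_gidp[0] for cr_rgid and cr_svgid without checking xprt->xp_ngrps > 0; the group list comes from the rpctlssd(8) reply (gid<> in rpctlssd.x), and a reply with gid_len == 0 would turn this into an out-of-bounds read of a zero-length allocation. Suggest adding xprt->xp_ngrps > 0 to the condition, or rejecting such a reply where xp_ngrps and xp_gidp are stored in _svcauth_rpcsec_tls(). The branch also applies only when flavor == AUTH_UNIX, which matches the intent in the log, but the comment should say so explicitly: an RPCSEC_GSS caller on the same TLS connection keeps its GSS identity rather than being mapped to the certificate user.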
([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 033N0REl030420; Fri, 3 Apr 2020 23:00:27 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 033N0QPm030415; Fri, 3 Apr 2020 23:00:26 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004032300.033N0QPm030415@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Fri, 3 Apr 2020 23:00:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359625 - in projects/nfs-over-tls/sys/fs: nfs nfsserver X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: in projects/nfs-over-tls/sys/fs: nfs nfsserver X-SVN-Commit-Revision: 359625 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 23:00:38 -0000 Author: rmacklem Date: Fri Apr 3 23:00:26 2020 New Revision: 359625 URL: https://svnweb.freebsd.org/changeset/base/359625 Log: Fix up the handling of the "tls" and "tlscert" export options and add support for the "tlscertuser" export option. Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h projects/nfs-over-tls/sys/fs/nfs/nfsdport.h projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 22:46:08 2020 (r359624) +++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 23:00:26 2020 (r359625) 
@@ -719,8 +719,10 @@ struct nfsrv_descript { #define ND_NOMAP 0x800000000 #define ND_TLS 0x1000000000 #define ND_TLSCERT 0x2000000000 -#define ND_EXTLS 0x4000000000 -#define ND_EXTLSCERT 0x8000000000 +#define ND_TLSCNUSER 0x4000000000 +#define ND_EXTLS 0x8000000000 +#define ND_EXTLSCERT 0x10000000000 +#define ND_EXTLSCNUSER 0x20000000000 /* * ND_GSS should be the "or" of all GSS type authentications. Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 22:46:08 2020 (r359624) +++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 23:00:26 2020 (r359625) @@ -83,6 +83,7 @@ struct nfsexstuff { #define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY) #define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS) #define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT) +#define NFSVNO_EXTLSCNUSER(e) ((e)->nes_exflag & MNTEX_TLSCNUSER) #define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY)) Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 22:46:08 2020 (r359624) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 23:00:26 2020 (r359625) @@ -243,6 +243,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) nd.nd_flag |= ND_TLS; if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0) nd.nd_flag |= ND_TLSCERT; + if ((xprt->xp_tls & RPCTLS_FLAGS_CNUSER) != 0) + nd.nd_flag |= ND_TLSCNUSER; } nd.nd_maxextsiz = 16384; #ifdef MAC Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 22:46:08 2020 (r359624) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 23:00:26 2020 (r359625) 
@@ -3351,14 +3351,14 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh /* * If TLS is required by the export, check the flags in nd_flag. */ -printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag); if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) && (nd->nd_flag & ND_TLS) == 0) || (NFSVNO_EXTLSCERT(exp) && - (nd->nd_flag & ND_TLSCERT) == 0))) { + (nd->nd_flag & ND_TLSCERT) == 0) || + (NFSVNO_EXTLSCNUSER(exp) && + (nd->nd_flag & ND_TLSCNUSER) == 0))) { vput(*vpp); nd->nd_repstat = NFSERR_ACCES; -printf("set eacces\n"); } /* @@ -3625,11 +3625,12 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd) } /* And set ND_EXxx flags for TLS. */ -printf("v4root exflags=0x%x\n", exflags); - if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) { + if ((exflags & MNTEX_TLS) != 0) { nd->nd_flag |= ND_EXTLS; - if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0) + if ((exflags & MNTEX_TLSCERT) != 0) nd->nd_flag |= ND_EXTLSCERT; + if ((exflags & MNTEX_TLSCNUSER) != 0) + nd->nd_flag |= ND_EXTLSCNUSER; } out: Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 22:46:08 2020 (r359624) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 23:00:26 2020 (r359625) 
@@ -2130,21 +2130,28 @@ nfsd_checkrootexp(struct nfsrv_descript *nd) { if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS) - return (0); + goto checktls; if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) == (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) - return (0); + goto checktls; if ((nd->nd_flag & (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) == (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) - return (0); + goto checktls; if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY | ND_EXGSS)) == (ND_GSS | ND_EXGSS)) + goto checktls; + return (1); +checktls: + if ((nd->nd_flag & ND_EXTLS) == 0) return (0); - if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) == + if ((nd->nd_flag & (ND_TLSCNUSER | ND_EXTLSCNUSER)) == + (ND_TLSCNUSER | ND_EXTLSCNUSER)) + return (0); + if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCNUSER)) == (ND_TLSCERT | ND_EXTLSCERT)) return (0); - if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) == - (ND_EXTLS | ND_TLS)) + if ((nd->nd_flag & (ND_TLS | ND_EXTLSCNUSER | ND_EXTLSCERT)) == + ND_TLS) return (0); return (1); } From owner-svn-src-projects@freebsd.org Fri Apr 3 23:05:55 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 51891275CDA for ; Fri, 3 Apr 2020 23:05:55 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48vFsY45bvz3J6Q; Fri, 3 Apr 2020 23:05:53 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with 
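Review bot: the switch from RPCTLS_FLAGS_HANDSHAKE and RPCTLS_FLAGS_VERIFIED to MNTEX_TLS and MNTEX_TLSCERT in nfsvno_v4rootexport() is a real bug fix and deserves a line in the commit log: exflags holds export flags, while the RPCTLS_FLAGS_* values describe the transport's xp_tls state, so the old test compared values from two unrelated bit layouts and only worked if they happened to coincide. Removing the two printf() debugging lines in nfsd_fhtovp() is welcome; a grep for the remaining ones in nfs_nfsdport.c before the branch merges would be worthwhile.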
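Review bot: the three mask tests after the checktls: label in nfsd_checkrootexp() encode "the export requires X, the connection provides X, and the export requires nothing stricter than X", but nothing in the code says so; a comment above checktls: spelling out the strictness order ND_EXTLSCNUSER > ND_EXTLSCERT > ND_EXTLS (which is why ND_EXTLSCNUSER appears in the ND_TLSCERT mask and both ND_EXTLSCNUSER and ND_EXTLSCERT appear in the ND_TLS mask) would make the next change to this function much safer. The logic itself checks out: with ND_EXTLS clear the previous behaviour is preserved for every security flavor, and a plain-TLS connection to a tlscert or tlscertuser export now falls through to return (1).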
From: Rick Macklem Date: Fri, 3 Apr 2020 22:46:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359624 - projects/nfs-over-tls/sys/rpc/rpcsec_tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/sys/rpc/rpcsec_tls X-SVN-Commit-Revision: 359624 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2020 23:05:55 -0000 Author: rmacklem Date: Fri Apr 3 22:46:08 2020 New Revision: 359624 URL: https://svnweb.freebsd.org/changeset/base/359624 Log: Add support for certuser to the files in sys/rpc/rpcsec_tls. Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Fri Apr 3 22:38:13 2020 (r359623) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Fri Apr 3 22:46:08 2020 (r359624) @@ -90,7 +90,8 @@ static struct opaque_auth rpctls_null_verf; static CLIENT *rpctls_connect_client(void); static CLIENT *rpctls_server_client(void); static enum clnt_stat rpctls_server(struct socket *so, - uint32_t *flags, uint64_t *sslp); + uint32_t *flags, uint64_t *sslp, + uid_t *uid, int *ngrps, gid_t **gids); static void rpctls_init(void *dummy) 
@@ -425,11 +426,15 @@ printf("aft srv disconnect upcall=%d\n", stat); /* Do an upcall for a new server socket using TLS. */ static enum clnt_stat -rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp) +rpctls_server(struct socket *so, uint32_t *flags, uint64_t *sslp, + uid_t *uid, int *ngrps, gid_t **gids) { enum clnt_stat stat; CLIENT *cl; struct rpctlssd_connect_res res; + gid_t *gidp; + uint32_t *gidv; + int i; static bool rpctls_server_busy = false; printf("In rpctls_server\n"); @@ -455,6 +460,16 @@ printf("rpctls_conect so=%p\n", so); *sslp++ = res.sec; *sslp++ = res.usec; *sslp = res.ssl; + if ((*flags & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + *ngrps = res.gid.gid_len; + *uid = res.uid; + *gids = gidp = mem_alloc(*ngrps * sizeof(gid_t)); + gidv = res.gid.gid_val; +printf("got uid=%d ngrps=%d gidv=%p gids=%p\n", *uid, *ngrps, gidv, gids); + for (i = 0; i < *ngrps; i++) + *gidp++ = *gidv++; + } } printf("aft server upcall stat=%d flags=0x%x\n", stat, res.flags); CLNT_RELEASE(cl); @@ -484,6 +499,9 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m SVCXPRT *xprt; uint32_t flags; uint64_t ssl[3]; + int ngrps; + uid_t uid; + gid_t *gidp; /* Initialize reply. */ rqst->rq_verf = rpctls_null_verf; @@ -531,7 +549,7 @@ printf("authtls: null reply=%d\n", call_stat); /* Do an upcall to do the TLS handshake. */ stat = rpctls_server(rqst->rq_xprt->xp_socket, &flags, - ssl); + ssl, &uid, &ngrps, &gidp); /* Re-enable reception on the socket within the krpc. */ sx_xlock(&xprt->xp_lock); 
@@ -541,6 +559,13 @@ printf("authtls: null reply=%d\n", call_stat); xprt->xp_sslsec = ssl[0]; xprt->xp_sslusec = ssl[1]; xprt->xp_sslrefno = ssl[2]; + if ((flags & (RPCTLS_FLAGS_CNUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + xprt->xp_ngrps = ngrps; + xprt->xp_uid = uid; + xprt->xp_gidp = gidp; +printf("got uid=%d ngrps=%d gidp=%p\n", uid, ngrps, gidp); + } } sx_xunlock(&xprt->xp_lock); xprt_active(xprt); /* Harmless if already active. */ Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Fri Apr 3 22:38:13 2020 (r359623) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctlssd.x Fri Apr 3 22:46:08 2020 (r359624) @@ -27,13 +27,15 @@ /* Modified from gssd.x for the server side of RPC-over-TLS. */ -/* $FreeBSD:$ */ +/* $FreeBSD$ */ struct rpctlssd_connect_res { uint32_t flags; uint64_t sec; uint64_t usec; uint64_t ssl; + uint32_t uid; + uint32_t gid<>; }; struct rpctlssd_disconnect_arg {
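Review bot: the gid copy in rpctls_server() trusts res.gid.gid_len from the daemon as both the mem_alloc() size and the loop bound with no upper limit, while the daemon side (rpctls_cnname) never returns more than NGROUPS entries; clamp *ngrps to NGROUPS or reject larger replies so that a misbehaving daemon cannot drive an arbitrarily large kernel allocation, and initialise *gids = NULL and *ngrps = 0 before the flag test so the outputs are defined on every path rather than only under the RPCTLS_FLAGS_CNUSER condition the caller happens to repeat. The printf("got uid=...") at column 0 is debugging output that should go before this leaves the project branch, as should the matching one in _svcauth_rpcsec_tls().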
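Review bot: the assignment xprt->xp_gidp = gidp in _svcauth_rpcsec_tls() overwrites any list already attached to the transport without freeing it; if a second handshake on the same transport can reach this point, the earlier allocation leaks until svc_xprt_free(). Either mem_free() the old xp_gidp here before storing the new one, or add a comment stating why xp_gidp is guaranteed to be NULL at this point.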
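Review bot: uint32_t gid<>; in rpctlssd_connect_res declares the group list with no maximum, so the generated XDR decoder accepts whatever length the daemon sends; since the daemon fills at most NGROUPS entries, a bounded declaration such as uint32_t gid<NGROUPS>; (or a literal bound if NGROUPS is not visible to the generated code) documents the limit and lets xdr_array() enforce it, which would also remove the need for a clamp in the kernel consumer.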