From owner-svn-src-projects@freebsd.org Tue Apr 7 02:32:43 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 32F5B2A57AE for ; Tue, 7 Apr 2020 02:32:43 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48xBJq0LHfz3xHN; Tue, 7 Apr 2020 02:32:43 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 06EA7246F; Tue, 7 Apr 2020 02:32:43 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0372Wgok030018; Tue, 7 Apr 2020 02:32:42 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0372WgFE030017; Tue, 7 Apr 2020 02:32:42 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004070232.0372WgFE030017@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Tue, 7 Apr 2020 02:32:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359683 - projects/nfs-over-tls/sys/sys X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/sys/sys X-SVN-Commit-Revision: 359683 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Apr 2020 02:32:43 -0000 Author: rmacklem Date: Tue Apr 7 02:32:42 2020 New Revision: 359683 URL: https://svnweb.freebsd.org/changeset/base/359683 Log: Add MNTEX_TLSCERTUSER and fix the comment on MNTEX_TLSCERT. Modified: projects/nfs-over-tls/sys/sys/mount.h Modified: projects/nfs-over-tls/sys/sys/mount.h ============================================================================== --- projects/nfs-over-tls/sys/sys/mount.h Mon Apr 6 23:54:50 2020 (r359682) +++ projects/nfs-over-tls/sys/sys/mount.h Tue Apr 7 02:32:42 2020 (r359683) 
@@ -369,7 +369,8 @@ void __mnt_vnode_markerfree_lazy(struct vnode * compatibility with old versions of mountd, etc. */ #define MNTEX_TLS 0x0000000000000001ULL /* TLS RPC required */ -#define MNTEX_TLSCERT 0x0000000000000002ULL /* verified certificate req */ +#define MNTEX_TLSCERT 0x0000000000000002ULL /* verified cert req */ +#define MNTEX_TLSCERTUSER 0x0000000000000004ULL /* user cert req */ #define MNTEX_EXPORTED MNT_EXPORTED /* filesystem exported */ #define MNTEX_RDONLY MNT_EXRDONLY /* exported read only */ #define MNTEX_EXPORTANON MNT_EXPORTANON /* anon uid mapping for all */ From owner-svn-src-projects@freebsd.org Tue Apr 7 02:45:26 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C08852A5B3F for ; Tue, 7 Apr 2020 02:45:26 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48xBbV4jhTz3xs3; Tue, 7 Apr 2020 02:45:26 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9CF142659; Tue, 7 Apr 2020 02:45:26 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0372jQuL036114; Tue, 7 Apr 2020 02:45:26 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org 
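Review bot: the comment "user cert req" on the new MNTEX_TLSCERTUSER line does not say what satisfies the flag (a verified client certificate carrying a user identity) or whether it implies MNTEX_TLSCERT and MNTEX_TLS; spell that out in the comment, since the nfsd checks that consume these bits test each one independently. The comment above the hunk notes compatibility with old versions of mountd, so mountd(8) and exports(5) need the matching export option before this bit can ever be set from userland; until then the flag is dead. Also confirm 0x0000000000000004ULL does not overlap any MNT_* value aliased by the MNTEX_EXPORTED, MNTEX_RDONLY and MNTEX_EXPORTANON lines below it.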
(8.15.2/8.15.2/Submit) id 0372jOFE036105; Tue, 7 Apr 2020 02:45:24 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202004070245.0372jOFE036105@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Tue, 7 Apr 2020 02:45:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359684 - in projects/nfs-over-tls/sys: fs/nfs fs/nfsserver rpc rpc/rpcsec_tls X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: in projects/nfs-over-tls/sys: fs/nfs fs/nfsserver rpc rpc/rpcsec_tls X-SVN-Commit-Revision: 359684 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Apr 2020 02:45:26 -0000 Author: rmacklem Date: Tue Apr 7 02:45:24 2020 New Revision: 359684 URL: https://svnweb.freebsd.org/changeset/base/359684 Log: Rename constants with CNUSER in them to ones with CERTUSER in them. CERTUSER is more correct now that user@dns_domain is in the otherName field of subjectAltName and not the CN field of subjectName. Also, add the missing definition for MNTEX_TLSCERTUSER to mount.h. Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h projects/nfs-over-tls/sys/fs/nfs/nfsdport.h projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c projects/nfs-over-tls/sys/rpc/rpcsec_tls.h projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c projects/nfs-over-tls/sys/rpc/svc_auth.c Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfs.h Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Tue Apr 7 02:45:24 2020 (r359684) 
@@ -719,10 +719,10 @@ struct nfsrv_descript { #define ND_NOMAP 0x800000000 #define ND_TLS 0x1000000000 #define ND_TLSCERT 0x2000000000 -#define ND_TLSCNUSER 0x4000000000 +#define ND_TLSCERTUSER 0x4000000000 #define ND_EXTLS 0x8000000000 #define ND_EXTLSCERT 0x10000000000 -#define ND_EXTLSCNUSER 0x20000000000 +#define ND_EXTLSCERTUSER 0x20000000000 /* * ND_GSS should be the "or" of all GSS type authentications. Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h ============================================================================== --- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Tue Apr 7 02:45:24 2020 (r359684) @@ -83,7 +83,7 @@ struct nfsexstuff { #define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY) #define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS) #define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT) -#define NFSVNO_EXTLSCNUSER(e) ((e)->nes_exflag & MNTEX_TLSCNUSER) +#define NFSVNO_EXTLSCERTUSER(e) ((e)->nes_exflag & MNTEX_TLSCERTUSER) #define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY)) Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Tue Apr 7 02:45:24 2020 (r359684) 
@@ -243,8 +243,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) nd.nd_flag |= ND_TLS; if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0) nd.nd_flag |= ND_TLSCERT; - if ((xprt->xp_tls & RPCTLS_FLAGS_CNUSER) != 0) - nd.nd_flag |= ND_TLSCNUSER; + if ((xprt->xp_tls & RPCTLS_FLAGS_CERTUSER) != 0) + nd.nd_flag |= ND_TLSCERTUSER; } nd.nd_maxextsiz = 16384; #ifdef MAC Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Tue Apr 7 02:45:24 2020 (r359684) @@ -3355,8 +3355,8 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh (nd->nd_flag & ND_TLS) == 0) || (NFSVNO_EXTLSCERT(exp) && (nd->nd_flag & ND_TLSCERT) == 0) || - (NFSVNO_EXTLSCNUSER(exp) && - (nd->nd_flag & ND_TLSCNUSER) == 0))) { + (NFSVNO_EXTLSCERTUSER(exp) && + (nd->nd_flag & ND_TLSCERTUSER) == 0))) { vput(*vpp); nd->nd_repstat = NFSERR_ACCES; } @@ -3629,8 +3629,8 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd) nd->nd_flag |= ND_EXTLS; if ((exflags & MNTEX_TLSCERT) != 0) nd->nd_flag |= ND_EXTLSCERT; - if ((exflags & MNTEX_TLSCNUSER) != 0) - nd->nd_flag |= ND_EXTLSCNUSER; + if ((exflags & MNTEX_TLSCERTUSER) != 0) + nd->nd_flag |= ND_EXTLSCERTUSER; } out: Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c ============================================================================== --- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Tue Apr 7 02:45:24 2020 (r359684) 
@@ -2144,13 +2144,13 @@ nfsd_checkrootexp(struct nfsrv_descript *nd) checktls: if ((nd->nd_flag & ND_EXTLS) == 0) return (0); - if ((nd->nd_flag & (ND_TLSCNUSER | ND_EXTLSCNUSER)) == - (ND_TLSCNUSER | ND_EXTLSCNUSER)) + if ((nd->nd_flag & (ND_TLSCERTUSER | ND_EXTLSCERTUSER)) == + (ND_TLSCERTUSER | ND_EXTLSCERTUSER)) return (0); - if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCNUSER)) == + if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCERTUSER)) == (ND_TLSCERT | ND_EXTLSCERT)) return (0); - if ((nd->nd_flag & (ND_TLS | ND_EXTLSCNUSER | ND_EXTLSCERT)) == + if ((nd->nd_flag & (ND_TLS | ND_EXTLSCERTUSER | ND_EXTLSCERT)) == ND_TLS) return (0); return (1); Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Tue Apr 7 02:45:24 2020 (r359684) @@ -41,7 +41,7 @@ #define RPCTLS_FLAGS_SELFSIGNED 0x04 #define RPCTLS_FLAGS_VERIFIED 0x08 #define RPCTLS_FLAGS_DISABLED 0x10 -#define RPCTLS_FLAGS_CNUSER 0x20 +#define RPCTLS_FLAGS_CERTUSER 0x20 #ifdef _KERNEL /* Functions that perform upcalls to the rpctlsd daemon. */ Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Tue Apr 7 02:45:24 2020 (r359684) @@ -460,8 +460,8 @@ printf("rpctls_conect so=%p\n", so); *sslp++ = res.sec; *sslp++ = res.usec; *sslp = res.ssl; - if ((*flags & (RPCTLS_FLAGS_CNUSER | - RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + if ((*flags & (RPCTLS_FLAGS_CERTUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CERTUSER) { *ngrps = res.gid.gid_len; *uid = res.uid; *gids = gidp = mem_alloc(*ngrps * sizeof(gid_t)); 
@@ -559,8 +559,8 @@ printf("authtls: null reply=%d\n", call_stat); xprt->xp_sslsec = ssl[0]; xprt->xp_sslusec = ssl[1]; xprt->xp_sslrefno = ssl[2]; - if ((flags & (RPCTLS_FLAGS_CNUSER | - RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER) { + if ((flags & (RPCTLS_FLAGS_CERTUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CERTUSER) { xprt->xp_ngrps = ngrps; xprt->xp_uid = uid; xprt->xp_gidp = gidp; Modified: projects/nfs-over-tls/sys/rpc/svc_auth.c ============================================================================== --- projects/nfs-over-tls/sys/rpc/svc_auth.c Tue Apr 7 02:32:42 2020 (r359683) +++ projects/nfs-over-tls/sys/rpc/svc_auth.c Tue Apr 7 02:45:24 2020 (r359684) @@ -190,8 +190,8 @@ svc_getcred(struct svc_req *rqst, struct ucred **crp, * certificate for this TCP connection, use those * instead of what is in the RPC header. */ - if ((xprt->xp_tls & (RPCTLS_FLAGS_CNUSER | - RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CNUSER && + if ((xprt->xp_tls & (RPCTLS_FLAGS_CERTUSER | + RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CERTUSER && flavor == AUTH_UNIX) { cr = crget(); cr->cr_uid = cr->cr_ruid = cr->cr_svuid = xprt->xp_uid;
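Review bot: for the nfs.h hunk, grep the rest of the tree for remaining ND_TLSCNUSER, NFSVNO_EXTLSCNUSER and MNTEX_TLSCNUSER users, since any file not in the Modified list will now fail to compile; the bit values 0x4000000000 and 0x20000000000 are unchanged, so nd_flag consumers need no other change. Separately, the log says this commit also adds the missing MNTEX_TLSCERTUSER definition to mount.h, but mount.h is not in the Modified list (it was added in r359683), so that sentence of the log is stale.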
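Review bot: in the nfs_nfsdkrpc.c hunk ND_TLSCERTUSER is set from RPCTLS_FLAGS_CERTUSER alone, without also requiring RPCTLS_FLAGS_VERIFIED, whereas ND_TLSCERT on the line above does require it. If the daemon can ever report CERTUSER for an unverified (RPCTLS_FLAGS_SELFSIGNED) certificate, an export marked MNTEX_TLSCERTUSER would be satisfied by a self-asserted user name. Either document that contract next to the flag definitions or test both bits here: `if ((xprt->xp_tls & (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CERTUSER)) == (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CERTUSER))`.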
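Review bot: in the nfsd_fhtovp hunk the three export requirements are tested independently, and in the nfsvno_v4rootexport hunk the ND_EXTLS, ND_EXTLSCERT and ND_EXTLSCERTUSER bits are set independently, so an export flagged MNTEX_TLSCERTUSER but not MNTEX_TLSCERT is satisfied by ND_TLSCERTUSER alone. That is only sound if ND_TLSCERTUSER is never set without ND_TLSCERT; either normalise the export flags once where they are read (MNTEX_TLSCERTUSER implies MNTEX_TLSCERT implies MNTEX_TLS) or state the invariant in a comment beside these checks.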
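Review bot: the three tier tests in the nfsd_checkrootexp hunk are correct but hard to read; add a short comment listing the tiers (user cert, verified cert, plain TLS, each test accepting only the matching export level and rejecting a lower one), and note that the first test does not also require ND_TLSCERT, so it relies on the transport layer only reporting a cert user for a verified certificate.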
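Review bot: in the rpcsec_tls.h hunk RPCTLS_FLAGS_CERTUSER keeps the value 0x20, so the rename is ABI neutral, but this header is also consumed by the rpctlsd daemon named in the comment below the hunk, and that userland side must be renamed in the same change or it will not build. Consider adding a helper here, for example `#define RPCTLS_HAS_CERTUSER(f) (((f) & (RPCTLS_FLAGS_CERTUSER | RPCTLS_FLAGS_DISABLED)) == RPCTLS_FLAGS_CERTUSER)`, since that exact expression now appears three times (twice in rpctls_impl.c, once in svc_auth.c) and a future flag would have to be threaded through each copy.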
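Review bot: in the rpctls_connect hunk *ngrps is copied from res.gid.gid_len, a value supplied by the daemon, and passed straight to mem_alloc(*ngrps * sizeof(gid_t)); bound it against the kernel's group limit before allocating and reject a reply that exceeds it, so a daemon bug cannot request an oversized kernel allocation or hand the credential code more groups than it can hold. The `printf("rpctls_conect so=%p\n", so);` in this hunk's context (note the typo) and `printf("authtls: null reply=%d\n", call_stat);` in the second hunk look like leftover debugging and should be removed before this leaves the project branch.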
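Review bot: in the svc_getcred hunk the certificate credentials override the RPC header only when flavor == AUTH_UNIX, yet the comment above the hunk says the certificate's uid and gids are used instead of what is in the RPC header. State explicitly what happens to AUTH_NONE and RPCSEC_GSS requests arriving on a CERTUSER connection (keep their own credentials, or reject them); otherwise the flavor the client chooses, rather than the certificate, decides which uid is used for that request.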