From owner-svn-src-projects@freebsd.org Sun Aug 30 01:09:17 2020
Message-Id: <202008300109.07U19G9E076897@repo.freebsd.org>
From: Rick Macklem
Date: Sun, 30 Aug 2020 01:09:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r364971 - in projects/nfs-over-tls: . usr.sbin/rpctlssd

Author: rmacklem
Date: Sun Aug 30 01:09:15 2020
New Revision: 364971
URL: https://svnweb.freebsd.org/changeset/base/364971

Log:
  Set the OID for a user@domain subjAltName otherName component to one
  assigned under the FreeBSD MIB registry.

Modified:
  projects/nfs-over-tls/nfs-over-tls-setup.txt
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8
  projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c

Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt
==============================================================================
--- projects/nfs-over-tls/nfs-over-tls-setup.txt	Sat Aug 29 22:24:41 2020	(r364970)
+++ projects/nfs-over-tls/nfs-over-tls-setup.txt	Sun Aug 30 01:09:15 2020	(r364971)
@@ -212,10 +212,10 @@ to nfsv4-server.uoguelph.ca and the other to nfsv4-ser For a client where you wish all RPCs to be done as the user rmacklem on the above server: -# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem For a client similar to the above, but has a FQDN of nfsv4-client.uoguelph.ca: -# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.2.3.4.6.9;UTF8:rmacklem@uoguelph.ca" -out req.pem +# openssl req -new -key key.pem -addext "subjectAltName=DNS:nfsv4-client.uoguelph.ca,othername:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca" -out req.pem If you want to look at the CSR: # openssl req -in req.pem -noout -text Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.8 Sun Aug 30 01:09:15 2020 (r364971) @@ -75,7 +75,7 @@ The option in the .Xr exports 5 file specifies that the client must provide a certificate -that verifies and has a otherName:1.2.3.4.6.9;UTF8: field of +that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of subjectAltName of the form .Dq user@dns_domain that maps to a . 
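Review bot: the two CSR command lines in the nfs-over-tls-setup.txt hunk spell the subjectAltName type tag differently: the first uses `otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:rmacklem@uoguelph.ca`, the second (the one that also carries a `DNS:` entry) uses `othername:1.3.6.1.4.1.2238.1.1.1;UTF8:...`. As far as I know OpenSSL's `-addext` parser matches these type names with a case-sensitive compare, so the second example is likely to be rejected with an unsupported-option error; normalize both to `otherName`, which is also the spelling the rpctlssd.8 hunks use. Since the commit log says the arc is now the registered FreeBSD one rather than a placeholder, it would also help readers of this setup text to note that client certificates issued with the old `1.2.3.4.6.9` value will no longer match the server's `rpctls_cnuseroid` and must be reissued.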
@@ -237,7 +237,7 @@ have been specified. .It Fl u This option specifies that if the client provides a certificate that both verifies and has a subjectAltName with an otherName of the form -.Dq otherName:1.2.3.4.6.9;UTF8:user@dns_domain +.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user@dns_domain the daemon will attempt to map .Dq user@dns_domain in the above Modified: projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sat Aug 29 22:24:41 2020 (r364970) +++ projects/nfs-over-tls/usr.sbin/rpctlssd/rpctlssd.c Sun Aug 30 01:09:15 2020 (r364971) 
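Review bot: with this hunk the OID is carried as a literal in three places that must stay in sync: twice in rpctlssd.8 (this hunk and the -75 hunk above) and once in rpctlssd.c as `rpctls_cnuseroid`. Now that the value is the registered one, consider defining it once in a shared header used by both the daemon and the kernel rpcsec_tls code and having the man page refer to that definition, so a later change cannot leave the documentation and the comparison code disagreeing. Minor wording in the -75 hunk: "has a otherName" should read "has an otherName".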
@@ -94,7 +94,7 @@ static uint64_t rpctls_ssl_usec = 0; static bool rpctls_gothup = false; static bool rpctls_cnuser = false; static char *rpctls_dnsname; -static const char *rpctls_cnuseroid = "1.2.3.4.6.9"; +static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; /* * A linked list of all current "SSL *"s and socket "fd"s

From owner-svn-src-projects@freebsd.org Tue Sep 1 01:12:56 2020
Message-Id: <202009010112.0811Cudu074349@repo.freebsd.org>
From: Rick Macklem
Date: Tue, 1 Sep 2020 01:12:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365020 - projects/nfs-over-tls/sys/fs/nfsclient

Author: rmacklem
Date: Tue Sep 1 01:12:55 2020
New Revision: 365020
URL: https://svnweb.freebsd.org/changeset/base/365020

Log:
  Add a check to test for the case of the "tls" option being used with "udp".
  The KERN_TLS only supports TCP, so use of the "tls" option with "udp"
  will not work.
  This patch adds a test for this case, so that the mount is not attempted
  when both "tls" and "udp" are specified.

Modified:
  projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c

Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c	Tue Sep 1 01:10:16 2020	(r365019)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c	Tue Sep 1 01:12:55 2020	(r365020)
@@ -1419,7 +1419,9 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru if ((newflag & NFSMNT_TLS) != 0) { error = EINVAL; #ifdef KERN_TLS - if (rpctls_getinfo(&maxlen, true, false)) + /* KERN_TLS is only supported for TCP. */ + if (argp->sotype == SOCK_STREAM && + rpctls_getinfo(&maxlen, true, false)) error = 0; #endif if (error != 0) {

From owner-svn-src-projects@freebsd.org Thu Sep 3 21:52:50 2020
Message-Id: <202009032152.083Lqova038139@repo.freebsd.org>
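Review bot: the new `argp->sotype == SOCK_STREAM` test in mountnfs() folds the udp case into the same `error = EINVAL` that is already returned when the kernel is built without KERN_TLS or rpctls_getinfo() reports no support, so the administrator gets one undifferentiated EINVAL for three different causes. Suggest a distinct log message for the "tls requires tcp" case in the `if (error != 0) {` block that follows, and a matching sentence in mount_nfs(8) stating that the `tls` option requires `tcp`. Placing the check here, before any connection is attempted, is the right call; failing fast in mountnfs() is better than letting the RPC layer discover later that KERN_TLS cannot be enabled on a datagram socket.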
From: Rick Macklem
Date: Thu, 3 Sep 2020 21:52:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365310 - projects/nfs-over-tls/usr.sbin/rpc.tlsclntd

Author: rmacklem
Date: Thu Sep 3 21:52:49 2020
New Revision: 365310
URL: https://svnweb.freebsd.org/changeset/base/365310

Log:
  Add the renamed client daemon.
  Also, add long options for those who like them.

Added:
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/Makefile   (contents, props changed)
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.8   (contents, props changed)
  projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c   (contents, props changed)

Added: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/Makefile	Thu Sep 3 21:52:49 2020	(r365310)
@@ -0,0 +1,32 @@ +# $FreeBSD$ + +.include + +PROG= rpc.tlsclntd +MAN= rpc.tlsclntd.8 +SRCS= rpc.tlsclntd.c rpctlscd.h rpctlscd_svc.c rpctlscd_xdr.c + +CFLAGS+= -I. + +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util + +CLEANFILES= rpctlscd_svc.c rpctlscd_xdr.c rpctlscd.h + +RPCSRC= ${SRCTOP}/sys/rpc/rpcsec_tls/rpctlscd.x +RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M + +rpctlscd_svc.c: ${RPCSRC} rpctlscd.h + ${RPCGEN} -m -o ${.TARGET} ${RPCSRC} + +rpctlscd_xdr.c: ${RPCSRC} rpctlscd.h + ${RPCGEN} -c -o ${.TARGET} ${RPCSRC} + +rpctlscd.h: ${RPCSRC} + ${RPCGEN} -h -o ${.TARGET} ${RPCSRC} + +.PATH: ${SRCTOP}/sys/rpc/rpcsec_tls + +.include Added: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.8 Thu Sep 3 21:52:49 2020 (r365310) 
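Review bot: `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` point at a private OpenSSL tree that exists only on the development machine. In a normal build these lines either break compilation or, worse, quietly link the daemon against whatever libssl lives under /usr/ktls instead of the base library named by `LIBADD= ssl crypto util`, which is not what a user installing rpc.tlsclntd expects to be trusting for certificate verification. The source already guards the OpenSSL 3 calls (SSL_CTX_load_verify_file()/SSL_CTX_load_verify_dir()) with an OPENSSL_VERSION_NUMBER check, so it should build against the base OpenSSL; drop the two lines, or make them conditional on a make variable that defaults to unset, before this leaves the project branch.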
@@ -0,0 +1,176 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Modified from gssd.8 for rpc.tlsclntd.8 by Rick Macklem. +.Dd September 3, 2020 +.Dt RPC.TLSCLNTD 8 +.Os +.Sh NAME +.Nm rpc.tlsclntd +.Nd "Sun RPC over TLS Client Daemon" +.Sh SYNOPSIS +.Nm +.Op Fl D Ar certdir +.Op Fl d +.Op Fl l Ar CAfile +.Op Fl m +.Op Fl p Ar CApath +.Op Fl r Ar CRLfile +.Op Fl v +.Sh DESCRIPTION +The +.Nm +program provides support for the client side of the kernel Sun RPC over TLS +implementation. 
+This daemon must be running for the kernel RPC to be able to do a TLS +connection to a server for an NFS over TLS mount. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). +.Pp +If either of the +.Fl l +or +.Fl p +options have been specified, the daemon will require the server's +certificate to verify +and have a Fully Qualified Domain Name (FQDN) in it. +This FQDN must match +the reverse DNS name for the IP address that +the server is using for the TCP connection. +The FQDN may be +in either the DNS field of the subjectAltName or the CN field of the +subjectName in the certificate and +cannot have a wildcard +.Dq * +in it. +.Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl l +or +.Fl p +option has been specified. +.Pp +The options are as follows: +.Bl -tag -width indent +.It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir +Use +.Dq certdir +instead of /etc/rpc.tlsclntd for the +.Fl m +option. +.It Fl d , Fl Fl debuglevel +Run in debug mode. +In this mode, +.Nm +will not fork when it starts. +.It Fl l Ar CAfile , Fl Fl verifylocs= Ns Ar CAfile +This specifies the path name of a CAfile which holds the information +for server certificate verification. +This path name is used in +.Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) +and +.Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file(CAfile)) +openssl library calls. +Note that this is a path name for the file and is not assumed to be +in +.Dq certdir . +.It Fl m , Fl Fl mutualverf +Enable support for mutual authentication. 
+A certificate and associated key must be found in /etc/rpc.tlsclntd +(or the directory specified by the +.Fl D +option) +in case a server requests a peer certificate. +The certificate needs to be in a file named +.Dq cert.pem +and the key in a file named +.Dq key.pem . +If there is a passphrase on the +.Dq key.pem +file, this daemon will prompt for the passphrase during startup. +.It Fl p Ar CApath , Fl Fl verifydir= Ns Ar CApath +This option is similar to the +.Fl l +option, but specifies the path of a directory with CA +certificates in it. +When this option is used, +.Dq SSL_CTX_set0_CA_list(ctx,SSL_load_client_CA_file()) +is not called, so a list of CA names is not be passed +to the server during the TLS handshake. +The openssl documentation indicates this call is rarely needed. +(However, I was not able to determine if/when this matters, so +if in doubt, use the +.Fl l +option instead of this option.) +.It Fl r Ar CRLfile , Fl Fl crl= Ns Ar CRLfile +This option specifies a Certificate Revocation List (CRL) file +that is to be loaded into the verify certificate store and +checked during verification of the server's certificate. +This option is meaningless unless either the +.Fl l +or +.Fl p +have been specified. +.It Fl v , Fl Fl verbose +Run in verbose mode. +In this mode, +.Nm +will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to +stderr, if the +.Fl d +option has also been specified. +.El +.Sh EXIT STATUS +.Ex -std +.Sh SEE ALSO +.Xr openssl 1 , +.Xr mount_nfs 8 , +.Xr rpc.tlsservd 8 , +.Xr syslogd 8 +.Sh BUGS +This daemon cannot be safely shut down and restarted if there are +any active RPC-over-TLS connections. +Doing so will orphan the KERNEL_TLS connections, so that they +can no longer do upcalls successfully, since the +.Dq SSL * +structures in userspace have been lost. +.Sh HISTORY +The +.Nm +manual page first appeared in +.Fx 13.0 . 
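Review bot: the DESCRIPTION ties the -l/-p server-certificate check to a name the client cannot authenticate: the FQDN "must match the reverse DNS name for the IP address that the server is using for the TCP connection", so whoever controls (or can spoof) the PTR record for the server's address chooses which name the certificate must bear, and the verification is only as strong as the resolver path. The page should state that limitation plainly, and the daemon would be on firmer ground matching the certificate against the host name the user gave mount_nfs(8) (passed through the upcall) or against the peer address via an iPAddress subjectAltName, rather than a reverse lookup. Smaller points in the same hunk: under -p, "a list of CA names is not be passed" should read "is not passed", and the first-person parenthetical "(However, I was not able to determine if/when this matters ...)" belongs in BUGS or in the commit message rather than in an option description; under -D, "for the -m option" would read more clearly as "when the -m option is used".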
Added: projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c Thu Sep 3 21:52:49 2020 (r365310) 
@@ -0,0 +1,783 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ + * Authors: Doug Rabson + * Developed with Red Inc: Alfred Perlstein + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* Modified from gssd.c for the client side of kernel RPC-over-TLS. 
*/ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "rpctlscd.h" + +#ifndef _PATH_RPCTLSCDSOCK +#define _PATH_RPCTLSCDSOCK "/var/run/rpc.tlsclntd.sock" +#endif +#ifndef _PATH_CERTANDKEY +#define _PATH_CERTANDKEY "/etc/rpc.tlsclntd/" +#endif +#ifndef _PATH_RPCTLSCDPID +#define _PATH_RPCTLSCDPID "/var/run/rpc.tlsclntd.pid" +#endif +#ifndef _PREFERRED_CIPHERS +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" +#endif + +static struct pidfh *rpctls_pfh = NULL; +static int rpctls_debug_level; +static bool rpctls_verbose; +static SSL_CTX *rpctls_ctx = NULL; +static const char *rpctls_verify_cafile = NULL; +static const char *rpctls_verify_capath = NULL; +static const char *rpctls_crlfile = NULL; +static const char *rpctls_certdir = _PATH_CERTANDKEY; +static uint64_t rpctls_ssl_refno = 0; +static uint64_t rpctls_ssl_sec = 0; +static uint64_t rpctls_ssl_usec = 0; +static bool rpctls_gothup = false; + +/* + * A linked list of all current "SSL *"s and socket "fd"s + * for kernel RPC TLS connections is maintained. + * The "refno" field is a unique 64bit value used to + * identify which entry a kernel RPC upcall refers to. 
+ */ +LIST_HEAD(ssl_list, ssl_entry); +struct ssl_entry { + LIST_ENTRY(ssl_entry) next; + uint64_t refno; + int s; + SSL *ssl; +}; +static struct ssl_list rpctls_ssllist; + +static void rpctlscd_terminate(int); +static SSL_CTX *rpctls_setupcl_ssl(bool cert); +static SSL *rpctls_connect(SSL_CTX *ctx, int s); +static int rpctls_gethost(int s, struct sockaddr *sad, + char *hostip, size_t hostlen); +static int rpctls_checkhost(struct sockaddr *sad, X509 *cert); +static int rpctls_loadcrlfile(SSL_CTX *ctx); +static void rpctls_huphandler(int sig __unused); + +extern void rpctlscd_1(struct svc_req *rqstp, SVCXPRT *transp); + +static struct option longopts[] = { + { "certdir", required_argument, NULL, 'D' }, + { "debuglevel", no_argument, NULL, 'd' }, + { "verifylocs", required_argument, NULL, 'l' }, + { "mutualverf", no_argument, NULL, 'm' }, + { "verifydir", required_argument, NULL, 'p' }, + { "crl", required_argument, NULL, 'r' }, + { "verbose", no_argument, NULL, 'v' }, + { NULL, 0, NULL, 0 } +}; + +int +main(int argc, char **argv) +{ + /* + * We provide an RPC service on a local-domain socket. The + * kernel rpctls code will upcall to this daemon to do the initial + * TLS handshake. + */ + struct sockaddr_un sun; + int fd, oldmask, ch; + SVCXPRT *xprt; + bool cert; + struct timeval tm; + struct timezone tz; + pid_t otherpid; + + /* Check that another rpctlscd isn't already running. */ + rpctls_pfh = pidfile_open(_PATH_RPCTLSCDPID, 0600, &otherpid); + if (rpctls_pfh == NULL) { + if (errno == EEXIST) + errx(1, "rpctlscd already running, pid: %d.", otherpid); + warn("cannot open or create pidfile"); + } + + if (modfind("ktls_ocf") < 0) { + /* Not present in kernel, try loading it */ + if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0) + errx(1, "Cannot load ktls_ocf"); + } + if (modfind("aesni") < 0) { + /* Not present in kernel, try loading it */ + kldload("aesni"); + } + + /* Get the time when this daemon is started. 
*/ + gettimeofday(&tm, &tz); + rpctls_ssl_sec = tm.tv_sec; + rpctls_ssl_usec = tm.tv_usec; + + rpctls_verbose = false; + cert = false; + while ((ch = getopt_long(argc, argv, "D:dl:mp:r:v", longopts, NULL)) != + -1) { + switch (ch) { + case 'D': + rpctls_certdir = optarg; + break; + case 'd': + rpctls_debug_level++; + break; + case 'l': + rpctls_verify_cafile = optarg; + break; + case 'm': + cert = true; + break; + case 'p': + rpctls_verify_capath = optarg; + break; + case 'r': + rpctls_crlfile = optarg; + break; + case 'v': + rpctls_verbose = true; + break; + default: + fprintf(stderr, "usage: %s " + "[-D/--certdir certdir] [-d/--debuglevel] " + "[-l/--verifylocs CAfile] [-m/--mutualverf] " + "[-p/--verifydir CApath] [-r/--crl CRLfile] " + "[-v/--verbose]\n", argv[0]); + exit(1); + break; + } + } + if (rpctls_crlfile != NULL && rpctls_verify_cafile == NULL && + rpctls_verify_capath == NULL) + errx(1, "-r requires the -l and/or " + "-p options"); + + if (modfind("krpc") < 0) { + /* Not present in kernel, try loading it */ + if (kldload("krpc") < 0 || modfind("krpc") < 0) + errx(1, "Kernel RPC is not available"); + } + + /* + * Set up the SSL_CTX *. + * Do it now, before daemonizing, in case the private key + * is encrypted and requires a passphrase to be entered. 
+ */ + rpctls_ctx = rpctls_setupcl_ssl(cert); + if (rpctls_ctx == NULL) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't set up TSL context"); + exit(1); + } + err(1, "Can't set up TSL context"); + } + LIST_INIT(&rpctls_ssllist); + + if (!rpctls_debug_level) { + if (daemon(0, 0) != 0) + err(1, "Can't daemonize"); + signal(SIGINT, SIG_IGN); + signal(SIGQUIT, SIG_IGN); + signal(SIGHUP, SIG_IGN); + } + signal(SIGTERM, rpctlscd_terminate); + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, rpctls_huphandler); + + pidfile_write(rpctls_pfh); + + memset(&sun, 0, sizeof sun); + sun.sun_family = AF_LOCAL; + unlink(_PATH_RPCTLSCDSOCK); + strcpy(sun.sun_path, _PATH_RPCTLSCDSOCK); + sun.sun_len = SUN_LEN(&sun); + fd = socket(AF_LOCAL, SOCK_STREAM, 0); + if (fd < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't create local rpctlscd socket"); + exit(1); + } + err(1, "Can't create local rpctlscd socket"); + } + oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); + if (bind(fd, (struct sockaddr *)&sun, sun.sun_len) < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't bind local rpctlscd socket"); + exit(1); + } + err(1, "Can't bind local rpctlscd socket"); + } + umask(oldmask); + if (listen(fd, SOMAXCONN) < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't listen on local rpctlscd socket"); + exit(1); + } + err(1, "Can't listen on local rpctlscd socket"); + } + xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); + if (!xprt) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't create transport for local rpctlscd socket"); + exit(1); + } + err(1, "Can't create transport for local rpctlscd socket"); + } + if (!svc_reg(xprt, RPCTLSCD, RPCTLSCDVERS, rpctlscd_1, NULL)) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't register service for local rpctlscd socket"); + exit(1); + } + err(1, "Can't register service for local rpctlscd socket"); + } + + rpctls_syscall(RPCTLS_SYSC_CLSETPATH, _PATH_RPCTLSCDSOCK); + svc_run(); + 
rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, ""); + + SSL_CTX_free(rpctls_ctx); + EVP_cleanup(); + return (0); +} + +static void +rpctlscd_verbose_out(const char *fmt, ...) +{ + va_list ap; + + if (rpctls_verbose) { + va_start(ap, fmt); + if (rpctls_debug_level == 0) + vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap); + else + vfprintf(stderr, fmt, ap); + va_end(ap); + } +} + +bool_t +rpctlscd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) +{ + + rpctlscd_verbose_out("rpctlscd_null: done\n"); + return (TRUE); +} + +bool_t +rpctlscd_connect_1_svc(void *argp, + struct rpctlscd_connect_res *result, struct svc_req *rqstp) +{ + int s; + bool_t res; + SSL *ssl; + char buf[1024]; + ssize_t siz, ret; + struct ssl_entry *newslp; + + rpctlscd_verbose_out("rpctlsd_connect: started\n"); + /* Get the socket fd from the kernel. */ + s = rpctls_syscall(RPCTLS_SYSC_CLSOCKET, ""); +rpctlscd_verbose_out("rpctlsd_connect s=%d\n", s); + if (s < 0) { + result->reterr = RPCTLSERR_NOSOCKET; + return (TRUE); + } + + /* Do a TLS connect handshake. */ + ssl = rpctls_connect(rpctls_ctx, s); + if (ssl == NULL) { + rpctlscd_verbose_out("rpctlsd_connect: can't do TLS " + "handshake\n"); + result->reterr = RPCTLSERR_NOSSL; + } else { + result->reterr = RPCTLSERR_OK; + result->sec = rpctls_ssl_sec; + result->usec = rpctls_ssl_usec; + result->ssl = ++rpctls_ssl_refno; + /* Hard to believe this will ever wrap around.. */ + if (rpctls_ssl_refno == 0) + result->ssl = ++rpctls_ssl_refno; + } + + if (ssl == NULL) { + /* + * For RPC-over-TLS, this upcall is expected + * to close off the socket. 
+ */ + close(s); + return (TRUE); + } + + /* Maintain list of all current SSL *'s */ + newslp = malloc(sizeof(*newslp)); + newslp->refno = rpctls_ssl_refno; + newslp->s = s; + newslp->ssl = ssl; + LIST_INSERT_HEAD(&rpctls_ssllist, newslp, next); + return (TRUE); +} + +bool_t +rpctlscd_handlerecord_1_svc(struct rpctlscd_handlerecord_arg *argp, + struct rpctlscd_handlerecord_res *result, struct svc_req *rqstp) +{ + struct ssl_entry *slp; + int ret; + char junk; + +rpctlscd_verbose_out("handlerec sslref=%jx\n", (uintmax_t)slp->refno); + slp = NULL; + if (argp->sec == rpctls_ssl_sec && argp->usec == + rpctls_ssl_usec) { + LIST_FOREACH(slp, &rpctls_ssllist, next) { + if (slp->refno == argp->ssl) + break; + } + } + + if (slp != NULL) { + rpctlscd_verbose_out("rpctlscd_handlerecord fd=%d\n", + slp->s); + /* + * An SSL_read() of 0 bytes should fail, but it should + * handle the non-application data record before doing so. + */ + ret = SSL_read(slp->ssl, &junk, 0); + if (ret <= 0) { + /* Check to see if this was a close alert. 
*/ + ret = SSL_get_shutdown(slp->ssl); +rpctlscd_verbose_out("get_shutdown2=%d\n", ret); + if ((ret & (SSL_SENT_SHUTDOWN | + SSL_RECEIVED_SHUTDOWN)) == SSL_RECEIVED_SHUTDOWN) + SSL_shutdown(slp->ssl); + } else { + if (rpctls_debug_level == 0) + syslog(LOG_ERR, "SSL_read returned %d", ret); + else + fprintf(stderr, "SSL_read returned %d\n", ret); + } + result->reterr = RPCTLSERR_OK; + } else + result->reterr = RPCTLSERR_NOSSL; + return (TRUE); +} + +bool_t +rpctlscd_disconnect_1_svc(struct rpctlscd_disconnect_arg *argp, + struct rpctlscd_disconnect_res *result, struct svc_req *rqstp) +{ + struct ssl_entry *slp; + int ret; + +rpctlscd_verbose_out("disconnect refno=%jx\n", (uintmax_t)slp->refno); + slp = NULL; + if (argp->sec == rpctls_ssl_sec && argp->usec == + rpctls_ssl_usec) { + LIST_FOREACH(slp, &rpctls_ssllist, next) { + if (slp->refno == argp->ssl) + break; + } + } + + if (slp != NULL) { + rpctlscd_verbose_out("rpctlscd_disconnect: fd=%d closed\n", + slp->s); + LIST_REMOVE(slp, next); + ret = SSL_get_shutdown(slp->ssl); +rpctlscd_verbose_out("get_shutdown0=%d\n", ret); + /* + * Do an SSL_shutdown() unless a close alert has + * already been sent. + */ + if ((ret & SSL_SENT_SHUTDOWN) == 0) + SSL_shutdown(slp->ssl); + SSL_free(slp->ssl); + /* + * For RPC-over-TLS, this upcall is expected + * to close off the socket. 
+ */ + shutdown(slp->s, SHUT_WR); + close(slp->s); + free(slp); + result->reterr = RPCTLSERR_OK; + } else + result->reterr = RPCTLSERR_NOCLOSE; + return (TRUE); +} + +int +rpctlscd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) +{ + + return (TRUE); +} + +static void +rpctlscd_terminate(int sig __unused) +{ + + rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, ""); + pidfile_remove(rpctls_pfh); + exit(0); +} + +static SSL_CTX * +rpctls_setupcl_ssl(bool cert) +{ + SSL_CTX *ctx; + long flags; + char path[PATH_MAX]; + size_t len, rlen; + int ret; + + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); + + ctx = SSL_CTX_new(TLS_client_method()); + if (ctx == NULL) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: SSL_CTX_new " + "failed\n"); + return (NULL); + } + SSL_CTX_set_ecdh_auto(ctx, 1); + + /* + * Set preferred ciphers, since KERN_TLS only supports a + * few of them. + */ + ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS); + if (ret == 0) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: " + "SSL_CTX_set_cipher_list failed to set any ciphers\n"); + SSL_CTX_free(ctx); + return (NULL); + } + + /* + * If cert is true, a certificate and key exists in + * rpctls_certdir, so that it can do mutual authentication. + */ + if (cert) { + /* Get the cert.pem and key.pem files. 
*/ + len = strlcpy(path, rpctls_certdir, sizeof(path)); + rlen = sizeof(path) - len; + if (strlcpy(&path[len], "cert.pem", rlen) != 8) { + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_use_certificate_file(ctx, path, + SSL_FILETYPE_PEM); + if (ret != 1) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: can't use " + "certificate file path=%s ret=%d\n", path, ret); + SSL_CTX_free(ctx); + return (NULL); + } + if (strlcpy(&path[len], "key.pem", rlen) != 7) { + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_use_PrivateKey_file(ctx, path, + SSL_FILETYPE_PEM); + if (ret != 1) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: Can't use " + "private key path=%s ret=%d\n", path, ret); + SSL_CTX_free(ctx); + return (NULL); + } + } + if (rpctls_verify_cafile != NULL || rpctls_verify_capath != NULL) { + if (rpctls_crlfile != NULL) { + ret = rpctls_loadcrlfile(ctx); + if (ret == 0) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: " + "Load CRLfile failed\n"); + SSL_CTX_free(ctx); + return (NULL); + } + } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + ret = 1; + if (rpctls_verify_cafile != NULL) + ret = SSL_CTX_load_verify_file(ctx, + rpctls_verify_cafile); + if (ret != 0 && rpctls_verify_capath != NULL) + ret = SSL_CTX_load_verify_dir(ctx, + rpctls_verify_capath); +#else + ret = SSL_CTX_load_verify_locations(ctx, + rpctls_verify_cafile, rpctls_verify_capath); +#endif + if (ret == 0) { + rpctlscd_verbose_out("rpctls_setupcl_ssl: " + "Can't load verify locations\n"); + SSL_CTX_free(ctx); + return (NULL); + } + /* + * The man page says that the + * SSL_CTX_set0_CA_list() call is not normally + * needed, but I believe it is harmless. + */ + if (rpctls_verify_cafile != NULL) + SSL_CTX_set0_CA_list(ctx, + SSL_load_client_CA_file(rpctls_verify_cafile)); + } + + /* RPC-over-TLS must use TLSv1.3. 
*/ +#ifdef notyet + flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | + SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; +#else + flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3; +#endif + SSL_CTX_set_options(ctx, flags); + return (ctx); +} + +static SSL * +rpctls_connect(SSL_CTX *ctx, int s) +{ + SSL *ssl; + X509 *cert; + struct sockaddr *sad; + struct sockaddr_storage ad; + char hostnam[NI_MAXHOST]; + int gethostret, ret; + char *cp, *cp2; + + if (rpctls_gothup) { + rpctls_gothup = false; + ret = rpctls_loadcrlfile(ctx); + if (ret == 0) + rpctlscd_verbose_out("rpctls_connect: Can't " + "reload CRLfile\n"); + } + ssl = SSL_new(ctx); + if (ssl == NULL) { + rpctlscd_verbose_out("rpctls_connect: " + "SSL_new failed\n"); + return (NULL); + } + if (SSL_set_fd(ssl, s) != 1) { + rpctlscd_verbose_out("rpctls_connect: " + "SSL_set_fd failed\n"); + SSL_free(ssl); + return (NULL); + } +rpctlscd_verbose_out("at SSL_connect\n"); + ret = SSL_connect(ssl); +rpctlscd_verbose_out("aft SSL_connect ret=%d\n", ret); + if (ret != 1) { + rpctlscd_verbose_out("rpctls_connect: " + "SSL_connect failed %d\n", + ret); + SSL_free(ssl); + return (NULL); + } + + cert = SSL_get_peer_certificate(ssl); + if (cert == NULL) { + rpctlscd_verbose_out("rpctls_connect: get peer" + " certificate failed\n"); + SSL_free(ssl); + return (NULL); + } + gethostret = rpctls_gethost(s, sad, hostnam, sizeof(hostnam)); + if (gethostret == 0) + hostnam[0] = '\0'; + ret = SSL_get_verify_result(ssl); + if (ret == X509_V_OK && (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) && (gethostret == 0 || + rpctls_checkhost(sad, cert) != 1)) + ret = X509_V_ERR_HOSTNAME_MISMATCH; + X509_free(cert); + if (ret != X509_V_OK && (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL)) { + if (ret != X509_V_OK) { + cp = X509_NAME_oneline(X509_get_issuer_name(cert), + NULL, 0); + cp2 = X509_NAME_oneline(X509_get_subject_name(cert), + NULL, 0); + if (rpctls_debug_level == 0) + syslog(LOG_INFO | 
LOG_DAEMON, + "rpctls_connect: client IP %s " + "issuerName=%s subjectName=%s verify " + "failed %s\n", hostnam, cp, cp2, + X509_verify_cert_error_string(ret)); + else + fprintf(stderr, + "rpctls_connect: client IP %s " + "issuerName=%s subjectName=%s verify " + "failed %s\n", hostnam, cp, cp2, + X509_verify_cert_error_string(ret)); + } + SSL_free(ssl); + return (NULL); + } + + /* Check to see if ktls is enabled on the connection. */ + ret = BIO_get_ktls_send(SSL_get_wbio(ssl)); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_send=%d\n", ret); + if (ret != 0) { + ret = BIO_get_ktls_recv(SSL_get_rbio(ssl)); + rpctlscd_verbose_out("rpctls_connect: BIO_get_ktls_recv=%d\n", ret); + } + if (ret == 0) { + if (rpctls_debug_level == 0) + syslog(LOG_ERR, "ktls not working\n"); + else + fprintf(stderr, "ktls not working\n"); + SSL_free(ssl); + return (NULL); + } + + return (ssl); +} + +/* + * Get the server's IP address. + */ +static int +rpctls_gethost(int s, struct sockaddr *sad, char *hostip, size_t hostlen) +{ + socklen_t slen; + int ret; + + slen = sizeof(struct sockaddr_storage); + if (getpeername(s, sad, &slen) < 0) + return (0); + ret = 0; + if (getnameinfo((const struct sockaddr *)sad, + sad->sa_len, hostip, hostlen, + NULL, 0, NI_NUMERICHOST) == 0) { + rpctlscd_verbose_out("rpctls_gethost: %s\n", + hostip); + ret = 1; + } + return (ret); +} + +/* + * Check a server IP address against any host address in the + * certificate. Basically getnameinfo(3) and + * X509_check_host(). 
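Review bot: in rpctls_connect() the peer certificate is freed and then used: `X509_free(cert);` runs before the verify-failure branch that calls `X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0)` and `X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)`, so the logging path reads a freed X509. Move the X509_free() below the `if (ret != X509_V_OK && ...)` block, and OPENSSL_free() cp and cp2 after logging, since X509_NAME_oneline() with a NULL buffer allocates them; the inner `if (ret != X509_V_OK)` is redundant given the outer condition. In the same function `struct sockaddr *sad` is declared but never assigned while `struct sockaddr_storage ad` is declared but never used, so `rpctls_gethost(s, sad, hostnam, sizeof(hostnam))` has getpeername() write through an uninitialized pointer; `sad = (struct sockaddr *)&ad;` is needed before the call. Earlier, rpctlscd_disconnect_1_svc() calls `rpctlscd_verbose_out("disconnect refno=%jx\n", (uintmax_t)slp->refno);` before `slp = NULL;` and the LIST_FOREACH lookup, dereferencing an uninitialized pointer; that line and the unindented `get_shutdown0`/`get_shutdown2` prints read as debug leftovers and should be removed or moved after the lookup. In rpctls_setupcl_ssl() the comment says "RPC-over-TLS must use TLSv1.3" but the active `#else` branch sets `SSL_OP_NO_TLSv1_3`, which disables TLSv1.3 and leaves TLSv1.0 through 1.2 enabled; a comment stating why the `notyet` branch is disabled would keep readers from taking the current behaviour as intended. The same function builds `path` with `strlcpy(&path[len], "cert.pem", rlen)` directly after the certdir, so it relies on rpctls_certdir ending in '/', which the default does but a user-supplied directory need not.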
+ */ +static int +rpctls_checkhost(struct sockaddr *sad, X509 *cert) +{ + char hostnam[NI_MAXHOST]; + int ret; + + if (getnameinfo((const struct sockaddr *)sad, + sad->sa_len, hostnam, sizeof(hostnam), + NULL, 0, NI_NAMEREQD) != 0) + return (0); + rpctlscd_verbose_out("rpctls_checkhost: DNS %s\n", + hostnam); + ret = X509_check_host(cert, hostnam, strlen(hostnam), + X509_CHECK_FLAG_NO_WILDCARDS, NULL); + return (ret); +} + +/* + * (re)load the CRLfile into the certificate verification store. + */ +static int +rpctls_loadcrlfile(SSL_CTX *ctx) +{ + X509_STORE *certstore; + X509_LOOKUP *certlookup; + int ret; + + if ((rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) && + rpctls_crlfile != NULL) { + certstore = SSL_CTX_get_cert_store(ctx); + certlookup = X509_STORE_add_lookup( + certstore, X509_LOOKUP_file()); + ret = 0; + if (certlookup != NULL) + ret = X509_load_crl_file(certlookup, + rpctls_crlfile, X509_FILETYPE_PEM); + if (ret != 0) + ret = X509_STORE_set_flags(certstore, + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); + if (ret == 0) { + rpctlscd_verbose_out( + "rpctls_loadcrlfile: Can't" + " load CRLfile=%s\n", + rpctls_crlfile); + return (ret); + } + } + return (1); +} + +static void +rpctls_huphandler(int sig __unused) +{ + + rpctls_gothup = true; +} + *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-projects@freebsd.org Thu Sep 3 21:58:19 2020 Return-Path: Delivered-To: svn-src-projects@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 569373CC3DD for ; Thu, 3 Sep 2020 21:58:19 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) 
(Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BjF6z1jwqz43xN; Thu, 3 Sep 2020 21:58:19 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1DD3B224A5; Thu, 3 Sep 2020 21:58:19 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 083LwJmF038451; Thu, 3 Sep 2020 21:58:19 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 083LwIor038448; Thu, 3 Sep 2020 21:58:18 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202009032158.083LwIor038448@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
From: Rick Macklem Date: Thu, 3 Sep 2020 21:58:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r365311 - projects/nfs-over-tls/usr.sbin/rpc.tlsservd X-SVN-Group: projects X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: projects/nfs-over-tls/usr.sbin/rpc.tlsservd X-SVN-Commit-Revision: 365311 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Sep 2020 21:58:19 -0000 Author: rmacklem Date: Thu Sep 3 21:58:18 2020 New Revision: 365311 URL: https://svnweb.freebsd.org/changeset/base/365311 Log: Add the renamed server daemon. Also add long options for those who like them. Added: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/Makefile (contents, props changed) projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 (contents, props changed) projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c (contents, props changed) Added: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/Makefile Thu Sep 3 21:58:18 2020 (r365311) 
@@ -0,0 +1,32 @@ +# $FreeBSD$ + +.include + +PROG= rpc.tlsservd +MAN= rpc.tlsservd.8 +SRCS= rpc.tlsservd.c rpctlssd.h rpctlssd_svc.c rpctlssd_xdr.c + +CFLAGS+= -I. + +CFLAGS+= -I/usr/ktls/include +LDFLAGS+= -L/usr/ktls/lib + +LIBADD= ssl crypto util + +CLEANFILES= rpctlssd_svc.c rpctlssd_xdr.c rpctlssd.h + +RPCSRC= ${SRCTOP}/sys/rpc/rpcsec_tls/rpctlssd.x +RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -L -C -M + +rpctlssd_svc.c: ${RPCSRC} rpctlssd.h + ${RPCGEN} -m -o ${.TARGET} ${RPCSRC} + +rpctlssd_xdr.c: ${RPCSRC} rpctlssd.h + ${RPCGEN} -c -o ${.TARGET} ${RPCSRC} + +rpctlssd.h: ${RPCSRC} + ${RPCGEN} -h -o ${.TARGET} ${RPCSRC} + +.PATH: ${SRCTOP}/sys/rpc/rpcsec_tls + +.include Added: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 Thu Sep 3 21:58:18 2020 (r365311) 
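Review bot: `CFLAGS+= -I/usr/ktls/include` and `LDFLAGS+= -L/usr/ktls/lib` point at a private build tree outside the source tree, so the build depends silently on that local install and may link against whichever libssl/libcrypto lives there instead of the base libraries requested by `LIBADD= ssl crypto util`; these two lines should be dropped or made conditional on a make variable before the daemon moves out of the project branch.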
@@ -0,0 +1,332 @@ +.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ +.\" Authors: Doug Rabson +.\" Developed with Red Inc: Alfred Perlstein +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem. +.Dd September 3, 2020 +.Dt RPC.TLSSERVD 8 +.Os +.Sh NAME +.Nm rpc.tlsservd +.Nd "Sun RPC over TLS Server Daemon" +.Sh SYNOPSIS +.Nm +.Op Fl D Ar certdir +.Op Fl d +.Op Fl h +.Op Fl l Ar CAfile +.Op Fl m +.Op Fl n Ar domain_name +.Op Fl p Ar CApath +.Op Fl r Ar CRLfile +.Op Fl u +.Op Fl v +.Op Fl W +.Op Fl w +.Sh DESCRIPTION +The +.Nm +program provides support for the server side of the kernel Sun RPC over TLS +implementation. 
+This daemon must be running to allow the kernel RPC to perform the TLS +handshake after a TCP client has sent the STARTTLS Null RPC request to +the server. +This daemon requires that the kernel be built with +.Dq options KERNEL_TLS +and be running on an architecture such as +.Dq amd64 +that supports a direct map (not i386). +Note that the +.Fl tls +option in the +.Xr exports 5 +file specifies that the client must use RPC over TLS. +The +.Fl tlscert +option in the +.Xr exports 5 +file specifies that the client must provide a certificate +that verifies. +The +.Fl tlscertuser +option in the +.Xr exports 5 +file specifies that the client must provide a certificate +that verifies and has a otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of +subjectAltName of the form +.Dq user@dns_domain +that maps to a . +For the latter two cases, the +.Fl m +and either the +.Fl l +or +.Fl p +options must be specified. +The +.Fl tlscertuser +option also requires that the +.Fl u +option on this daemon be specified. +.Pp +Also, if the IP address used by the client cannot be trusted, +the rules in +.Xr exports 5 +cannot be applied safely. +As such, the +.Fl h +option can be used along with +.Fl m +and either the +.Fl l +or +.Fl p +options to require that the client certificate have the correct +Fully Qualified Domain Name (FQDN) in it. +.Pp +A certificate and associated key must exist in /etc/rpctlssd +(or the +.Dq certdir +specified by the +.Fl D +option) +in files named +.Dq cert.pem +and +.Dq key.pem . +.Pp +If a SIGHUP signal is sent to the daemon it will reload the +.Dq CRLfile . +If the +.Fl r +option was not specified, the SIGHUP signal will be ignored. +.Pp +The daemon will log failed certificate verifications via +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON when the +.Fl m +option has been specified. 
+.Pp +The options are as follows: +.Bl -tag -width indent +.It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir +Use +.Dq certdir +instead of /etc/rpctlssd as the location for the +certificate in a file called +.Dq cert.pem +and key in +.Dq key.pem . +.It Fl d , Fl Fl debuglevel +Run in debug mode. +In this mode, +.Nm +will not fork when it starts. +.It Fl h , Fl Fl checkhost +This option specifies that the client must provide a certificate +that both verifies and has a FQDN that matches the reverse +DNS name for the IP address that +the client uses to connect to the server. +The FQDN should be +in the DNS field of the subjectAltName, but is also allowed +to be in the CN field of the +subjectName in the certificate. +By default, a wildcard "*" in the FQDN is not allowed. +With this option, a failure to verify the client certificate +or match the FQDN will result in the +server sending AUTH_REJECTEDCRED replies to all client RPCs. +This option requires the +.Fl m +and either the +.Fl l +or +.Fl p +options. +.It Fl l Ar CAfile , Fl Fl verifylocs= Ns Ar CAfile +This option specifies the path name of a CA certificate(s) file +in pem format, which is used to verify client certificates and to +set the list of CA(s) sent to the client so that it knows which +certificate to send to the server during the TLS handshake. +This path name is used in +.Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL) +and +.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)) +openssl library calls. +Note that this is a path name for the file and is not assumed to be +in +.Dq certdir . +Either this option or the +.Fl p +option must be specified when the +.Fl m +option is specified so that the daemon can verify the client's +certificate. +.It Fl m , Fl Fl mutualverf +This option specifies that the server is to request a certificate +from the client during the TLS handshake. +It does not require that the client provide a certificate. 
+It should be specified unless no client doing RPC over TLS is +required to have a certificate. +For NFS, either the export option +.Fl tlscert +or +.Fl tlscertuser +may be used to require a client to provide a certificate +that verifies. +See +.Xr exports 5 . +.It Fl n Ar domain_name , Fl Fl domain= Ns Ar domain_name +This option specifies what the +.Dq domain_name +is for use with the +.Fl u +option, overriding the domain_name of the server this daemon is running on. +If you have specified the +.Fl domain +command line option for +.Xr nfsuserd 8 +then you should specify this option with the same +.Dq domain_name +that was specified for +.Xr nfsuserd 8 . +.It Fl p Ar CApath , Fl Fl verifydir= Ns Ar CApath +This option is similar to the +.Fl l +option, but specifies the path of a directory with CA +certificates in it. +When this option is used, +.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file()) +is not called, so a list of CA names might not be passed +to the client during the TLS handshake. +(I was not able to determine if/when this matters, but +if in doubt, use the +.Fl l +option instead of this option.) +.It Fl r Ar CRLfile , Fl Fl crl= Ns Ar CRLfile +This option specifies a Certificate Revocation List (CRL) file +that is to be loaded into the verify certificate store and +checked during verification. +This option is meaningless unless either the +.Fl l +or +.Fl p +have been specified. +.It Fl u , Fl Fl certuser +This option specifies that if the client provides a certificate +that both verifies and has a subjectAltName with an otherName of the form +.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user@dns_domain +the daemon will attempt to map +.Dq user@dns_domain +in the above +to a . +The mapping of +.Dq user@dns_domain +is done in the same manner as the +.Xr nfsuserd 8 +daemon, where +.Dq dns_domain +is the domain of the NFS server (or the one set via the +.Fl n +option) and +.Dq user +is a valid username in the password database. 
+If this mapping is successful, then the for +.Dq user +will be used for all +RPCs on the mount instead of the credentials in the RPC request +header. +This option requires the +.Fl m +and either the +.Fl l +or +.Fl p +options. +Use of this option does not conform to RFC-X, which does +not allow certificates to be used for user authentication. +.It Fl v , Fl Fl verbose +Run in verbose mode. +In this mode, +.Nm +will log activity messages to +.Xr syslogd 8 +using LOG_INFO | LOG_DAEMON or to +stderr, if the +.Fl d +option has also been specified. +.It Fl W , Fl Fl multiwild +This option is used with the +.Fl h +option to allow use of a wildcard +.Dq * +that matches multiple +components of the reverse DNS name for the client's IP +address. +For example, the FQDN +.Dq *.uoguelph.ca +would match both +.Dq laptop21.uoguelph.ca +and +.Dq laptop3.cis.uoguelph.ca . +.It Fl w , Fl Fl singlewild +Similar to +.Fl W +but allows the wildcard +.Dq * +to match a single component of the reverse DNS name. +For example, the FQDN +.Dq *.uoguelph.ca +would match +.Dq laptop21.uoguelph.ca +but not +.Dq laptop3.cis.uoguelph.ca . +Only one of the +.Fl W +and +.Fl w +options is allowed. +.El +.Sh EXIT STATUS +.Ex -std +.Sh SEE ALSO +.Xr openssl 1 , +.Xr exports 5 , +.Xr mount_nfs 8 , +.Xr nfsuserd 8 , +.Xr rpc.tlsclntd 8 , +.Xr syslogd 8 +.Sh BUGS +This daemon cannot be safely shut down and restarted if there are +any active RPC-over-TLS connections. +Doing so will orphan the KERNEL_TLS connections, so that they +can no longer do upcalls successfully, since the +.Dq SSL * +structures in userspace have been lost. +.Sh HISTORY +The +.Nm +manual page first appeared in +.Fx 13.0 . Added: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.c Thu Sep 3 21:58:18 2020 (r365311) 
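Review bot: the default certificate directory documented here is inconsistent with the code: DESCRIPTION ("must exist in /etc/rpctlssd") and the -D option ("instead of /etc/rpctlssd") name the old path, while rpc.tlsservd.c defines `_PATH_CERTANDKEY "/etc/rpc.tlsservd/"`; the man page should say /etc/rpc.tlsservd. The -u text "does not conform to RFC-X" needs the actual RFC number before this is committed. The parenthetical under -p, "(I was not able to determine if/when this matters, but if in doubt, use the -l option instead of this option.)", is first-person and belongs in a commit message or the BUGS section rather than the option description; "if the -l option is available, prefer it" conveys the same advice in the manual's register.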
@@ -0,0 +1,993 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ + * Authors: Doug Rabson + * Developed with Red Inc: Alfred Perlstein + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* Modified from gssd.c for the server side of kernel RPC-over-TLS. 
*/ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "rpctlssd.h" + +#ifndef _PATH_RPCTLSSDSOCK +#define _PATH_RPCTLSSDSOCK "/var/run/rpc.tlsservd.sock" +#endif +#ifndef _PATH_CERTANDKEY +#define _PATH_CERTANDKEY "/etc/rpc.tlsservd/" +#endif +#ifndef _PATH_RPCTLSSDPID +#define _PATH_RPCTLSSDPID "/var/run/rpc.tlsservd.pid" +#endif +#ifndef _PREFERRED_CIPHERS +#define _PREFERRED_CIPHERS "AES128-GCM-SHA256" +#endif + +static struct pidfh *rpctls_pfh = NULL; +static int rpctls_debug_level; +static bool rpctls_verbose; +static SSL_CTX *rpctls_ctx = NULL; +static bool rpctls_do_mutual = false; +static const char *rpctls_verify_cafile = NULL; +static const char *rpctls_verify_capath = NULL; +static const char *rpctls_crlfile = NULL; +static const char *rpctls_certdir = _PATH_CERTANDKEY; +static bool rpctls_comparehost = false; +static unsigned int rpctls_wildcard = X509_CHECK_FLAG_NO_WILDCARDS; +static uint64_t rpctls_ssl_refno = 0; +static uint64_t rpctls_ssl_sec = 0; +static uint64_t rpctls_ssl_usec = 0; +static bool rpctls_gothup = false; +static bool rpctls_cnuser = false; +static char *rpctls_dnsname; +static const char *rpctls_cnuseroid = "1.3.6.1.4.1.2238.1.1.1"; + +/* + * A linked list of all current "SSL *"s and socket "fd"s + * for kernel RPC TLS connections is maintained. + * The "refno" field is a unique 64bit value used to + * identify which entry a kernel RPC upcall refers to. 
+ */ +LIST_HEAD(ssl_list, ssl_entry); +struct ssl_entry { + LIST_ENTRY(ssl_entry) next; + uint64_t refno; + int s; + SSL *ssl; +}; +static struct ssl_list rpctls_ssllist; + +static void rpctlssd_terminate(int); +static SSL_CTX *rpctls_setup_ssl(const char *certdir); +static SSL *rpctls_server(SSL_CTX *ctx, int s, + uint32_t *flags, uint32_t *uidp, + int *ngrps, uint32_t *gidp); +static int rpctls_gethost(int s, struct sockaddr *sad, + char *hostip, size_t hostlen); +static int rpctls_checkhost(struct sockaddr *sad, X509 *cert); +static int rpctls_loadcrlfile(SSL_CTX *ctx); +static int rpctls_cnname(X509 *cert, uint32_t *uidp, + int *ngrps, uint32_t *gidp); +static char *rpctls_getdnsname(char *dnsname); +static void rpctls_huphandler(int sig __unused); + +extern void rpctlssd_1(struct svc_req *rqstp, SVCXPRT *transp); + +static struct option longopts[] = { + { "certdir", required_argument, NULL, 'D' }, + { "debuglevel", no_argument, NULL, 'd' }, + { "checkhost", no_argument, NULL, 'h' }, + { "verifylocs", required_argument, NULL, 'l' }, + { "mutualverf", no_argument, NULL, 'm' }, + { "domain", required_argument, NULL, 'n' }, + { "verifydir", required_argument, NULL, 'p' }, + { "crl", required_argument, NULL, 'r' }, + { "certuser", no_argument, NULL, 'u' }, + { "verbose", no_argument, NULL, 'v' }, + { "multiwild", no_argument, NULL, 'W' }, + { "singlewild", no_argument, NULL, 'w' }, + { NULL, 0, NULL, 0 } +}; + +int +main(int argc, char **argv) +{ + /* + * We provide an RPC service on a local-domain socket. The + * kernel rpctls code will upcall to this daemon to do the initial + * TLS handshake. + */ + struct sockaddr_un sun; + int fd, oldmask, ch, debug; + SVCXPRT *xprt; + struct timeval tm; + struct timezone tz; + char hostname[MAXHOSTNAMELEN + 2]; + pid_t otherpid; + + /* Check that another rpctlssd isn't already running. 
*/ + rpctls_pfh = pidfile_open(_PATH_RPCTLSSDPID, 0600, &otherpid); + if (rpctls_pfh == NULL) { + if (errno == EEXIST) + errx(1, "rpctlssd already running, pid: %d.", otherpid); + warn("cannot open or create pidfile"); + } + + if (modfind("ktls_ocf") < 0) { + /* Not present in kernel, try loading it */ + if (kldload("ktls_ocf") < 0 || modfind("ktls_ocf") < 0) + errx(1, "Cannot load ktls_ocf"); + } + if (modfind("aesni") < 0) { + /* Not present in kernel, try loading it */ + kldload("aesni"); + } + + /* Get the time when this daemon is started. */ + gettimeofday(&tm, &tz); + rpctls_ssl_sec = tm.tv_sec; + rpctls_ssl_usec = tm.tv_usec; + + /* Set the dns name for the server. */ + rpctls_dnsname = rpctls_getdnsname(hostname); + if (rpctls_dnsname == NULL) { + strcpy(hostname, "@default.domain"); + rpctls_dnsname = hostname; + } +fprintf(stderr, "dnsname=%s\n", rpctls_dnsname); + + debug = 0; + rpctls_verbose = false; + while ((ch = getopt_long(argc, argv, "D:dhl:n:mp:r:uvWw", longopts, + NULL)) != -1) { + switch (ch) { + case 'D': + rpctls_certdir = optarg; + break; + case 'd': + rpctls_debug_level++; + break; + case 'h': + rpctls_comparehost = true; + break; + case 'l': + rpctls_verify_cafile = optarg; + break; + case 'm': + rpctls_do_mutual = true; + break; + case 'n': + hostname[0] = '@'; + strlcpy(&hostname[1], optarg, MAXHOSTNAMELEN + 1); + rpctls_dnsname = hostname; + break; + case 'p': + rpctls_verify_capath = optarg; + break; + case 'r': + rpctls_crlfile = optarg; + break; + case 'u': + rpctls_cnuser = true; + break; + case 'v': + rpctls_verbose = true; + break; + case 'W': + if (rpctls_wildcard != X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "options -w and -W are mutually " + "exclusive"); + rpctls_wildcard = X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; + break; + case 'w': + if (rpctls_wildcard != X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "options -w and -W are mutually " + "exclusive"); + rpctls_wildcard = 0; + break; + default: + fprintf(stderr, "usage: %s " + 
"[-D/--certdir certdir] [-d/--debuglevel] " + "[-h/--checkhost] " + "[-l/--verifylocs CAfile] [-m/--mutualverf] " + "[-n/--domain domain_name] " + "[-p/--verifydir CApath] [-r/--crl CRLfile] " + "[-u/--certuser] [-v/--verbose] [-W/--multiwild] " + "[-w/--singlewild]\n", argv[0]); + exit(1); + } + } + if (rpctls_do_mutual && rpctls_verify_cafile == NULL && + rpctls_verify_capath == NULL) + errx(1, "-m requires the -l and/or " + "-p options"); + if (rpctls_comparehost && (!rpctls_do_mutual || + (rpctls_verify_cafile == NULL && rpctls_verify_capath == NULL))) + errx(1, "-h requires the -m plus the " + "-l and/or -p options"); + if (!rpctls_comparehost && rpctls_wildcard != + X509_CHECK_FLAG_NO_WILDCARDS) + errx(1, "The -w or -W options require the -h option"); + if (rpctls_cnuser && (!rpctls_do_mutual || + (rpctls_verify_cafile == NULL && rpctls_verify_capath == NULL))) + errx(1, "-u requires the -m plus the " + "-l and/or -p options"); + + if (modfind("krpc") < 0) { + /* Not present in kernel, try loading it */ + if (kldload("krpc") < 0 || modfind("krpc") < 0) + errx(1, "Kernel RPC is not available"); + } + + if (rpctls_debug_level == 0) { + if (daemon(0, 0) != 0) + err(1, "Can't daemonize"); + signal(SIGINT, SIG_IGN); + signal(SIGQUIT, SIG_IGN); + signal(SIGHUP, SIG_IGN); + } + signal(SIGTERM, rpctlssd_terminate); + signal(SIGPIPE, SIG_IGN); + signal(SIGHUP, rpctls_huphandler); + + pidfile_write(rpctls_pfh); + + memset(&sun, 0, sizeof sun); + sun.sun_family = AF_LOCAL; + unlink(_PATH_RPCTLSSDSOCK); + strcpy(sun.sun_path, _PATH_RPCTLSSDSOCK); + sun.sun_len = SUN_LEN(&sun); + fd = socket(AF_LOCAL, SOCK_STREAM, 0); + if (fd < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't create local rpctlssd socket"); + exit(1); + } + err(1, "Can't create local rpctlssd socket"); + } + oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); + if (bind(fd, (struct sockaddr *)&sun, sun.sun_len) < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't bind local rpctlssd 
socket"); + exit(1); + } + err(1, "Can't bind local rpctlssd socket"); + } + umask(oldmask); + if (listen(fd, SOMAXCONN) < 0) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't listen on local rpctlssd socket"); + exit(1); + } + err(1, "Can't listen on local rpctlssd socket"); + } + xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); + if (!xprt) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't create transport for local rpctlssd socket"); + exit(1); + } + err(1, "Can't create transport for local rpctlssd socket"); + } + if (!svc_reg(xprt, RPCTLSSD, RPCTLSSDVERS, rpctlssd_1, NULL)) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, + "Can't register service for local rpctlssd socket"); + exit(1); + } + err(1, "Can't register service for local rpctlssd socket"); + } + + rpctls_ctx = rpctls_setup_ssl(rpctls_certdir); + if (rpctls_ctx == NULL) { + if (rpctls_debug_level == 0) { + syslog(LOG_ERR, "Can't create SSL context"); + exit(1); + } + err(1, "Can't create SSL context"); + } + rpctls_gothup = false; + LIST_INIT(&rpctls_ssllist); + + rpctls_syscall(RPCTLS_SYSC_SRVSETPATH, _PATH_RPCTLSSDSOCK); + svc_run(); + rpctls_syscall(RPCTLS_SYSC_SRVSHUTDOWN, ""); + + SSL_CTX_free(rpctls_ctx); + EVP_cleanup(); + return (0); +} + +static void +rpctlssd_verbose_out(const char *fmt, ...) 
+{ + va_list ap; + + if (rpctls_verbose) { + va_start(ap, fmt); + if (rpctls_debug_level == 0) + vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap); + else + vfprintf(stderr, fmt, ap); + va_end(ap); + } +} + +bool_t +rpctlssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) +{ + + rpctlssd_verbose_out("rpctlssd_null_svc: done\n"); + return (TRUE); +} + +bool_t +rpctlssd_connect_1_svc(void *argp, + struct rpctlssd_connect_res *result, struct svc_req *rqstp) +{ + int ngrps, s; + SSL *ssl; + uint32_t flags; + struct ssl_entry *newslp; + uint32_t uid; + uint32_t *gidp; + + rpctlssd_verbose_out("rpctlsd_connect_svc: started\n"); + memset(result, 0, sizeof(*result)); + /* Get the socket fd from the kernel. */ + s = rpctls_syscall(RPCTLS_SYSC_SRVSOCKET, ""); +rpctlssd_verbose_out("rpctlsd_connect_svc s=%d\n", s); + if (s < 0) + return (FALSE); + + /* Do the server side of a TLS handshake. */ + gidp = calloc(NGROUPS, sizeof(*gidp)); + ssl = rpctls_server(rpctls_ctx, s, &flags, &uid, &ngrps, gidp); + if (ssl == NULL) { + free(gidp); + rpctlssd_verbose_out("rpctlssd_connect_svc: ssl " + "accept failed\n"); + /* + * For RPC-over-TLS, this upcall is expected + * to close off the socket upon handshake failure. + */ + close(s); + return (FALSE); + } else { + rpctlssd_verbose_out("rpctlssd_connect_svc: " + "succeeded flags=0x%x\n", flags); + result->flags = flags; + result->sec = rpctls_ssl_sec; + result->usec = rpctls_ssl_usec; + result->ssl = ++rpctls_ssl_refno; + /* Hard to believe this could ever wrap around.. 
*/ + if (rpctls_ssl_refno == 0) + result->ssl = ++rpctls_ssl_refno; + if ((flags & RPCTLS_FLAGS_CERTUSER) != 0) { + result->uid = uid; + result->gid.gid_len = ngrps; + result->gid.gid_val = gidp; + } else { + result->uid = 0; + result->gid.gid_len = 0; + result->gid.gid_val = gidp; + } + } + + /* Maintain list of all current SSL *'s */ + newslp = malloc(sizeof(*newslp)); + newslp->ssl = ssl; + newslp->s = s; + newslp->refno = rpctls_ssl_refno; + LIST_INSERT_HEAD(&rpctls_ssllist, newslp, next); + return (TRUE); +} + +bool_t +rpctlssd_handlerecord_1_svc(struct rpctlssd_handlerecord_arg *argp, + struct rpctlssd_handlerecord_res *result, struct svc_req *rqstp) +{ + struct ssl_entry *slp; + int ret; + char junk; + + slp = NULL; + if (argp->sec == rpctls_ssl_sec && argp->usec == + rpctls_ssl_usec) { + LIST_FOREACH(slp, &rpctls_ssllist, next) { + if (slp->refno == argp->ssl) + break; + } + } + + if (slp != NULL) { + rpctlssd_verbose_out("rpctlssd_handlerecord fd=%d\n", + slp->s); + /* + * An SSL_read() of 0 bytes should fail, but it should + * handle the non-application data record before doing so. + */ + ret = SSL_read(slp->ssl, &junk, 0); + if (ret <= 0) { + /* Check to see if this was a close alert. 
*/ + ret = SSL_get_shutdown(slp->ssl); +rpctlssd_verbose_out("get_shutdown=%d\n", ret); + if ((ret & (SSL_SENT_SHUTDOWN | + SSL_RECEIVED_SHUTDOWN)) == SSL_RECEIVED_SHUTDOWN) + SSL_shutdown(slp->ssl); + } else { + if (rpctls_debug_level == 0) + syslog(LOG_ERR, "SSL_read returned %d", ret); + else + fprintf(stderr, "SSL_read returned %d\n", ret); + } + result->reterr = RPCTLSERR_OK; + } else + result->reterr = RPCTLSERR_NOSSL; + return (TRUE); +} + +bool_t +rpctlssd_disconnect_1_svc(struct rpctlssd_disconnect_arg *argp, + struct rpctlssd_disconnect_res *result, struct svc_req *rqstp) +{ + struct ssl_entry *slp; + int ret; + + slp = NULL; + if (argp->sec == rpctls_ssl_sec && argp->usec == + rpctls_ssl_usec) { + LIST_FOREACH(slp, &rpctls_ssllist, next) { + if (slp->refno == argp->ssl) + break; + } + } + + if (slp != NULL) { + rpctlssd_verbose_out("rpctlssd_disconnect fd=%d closed\n", + slp->s); + LIST_REMOVE(slp, next); + ret = SSL_get_shutdown(slp->ssl); +rpctlssd_verbose_out("get_shutdown1=%d\n", ret); + /* + * Do an SSL_shutdown() unless a close alert has + * already been sent. + */ + if ((ret & SSL_SENT_SHUTDOWN) == 0) + SSL_shutdown(slp->ssl); + SSL_free(slp->ssl); + /* + * For RPC-over-TLS, this upcall is expected + * to close off the socket. + */ + shutdown(slp->s, SHUT_WR); + close(slp->s); + free(slp); + result->reterr = RPCTLSERR_OK; + } else + result->reterr = RPCTLSERR_NOCLOSE; + return (TRUE); +} + +int +rpctlssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) +{ + rpctlssd_connect_res *res; + + if (xdr_result == (xdrproc_t)xdr_rpctlssd_connect_res) { + res = (rpctlssd_connect_res *)result; + if (res->gid.gid_val != NULL) + free(res->gid.gid_val); + } + return (TRUE); +} + +static void +rpctlssd_terminate(int sig __unused) +{ + struct ssl_entry *slp; + + rpctls_syscall(RPCTLS_SYSC_SRVSHUTDOWN, ""); + pidfile_remove(rpctls_pfh); + + /* + * Shut down all TCP connections, so that any compromised TLS + * connection is no longer usable. 
+ */ + LIST_FOREACH(slp, &rpctls_ssllist, next) + shutdown(slp->s, SHUT_RD); + exit(0); +} + +/* Allow the handshake to proceed. */ +static int +rpctls_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) +{ + + return (1); +} + +static SSL_CTX * +rpctls_setup_ssl(const char *certdir) +{ + SSL_CTX *ctx; + char path[PATH_MAX]; + size_t len, rlen; + int ret; + + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); + + ctx = SSL_CTX_new(TLS_server_method()); + if (ctx == NULL) { + rpctlssd_verbose_out("rpctls_setup_ssl: SSL_CTX_new failed\n"); + return (NULL); + } + SSL_CTX_set_ecdh_auto(ctx, 1); + + /* + * Set preferred ciphers, since KERN_TLS only supports a + * few of them. + */ + ret = SSL_CTX_set_cipher_list(ctx, _PREFERRED_CIPHERS); + if (ret == 0) { + rpctlssd_verbose_out("rpctls_setup_ssl: " + "SSL_CTX_set_cipher_list failed to set any ciphers\n"); + SSL_CTX_free(ctx); + return (NULL); + } + + /* Get the cert.pem and key.pem files from the directory certdir. */ + len = strlcpy(path, certdir, sizeof(path)); + rlen = sizeof(path) - len; + if (strlcpy(&path[len], "cert.pem", rlen) != 8) { + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_use_certificate_file(ctx, path, SSL_FILETYPE_PEM); + if (ret != 1) { + rpctlssd_verbose_out("rpctls_setup_ssl: can't use certificate " + "file path=%s ret=%d\n", path, ret); + SSL_CTX_free(ctx); + return (NULL); + } + if (strlcpy(&path[len], "key.pem", rlen) != 7) { + SSL_CTX_free(ctx); + return (NULL); + } + ret = SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM); + if (ret != 1) { + rpctlssd_verbose_out("rpctls_setup_ssl: Can't use private " + "key path=%s ret=%d\n", path, ret); + SSL_CTX_free(ctx); + return (NULL); + } + + /* Set Mutual authentication, as required. 
*/ + if (rpctls_do_mutual) { + if (rpctls_verify_cafile != NULL || + rpctls_verify_capath != NULL) { *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
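Review bot: rpctls_setup_ssl() never pins a protocol version: SSL_CTX_new(TLS_server_method()) negotiates whatever the library defaults allow, and SSL_CTX_set_cipher_list() only governs the TLS 1.2-and-earlier cipher string, not TLS 1.3 suites, so the "preferred ciphers, since KERN_TLS only supports a few" comment is not enforced for a TLS 1.3 client and an older client can still end up on TLS 1.0-1.2. RPC-over-TLS (draft-ietf-nfsv4-rpc-tls, since published as RFC 9289) requires TLS 1.3; call SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) right after SSL_CTX_new() and select the KTLS-capable suites with SSL_CTX_set_ciphersuites(), failing setup when either returns 0. While there: SSL_CTX_set_ecdh_auto() has been a no-op macro since OpenSSL 1.1.0, and the SSL_library_init()/SSL_load_error_strings()/OpenSSL_add_all_algorithms() trio is unnecessary with the OpenSSL 3 that the setup document's openssl3.patch targets.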
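Review bot: the cert/key path construction in rpctls_setup_ssl() can write past path[] when certdir is too long: strlcpy() returns the length it tried to build, so for a certdir of PATH_MAX or more characters len is >= sizeof(path), rlen = sizeof(path) - len wraps as an unsigned size_t, and strlcpy(&path[len], "cert.pem", rlen) writes beyond the buffer. Reject len >= sizeof(path) before computing rlen. The same code silently requires certdir to end in "/": "-D /etc/foo" produces /etc/foocert.pem, which then fails with a misleading "can't use certificate file" message; either append the separator when it is missing or document the requirement in the -D description.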
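Review bot: rpctls_verify_callback() returns 1 unconditionally, ignoring preverify_ok, so a client certificate that fails chain validation, has expired or is listed in the -r CRL does not abort the handshake. Deferring that decision can be intentional for RPC-over-TLS (accept the session, then decide what the certificate is worth), but nothing in this diff shows SSL_get_verify_result() being consulted before rpctlssd_connect_1_svc() sets RPCTLS_FLAGS_CERTUSER and hands the certificate's uid/gids to the kernel; if that check lives in rpctls_server(), the one-line "Allow the handshake to proceed" comment should say so, because anyone auditing the -m/-u path will otherwise read this as mutual authentication being a no-op.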
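Review bot: rpctlssd_connect_1_svc() does not check the calloc() for gidp or the malloc() for newslp; a NULL gidp is passed into rpctls_server() and a NULL newslp is dereferenced on the very next line, so an allocation failure crashes a daemon whose death takes every NFS-over-TLS session on the server with it. Fail the upcall instead (free what was allocated, close(s), return FALSE) so memory pressure becomes one refused connection. The column-0 rpctlssd_verbose_out("rpctlsd_connect_svc s=%d\n", s) and "get_shutdown=%d" calls read as left-over debug output; indent or remove them.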
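Review bot: rpctlssd_handlerecord_1_svc() cannot tell a fatal SSL_read() failure from the expected zero-byte result: for any ret <= 0 it only inspects SSL_get_shutdown() and then answers RPCTLSERR_OK, so a record that fails decryption or breaks the protocol (SSL_ERROR_SSL) leaves the kernel treating the connection as healthy while OpenSSL has already marked it unusable. Check SSL_get_error(slp->ssl, ret) and return an error for anything other than SSL_ERROR_WANT_READ or SSL_ERROR_ZERO_RETURN, so the kernel tears the connection down. The zero-length SSL_read() also relies on OpenSSL processing the pending non-application-data record before returning; a comment naming the OpenSSL version this was verified against would help whoever upgrades libssl later.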
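Review bot: rpctlssd_terminate() runs as a signal handler but calls rpctls_syscall(), pidfile_remove(), walks rpctls_ssllist and then exit(); none of these are async-signal-safe, and the list walk can execute while svc_run() is halfway through LIST_INSERT_HEAD() in rpctlssd_connect_1_svc() or LIST_REMOVE() in rpctlssd_disconnect_1_svc(). Set a volatile sig_atomic_t flag in the handler (the rpctls_gothup flag initialised in main() suggests that pattern already exists for SIGHUP) and do the shutdown and exit from the main loop, or at least end the handler with _exit() after the shutdown() loop.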
From: Rick Macklem
Date: Thu, 3 Sep 2020 22:01:52 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365312 - projects/nfs-over-tls/rc.d

Author: rmacklem Date: Thu Sep 3 22:01:52 2020 New Revision: 365312 URL: https://svnweb.freebsd.org/changeset/base/365312 Log: Add the rc.d scripts for the renamed daemons. Added: projects/nfs-over-tls/rc.d/tlsclntd projects/nfs-over-tls/rc.d/tlsservd Added: projects/nfs-over-tls/rc.d/tlsclntd ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/rc.d/tlsclntd Thu Sep 3 22:01:52 2020 (r365312) @@ -0,0 +1,20 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: tlsclntd +# REQUIRE: NETWORKING +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="tlsclntd" +desc="NFS over TLS client side daemon" +rcvar="tlsclntd_enable" +command="/usr/sbin/rpc.${name}" +pidfile="/var/run/rpc.${name}.pid" + +load_rc_config $name + +run_rc_command "$1" Added: projects/nfs-over-tls/rc.d/tlsservd ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/nfs-over-tls/rc.d/tlsservd Thu Sep 3 22:01:52 2020 (r365312)
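Review bot: the tlsclntd script has no extra_commands="reload" while the tlsservd script in the next hunk does; the setup document says the CRL can be provided to either daemon and reloaded by sending SIGHUP, so "service tlsclntd reload" should work on the client as well. Also worth a comment in both scripts: because command="/usr/sbin/rpc.${name}", the rc.conf knobs (tlsclntd_enable, tlsclntd_flags, tlsclntd_env) are keyed on the script name, not on the rpc.tlsclntd binary name, which is easy to get wrong when following the man pages.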
@@ -0,0 +1,24 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: tlsservd +# REQUIRE: NETWORKING +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="tlsservd" +desc="NFS over TLS server side daemon" +rcvar="tlsservd_enable" +command="/usr/sbin/rpc.${name}" + +pidfile="/var/run/rpc.${name}.pid" +required_files="/etc/rpc.tlsservd/cert.pem /etc/rpc.tlsservd/key.pem" +extra_commands="reload" + + +load_rc_config $name + +run_rc_command "$1"
From: Rick Macklem
Date: Thu, 3 Sep 2020 22:11:02 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365313 - projects/nfs-over-tls

Author: rmacklem Date: Thu Sep 3 22:11:01 2020 New Revision: 365313 URL: https://svnweb.freebsd.org/changeset/base/365313 Log: Update the setup document for the renamed daemons. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Thu Sep 3 22:01:52 2020 (r365312) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Thu Sep 3 22:11:01 2020 (r365313)
@@ -90,28 +90,18 @@ Now, you need to patch the include files in /usr/ktls/ # patch -p0 < /usr/nfs-over-tls/openssl3.patch And now you should be able to build/install the utilities. -(You'll get warnings about SSL_CTX_load_verify_locations() deprecated. - Thats ok for now.) -# cd /usr/nfs-over-tls/usr.sbin/rpctlssd +# cd /usr/nfs-over-tls/usr.sbin/rpc.tlsservd # make SRCTOP=/usr/nfs-over-tls -# cp rpctlssd /usr/sbin -# cp rpctlssd.8.gz /usr/share/man/man8 -# cd ../rpctlscd +# cp rpc.tlsservd /usr/sbin +# cp rpc.tlsservd.8.gz /usr/share/man/man8 +# cd ../rpc.tlsclntd # make SRCTOP=/usr/nfs-over-tls -# cp rpctlscd /usr/sbin -# cp rpctlscd.8.gz /usr/share/man/man8 -# cd /usr/nfs-over-tls -# mkdir sbin -# cd sbin -# ln -s /usr/src/sbin/mount mount -# cd /usr/nfs-over-tls/usr.sbin/mountd -# make SRCTOP=/usr/nfs-over-tls -# cp mountd /usr/sbin -# cp exports.5.gz /usr/share/man/man5 +# cp rpc.tlsclntd /usr/sbin +# cp rpc.tlsclntd.8.gz /usr/share/man/man8 You can copy the rc.d scripts as follows: # cd /usr/nfs-over-tls/rc.d -# cp rpctlscd rpctlssd /etc/rc.d +# cp tlsclntd tlsservd /etc/rc.d Almost done. Here's a few more things you need to do: # cd /etc @@ -128,7 +118,7 @@ First, a bit of background. NFS-over-TLS uses the KERN will only work on architectures that support a direct map, such as amd64 (not i386). Then daemons must be running on the NFS server(s) and NFS client(s) -for NFS-over-TLS to work. rpctlssd(8) for the server(s) and rpctlscd(8) +for NFS-over-TLS to work. rpc.tlsservd(8) for the server(s) and rpc.tlsclntd(8) for the client(s). Then you will have to create x509 certificate for at least the NFS server(s) and, optionally, some or all of the NFS clients. 
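Review bot: after "# cp tlsclntd tlsservd /etc/rc.d" the scripts are only run by rc(8) if they are executable, and a checkout or a plain cp does not guarantee that bit; add "# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd" (or use install -m 555) in the same step. The same applies to copying the freshly built rpc.tlsservd and rpc.tlsclntd into /usr/sbin with cp: install -m 555 -o root -g wheel makes the resulting mode and ownership deterministic instead of inheriting whatever the build directory produced.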
@@ -183,7 +173,7 @@ Now, you should be ready to create/sign certificates f (If this certificate is for a client laptop, you might want to use the "-aes256" option, so the key.pem file is encrypted using a passphrase. This implies that the passphrase will need to be entered when the - rpctlscd(8) daemon is started on the client, but that the key cannot + rpc.tlsclntd(8) daemon is started on the client, but that the key cannot be used without the passphrase, if it is compromised.) 4 - Create a Certificate Signing Request (CSR). @@ -226,7 +216,7 @@ If you want to look at the CSR: name .pem.) You can now copy key.pem and cert.pem to the directory -/etc/rpctlssd on the server(s) or /etc/rpctlscd on the client(s). +/etc/rpc.tlsservd on the server(s) or /etc/rpc.tlsclntd on the client(s). If you want to look at any certificate, you can use the command... # openssl x509 -in cert.pem -noout -text @@ -238,7 +228,7 @@ If you want certificates for clients, just repeat #3-5 If you have created certificates for any of your NFS client(s), you probably want to create a Certificate Revocation List (CRL) as well. The initial file will not have any revocations in it, but can be -provided to either/both of the rpctlssd(8) and rpctlscd(8) daemons, +provided to either/both of the rpc.tlsservd(8) and rpc.tlsclntd(8) daemons, then it can be reloaded by posting a SIGHUP to the daemon(s) when updated. This avoids restarting the daemon(s), which is not a good thing to do while there are NFS-over-TLS mount(s) to the NFS server. 
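Review bot: the -226 hunk tells the reader to copy key.pem and cert.pem into /etc/rpc.tlsservd or /etc/rpc.tlsclntd but says nothing about ownership or permissions; the private key is the whole secret here, so the document should require the directory and key.pem to be root-owned and unreadable by others (mode 0700 on the directory, 0600 on key.pem) and warn that a readable key.pem lets anyone who copies it present that machine's, or with an otherName certificate that user's, identity to the NFS server. The -183 hunk's -aes256 advice should also state the trade-off: an encrypted key has to be unlocked by hand, so rpc.tlsclntd cannot simply be started from rc.conf at boot on that laptop.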
@@ -264,9 +254,9 @@ of its identity to allow it to do an NFS mount from an For this case, you can also set the otherName field of the subjectAltName to "user@dns_domain" so that all RPCs will be performed on the server as "user", if you specify the "-u" -command line option for the rpctlssd(8) daemon on the NFS server. +command line option for the rpc.tlsservd(8) daemon on the NFS server. (If you do not want this feature simply do not set the otherName - field of subjectAltName or do not set "-u" on the rpctlssd(8) daemon.) + field of subjectAltName or do not set "-u" on the rpc.tlsservd(8) daemon.) Another case might be where you do not trust the client to use the correct IP address when mounting the NFS server, although the client 
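Review bot: the -264 hunk should say explicitly what -u implies for key handling: once the server maps every RPC on the connection to the "user" named in the certificate's otherName and ignores the RPC header credentials, the client's key.pem is equivalent to that user's password, so it must never be shared between machines and belongs in the CRL procedure described earlier (revoke, then SIGHUP the server daemon) the moment the client is lost or rebuilt. A sentence pointing the reader from here to the CRL section would close that loop.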
@@ -276,74 +266,74 @@ the FQDN of the client and enable the server to check the "-h" option. The FQDN in the client's certificate may have a wildcard "*" in it, depending on what command line options are specified for -the server's rpctlssd. +the server's rpc.tlsservd. For client(s) where you find controlling mount access via the client's IP address using the exports(5) file is sufficient and you are not using the "-u" command line option on the -server's rpctlssd, the client does not need to have a certificate. +server's rpc.tlsservd, the client does not need to have a certificate. You can still allow/require the client to use TLS so that the RPC traffic is encrypted on the wire. -Once you have key(s) and certificate(s) in the /etc/rpctlssd directory -on the NFS server(s) and in the /etc/rpctlscd directory on +Once you have key(s) and certificate(s) in the /etc/rpc.tlsservd directory +on the NFS server(s) and in the /etc/rpc.tlsclntd directory on the NFS client(s), you need to set the appropriate command line option(s) for the daemons. -The man pages for rpctlscd(8) and rpctlssd(8) cover the command line +The man pages for rpc.tlsclntd(8) and rpc.tlsservd(8) cover the command line options, but here are a few examples. For an NFS server: - An NFS server where no clients have certificates. -# rpctlssd +# rpc.tlsservd - An NFS server where some/all clients have certificates and you wish to verify them against your site local CA created above. -# rpctlssd -m -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem +# rpc.tlsservd -m -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem - An NFS server where all clients have certificates and FQDN names that are in the certificates (in either the subjectAltName DNS field or subjectName CN field) and you want to check the client's IP address reverse DNS maps to the FQDN. The FQDN in the client's certificate cannot have a wildcard "*" in it. 
-# rpctlssd -m -h -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem +# rpc.tlsservd -m -h -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem - Similar to the above, but the FQDN in the client's certificate may have a wildcard "*" in it, which will only match a single component of the client's reverse DNS name. For example, an FQDN set to "*.uoguelph.ca" will match "laptop21.uoguelph.ca", but not "laptop3.cis.uoguelph.ca". -# rpctlssd -m -h -w -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem +# rpc.tlsservd -m -h -w -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem - Similar to the above, except that a wildcard "*" in the FQDN can match multiple fields. For example, if the FQDN is set to "*.uoguelph.ca", it would match "laptop3.cis.uoguelph.ca" as well as "laptop21.uoguelph.ca". -# rpctlssd -m -h -W -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem +# rpc.tlsservd -m -h -W -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem - An NFS server where some client(s) have certificates with the otherName field of the subjectAltName set to "user@dns_domain" and you want those clients to use the for "user" in the password database for all RPCs on the connection, ignoring the credentials in the RPC header. -# rpctlssd -m -u -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem +# rpc.tlsservd -m -u -l /root/demoCA/cacert.pem -r /root/demoCA/crl.pem For an NFS client: - An NFS client without a certificate. -# rpctlscd +# rpc.tlsclntd -- An NFS client with a certificate and key in /etc/rpctlscd on the client +- An NFS client with a certificate and key in /etc/rpc.tlsclntd on the client created by the site local CA above that the server can use for verification. -# rpctlscd -m +# rpc.tlsclntd -m - An NFS client which wants to verify the NFS server's certificate. (This requires that the cacert.pem and crl.pem be copied onto the client from the CA site.) 
The FQDN in the server's certificate must match the reverse DNS name for the server's IP address and there cannot be a wildcard in the FQDN. -# rpctlscd -l -r +# rpc.tlsclntd -l -r -- An NFS client that has a certificate and key in /etc/rpctlscd and +- An NFS client that has a certificate and key in /etc/rpc.tlsclntd and also wishes to verify the NFS server's certificate as above. -# rpctlscd -m -l -r +# rpc.tlsclntd -m -l -r If you use either the "-m" and/or "-v" options, you probably want to modify your /etc/syslog.conf so that "LOG_INFO | LOG_DAEMON" goes somewhere. 
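Review bot: the -W example in the -276 hunk needs a warning: letting "*.uoguelph.ca" match "laptop3.cis.uoguelph.ca" is outside the single-label wildcard rule of RFC 6125, so any host whose reverse DNS ends in the domain, including sub-zones the site CA never meant to cover, passes the FQDN check; plain -h is the strict option, -w matches one label, and -W should be documented as a deliberate loosening. All three compare the certificate FQDN against the reverse DNS of the client's IP address, so the check is only as trustworthy as whoever controls the in-addr.arpa/ip6.arpa zone for that network; the document should say so rather than present it as equivalent to verifying the certificate itself. Typo in the same hunk: "use the for "user" in the password database".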
@@ -353,10 +343,10 @@ it will log a lot of other stuff, as well. Once you have set things up, you can add line(s) to your /etc/rc.conf for the daemon(s): For the client: -rpctlscd_enable="YES" +tlsclntd_enable="YES" For the server: -rpctlssd_enable="YES" +tlsservd_enable="YES" -- plus rpctlscd_flags and/or rpctlssd_flags if you are using command line +- plus tlsclntd_flags and/or tlsservd_flags if you are using command line options for these (see below).
From: Rick Macklem
Date: Thu, 3 Sep 2020 22:20:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365314 - projects/nfs-over-tls

Author: rmacklem Date: Thu Sep 3 22:20:27 2020 New Revision: 365314 URL: https://svnweb.freebsd.org/changeset/base/365314 Log: Update the setup doc for startup of the daemons. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Thu Sep 3 22:11:01 2020 (r365313) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Thu Sep 3 22:20:27 2020 (r365314)
@@ -284,6 +284,12 @@ The man pages for rpc.tlsclntd(8) and rpc.tlsservd(8) options, but here are a few examples. For an NFS server: +(Although these examples show the daemons started via a command line, the + options should normally be specified via the tls[clnt|serv]d_flags line + in /etc/rc.conf and then they are started upon boot. + To start them without use of the /etc/rc.d scripts, you will need to + add "/usr/ktls/lib" to your ldconfig_paths via rc.conf or similar. + Otherwise it will complain it cannot find the correct ssl library.) - An NFS server where no clients have certificates. # rpc.tlsservd 
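Review bot: the new paragraph in the -284 hunk has root-privileged daemons that hold the server's private key loading libssl from /usr/ktls/lib via ldconfig_paths (and, in the next hunk, via LD_LIBRARY_PATH in tlsclntd_env/tlsservd_env); the document should require that /usr/ktls/lib and everything in it are owned by root and not writable by anyone else, because a writable directory on that search path is a direct route to code execution as root inside rpc.tlsservd. Of the two mechanisms, the per-daemon LD_LIBRARY_PATH is preferable to a system-wide ldconfig_paths change, which also switches every other dynamically linked program on the host to the patched OpenSSL; the text presents the ldconfig route only for manual starts, which is fine, but it should say so explicitly.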
@@ -344,9 +350,11 @@ Once you have set things up, you can add line(s) to yo for the daemon(s): For the client: tlsclntd_enable="YES" +tlsclntd_env="LD_LIBRARY_PATH=/usr/ktls/lib" For the server: tlsservd_enable="YES" +tlsservd_env="LD_LIBRARY_PATH=/usr/ktls/lib" - plus tlsclntd_flags and/or tlsservd_flags if you are using command line options for these (see below).
From: Rick Macklem
Date: Fri, 4 Sep 2020 00:47:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365323 - projects/nfs-over-tls/usr.sbin/rpc.tlsservd

Author: rmacklem Date: Fri Sep 4 00:47:26 2020 New Revision: 365323 URL: https://svnweb.freebsd.org/changeset/base/365323 Log: Fix the path name of the certificate directory in the man page. Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 Modified: projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 ============================================================================== --- projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 Fri Sep 4 00:25:02 2020 (r365322) +++ projects/nfs-over-tls/usr.sbin/rpc.tlsservd/rpc.tlsservd.8 Fri Sep 4 00:47:26 2020 (r365323) @@ -107,7 +107,7 @@ or options to require that the client certificate have the correct Fully Qualified Domain Name (FQDN) in it. .Pp -A certificate and associated key must exist in /etc/rpctlssd +A certificate and associated key must exist in /etc/rpc.tlsservd (or the .Dq certdir specified by the
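Review bot: the -107 hunk fixes the directory name but the man page still does not say how the key must be protected; where it states that a certificate and key must exist in /etc/rpc.tlsservd, add the ownership and mode the daemon expects for key.pem (root-only), and in the -D description that follows note that certdir must end in "/", since the rpctls_setup_ssl() shown earlier in this digest appends "cert.pem" and "key.pem" to it without inserting a separator.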
@@ -135,7 +135,7 @@ The options are as follows: .It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir Use .Dq certdir -instead of /etc/rpctlssd as the location for the +instead of /etc/rpc.tlsservd as the location for the certificate in a file called .Dq cert.pem and key in
From: Rick Macklem
Date: Fri, 4 Sep 2020 02:22:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365324 - projects/nfs-over-tls

Author: rmacklem Date: Fri Sep 4 02:22:27 2020 New Revision: 365324 URL: https://svnweb.freebsd.org/changeset/base/365324 Log: Add a line to the setup doc to make sure that the scripts are executable. Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt Modified: projects/nfs-over-tls/nfs-over-tls-setup.txt ============================================================================== --- projects/nfs-over-tls/nfs-over-tls-setup.txt Fri Sep 4 00:47:26 2020 (r365323) +++ projects/nfs-over-tls/nfs-over-tls-setup.txt Fri Sep 4 02:22:27 2020 (r365324)
@@ -102,6 +102,7 @@ And now you should be able to build/install the utilit You can copy the rc.d scripts as follows: # cd /usr/nfs-over-tls/rc.d # cp tlsclntd tlsservd /etc/rc.d +# chmod 555 /etc/rc.d/tlsclntd /etc/rc.d/tlsservd Almost done. Here's a few more things you need to do: # cd /etc
From: Rick Macklem
Date: Sat, 5 Sep 2020 00:26:49 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365352 - in projects/nfs-over-tls/usr.sbin: mountd rpctlscd rpctlssd

Author: rmacklem
Date: Sat Sep 5 00:26:49 2020
New Revision: 365352
URL: https://svnweb.freebsd.org/changeset/base/365352

Log:
  Remove the old version of the rpctls daemons, plus mountd.
  In the case of mountd, the modifications are now in head.
  For the rpctls daemons, the new versions are in rpc.tlsclntd and rpc.tlsservd.
Deleted:
  projects/nfs-over-tls/usr.sbin/mountd/
  projects/nfs-over-tls/usr.sbin/rpctlscd/
  projects/nfs-over-tls/usr.sbin/rpctlssd/

From owner-svn-src-projects@freebsd.org Sat Sep 5 00:28:22 2020
From: Rick Macklem
Date: Sat, 5 Sep 2020 00:28:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r365353 - projects/nfs-over-tls/rc.d

Author: rmacklem
Date: Sat Sep 5 00:28:21 2020
New Revision: 365353
URL: https://svnweb.freebsd.org/changeset/base/365353

Log:
  Remove the old version of the rc.d startup scripts for the daemons.

Deleted:
  projects/nfs-over-tls/rc.d/rpctlscd
  projects/nfs-over-tls/rc.d/rpctlssd