Date: Fri, 3 Apr 2020 23:00:26 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r359625 - in projects/nfs-over-tls/sys/fs: nfs nfsserver Message-ID: <202004032300.033N0QPm030415@repo.freebsd.org>
Author: rmacklem Date: Fri Apr 3 23:00:26 2020 New Revision: 359625 URL: https://svnweb.freebsd.org/changeset/base/359625 Log: Fix up the handling of the "tls" and "tlscert" export options and add support for the "tlscertuser" export option. Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h projects/nfs-over-tls/sys/fs/nfs/nfsdport.h projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 23:00:26 2020 (r359625)
@@ -719,8 +719,10 @@ struct nfsrv_descript {
 #define ND_NOMAP 0x800000000
 #define ND_TLS 0x1000000000
 #define ND_TLSCERT 0x2000000000
-#define ND_EXTLS 0x4000000000
-#define ND_EXTLSCERT 0x8000000000
+#define ND_TLSCNUSER 0x4000000000
+#define ND_EXTLS 0x8000000000
+#define ND_EXTLSCERT 0x10000000000
+#define ND_EXTLSCNUSER 0x20000000000
 /*
 * ND_GSS should be the "or" of all GSS type authentications.
Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 23:00:26 2020 (r359625)
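Review bot: The flags added at ND_TLSCNUSER and ND_EXTLSCNUSER carry no comment saying what they assert, although this header explains ND_GSS two lines below; from the other hunks of this commit, ND_TLSCNUSER is set when the transport reports RPCTLS_FLAGS_CNUSER and ND_EXTLSCNUSER when the export carries MNTEX_TLSCNUSER (the "tlscertuser" option), so a one-line comment per flag such as `/* ND_TLSCNUSER: transport set RPCTLS_FLAGS_CNUSER; ND_EXTLSCNUSER: export has MNTEX_TLSCNUSER ("tlscertuser") */` would record that. Inserting ND_TLSCNUSER before ND_EXTLS also renumbers ND_EXTLS and ND_EXTLSCERT; harmless for a full rebuild, but appending new bits after the existing ones keeps the old values stable for any object not rebuilt against the new header. Neither MNTEX_TLSCNUSER nor RPCTLS_FLAGS_CNUSER is defined in the five files this revision touches, so the build presumably relies on an earlier revision providing them.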
@@ -83,6 +83,7 @@ struct nfsexstuff {
 #define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY)
 #define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS)
 #define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT)
+#define NFSVNO_EXTLSCNUSER(e) ((e)->nes_exflag & MNTEX_TLSCNUSER)
 #define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY))
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -243,6 +243,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 nd.nd_flag |= ND_TLS;
 if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0)
 nd.nd_flag |= ND_TLSCERT;
+ if ((xprt->xp_tls & RPCTLS_FLAGS_CNUSER) != 0)
+ nd.nd_flag |= ND_TLSCNUSER;
 }
 nd.nd_maxextsiz = 16384;
 #ifdef MAC
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -3351,14 +3351,14 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh
 /*
 * If TLS is required by the export, check the flags in nd_flag.
 */
-printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag);
 if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) && (nd->nd_flag & ND_TLS) == 0) || (NFSVNO_EXTLSCERT(exp) &&
- (nd->nd_flag & ND_TLSCERT) == 0))) {
+ (nd->nd_flag & ND_TLSCERT) == 0) ||
+ (NFSVNO_EXTLSCNUSER(exp) &&
+ (nd->nd_flag & ND_TLSCNUSER) == 0))) {
 vput(*vpp);
 nd->nd_repstat = NFSERR_ACCES;
-printf("set eacces\n");
 }
 /*
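Review bot: In the nfs_nfsdkrpc.c hunk ND_TLSCNUSER is set from RPCTLS_FLAGS_CNUSER alone, independent of the RPCTLS_FLAGS_VERIFIED test on the line above it, so a request can carry ND_TLSCNUSER without ND_TLSCERT unless the TLS daemon guarantees that CNUSER is only ever reported together with VERIFIED, which this commit cannot show. Because nfsd_checkrootexp in nfs_nfsdsubs.c accepts an ND_EXTLSCNUSER export on ND_TLSCNUSER alone, tying the flag to a verified certificate here keeps the server side self-contained: `if ((xprt->xp_tls & (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CNUSER)) == (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CNUSER))`. The enclosing block whose closing brace appears in the hunk starts before it.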
@@ -3625,11 +3625,12 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd)
 }
 /* And set ND_EXxx flags for TLS. */
-printf("v4root exflags=0x%x\n", exflags);
- if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ if ((exflags & MNTEX_TLS) != 0) {
 nd->nd_flag |= ND_EXTLS;
- if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0)
+ if ((exflags & MNTEX_TLSCERT) != 0)
 nd->nd_flag |= ND_EXTLSCERT;
+ if ((exflags & MNTEX_TLSCNUSER) != 0)
+ nd->nd_flag |= ND_EXTLSCNUSER;
 }
 out:
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -2130,21 +2130,28 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
 {
 if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS)
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) ==
 (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY))
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) ==
 (ND_GSSPRIVACY | ND_EXGSSPRIVACY))
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY |
 ND_EXGSS)) == (ND_GSS | ND_EXGSS))
+ goto checktls;
+ return (1);
+checktls:
+ if ((nd->nd_flag & ND_EXTLS) == 0)
 return (0);
- if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) ==
+ if ((nd->nd_flag & (ND_TLSCNUSER | ND_EXTLSCNUSER)) ==
+ (ND_TLSCNUSER | ND_EXTLSCNUSER))
+ return (0);
+ if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCNUSER)) ==
 (ND_TLSCERT | ND_EXTLSCERT))
 return (0);
- if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) ==
- (ND_EXTLS | ND_TLS))
+ if ((nd->nd_flag & (ND_TLS | ND_EXTLSCNUSER | ND_EXTLSCERT)) ==
+ ND_TLS)
 return (0);
 return (1);
 }
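Review bot: In nfsvno_v4rootexport the ND_EXTLSCERT and ND_EXTLSCNUSER bits are only derived inside the `(exflags & MNTEX_TLS) != 0` block, whereas the NFSVNO_EXTLSCERT()/NFSVNO_EXTLSCNUSER() macros that nfsd_fhtovp uses test each MNTEX_ bit on its own, so an export flagged MNTEX_TLSCERT or MNTEX_TLSCNUSER without MNTEX_TLS would be enforced on ordinary exports but silently skipped for the V4 root. Unless mountd guarantees that the cert options always come with MNTEX_TLS (not visible here), widening the outer test removes the discrepancy: `if ((exflags & (MNTEX_TLS | MNTEX_TLSCERT | MNTEX_TLSCNUSER)) != 0) {`, with the ND_EXTLS assignment inside it left as is. nfsvno_v4rootexport begins before this hunk.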
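Review bot: After the checktls label, the second comparison admits an export carrying both ND_EXTLSCERT and ND_EXTLSCNUSER on ND_TLSCNUSER alone, since its mask never tests ND_TLSCERT, while nfsd_fhtovp in this same commit rejects the request unless each of ND_TLS, ND_TLSCERT and ND_TLSCNUSER is present whenever the matching export flag is set. Whether that gap is reachable depends on the TLS daemon never reporting CNUSER without VERIFIED, which the commit cannot show; writing the requirement per flag, as nfsd_fhtovp does, makes the two paths agree and replaces three masked comparisons with a rule that is easy to check by eye. Rewritten tail of nfsd_checkrootexp:
```c
	/* … unchanged: AUTH_SYS / GSS checks that goto checktls, else return (1) … */
checktls:
	/* Same per-flag rule as nfsd_fhtovp(): each export requirement must be met. */
	if ((nd->nd_flag & ND_EXTLS) != 0 && (nd->nd_flag & ND_TLS) == 0)
		return (1);
	if ((nd->nd_flag & ND_EXTLSCERT) != 0 && (nd->nd_flag & ND_TLSCERT) == 0)
		return (1);
	if ((nd->nd_flag & ND_EXTLSCNUSER) != 0 &&
	    (nd->nd_flag & ND_TLSCNUSER) == 0)
		return (1);
	return (0);
}
```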