From: Rick Macklem
Date: Fri, 3 Apr 2020 23:00:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r359625 - in projects/nfs-over-tls/sys/fs: nfs nfsserver
X-SVN-Group: projects
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: in projects/nfs-over-tls/sys/fs: nfs nfsserver
X-SVN-Commit-Revision: 359625
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src " projects" tree"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 03 Apr 2020 23:00:38 -0000
Author: rmacklem
Date: Fri Apr 3 23:00:26 2020
New Revision: 359625
URL: https://svnweb.freebsd.org/changeset/base/359625
Log:
Fix up the handling of the "tls" and "tlscert" export options and add support for the "tlscertuser" export option.
Modified:
projects/nfs-over-tls/sys/fs/nfs/nfs.h
projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs.h Fri Apr 3 23:00:26 2020 (r359625)
@@ -719,8 +719,10 @@ struct nfsrv_descript {
 #define ND_NOMAP 0x800000000
 #define ND_TLS 0x1000000000
 #define ND_TLSCERT 0x2000000000
-#define ND_EXTLS 0x4000000000
-#define ND_EXTLSCERT 0x8000000000
+#define ND_TLSCNUSER 0x4000000000
+#define ND_EXTLS 0x8000000000
+#define ND_EXTLSCERT 0x10000000000
+#define ND_EXTLSCNUSER 0x20000000000
 /*
 * ND_GSS should be the "or" of all GSS type authentications.
Modified: projects/nfs-over-tls/sys/fs/nfs/nfsdport.h
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfs/nfsdport.h Fri Apr 3 23:00:26 2020 (r359625)
@@ -83,6 +83,7 @@ struct nfsexstuff {
 #define NFSVNO_EXV4ONLY(e) ((e)->nes_exflag & MNT_EXV4ONLY)
 #define NFSVNO_EXTLS(e) ((e)->nes_exflag & MNTEX_TLS)
 #define NFSVNO_EXTLSCERT(e) ((e)->nes_exflag & MNTEX_TLSCERT)
+#define NFSVNO_EXTLSCNUSER(e) ((e)->nes_exflag & MNTEX_TLSCNUSER)
 #define NFSVNO_SETEXRDONLY(e) ((e)->nes_exflag = (MNT_EXPORTED|MNT_EXRDONLY))
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Apr 3 23:00:26 2020 (r359625)
@@ -243,6 +243,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 nd.nd_flag |= ND_TLS;
 if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0)
 nd.nd_flag |= ND_TLSCERT;
+ if ((xprt->xp_tls & RPCTLS_FLAGS_CNUSER) != 0)
+ nd.nd_flag |= ND_TLSCNUSER;
 }
 nd.nd_maxextsiz = 16384;
 #ifdef MAC
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdport.c Fri Apr 3 23:00:26 2020 (r359625)
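Review bot: The added ND_TLSCNUSER bit in nfssvc_program is derived from RPCTLS_FLAGS_CNUSER alone, with no check of RPCTLS_FLAGS_VERIFIED, so whether a "tlscertuser" export actually implies a verified client certificate rests entirely on the daemon that fills xp_tls never reporting a CN user for an unverified certificate, and that invariant is not visible in this change. If it is not guaranteed, the added test should be `if ((xprt->xp_tls & (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CNUSER)) == (RPCTLS_FLAGS_VERIFIED | RPCTLS_FLAGS_CNUSER))`; if it is, a comment such as `/* CNUSER is only set by rpctlssd for a VERIFIED cert, so it implies ND_TLSCERT. */` above the new line records why the weaker test is safe. The nfs.h renumbering moves ND_EXTLS/ND_EXTLSCERT to new bit positions, which is fine as long as nothing outside the kernel persists nd_flag values. nfssvc_program starts and ends outside the hunk.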
@@ -3351,14 +3351,14 @@ nfsd_fhtovp(struct nfsrv_descript *nd, struct nfsrvfh
 /*
 * If TLS is required by the export, check the flags in nd_flag.
 */
-printf("ndflag=0x%jx exflags=0x%x\n", (uintmax_t)nd->nd_flag, exp->nes_exflag);
 if (nd->nd_repstat == 0 && ((NFSVNO_EXTLS(exp) && (nd->nd_flag & ND_TLS) == 0) || (NFSVNO_EXTLSCERT(exp) &&
- (nd->nd_flag & ND_TLSCERT) == 0))) {
+ (nd->nd_flag & ND_TLSCERT) == 0) ||
+ (NFSVNO_EXTLSCNUSER(exp) &&
+ (nd->nd_flag & ND_TLSCNUSER) == 0))) {
 vput(*vpp);
 nd->nd_repstat = NFSERR_ACCES;
-printf("set eacces\n");
 }
 /*
@@ -3625,11 +3625,12 @@ nfsvno_v4rootexport(struct nfsrv_descript *nd)
 }
 /* And set ND_EXxx flags for TLS. */
-printf("v4root exflags=0x%x\n", exflags);
- if ((exflags & RPCTLS_FLAGS_HANDSHAKE) != 0) {
+ if ((exflags & MNTEX_TLS) != 0) {
 nd->nd_flag |= ND_EXTLS;
- if ((exflags & RPCTLS_FLAGS_VERIFIED) != 0)
+ if ((exflags & MNTEX_TLSCERT) != 0)
 nd->nd_flag |= ND_EXTLSCERT;
+ if ((exflags & MNTEX_TLSCNUSER) != 0)
+ nd->nd_flag |= ND_EXTLSCNUSER;
 }
 out:
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 22:46:08 2020 (r359624)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdsubs.c Fri Apr 3 23:00:26 2020 (r359625)
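Review bot: In nfsvno_v4rootexport the MNTEX_TLSCERT and MNTEX_TLSCNUSER bits are only translated into ND_EXTLSCERT/ND_EXTLSCNUSER inside the `if ((exflags & MNTEX_TLS) != 0)` block, so an export record carrying MNTEX_TLSCERT or MNTEX_TLSCNUSER without MNTEX_TLS imposes no TLS requirement on the V4 root at all, whereas nfsd_fhtovp in the previous hunk enforces each of the three export flags independently and would refuse such a client with NFSERR_ACCES. Unless mountd is guaranteed to set MNTEX_TLS whenever it sets either of the other two (not visible here), the two paths disagree in the direction of a silent downgrade on the root. The robust form is to open the block on any of the three bits, `if ((exflags & (MNTEX_TLS | MNTEX_TLSCERT | MNTEX_TLSCNUSER)) != 0) {`, leaving the inner tests as they are; if the invariant does hold, a one-line comment saying so above the `if` would keep the next reader from raising the same question. nfsvno_v4rootexport starts outside the hunk.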
@@ -2130,21 +2130,28 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
 {
 if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS)
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) == (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY))
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSSPRIVACY | ND_EXGSSPRIVACY)) == (ND_GSSPRIVACY | ND_EXGSSPRIVACY))
- return (0);
+ goto checktls;
 if ((nd->nd_flag & (ND_GSS | ND_GSSINTEGRITY | ND_GSSPRIVACY | ND_EXGSS)) == (ND_GSS | ND_EXGSS))
+ goto checktls;
+ return (1);
+checktls:
+ if ((nd->nd_flag & ND_EXTLS) == 0)
 return (0);
- if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT)) ==
+ if ((nd->nd_flag & (ND_TLSCNUSER | ND_EXTLSCNUSER)) ==
+ (ND_TLSCNUSER | ND_EXTLSCNUSER))
+ return (0);
+ if ((nd->nd_flag & (ND_TLSCERT | ND_EXTLSCERT | ND_EXTLSCNUSER)) ==
 (ND_TLSCERT | ND_EXTLSCERT))
 return (0);
- if ((nd->nd_flag & (ND_EXTLSCERT | ND_EXTLS | ND_TLS)) ==
- (ND_EXTLS | ND_TLS))
+ if ((nd->nd_flag & (ND_TLS | ND_EXTLSCNUSER | ND_EXTLSCERT)) ==
+ ND_TLS)
 return (0);
 return (1);
 }
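Review bot: The precedence the four tests after `checktls:` implement — a "tlscertuser" root requires ND_TLSCNUSER, a "tlscert" root requires ND_TLSCERT and only a plain "tls" root is satisfied by ND_TLS, with a client that meets only a weaker level refused — is stated nowhere, and neither is the return convention (0 means the request may proceed, 1 means it is refused), which a reader has to reconstruct from the callers. A short comment above the label along the lines of `/* Flavor accepted; now apply the export's TLS requirement. Only the strongest required level counts: tlscertuser -> ND_TLSCNUSER, tlscert -> ND_TLSCERT, tls -> ND_TLS. Return 0 to allow, 1 to refuse. */` would cover both. The first test also accepts ND_TLSCNUSER without looking at ND_TLSCERT, so it relies on the RPC layer never reporting a CN user for an unverified certificate; if that invariant holds it belongs in the same comment, and if it does not the mask should include ND_TLSCERT on both sides.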