git: 744c2dc7dde4 - main - rpc: Delete AUTH_NEEDS_TLS(_MUTUAL_HOST) auth_stat values
Date: Thu, 23 Dec 2021 22:35:59 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=744c2dc7dde4ee1e1efc9630439682ea0dc338db
commit 744c2dc7dde4ee1e1efc9630439682ea0dc338db
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-12-23 22:31:53 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-12-23 22:31:53 +0000
rpc: Delete AUTH_NEEDS_TLS(_MUTUAL_HOST) auth_stat values
I thought that these new auth_stat values had been agreed
upon by the IETF NFSv4 working group, but that no longer
is the case. As such, delete them and use AUTH_TOOWEAK
instead. Leave the code that uses these new auth_stat
values in the sources #ifdef notnow, in case they are
defined in the future.
MFC after: 1 week
---
sys/fs/nfsserver/nfs_nfsdport.c | 5 +++++
sys/fs/nfsserver/nfs_nfsdsubs.c | 4 ++++
sys/rpc/auth.h | 6 ------
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c
index 5c3280b55d7a..943523d2da14 100644
--- a/sys/fs/nfsserver/nfs_nfsdport.c
+++ b/sys/fs/nfsserver/nfs_nfsdport.c
@@ -4053,10 +4053,15 @@ nfsvno_testexp(struct nfsrv_descript *nd, struct nfsexstuff *exp)
(nd->nd_flag & ND_TLSCERTUSER) == 0))) {
if ((nd->nd_flag & ND_NFSV4) != 0)
return (NFSERR_WRONGSEC);
+#ifdef notnow
+ /* There is currently no auth_stat for this. */
else if ((nd->nd_flag & ND_TLS) == 0)
return (NFSERR_AUTHERR | AUTH_NEEDS_TLS);
else
return (NFSERR_AUTHERR | AUTH_NEEDS_TLS_MUTUAL_HOST);
+#endif
+ else
+ return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
/*
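Review bot: The new `else` / `return (NFSERR_AUTHERR | AUTH_TOOWEAK);` placed after `#endif` follows an `else` that already sits inside the `#ifdef notnow` region, so a build with `notnow` defined would have two consecutive `else` branches on the same `if` and would not compile. The commit message says the disabled code is kept in case the values are defined later, so the fallback belongs in the other preprocessor arm: change the `#endif` to `#else`, keep the `else` and `return (NFSERR_AUTHERR | AUTH_TOOWEAK);` lines, then add `#endif`. The `checktls` hunk in nfs_nfsdsubs.c has a milder form of the same problem: with `notnow` defined, its trailing AUTH_TOOWEAK return becomes unreachable. The body of nfsvno_testexp starts and ends outside this hunk.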
diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c b/sys/fs/nfsserver/nfs_nfsdsubs.c
index 8dc193a314e5..ca691941ed0d 100644
--- a/sys/fs/nfsserver/nfs_nfsdsubs.c
+++ b/sys/fs/nfsserver/nfs_nfsdsubs.c
@@ -2145,9 +2145,13 @@ checktls:
if ((nd->nd_flag & (ND_TLS | ND_EXTLSCERTUSER | ND_EXTLSCERT)) ==
ND_TLS)
return (0);
+#ifdef notnow
+ /* There is currently no auth_stat for this. */
if ((nd->nd_flag & ND_TLS) == 0)
return (NFSERR_AUTHERR | AUTH_NEEDS_TLS);
return (NFSERR_AUTHERR | AUTH_NEEDS_TLS_MUTUAL_HOST);
+#endif
+ return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
/*
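Review bot: The only explanation, `/* There is currently no auth_stat for this. */`, sits inside the `#ifdef notnow` region, so the live `return (NFSERR_AUTHERR | AUTH_TOOWEAK);` has no comment saying why a generic status is used for a TLS requirement. Judging from the disabled lines, this one status now covers two different rejections (no TLS at all, and TLS without whatever the export's certificate flags require), which a client can no longer tell apart from the reply. I would move the comment above the live return and say so, for example `/* No TLS-specific auth_stat exists; AUTH_TOOWEAK covers both the no-TLS case and the case the disabled code reported as AUTH_NEEDS_TLS_MUTUAL_HOST. */`. The enclosing function starts outside this hunk, so the exact conditions that reach `checktls` should be confirmed against the full source.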
diff --git a/sys/rpc/auth.h b/sys/rpc/auth.h
index 5444f6180c5e..0752e72de95e 100644
--- a/sys/rpc/auth.h
+++ b/sys/rpc/auth.h
@@ -138,7 +138,6 @@ enum auth_stat {
/*
* kerberos errors
*/
- ,
AUTH_KERB_GENERIC = 8, /* kerberos generic error */
AUTH_TIMEEXPIRE = 9, /* time of credential expired */
AUTH_TKT_FILE = 10, /* something wrong with ticket file */
@@ -150,11 +149,6 @@ enum auth_stat {
*/
RPCSEC_GSS_CREDPROBLEM = 13,
RPCSEC_GSS_CTXPROBLEM = 14,
- /*
- * RPC-over-TLS errors
- */
- AUTH_NEEDS_TLS = 15,
- AUTH_NEEDS_TLS_MUTUAL_HOST = 16,
/* Also used by RPCSEC_TLS for the same purpose */
RPCSEC_GSS_NODISPATCH = 0x8000000
};