Date: Wed, 13 Apr 2022 14:58:30 GMT
Message-Id: <202204131458.23DEwUc8010461@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: 6cabeb169ef4 - stable/13 - nfsd: Do not exempt NFSv3 Fsinfo from the TLS check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 6cabeb169ef4d5cc4f824a54129186d3fdc61626

The branch stable/13 has been updated by rmacklem:

URL:
https://cgit.FreeBSD.org/src/commit/?id=6cabeb169ef4d5cc4f824a54129186d3fdc61626

commit 6cabeb169ef4d5cc4f824a54129186d3fdc61626
Author:     Rick Macklem
AuthorDate: 2022-03-10 00:52:42 +0000
Commit:     Rick Macklem
CommitDate: 2022-04-13 14:55:45 +0000

    nfsd: Do not exempt NFSv3 Fsinfo from the TLS check

    The Fsinfo RPC is exempt from the check for Kerberized NFS being
    required, as recommended by RFC2623. However, there is no reason to
    exempt Fsinfo from the requirement to use TLS. This patch fixes the
    code so that the exemption only applies to Kerberized NFS and not
    NFS-over-TLS.

    This only affects NFS-over-TLS for an NFSv3 mount when it is required,
    but the client does not do so.

    (cherry picked from commit 3fc3fe90915f02e25b4f1d5070e8e01e465e873d)

--- sys/fs/nfsserver/nfs_nfsdport.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c index d63a788177b0..70243fa7ed2f 100644 --- a/sys/fs/nfsserver/nfs_nfsdport.c +++ b/sys/fs/nfsserver/nfs_nfsdport.c @@ -4053,16 +4053,11 @@ nfsvno_testexp(struct nfsrv_descript *nd, struct nfsexstuff *exp) { int i; - /* - * Allow NFSv3 Fsinfo per RFC2623. - */ - if (((nd->nd_flag & ND_NFSV4) != 0 || - nd->nd_procnum != NFSPROC_FSINFO) && - ((NFSVNO_EXTLS(exp) && (nd->nd_flag & ND_TLS) == 0) || - (NFSVNO_EXTLSCERT(exp) && - (nd->nd_flag & ND_TLSCERT) == 0) || - (NFSVNO_EXTLSCERTUSER(exp) && - (nd->nd_flag & ND_TLSCERTUSER) == 0))) { + if ((NFSVNO_EXTLS(exp) && (nd->nd_flag & ND_TLS) == 0) || + (NFSVNO_EXTLSCERT(exp) && + (nd->nd_flag & ND_TLSCERT) == 0) || + (NFSVNO_EXTLSCERTUSER(exp) && + (nd->nd_flag & ND_TLSCERTUSER) == 0)) { if ((nd->nd_flag & ND_NFSV4) != 0) return (NFSERR_WRONGSEC); #ifdef notnow 
@@ -4076,6 +4071,13 @@ nfsvno_testexp(struct nfsrv_descript *nd, struct nfsexstuff *exp) return (NFSERR_AUTHERR | AUTH_TOOWEAK); } + /* + * RFC2623 suggests that the NFSv3 Fsinfo RPC be allowed to use + * AUTH_NONE or AUTH_SYS for file systems requiring RPCSEC_GSS. + */ + if ((nd->nd_flag & ND_NFSV3) != 0 && nd->nd_procnum == NFSPROC_FSINFO) + return (0); + /* * This seems odd, but allow the case where the security flavor * list is empty. This happens when NFSv4 is traversing non-exported @@ -6721,18 +6723,15 @@ nfsm_trimtrailing(struct nfsrv_descript *nd, struct mbuf *mb, char *bpos, * Check to see if a put file handle operation should test for * NFSERR_WRONGSEC, although NFSv3 actually returns NFSERR_AUTHERR. * When Open is the next operation, NFSERR_WRONGSEC cannot be - * replied for the Open cases that use a component. Thia can + * replied for the Open cases that use a component. This can * be identified by the fact that the file handle's type is VDIR. */ bool nfsrv_checkwrongsec(struct nfsrv_descript *nd, int nextop, enum vtype vtyp) { - if ((nd->nd_flag & ND_NFSV4) == 0) { - if (nd->nd_procnum == NFSPROC_FSINFO) - return (false); + if ((nd->nd_flag & ND_NFSV4) == 0) return (true); - } if ((nd->nd_flag & ND_LASTOP) != 0) return (false);
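Review bot: in the first hunk (@@ -4053) the dropped comment "Allow NFSv3 Fsinfo per RFC2623" was the only explanation of the old exemption, and the new unconditional TLS check now carries no comment at all; a one-line comment above the new "if" stating that the TLS requirement deliberately has no Fsinfo exemption would stop a later reader from re-adding the RFC2623 carve-out here. It is also worth noting in the commit message, since the context lines of the next hunk show that the non-NFSv4 path replies NFSERR_AUTHERR | AUTH_TOOWEAK, that an NFSv3 client which does not use TLS on an export that requires it now fails at Fsinfo, which is normally the first RPC after mount, rather than at some later operation.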
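Review bot: in the second hunk (@@ -4076) the new early "return (0)" for NFSv3 Fsinfo sits after the TLS block, so it only bypasses the security-flavor check that follows, which is the split the commit message describes; however, the test is now "(nd->nd_flag & ND_NFSV3) != 0 && nd->nd_procnum == NFSPROC_FSINFO", whereas the removed condition exempted every non-NFSv4 request whose nd_procnum was NFSPROC_FSINFO. That narrowing is harmless only if Fsinfo is an NFSv3-only procedure, so the new comment should say that RFC2623's recommendation is specific to NFSv3 (it currently just says "the NFSv3 Fsinfo RPC") to make the change of scope visible to the next reader.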
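Review bot: the third hunk (@@ -6721) makes nfsrv_checkwrongsec() return true for every non-NFSv4 request, so an NFSv3 Fsinfo is now always checked by the caller and the Kerberos exemption is handled solely by the early return added to nfsvno_testexp() in the previous hunk; the function comment above, which only says that NFSv3 returns NFSERR_AUTHERR, should mention that the Fsinfo exemption now lives in nfsvno_testexp(), since the two functions must stay consistent. The "Thia" to "This" typo fix in the same hunk is unrelated to the functional change and would usually go in a separate commit.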