git: 56e9d8e38e7e - main - nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty

[Rick Macklem]

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=56e9d8e38e7eed84901acddca24170eb352d2ed6

commit 56e9d8e38e7eed84901acddca24170eb352d2ed6
Author:     Rick Macklem <rmacklem at FreeBSD.org>
AuthorDate: 2021-06-05 03:31:20 +0000
Commit:     Rick Macklem <rmacklem at FreeBSD.org>
CommitDate: 2021-06-05 03:31:20 +0000

    nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty
    
    Commit 947bd2479ba9 added support for the Secinfo_no_name operation.
    When a non-exported file system is being traversed, the list of
    security flavors is empty.  It turns out that the Linux client
    mount attempt fails when the security flavors list in the
    Secinfo_no_name reply is empty.
    
    This patch modifies Secinfo/Secinfo_no_name so that it replies
    with all four security flavors when the list is empty.
    This fixes Linux NFSv4.1/4.2 mounts when the file system at
    the NFSv4 root (as specified on a V4: exports(5) line) is
    not exported.
    
    MFC after:      2 weeks
---
 sys/fs/nfsserver/nfs_nfsdserv.c | 50 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index f4d6dbe42a21..d7049ba1fed8 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -3709,6 +3709,31 @@ nfsrvd_secinfo(struct nfsrv_descript *nd, int isdgram,
 	 */
 	len = 0;
 	NFSM_BUILD(sizp, u_int32_t *, NFSX_UNSIGNED);
+
+	/* If nes_numsecflavor == 0, all are allowed. */
+	if (retnes.nes_numsecflavor == 0) {
+		NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(RPCAUTH_UNIX);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY);
+		len = 4;
+	}
 	for (i = 0; i < retnes.nes_numsecflavor; i++) {
 		if (retnes.nes_secflavors[i] == AUTH_SYS) {
 			NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED);
@@ -3819,6 +3844,31 @@ nfsrvd_secinfononame(struct nfsrv_descript *nd, int isdgram,
 	 */
 	len = 0;
 	NFSM_BUILD(sizp, uint32_t *, NFSX_UNSIGNED);
+
+	/* If nes_numsecflavor == 0, all are allowed. */
+	if (retnes.nes_numsecflavor == 0) {
+		NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(RPCAUTH_UNIX);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY);
+		*tl = txdr_unsigned(RPCAUTH_GSS);
+		nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+		    nfsgss_mechlist[KERBV_MECH].len);
+		NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+		*tl++ = txdr_unsigned(GSS_KERBV_QOP);
+		*tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY);
+		len = 4;
+	}
 	for (i = 0; i < retnes.nes_numsecflavor; i++) {
 		if (retnes.nes_secflavors[i] == AUTH_SYS) {
 			NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);