svn commit: r362668 - in projects/nfs-over-tls/sys: fs/nfs fs/nfsclient fs/nfsserver rpc rpc/rpcsec_tls
Rick Macklem
rmacklem at FreeBSD.org
Sat Jun 27 01:08:30 UTC 2020
Author: rmacklem
Date: Sat Jun 27 01:08:27 2020
New Revision: 362668
URL: https://svnweb.freebsd.org/changeset/base/362668
Log:
Add options to rpctls_getinfo() to check if the daemons are running.
When both of the new options are "false", the behaviour does not change.
When either option is true, rpctls_getinfo() checks to see if the
corresponding daemon is connected to the socket for server upcalls.
It returns false if it is not connected.
This allows the NFS client and server to fail attempts to use TLS
when the required daemon is not running and connected to the upcall socket.
This patch also assumes that rpctls_getinfo() will return an appropriate
maximum size for the ext_pgs mbufs in the list required by sosend() for
TLS, so it no longer bothers to do a min() with the 16K default in
the NFS code.
Modified:
projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c
projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c
projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c
projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c
projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
projects/nfs-over-tls/sys/rpc/clnt_bck.c
projects/nfs-over-tls/sys/rpc/clnt_vc.c
projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
projects/nfs-over-tls/sys/rpc/svc_vc.c
Modified: projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/fs/nfs/nfs_commonsubs.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -361,15 +361,13 @@ nfscl_reqstart(struct nfsrv_descript *nd, int procnum,
}
nd->nd_procnum = procnum;
nd->nd_repstat = 0;
- nd->nd_maxextsiz = 16384;
- if (use_ext && PMAP_HAS_DMAP != 0) {
- nd->nd_flag |= ND_EXTPG;
+ nd->nd_maxextsiz = 0;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
- nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
- maxlen);
-#endif
+ if (use_ext && rpctls_getinfo(&maxlen, false, false)) {
+ nd->nd_flag |= ND_EXTPG;
+ nd->nd_maxextsiz = maxlen;
}
+#endif
/*
* Get the first mbuf for the request.
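Review bot: The new line `nd->nd_maxextsiz = maxlen;` stores the sysctl value unclamped, whereas clnt_bck.c, clnt_vc.c and svc_vc.c in this same commit still do `min(maxextsiz, maxlen)` against TLS_MAX_MSG_SIZE_V10_2; if kern.ipc.tls.maxlen can be tuned above the TLS record limit, the NFS side would build ext_pgs mbufs larger than the krpc send path accepts. The log says rpctls_getinfo() is assumed to return an appropriate size, but as shown below it passes the sysctl value through unchanged, so the clamp belongs either inside rpctls_getinfo() or back here as `nd->nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2, maxlen);`. The same unclamped assignment appears in nfs_clkrpc.c, nfs_clrpcops.c and nfs_nfsdkrpc.c. nfscl_reqstart continues past the end of the hunk.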
Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clkrpc.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -116,17 +116,13 @@ printf("cbreq nd_md=%p\n", nd.nd_md);
mac_cred_associate_nfsd(nd.nd_cred);
#endif
#endif
- if (((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 ||
- nfs_use_ext_pgs) && PMAP_HAS_DMAP != 0) {
- nd.nd_flag |= ND_EXTPG;
- nd.nd_maxextsiz = 16384;
#ifdef KERN_TLS
- if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 &&
- rpctls_getinfo(&maxlen))
- nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
- maxlen);
-#endif
+ if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 &&
+ rpctls_getinfo(&maxlen, false, false)) {
+ nd.nd_flag |= ND_EXTPG;
+ nd.nd_maxextsiz = maxlen;
}
+#endif
cacherep = nfs_cbproc(&nd, rqst->rq_xid);
} else {
NFSMGET(nd.nd_mreq);
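Review bot: The removed condition also enabled ext_pgs mbufs for non-TLS callbacks via `nfs_use_ext_pgs`, and the new condition requires RPCTLS_FLAGS_HANDSHAKE, so that non-TLS path is dropped here and likewise in nfs_commonsubs.c (`use_ext` alone no longer suffices) and nfs_clrpcops.c (`nfs_use_ext_pgs && xfer > MCLBYTES`); the log message does not mention this. If it is intentional, a sentence in the log or a comment such as `/* ext_pgs mbufs are now only used on TLS connections. */` would keep the next reader from treating it as an accidental regression. Without KERN_TLS the whole block now compiles away, so `maxlen` presumably has to be declared under the same #ifdef to avoid an unused-variable warning; its declaration is outside the hunk.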
Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clrpcops.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -5877,19 +5877,14 @@ nfscl_doiods(vnode_t vp, struct uio *uiop, int *iomode
iovlen = uiop->uio_iov->iov_len;
doextpgs = false;
maxextsiz = 0;
- if ((NFSHASTLS(nmp) ||
- (nfs_use_ext_pgs &&
- xfer > MCLBYTES)) &&
- PMAP_HAS_DMAP != 0) {
- doextpgs = true;
- maxextsiz = 16384;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
- maxextsiz = min(
- TLS_MAX_MSG_SIZE_V10_2,
- maxlen);
-#endif
+ if (NFSHASTLS(nmp) &&
+ rpctls_getinfo(&maxlen,
+ false, false)) {
+ doextpgs = true;
+ maxextsiz = maxlen;
}
+#endif
m = nfsm_uiombuflist(doextpgs,
maxextsiz, uiop, len, NULL,
NULL);
Modified: projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/fs/nfsclient/nfs_clvfsops.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -77,6 +77,8 @@ __FBSDID("$FreeBSD$");
#include <fs/nfsclient/nfs.h>
#include <nfs/nfsdiskless.h>
+#include <rpc/rpcsec_tls.h>
+
FEATURE(nfscl, "NFSv4 client");
extern int nfscl_ticks;
@@ -1394,6 +1396,9 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru
struct nfsclds *dsp, *tdsp;
uint32_t lease;
static u_int64_t clval = 0;
+#ifdef KERN_TLS
+ u_int maxlen;
+#endif
NFSCL_DEBUG(3, "in mnt\n");
clp = NULL;
@@ -1403,11 +1408,11 @@ mountnfs(struct nfs_args *argp, struct mount *mp, stru
free(nam, M_SONAME);
return (0);
} else {
- /* NFS-over-TLS requires "options KERN_TLS" and a DMAP. */
+ /* NFS-over-TLS requires that rpctls be functioning. */
if ((newflag & NFSMNT_TLS) != 0) {
error = EINVAL;
#ifdef KERN_TLS
- if (PMAP_HAS_DMAP != 0)
+ if (rpctls_getinfo(&maxlen, true, false))
error = 0;
#endif
if (error != 0) {
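Review bot: The new comment could say what "functioning" means, since the `true` argument makes this the one call in the commit that insists rpctlscd is connected to the upcall socket: `/* NFS-over-TLS requires KERN_TLS, ext_pgs mbufs and a connected rpctlscd daemon. */`. This is a point-in-time check at mount; the daemon can disconnect afterwards, so the per-connection rpctls_connect() path has to keep failing closed on its own, which this hunk cannot show. `maxlen` is only an output parameter here and is otherwise unused, which is fine but worth a word in the comment. mountnfs continues outside the hunk.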
Modified: projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c
==============================================================================
--- projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/fs/nfsserver/nfs_nfsdkrpc.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -283,9 +283,8 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
#ifdef KERN_TLS
if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 &&
- rpctls_getinfo(&maxlen))
- nd.nd_maxextsiz = min(TLS_MAX_MSG_SIZE_V10_2,
- maxlen);
+ rpctls_getinfo(&maxlen, false, false))
+ nd.nd_maxextsiz = maxlen;
#endif
cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp);
NFSLOCKV4ROOTMUTEX();
Modified: projects/nfs-over-tls/sys/rpc/clnt_bck.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/rpc/clnt_bck.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -311,7 +311,7 @@ call_again:
*/
maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
maxextsiz = min(maxextsiz, maxlen);
#endif
mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz);
Modified: projects/nfs-over-tls/sys/rpc/clnt_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/rpc/clnt_vc.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -434,7 +434,7 @@ call_again:
*/
maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
maxextsiz = min(maxextsiz, maxlen);
#endif
mreq = _rpc_copym_into_ext_pgs(mreq, maxextsiz);
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls.h
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls.h Sat Jun 27 01:08:27 2020 (r362668)
@@ -72,7 +72,8 @@ enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uin
int rpctls_init(void);
/* Get TLS information function. */
-bool rpctls_getinfo(u_int *maxlen);
+bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run,
+ bool rpctlssd_run);
/* String for AUTH_TLS reply verifier. */
#define RPCTLS_START_STRING "STARTTLS"
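Review bot: The prototype gains two bool parameters but the comment `/* Get TLS information function. */` still says nothing about them or about the function returning false when the corresponding daemon handle is NULL. A short block comment above the prototype stating that `rpctlscd_run` / `rpctlssd_run` additionally require the client/server daemon to be connected to the upcall socket, and that the function fails closed otherwise, would let callers choose the right combination; the definition's comment in rpctls_impl.c (`Get kern.ipc.tls.enable and kern.ipc.tls.maxlen.`) needs the same update. Positional bools also read poorly at the call sites (`false, false`, `false, true`), so a flags argument would be clearer, though that is a style choice.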
Modified: projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/rpc/rpcsec_tls/rpctls_impl.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -133,8 +133,7 @@ printf("setting err=%d path=%s\n", error, path);
if (error == 0) {
error = ENXIO;
#ifdef KERN_TLS
- if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs &&
- rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
error = 0;
#endif
}
@@ -182,8 +181,7 @@ printf("setting err=%d path=%s\n", error, path);
if (error == 0) {
error = ENXIO;
#ifdef KERN_TLS
- if (PMAP_HAS_DMAP != 0 && mb_use_ext_pgs &&
- rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
error = 0;
#endif
}
@@ -592,6 +590,9 @@ _svcauth_rpcsec_tls(struct svc_req *rqst, struct rpc_m
int ngrps;
uid_t uid;
gid_t *gidp;
+#ifdef KERN_TLS
+ u_int maxlen;
+#endif
/* Initialize reply. */
rqst->rq_verf = rpctls_null_verf;
@@ -607,13 +608,14 @@ printf("authtls proc=%d\n", rqst->rq_proc);
if (rqst->rq_proc != NULLPROC)
return (AUTH_REJECTEDCRED);
- if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs)
+ call_stat = FALSE;
+#ifdef KERN_TLS
+ if (rpctls_getinfo(&maxlen, false, true))
+ call_stat = TRUE;
+#endif
+ if (!call_stat)
return (AUTH_REJECTEDCRED);
-#ifndef KERN_TLS
- return (AUTH_REJECTEDCRED);
-#endif
-
/*
* Disable reception for the krpc so that the TLS handshake can
* be done on the socket in the rpctlssd daemon.
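Review bot: Rejecting AUTH_TLS with AUTH_REJECTEDCRED when rpctlssd is not connected is the right fail-closed outcome, but the hunk gives no hint why `call_stat` is being used as a gate before the real upcall; a comment such as `/* Reject AUTH_TLS unless KERN_TLS is configured and rpctlssd is connected to the upcall socket. */` above `call_stat = FALSE;` would help. There is also no log message or counter on this path, so an operator whose daemon has died only sees authentication failures at the clients; a rate-limited message or a counter would make the condition diagnosable. _svcauth_rpcsec_tls continues outside the hunk.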
@@ -668,13 +670,15 @@ printf("authtls: aft handshake stat=%d\n", stat);
* Get kern.ipc.tls.enable and kern.ipc.tls.maxlen.
*/
bool
-rpctls_getinfo(u_int *maxlenp)
+rpctls_getinfo(u_int *maxlenp, bool rpctlscd_run, bool rpctlssd_run)
{
u_int maxlen;
bool enable;
int error;
size_t siz;
+ if (PMAP_HAS_DMAP == 0 || !mb_use_ext_pgs)
+ return (false);
siz = sizeof(enable);
error = kernel_sysctlbyname(curthread, "kern.ipc.tls.enable",
&enable, &siz, NULL, 0, NULL, 0);
@@ -684,6 +688,10 @@ rpctls_getinfo(u_int *maxlenp)
error = kernel_sysctlbyname(curthread, "kern.ipc.tls.maxlen",
&maxlen, &siz, NULL, 0, NULL, 0);
if (error != 0)
+ return (false);
+ if (rpctlscd_run && rpctls_connect_handle == NULL)
+ return (false);
+ if (rpctlssd_run && rpctls_server_handle == NULL)
return (false);
*maxlenp = maxlen;
return (enable);
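Review bot: `rpctls_connect_handle` and `rpctls_server_handle` are compared with NULL without any lock visible in the hunk, so the result is a snapshot: the daemon may disconnect right after this returns true, and nothing in rpctls_getinfo() can prevent that. That is acceptable as a pre-check only if every upcall path still copes with a NULL handle on its own; a one-line comment such as `/* Unlocked snapshot; the upcall paths must still handle a daemon that has gone away. */` would stop callers from treating true as a guarantee. If the handles are written under a mutex elsewhere, reading them here without it is a data race by the letter of the memory model, even if benign in practice. rpctls_getinfo starts in the previous hunk.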
Modified: projects/nfs-over-tls/sys/rpc/svc_vc.c
==============================================================================
--- projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 00:57:48 2020 (r362667)
+++ projects/nfs-over-tls/sys/rpc/svc_vc.c Sat Jun 27 01:08:27 2020 (r362668)
@@ -968,7 +968,7 @@ svc_vc_reply(SVCXPRT *xprt, struct rpc_msg *msg,
*/
maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
maxextsiz = min(maxextsiz, maxlen);
#endif
mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz);
@@ -1045,7 +1045,7 @@ svc_vc_backchannel_reply(SVCXPRT *xprt, struct rpc_msg
*/
maxextsiz = TLS_MAX_MSG_SIZE_V10_2;
#ifdef KERN_TLS
- if (rpctls_getinfo(&maxlen))
+ if (rpctls_getinfo(&maxlen, false, false))
maxextsiz = min(maxextsiz, maxlen);
#endif
mrep = _rpc_copym_into_ext_pgs(mrep, maxextsiz);