freebsd-dev/sys/rpc/rpcsec_tls.h

/*-
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 *
 * Copyright (c) 2020 Rick Macklem
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

#ifndef	_RPC_RPCSEC_TLS_H_
#define	_RPC_RPCSEC_TLS_H_

/* Operation values for rpctls syscall. */
#define	RPCTLS_SYSC_CLSETPATH	1
#define	RPCTLS_SYSC_CLSOCKET	2
#define	RPCTLS_SYSC_CLSHUTDOWN	3
#define	RPCTLS_SYSC_SRVSETPATH	4
#define	RPCTLS_SYSC_SRVSOCKET	5
#define	RPCTLS_SYSC_SRVSHUTDOWN	6
#define	RPCTLS_SYSC_SRVSTARTUP	7

/* Max nprocs for SRV startup */
#define	RPCTLS_SRV_MAXNPROCS	16

/* System call used by the rpctlscd, rpctlssd daemons. */
int	rpctls_syscall(int, const char *);

/* Flag bits to indicate certificate results. */
#define	RPCTLS_FLAGS_HANDSHAKE	0x01
#define	RPCTLS_FLAGS_GOTCERT	0x02
#define	RPCTLS_FLAGS_SELFSIGNED	0x04
#define	RPCTLS_FLAGS_VERIFIED	0x08
#define	RPCTLS_FLAGS_DISABLED	0x10
#define	RPCTLS_FLAGS_CERTUSER	0x20
#define	RPCTLS_FLAGS_HANDSHFAIL	0x40

/* Error return values for upcall rpcs. */
#define	RPCTLSERR_OK		0
#define	RPCTLSERR_NOCLOSE	1
#define	RPCTLSERR_NOSSL		2
#define	RPCTLSERR_NOSOCKET	3

#ifdef _KERNEL
/* Functions that perform upcalls to the rpctlsd daemon. */
enum clnt_stat	rpctls_connect(CLIENT *newclient, char *certname,
		    struct socket *so, uint64_t *sslp, uint32_t *reterr);
enum clnt_stat	rpctls_cl_handlerecord(uint64_t sec, uint64_t usec,
		    uint64_t ssl, uint32_t *reterr);
enum clnt_stat	rpctls_srv_handlerecord(uint64_t sec, uint64_t usec,
		    uint64_t ssl, int procpos, uint32_t *reterr);
enum clnt_stat	rpctls_cl_disconnect(uint64_t sec, uint64_t usec,
		    uint64_t ssl, uint32_t *reterr);
enum clnt_stat	rpctls_srv_disconnect(uint64_t sec, uint64_t usec,
		    uint64_t ssl, int procpos, uint32_t *reterr);

/* Initialization function for rpcsec_tls. */
int		rpctls_init(void);

/* Get TLS information function. */
bool		rpctls_getinfo(u_int *maxlen, bool rpctlscd_run,
		    bool rpctlssd_run);

/* String for AUTH_TLS reply verifier. */
#define	RPCTLS_START_STRING	"STARTTLS"

/* ssl refno value to indicate TLS handshake being done. */
#define	RPCTLS_REFNO_HANDSHAKE	0xFFFFFFFFFFFFFFFFULL

/* Macros for VIMAGE. */
/* Just define the KRPC_VNETxxx() macros as VNETxxx() macros. */
#define	KRPC_VNET_DEFINE(t, n)		VNET_DEFINE(t, n)
#define	KRPC_VNET_DEFINE_STATIC(t, n)	VNET_DEFINE_STATIC(t, n)
#define	KRPC_VNET(n)			VNET(n)

#define	KRPC_CURVNET_SET(n)		CURVNET_SET(n)
#define	KRPC_CURVNET_SET_QUIET(n)	CURVNET_SET_QUIET(n)
#define	KRPC_CURVNET_RESTORE()		CURVNET_RESTORE()
#define	KRPC_TD_TO_VNET(n)		TD_TO_VNET(n)

#endif	/* _KERNEL */

#endif	/* _RPC_RPCSEC_TLS_H_ */
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00			`/*-`
			`* SPDX-License-Identifier: BSD-2-Clause-FreeBSD`
			`*`
			`* Copyright (c) 2020 Rick Macklem`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions`
			`* are met:`
			`* 1. Redistributions of source code must retain the above copyright`
			`* notice, this list of conditions and the following disclaimer.`
			`* 2. Redistributions in binary form must reproduce the above copyright`
			`* notice, this list of conditions and the following disclaimer in the`
			`* documentation and/or other materials provided with the distribution.`
			`*`
			* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
			`* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE`
			`* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
			`* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`
			`* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY`
			`* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
			`* SUCH DAMAGE.`
			`*`
			`* $FreeBSD$`
			`*/`

			`#ifndef _RPC_RPCSEC_TLS_H_`
			`#define _RPC_RPCSEC_TLS_H_`

			`/* Operation values for rpctls syscall. */`
			`#define RPCTLS_SYSC_CLSETPATH 1`
			`#define RPCTLS_SYSC_CLSOCKET 2`
			`#define RPCTLS_SYSC_CLSHUTDOWN 3`
			`#define RPCTLS_SYSC_SRVSETPATH 4`
			`#define RPCTLS_SYSC_SRVSOCKET 5`
			`#define RPCTLS_SYSC_SRVSHUTDOWN 6`
nfsd: Allow multiple instances of rpc.tlsservd During a discussion with someone working on NFS-over-TLS for a non-FreeBSD platform, we agreed that a single server daemon for TLS handshakes could become a bottleneck when an NFS server first boots, if many concurrent NFS-over-TLS connections are attempted. This patch modifies the kernel RPC code so that it can handle multiple rpc.tlsservd daemons. A separate commit currently under review as D35886 for the rpc.tlsservd daemon. 2022-08-22 20:54:24 +00:00			`#define RPCTLS_SYSC_SRVSTARTUP 7`

			`/* Max nprocs for SRV startup */`
			`#define RPCTLS_SRV_MAXNPROCS 16`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00
			`/* System call used by the rpctlscd, rpctlssd daemons. */`
			`int rpctls_syscall(int, const char *);`

			`/* Flag bits to indicate certificate results. */`
			`#define RPCTLS_FLAGS_HANDSHAKE 0x01`
			`#define RPCTLS_FLAGS_GOTCERT 0x02`
			`#define RPCTLS_FLAGS_SELFSIGNED 0x04`
			`#define RPCTLS_FLAGS_VERIFIED 0x08`
			`#define RPCTLS_FLAGS_DISABLED 0x10`
			`#define RPCTLS_FLAGS_CERTUSER 0x20`
Add TLS support to the kernel RPC. An internet draft titled "Towards Remote Procedure Call Encryption By Default" describes how TLS is to be used for Sun RPC, with NFS as an intended use case. This patch adds client and server support for this to the kernel RPC, using KERN_TLS and upcalls to daemons for the handshake, peer reset and other non-application data record cases. The upcalls to the daemons use three fields to uniquely identify the TCP connection. They are the time.tv_sec, time.tv_usec of the connection establshment, plus a 64bit sequence number. The time fields avoid problems with re-use of the sequence number after a daemon restart. For the server side, once a Null RPC with AUTH_TLS is received, kernel reception on the socket is blocked and an upcall to the rpctlssd(8) daemon is done to perform the TLS handshake. Upon completion, the completion status of the handshake is stored in xp_tls as flag bits and the reply to the Null RPC is sent. For the client, if CLSET_TLS has been set, a new TCP connection will send the Null RPC with AUTH_TLS to initiate the handshake. The client kernel RPC code will then block kernel I/O on the socket and do an upcall to the rpctlscd(8) daemon to perform the handshake. If the upcall is successful, ct_rcvstate will be maintained to indicate if/when an upcall is being done. If non-application data records are received, the code does an upcall to the appropriate daemon, which will do a SSL_read() of 0 length to handle the record(s). When the socket is being shut down, upcalls are done to the daemons, so that they can perform SSL_shutdown() calls to perform the "peer reset". The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the openssl library and, as such, will not be committed to head at this time. Although the changes done by this patch are fairly numerous, there should be no semantics change to the kernel RPC at this time. A future commit to the NFS code will optionally enable use of TLS for NFS. 2020-08-22 03:57:55 +00:00			`#define RPCTLS_FLAGS_HANDSHFAIL 0x40`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00
			`/* Error return values for upcall rpcs. */`
			`#define RPCTLSERR_OK 0`
			`#define RPCTLSERR_NOCLOSE 1`
			`#define RPCTLSERR_NOSSL 2`
			`#define RPCTLSERR_NOSOCKET 3`

			`#ifdef _KERNEL`
			`/* Functions that perform upcalls to the rpctlsd daemon. */`
Add a new "tlscertname" NFS mount option. When using NFS-over-TLS, an NFS client can optionally provide an X.509 certificate to the server during the TLS handshake. For some situations, such as different NFS servers or different certificates being mapped to different user credentials on the NFS server, there may be a need for different mounts to provide different certificates. This new mount option called "tlscertname" may be used to specify a non-default certificate be provided. This alernate certificate will be stored in /etc/rpc.tlsclntd in a file with a name based on what is provided by this mount option. 2020-12-21 23:14:53 +00:00			`enum clnt_stat rpctls_connect(CLIENT newclient, char certname,`
			`struct socket so, uint64_t sslp, uint32_t *reterr);`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00			`enum clnt_stat rpctls_cl_handlerecord(uint64_t sec, uint64_t usec,`
			`uint64_t ssl, uint32_t *reterr);`
			`enum clnt_stat rpctls_srv_handlerecord(uint64_t sec, uint64_t usec,`
nfsd: Allow multiple instances of rpc.tlsservd During a discussion with someone working on NFS-over-TLS for a non-FreeBSD platform, we agreed that a single server daemon for TLS handshakes could become a bottleneck when an NFS server first boots, if many concurrent NFS-over-TLS connections are attempted. This patch modifies the kernel RPC code so that it can handle multiple rpc.tlsservd daemons. A separate commit currently under review as D35886 for the rpc.tlsservd daemon. 2022-08-22 20:54:24 +00:00			`uint64_t ssl, int procpos, uint32_t *reterr);`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00			`enum clnt_stat rpctls_cl_disconnect(uint64_t sec, uint64_t usec,`
			`uint64_t ssl, uint32_t *reterr);`
			`enum clnt_stat rpctls_srv_disconnect(uint64_t sec, uint64_t usec,`
nfsd: Allow multiple instances of rpc.tlsservd During a discussion with someone working on NFS-over-TLS for a non-FreeBSD platform, we agreed that a single server daemon for TLS handshakes could become a bottleneck when an NFS server first boots, if many concurrent NFS-over-TLS connections are attempted. This patch modifies the kernel RPC code so that it can handle multiple rpc.tlsservd daemons. A separate commit currently under review as D35886 for the rpc.tlsservd daemon. 2022-08-22 20:54:24 +00:00			`uint64_t ssl, int procpos, uint32_t *reterr);`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00
			`/* Initialization function for rpcsec_tls. */`
			`int rpctls_init(void);`

			`/* Get TLS information function. */`
Add TLS support to the kernel RPC. An internet draft titled "Towards Remote Procedure Call Encryption By Default" describes how TLS is to be used for Sun RPC, with NFS as an intended use case. This patch adds client and server support for this to the kernel RPC, using KERN_TLS and upcalls to daemons for the handshake, peer reset and other non-application data record cases. The upcalls to the daemons use three fields to uniquely identify the TCP connection. They are the time.tv_sec, time.tv_usec of the connection establshment, plus a 64bit sequence number. The time fields avoid problems with re-use of the sequence number after a daemon restart. For the server side, once a Null RPC with AUTH_TLS is received, kernel reception on the socket is blocked and an upcall to the rpctlssd(8) daemon is done to perform the TLS handshake. Upon completion, the completion status of the handshake is stored in xp_tls as flag bits and the reply to the Null RPC is sent. For the client, if CLSET_TLS has been set, a new TCP connection will send the Null RPC with AUTH_TLS to initiate the handshake. The client kernel RPC code will then block kernel I/O on the socket and do an upcall to the rpctlscd(8) daemon to perform the handshake. If the upcall is successful, ct_rcvstate will be maintained to indicate if/when an upcall is being done. If non-application data records are received, the code does an upcall to the appropriate daemon, which will do a SSL_read() of 0 length to handle the record(s). When the socket is being shut down, upcalls are done to the daemons, so that they can perform SSL_shutdown() calls to perform the "peer reset". The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the openssl library and, as such, will not be committed to head at this time. Although the changes done by this patch are fairly numerous, there should be no semantics change to the kernel RPC at this time. A future commit to the NFS code will optionally enable use of TLS for NFS. 2020-08-22 03:57:55 +00:00			`bool rpctls_getinfo(u_int *maxlen, bool rpctlscd_run,`
			`bool rpctlssd_run);`
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00
			`/* String for AUTH_TLS reply verifier. */`
			`#define RPCTLS_START_STRING "STARTTLS"`

Add TLS support to the kernel RPC. An internet draft titled "Towards Remote Procedure Call Encryption By Default" describes how TLS is to be used for Sun RPC, with NFS as an intended use case. This patch adds client and server support for this to the kernel RPC, using KERN_TLS and upcalls to daemons for the handshake, peer reset and other non-application data record cases. The upcalls to the daemons use three fields to uniquely identify the TCP connection. They are the time.tv_sec, time.tv_usec of the connection establshment, plus a 64bit sequence number. The time fields avoid problems with re-use of the sequence number after a daemon restart. For the server side, once a Null RPC with AUTH_TLS is received, kernel reception on the socket is blocked and an upcall to the rpctlssd(8) daemon is done to perform the TLS handshake. Upon completion, the completion status of the handshake is stored in xp_tls as flag bits and the reply to the Null RPC is sent. For the client, if CLSET_TLS has been set, a new TCP connection will send the Null RPC with AUTH_TLS to initiate the handshake. The client kernel RPC code will then block kernel I/O on the socket and do an upcall to the rpctlscd(8) daemon to perform the handshake. If the upcall is successful, ct_rcvstate will be maintained to indicate if/when an upcall is being done. If non-application data records are received, the code does an upcall to the appropriate daemon, which will do a SSL_read() of 0 length to handle the record(s). When the socket is being shut down, upcalls are done to the daemons, so that they can perform SSL_shutdown() calls to perform the "peer reset". The rpctlssd(8) and rpctlscd(8) daemons require a patched version of the openssl library and, as such, will not be committed to head at this time. Although the changes done by this patch are fairly numerous, there should be no semantics change to the kernel RPC at this time. A future commit to the NFS code will optionally enable use of TLS for NFS. 2020-08-22 03:57:55 +00:00			`/* ssl refno value to indicate TLS handshake being done. */`
			`#define RPCTLS_REFNO_HANDSHAKE 0xFFFFFFFFFFFFFFFFULL`

krpc: Add macros so that rpc.tlsservd can run in vnet prison Commit 7344856e3a6d added a lot of macros that will front end vnet macros so that nfsd(8) can run in vnet prison. This patch adds similar macros named KRPC_VNETxxx so that the rpc.tlsservd(8) daemon can run in a vnet prison, once the macros front end the vnet ones. For now, they are null macros. MFC after: 3 months 2023-02-15 13:58:21 +00:00			`/* Macros for VIMAGE. */`
nfsd: Enable the NFSD_VNET vnet front end macros Several commits have added front end macros for the vnet macros to the NFS server, krpc and kgssapi. These macros are now null, but this patch changes them to front end the vnet macros. With this commit, many global variables in the code become vnet'd, so that nfsd(8), nfsuserd(8), rpc.tlsservd(8) and gssd(8) can run in a vnet prison, once enabled. To run the NFS server in a vnet prison still requires a couple of patches (in D37741 and D38371) that allow mountd(8) to export file systems from within a vnet prison. Once these are committed to main, a small patch to kern_jail.c allowing "allow.nfsd" without VNET_NFSD defined will allow the NFS server to run in a vnet prison. One area that still needs to be settled is cleanup when a prison is removed. Without this, everything should work except there will be a leak of malloc'd data and mutex locks when a vnet prison is removed. MFC after: 3 months 2023-02-18 22:59:36 +00:00			`/* Just define the KRPC_VNETxxx() macros as VNETxxx() macros. */`
			`#define KRPC_VNET_DEFINE(t, n) VNET_DEFINE(t, n)`
			`#define KRPC_VNET_DEFINE_STATIC(t, n) VNET_DEFINE_STATIC(t, n)`
			`#define KRPC_VNET(n) VNET(n)`

			`#define KRPC_CURVNET_SET(n) CURVNET_SET(n)`
			`#define KRPC_CURVNET_SET_QUIET(n) CURVNET_SET_QUIET(n)`
			`#define KRPC_CURVNET_RESTORE() CURVNET_RESTORE()`
			`#define KRPC_TD_TO_VNET(n) TD_TO_VNET(n)`
krpc: Add macros so that rpc.tlsservd can run in vnet prison Commit 7344856e3a6d added a lot of macros that will front end vnet macros so that nfsd(8) can run in vnet prison. This patch adds similar macros named KRPC_VNETxxx so that the rpc.tlsservd(8) daemon can run in a vnet prison, once the macros front end the vnet ones. For now, they are null macros. MFC after: 3 months 2023-02-15 13:58:21 +00:00
Add the .h file that describes the operations for the rpctls_syscall. This .h file will be used by the nfs-over-tls daemons to do the system call that was added by r361599. 2020-05-31 01:12:52 +00:00			`#endif /* _KERNEL */`

			`#endif /* _RPC_RPCSEC_TLS_H_ */`