From e0fe09c72d787d06261f7624d83092616b3f3949 Mon Sep 17 00:00:00 2001
From: rmacklem
Date: Tue, 11 Aug 2020 00:26:45 +0000
Subject: [PATCH] Add an argument to newnfs_connect() that indicates use TLS for the connection. For NFSv4.0, the server creates a server->client TCP connection for callbacks. If the client mount on the server is using TLS, enable TLS for this callback TCP connection. TLS connections from clients will not be supported until the kernel RPC changes are committed. Since this changes the internal ABI between the NFS kernel modules that will require a version bump, delete newnfs_trimtrailing(), which is no longer used. Since LCL_TLSCB is not yet set, these changes should not have any semantic affect at this time.
---
 sys/fs/nfs/nfs.h | 1 +
 sys/fs/nfs/nfs_commonkrpc.c | 6 ++++--
 sys/fs/nfs/nfs_commonsubs.c | 21 +--------------------
 sys/fs/nfs/nfs_var.h | 4 +---
 sys/fs/nfsclient/nfs_clrpcops.c | 2 +-
 sys/fs/nfsclient/nfs_clvfsops.c | 4 ++--
 sys/fs/nfsserver/nfs_nfsdstate.c | 8 ++++++--
 sys/rpc/clnt.h | 2 ++
 sys/sys/param.h | 2 +-
 9 files changed, 19 insertions(+), 31 deletions(-)
diff --git a/sys/fs/nfs/nfs.h b/sys/fs/nfs/nfs.h
index 29d5373b5966..70b2536245ff 100644
--- a/sys/fs/nfs/nfs.h
+++ b/sys/fs/nfs/nfs.h
@@ -336,6 +336,7 @@ struct nfsreferral {
 #define LCL_DONEBINDCONN 0x00040000
 #define LCL_RECLAIMONEFS 0x00080000
 #define LCL_NFSV42 0x00100000
+#define LCL_TLSCB 0x00200000
 #define LCL_GSS LCL_KERBV /* Or of all mechs */
diff --git a/sys/fs/nfs/nfs_commonkrpc.c b/sys/fs/nfs/nfs_commonkrpc.c
index 334d46e05c23..79c6067c9866 100644
--- a/sys/fs/nfs/nfs_commonkrpc.c
+++ b/sys/fs/nfs/nfs_commonkrpc.c
@@ -167,7 +167,7 @@ static int nfsv2_procid[NFS_V3NPROCS] = {
 */
 int
 newnfs_connect(struct nfsmount *nmp, struct nfssockreq *nrp,
- struct ucred *cred, NFSPROC_T *p, int callback_retry_mult)
+ struct ucred *cred, NFSPROC_T *p, int callback_retry_mult, bool dotls)
 {
 int rcvreserve, sndreserve;
 int pktscale, pktscalesav;
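Review bot: The new `LCL_TLSCB` bit in nfs.h carries no comment, unlike the neighbouring `LCL_GSS`, and since the commit message says nothing sets it yet, a reader of the header cannot tell what it means or who is expected to set it. Suggest `#define LCL_TLSCB 0x00200000 /* Use RPC-over-TLS for the NFSv4.0 callback connection (not yet set) */` so the intended setter and scope are recorded at the definition rather than only in this commit's log.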
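Review bot: The new `dotls` parameter on newnfs_connect() is undocumented; the comment block above the function closes on this hunk's first context line `*/`, but its text is not updated, so callers cannot tell what passing true requests or on which connections it is honoured. Suggest extending that comment with a line such as `dotls - request RPC-over-TLS on the new connection; currently honoured only on the callback/upcall path, see the CLSET_TLS control below`. The "callback/upcall path" qualifier is an inference from where the second hunk of this file places the CLSET_TLS control (inside a block that closes before the CLSET_RETRIES control); the enclosing condition is outside the hunk and should be confirmed before the comment asserts it. The body of newnfs_connect() continues past the end of the hunk.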
@@ -374,6 +374,8 @@ newnfs_connect(struct nfsmount *nmp, struct nfssockreq *nrp,
 } else {
 retries = NFSV4_CALLBACKRETRY * callback_retry_mult;
 }
+ if (dotls)
+ CLNT_CONTROL(client, CLSET_TLS, &one);
 }
 CLNT_CONTROL(client, CLSET_RETRIES, &retries);
@@ -586,7 +588,7 @@ newnfs_request(struct nfsrv_descript *nd, struct nfsmount *nmp,
 * and let clnt_reconnect_create handle reconnects.
 */
 if (nrp->nr_client == NULL)
- newnfs_connect(nmp, nrp, cred, td, 0);
+ newnfs_connect(nmp, nrp, cred, td, 0, false);
 /*
 * For a client side mount, nmp is != NULL and clp == NULL. For
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index d9e03cf7b791..1fc4e2a4d757 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -1057,25 +1057,6 @@ nfsaddr2_match(NFSSOCKADDR_T nam1, NFSSOCKADDR_T nam2)
 return (0);
 }
-/*
- * Trim trailing data off the mbuf list being built.
- */
-void
-newnfs_trimtrailing(nd, mb, bpos)
- struct nfsrv_descript *nd;
- struct mbuf *mb;
- caddr_t bpos;
-{
-
- if (mb->m_next) {
- m_freem(mb->m_next);
- mb->m_next = NULL;
- }
- mb->m_len = bpos - mtod(mb, caddr_t);
- nd->nd_mb = mb;
- nd->nd_bpos = bpos;
-}
-
 /*
 * Dissect a file handle on the client.
 */
@@ -3650,7 +3631,7 @@ nfsrv_nfsuserdport(struct nfsuserd_args *nargs, NFSPROC_T *p)
 }
 rp->nr_vers = RPCNFSUSERD_VERS;
 if (error == 0)
- error = newnfs_connect(NULL, rp, NFSPROCCRED(p), p, 0);
+ error = newnfs_connect(NULL, rp, NFSPROCCRED(p), p, 0, false);
 if (error == 0) {
 NFSLOCKNAMEID();
 nfsrv_nfsuserd = RUNNING;
diff --git a/sys/fs/nfs/nfs_var.h b/sys/fs/nfs/nfs_var.h
index 7bf89011d2fd..695c72f74ad3 100644
--- a/sys/fs/nfs/nfs_var.h
+++ b/sys/fs/nfs/nfs_var.h
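Review bot: The new `CLNT_CONTROL(client, CLSET_TLS, &one)` discards the control's status, so a transport that does not implement CLSET_TLS (the message says the kernel RPC side is not committed yet, and a datagram client would never support it) silently leaves the connection in cleartext while the caller believes TLS was requested. A TLS request should fail closed rather than degrade: `if (dotls && !CLNT_CONTROL(client, CLSET_TLS, &one))` followed by the function's existing error/cleanup path, whose exact return value has to be chosen outside this hunk; this assumes cl_control reports unsupported requests as false, which the clnt.h hunk does not show and should be confirmed. The control is also placed inside a block that closes just before `CLNT_CONTROL(client, CLSET_RETRIES, &retries)`; if, as it appears, that is the non-mount branch, a mount-path caller passing `dotls = true` is ignored, which a `KASSERT(!dotls || nmp == NULL, ("newnfs_connect: TLS only on callback path"))` or a comment would make explicit until client TLS lands. Harmless today because LCL_TLSCB is never set, but this is the shape later callers will copy; the enclosing `if` and the rest of newnfs_connect() lie outside the hunk.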
@@ -324,8 +324,6 @@ int nfsm_mbufuio(struct nfsrv_descript *, struct uio *, int);
 int nfsm_fhtom(struct nfsrv_descript *, u_int8_t *, int, int);
 int nfsm_advance(struct nfsrv_descript *, int, int);
 void *nfsm_dissct(struct nfsrv_descript *, int, int);
-void newnfs_trimtrailing(struct nfsrv_descript *, struct mbuf *,
- caddr_t);
 void newnfs_copycred(struct nfscred *, struct ucred *);
 void newnfs_copyincred(struct ucred *, struct nfscred *);
 int nfsrv_dissectacl(struct nfsrv_descript *, NFSACL_T *, int *,
@@ -766,7 +764,7 @@ int newnfs_request(struct nfsrv_descript *, struct nfsmount *,
 struct ucred *, u_int32_t, u_int32_t, u_char *, int, u_int64_t *,
 struct nfsclsession *);
 int newnfs_connect(struct nfsmount *, struct nfssockreq *,
- struct ucred *, NFSPROC_T *, int);
+ struct ucred *, NFSPROC_T *, int, bool);
 void newnfs_disconnect(struct nfssockreq *);
 int newnfs_sigintr(struct nfsmount *, NFSPROC_T *);
diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 33065249315f..f64615df7f8f 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5617,7 +5617,7 @@ nfsrpc_fillsa(struct nfsmount *nmp, struct sockaddr_in *sin,
 * unmount, but I did it anyhow.
 */
 nrp->nr_cred = crhold(nmp->nm_sockreq.nr_cred);
- error = newnfs_connect(nmp, nrp, NULL, p, 0);
+ error = newnfs_connect(nmp, nrp, NULL, p, 0, false);
 NFSCL_DEBUG(3, "DS connect=%d\n", error);
 dsp = NULL;
diff --git a/sys/fs/nfsclient/nfs_clvfsops.c b/sys/fs/nfsclient/nfs_clvfsops.c
index 7124c10573fa..e97d42f4a381 100644
--- a/sys/fs/nfsclient/nfs_clvfsops.c
+++ b/sys/fs/nfsclient/nfs_clvfsops.c
@@ -718,7 +718,7 @@ nfs_decode_args(struct mount *mp, struct nfsmount *nmp, struct nfs_args *argp,
 nmp->nm_soproto = argp->proto;
 if (nmp->nm_sotype == SOCK_DGRAM)
 while (newnfs_connect(nmp, &nmp->nm_sockreq,
- cred, td, 0)) {
+ cred, td, 0, false)) {
 printf("newnfs_args: retrying connect\n");
 (void) nfs_catnap(PSOCK, 0, "nfscon");
 }
@@ -1527,7 +1527,7 @@ mountnfs(struct nfs_args *argp, struct mount *mp, struct sockaddr *nam,
 nmp->nm_sockreq.nr_vers = NFS_VER2;
- if ((error = newnfs_connect(nmp, &nmp->nm_sockreq, cred, td, 0)))
+ if ((error = newnfs_connect(nmp, &nmp->nm_sockreq, cred, td, 0, false)))
 goto bad;
 /* For NFSv4.1, get the clientid now. */
 if (nmp->nm_minorvers > 0) {
diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c
index 5d15c68c4ead..68216a6f50f5 100644
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@@ -4423,6 +4423,7 @@ nfsrv_docallback(struct nfsclient *clp, int procnum, nfsv4stateid_t *stateidp,
 u_int32_t callback;
 struct nfsdsession *sep = NULL;
 uint64_t tval;
+ bool dotls;
 nd = malloc(sizeof(*nd), M_TEMP, M_WAITOK | M_ZERO);
 cred = newnfs_getcred();
@@ -4547,6 +4548,9 @@ nfsrv_docallback(struct nfsclient *clp, int procnum, nfsv4stateid_t *stateidp,
 /*
 * Call newnfs_connect(), as required, and then newnfs_request().
 */
+ dotls = false;
+ if ((clp->lc_flags & LCL_TLSCB) != 0)
+ dotls = true;
 (void) newnfs_sndlock(&clp->lc_req.nr_lock);
 if (clp->lc_req.nr_client == NULL) {
 if ((clp->lc_flags & LCL_NFSV41) != 0) {
@@ -4554,10 +4558,10 @@ nfsrv_docallback(struct nfsclient *clp, int procnum, nfsv4stateid_t *stateidp,
 nfsrv_freesession(sep, NULL);
 } else if (nd->nd_procnum == NFSV4PROC_CBNULL)
 error = newnfs_connect(NULL, &clp->lc_req, cred,
- NULL, 1);
+ NULL, 1, dotls);
 else
 error = newnfs_connect(NULL, &clp->lc_req, cred,
- NULL, 3);
+ NULL, 3, dotls);
 }
 newnfs_sndunlock(&clp->lc_req.nr_lock);
 NFSD_DEBUG(4, "aft sndunlock=%d\n", error);
diff --git a/sys/rpc/clnt.h b/sys/rpc/clnt.h
index 26a21cf13187..23c92103edff 100644
--- a/sys/rpc/clnt.h
+++ b/sys/rpc/clnt.h
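Review bot: The three added lines `dotls = false; if ((clp->lc_flags & LCL_TLSCB) != 0) dotls = true;` compute a boolean by branching; `dotls = (clp->lc_flags & LCL_TLSCB) != 0;` says the same in one line and mirrors how the following hunk tests `LCL_NFSV41`. Separately, `clp->lc_flags` is read here before `newnfs_sndlock()` is taken and outside any lock visible in the hunk; whether that field is stable at this point depends on how LCL_TLSCB will eventually be set (nothing sets it in this commit), so a short comment recording that assumption would help the follow-up that does set it. nfsrv_docallback() starts and ends outside the hunk.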
@@ -357,6 +357,8 @@ enum clnt_stat clnt_call_private(CLIENT *, struct rpc_callextra *, rpcproc_t,
 #define CLSET_PRIVPORT 27 /* set privileged source port flag */
 #define CLGET_PRIVPORT 28 /* get privileged source port flag */
 #define CLSET_BACKCHANNEL 29 /* set backchannel for socket */
+#define CLSET_TLS 30 /* set TLS for socket */
+#define CLSET_BLOCKRCV 31 /* Temporarily block reception */
 #endif
diff --git a/sys/sys/param.h b/sys/sys/param.h
index cdb5495ed335..605a9793e961 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -60,7 +60,7 @@
 * in the range 5 to 9.
 */
 #undef __FreeBSD_version
-#define __FreeBSD_version 1300105 /* Master, propagated to newvers */
+#define __FreeBSD_version 1300106 /* Master, propagated to newvers */
 /*
 * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
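Review bot: `CLSET_BLOCKRCV 31` is introduced next to CLSET_TLS but nothing else in this diff uses it and the commit message does not mention it, so it lands as a control code with no implementer and a one-word comment that does not say which transport will honour it or how reception is unblocked again. Either leave it for the commit that implements it, or extend the comment to name the implementing transport and the unblock mechanism so the constant is not an orphan in the header. Relatedly, `CLSET_PRIVPORT` has a `CLGET_PRIVPORT` counterpart while `CLSET_TLS` has none; if callers are ever to verify that TLS was actually enabled on a connection rather than merely requested, a `CLGET_TLS` will be needed alongside it.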