usr.sbin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

rpc.tls[serv|clnt]d.c: Clean up code for OpenSSL3

There were several function calls that are deprecated for
OpenSSL1.1.1. These have been removed.
There was also a function call deprecated for OpenSSL3 and
that one has been #ifdef'd on OPENSSL_VERSION_NUMBER.

Reviewed by: emaste, ngie
Differential Revision: https://reviews.freebsd.org/D40275

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

rpc.tlsservd: Check for a tls syscall failure.

Although the tls syscall to set up the upcall should
not normally fail, the daemon should check for such
a failure. This patch adds a check for that failure.

MFC after: 1 week

rpc.tlsservd: Add an option to run multiple daemons

During discussions with someone that was doing NFS-over-TLS
development for Solaris, we had a concern that the server might
become overloaded after rebooting, due to a large number of
TLS handshake requests from clients.

To alleviate this potential problem, this patch modifies rpc.tlsservd
so that it supports the "-N/--numdaemons" command line option,
which specifies that up to RPCTLS_SRV_MAXNPROCS (currently defined
as 16 in the patch) may be started.

When there are multiple daemons, one is selected by the patched kernel
in a round-robin fashion, to serve a TLS handshake request.

The man page update will be done in a future commit.

Reviewed by: emaste, karels
Differential Revision: https://reviews.freebsd.org/D35886

rpc.tlsservd: Add the -2 option to the usage line

Commit 0637b12b13be added the -2 option to allow
TLS 1.2 NFS-over-TLS mounts. It did not add -2
to the usage message.

This patch adds -2 to the usage message.

MFC after: 2 weeks

rpc.tlsservd: Modify the -C option to use SSL_CTX_set_ciphersuites

Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
This patch replaces SSL_CTX_set_cipher_list() with
SSL_CTX_set_ciphersuites(), since that is the function
that is used for TLS1.3.

The man page has already been updated.

MFC after: 2 weeks

rpc.tlsservd: Add an option to allow TLS version 1.2

Commit 0b4f2ab0e913 fixes the krpc so that it can use TLS
version 1.3 for NFS-over-TLS, as required by
the draft (someday to be an RFC).
Since FreeBSD 13.0, 13.1 use TLS version 1.2 for
NFS-over-TLS mounts, this command line option
may be used so that mounts from 13.0, 13.1 will still work.

Without the command line option, only TLS version 1.3
mounts are permitted.

The man page update will be a separate commit.

MFC after: 2 weeks

rpc.tlsservd: Add logging of TLS version and cipher used

This patch adds logging of the version of TLS and cipher
negotiated successfully by the TLS handshake for each client,
if the "-v" command line option has been specified.

This information may be useful for monitoring and debugging
NFS-over-TLS mounts.

MFC after: 2 weeks

rpc.tlsclntd, rpc.tlsservd: Fix getopt_long argument

The "C" option in the argument to getopt_long() was
missing a ":" for both rpc.tlsclntd.c and rpc.tlsservd.c.
This patch fixes this.

MFC after: 2 weeks

rpc.tlsservd: Add a -C command line option for preferred_ciphers

rpc.tlsclntd has a -C command line option for setting
preferred_ciphers. Testing at a recent IETF NFSv4 testing
event showed that setting preferred_ciphers is not normally
needed for the rpc.tlsservd.

This patch modifies rpc.tlsservd to not specify preferred_ciphers
by default, but provides the same -C option as rpc.tlsclntd to
set preferred_ciphers, in case it is needed.

The man page update will be done as a separate commit.

MFC after: 2 weeks

rpc.tlsservd: Delete set but unused variable

nfs tls: Update for SSL_OP_ENABLE_KTLS.

Upstream OpenSSL (and the KTLS backport) have switched to an opt-in
option (SSL_OP_ENABLE_KTLS) in place of opt-out modes
(SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel
TLS.

Reviewed by: rmacklem
Sponsored by: Netflix
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31445

nfs-over-tls: add user space daemons rpc.tlsclntd and rpc.tlsservd

The kernel changes needed for nfs-over-tls have been committed to main.
However, nfs-over-tls requires user space daemons to handle the
TLS handshake and other non-application data TLS records.
There is one daemon (rpc.tlsclntd) for the client side and one daemon
(rpc.tlsservd) for the server side, although they share a fair amount
of code found in rpc.tlscommon.c and rpc.tlscommon.h.
They use a KTLS enabled OpenSSL to perform the actual work and, as such,
are only built when MK_OPENSSL_KTLS is set.
Communication with the kernel is done via upcall RPCs done on AF_LOCAL
sockets and the custom system call rpctls_syscall.

Reviewed by: gbe (man pages only), jhb (usr.sbin/Makefile only)
Comments by: jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D28430
Relnotes: yes